diff --git a/README.md b/README.md index c528a05..60058e3 100644 --- a/README.md +++ b/README.md 
@@ -1 +1,329 @@ # xoxys.auditd + +[![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.auditd/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.auditd) +[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.auditd/src/branch/main/LICENSE) + +Setup the Linux Auditing System. + +## Table of content + +- [Requirements](#requirements) +- [Default Variables](#default-variables) + - [auditd_action_mail_acct](#auditd_action_mail_acct) + - [auditd_admin_space_left_action](#auditd_admin_space_left_action) + - [auditd_buffer_size](#auditd_buffer_size) + - [auditd_config_immutable](#auditd_config_immutable) + - [auditd_exclude_rule_stages](#auditd_exclude_rule_stages) + - [auditd_failure_mode](#auditd_failure_mode) + - [auditd_filter_rules_default](#auditd_filter_rules_default) + - [auditd_filter_rules_extra](#auditd_filter_rules_extra) + - [auditd_main_rules_default](#auditd_main_rules_default) + - [auditd_main_rules_extra](#auditd_main_rules_extra) + - [auditd_max_log_file](#auditd_max_log_file) + - [auditd_max_log_file_action](#auditd_max_log_file_action) + - [auditd_num_logs](#auditd_num_logs) + - [auditd_optional_rules_default](#auditd_optional_rules_default) + - [auditd_optional_rules_extra](#auditd_optional_rules_extra) + - [auditd_reboot_on_change](#auditd_reboot_on_change) + - [auditd_refuse_manual_stop](#auditd_refuse_manual_stop) + - [auditd_space_left_action](#auditd_space_left_action) +- [Dependencies](#dependencies) +- [License](#license) +- [Author](#author) + +--- + +## Requirements + +- Minimum Ansible version: `2.10` + +## Default Variables + +### auditd_action_mail_acct + +#### Default value + +```YAML +auditd_action_mail_acct: root +``` + +### auditd_admin_space_left_action + +#### Default value + +```YAML +auditd_admin_space_left_action: halt +``` + +### auditd_buffer_size + +#### Default value + +```YAML +auditd_buffer_size: 8192 +``` + +### auditd_config_immutable + +The 
auditd daemon is configured to use the augenrules program to read audit rules during +daemon startup (the default), use this option to make the auditd configuration immutable. + +#### Default value + +```YAML +auditd_config_immutable: false +``` + +### auditd_exclude_rule_stages + +There is a set of pre-defined rule stages you can exclude if needed. Availabe stages: +10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize + +#### Default value + +```YAML +auditd_exclude_rule_stages: [] +``` + +#### Example usage + +```YAML +auditd_exclude_rule_stages: + - 10-start.rules + - 90-finalize +``` + +### auditd_failure_mode + +Possible values: 0 (silent) | 1 (printk, print a failure message) | 2 (panic, halt the system) + +#### Default value + +```YAML +auditd_failure_mode: 1 +``` + +### auditd_filter_rules_default + +#### Default value + +```YAML +auditd_filter_rules_default: + - comment: Ignore current working directory records + rule: -a always,exclude -F msgtype=CWD + - comment: Ignore EOE records (End Of Event, not needed) + rule: -a always,exclude -F msgtype=EOE + - comment: Cron jobs fill the logs with stuff we normally don't want + rule: + - -a never,user -F subj_type=crond_t + - -a exit,never -F subj_type=crond_t + - comment: This is not very interesting and wastes a lot of space if the server + is public facing + rule: -a always,exclude -F msgtype=CRYPTO_KEY_USER + - comment: High Volume Event Filter + rule: + - -a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess + - -a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess + - -a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm + - -a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm +``` + +### auditd_filter_rules_extra + +#### Default value + +```YAML +auditd_filter_rules_extra: [] +``` + +#### Example usage + +```YAML +auditd_filter_rules_extra: + - comment: Ignore current working directory records # defaults to not set + rule: '-a 
always,exclude -F msgtype=CWD' # can be list or string + state: present # defaults to present +``` + +### auditd_main_rules_default + +#### Default value + +```YAML +auditd_main_rules_default: + - comment: CIS 4.1.3.1 - Changes to system administration scope + rule: + - -w /etc/sudoers -p wa -k actions + - -w /etc/sudoers.d/ -p wa -k actions + - comment: CIS 4.1.3.4 - Events that modify date and time information + rule: + - -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time_change + - -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k + time_change + - -w /etc/localtime -p wa -k time-change + - comment: CIS 4.1.3.5 - Changes to the network environment + rule: + - -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale + - -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale + - -w /etc/issue -p wa -k system-locale + - -w /etc/issue.net -p wa -k system-locale + - -w /etc/hosts -p wa -k system-locale + - -w /etc/sysconfig/network -p wa -k system-locale + - -w /etc/sysconfig/network-scripts/ -p wa -k system-locale + - comment: CIS 4.1.3.7 - Unsuccessful file access attempts + rule: + - -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES + -F auid>=1000 -F auid!=unset -k access + - -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM + -F auid>=1000 -F auid!=unset -k access + - -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES + -F auid>=1000 -F auid!=unset -k access + - -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM + -F auid>=1000 -F auid!=unset -k access + - comment: CIS 4.1.3.8 - Modify user/group information + rule: + - -w /etc/group -p wa -k identity + - -w /etc/passwd -p wa -k identity + - -w /etc/gshadow -p wa -k identity + - -w /etc/shadow -p wa -k identity + - -w /etc/security/opasswd -p wa -k identity + - comment: CIS 4.1.3.9 - Discretionary access 
control permission modifications + rule: + - -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset + -F key=perm_mod + - -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F + auid!=unset -F key=perm_mod + - -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset + -F key=perm_mod + - -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F + auid!=unset -F key=perm_mod + - -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr + -F auid>=1000 -F auid!=unset -F key=perm_mod + - -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr + -F auid>=1000 -F auid!=unset -F key=perm_mod + - comment: CIS 4.1.3.10 - Successful file system mounts + rule: + - -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + - -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + - comment: CIS 4.1.3.11 - Session initiation information + rule: + - -w /var/run/utmp -p wa -k session + - -w /var/log/wtmp -p wa -k logins + - -w /var/log/btmp -p wa -k logins + - comment: CIS 4.1.3.12 - Login and logout events + rule: + - -w /var/log/lastlog -p wa -k logins + - -w /var/log/tallylog -p wa -k logins + - -w /var/run/faillock -p wa -k logins + - comment: CIS 4.1.3.13 - File deletion events by users + rule: + - -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 + -F auid!=unset -k delete + - -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 + -F auid!=unset -k delete + - comment: CIS 4.1.3.14 - Changes to the Mandatory Access Controls + rule: + - -w /etc/selinux/ -p wa -k MAC-policy + - -w /usr/share/selinux/ -p wa -k MAC-policy + - comment: CIS 4.1.3.19 - Kernel module loading unloading and modification + rule: + - -a always,exit -F arch=b64 -S finit_module,create_module,query_module -F auid>=1000 + -F auid!=unset -k 
kernel_modules + - -a always,exit -F arch=b32 -S finit_module,create_module,query_module -F auid>=1000 + -F auid!=unset -k kernel_modules + - -a always,exit -F arch=b64 -S init_module,delete_module -k kernel_modules + - -a always,exit -F arch=b32 -S init_module,delete_module -k kernel_modules + - -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset + -k kernel_modules +``` + +### auditd_main_rules_extra + +#### Default value + +```YAML +auditd_main_rules_extra: [] +``` + +### auditd_max_log_file + +Maximum size of a single logfile (MB) + +#### Default value + +```YAML +auditd_max_log_file: 10 +``` + +### auditd_max_log_file_action + +#### Default value + +```YAML +auditd_max_log_file_action: rotate +``` + +### auditd_num_logs + +Number of logs to keep + +#### Default value + +```YAML +auditd_num_logs: 5 +``` + +### auditd_optional_rules_default + +#### Default value + +```YAML +auditd_optional_rules_default: [] +``` + +### auditd_optional_rules_extra + +#### Default value + +```YAML +auditd_optional_rules_extra: [] +``` + +### auditd_reboot_on_change + +#### Default value + +```YAML +auditd_reboot_on_change: false +``` + +### auditd_refuse_manual_stop + +This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead. +For security reasons, this option should only be disabled for testing purposes. + +#### Default value + +```YAML +auditd_refuse_manual_stop: true +``` + +### auditd_space_left_action + +#### Default value + +```YAML +auditd_space_left_action: email +``` + +## Dependencies + +None. + +## License + +MIT + +## Author + +[Robert Kaussow](https://gitea.rknet.org/xoxys)
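Review bot: the `auditd_config_immutable` description is a run-on that never states the consequence of the setting, and it should: once the audit configuration is made immutable it cannot be changed again until the host reboots, so with the documented default `auditd_reboot_on_change: false` a later rule change pushed by this role will not take effect on an immutable host. Suggest splitting the sentence ("The auditd daemon is configured to use the augenrules program ... (the default)." / "Use this option to make the auditd configuration immutable; rule changes then require a reboot, see `auditd_reboot_on_change`."). Same section of the README: `auditd_admin_space_left_action: halt` is a default that halts the machine when the audit partition fills, yet it, `auditd_space_left_action`, `auditd_action_mail_acct`, `auditd_buffer_size` and `auditd_max_log_file_action` carry no description at all; a one-line explanation of each, plus a warning on the `halt` default, would save operators a surprise. Minor: in `auditd_exclude_rule_stages` the list mixes `12-filter.rules` style names with a bare `90-finalize`, and "Availabe" should be "Available"; in the main rules the same condition is written both as `-F auid!=unset` and `-F auid!=4294967295` (CIS 4.1.3.10), which is equivalent but worth normalising to one form.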