---
# @var auditd_exclude_rule_stages:description: >
# There is a set of pre-defined rule stages you can exclude if needed. Availabe stages:
# 10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize
# @var auditd_exclude_rule_stages:example: $ ["10-start.rules", "90-finalize"]
auditd_exclude_rule_stages: []

# @var auditd_refuse_manual_stop:description: >
# This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead.
# For security reasons, this option should only be disabled for testing purposes.
auditd_refuse_manual_stop: True

# @var auditd_config_immutable:description: >
# The auditd daemon is configured to use the augenrules program to read audit rules during
# daemon startup (the default), use this option to make the auditd configuration immutable.
auditd_config_immutable: False

auditd_buffer_size: 8192
# @var auditd_failure_mode:description: >
# Possible values: 0 (silent) | 1 (printk, print a failure message) | 2 (panic, halt the system)
auditd_failure_mode: 1

# @var auditd_max_log_file:description: Maximum size of a single logfile (MB)
auditd_max_log_file: 10
# @var auditd_num_logs:description: Number of logs to keep
auditd_num_logs: 5

auditd_space_left_action: SYSLOG
auditd_action_mail_acct: root
auditd_admin_space_left_action: SUSPEND

auditd_max_log_file_action: ROTATE

# @var auditd_filter_rules_extra:example: >
# auditd_filter_rules_extra:
#   - comment: Ignore current working directory records # defaults to not set
#     rule: '-a always,exclude -F msgtype=CWD' # can be list or string
#     state: present # defaults to present
auditd_filter_rules_default:
  - comment: Ignore current working directory records
    rule: "-a always,exclude -F msgtype=CWD"
  - comment: Ignore EOE records (End Of Event, not needed)
    rule: "-a always,exclude -F msgtype=EOE"
  - comment: Cron jobs fill the logs with stuff we normally don't want
    rule:
      - "-a never,user -F subj_type=crond_t"
      - "-a exit,never -F subj_type=crond_t"
  - comment: This is not very interesting and wastes a lot of space if the server is public facing
    rule: "-a always,exclude -F msgtype=CRYPTO_KEY_USER"
  - comment: High Volume Event Filter
    rule:
      - "-a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess"
      - "-a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess"
      - "-a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm"
      - "-a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm"

auditd_filter_rules_extra: []

auditd_main_rules_default:
  - comment: CIS 4.1.4 - Changes to the time
    rule:
      - "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change"
      - "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change"
      - "-a always,exit -F arch=b64 -S clock_settime -k time-change"
      - "-a always,exit -F arch=b32 -S clock_settime -k time-change"
      - "-w /etc/localtime -p wa -k time-change"
  - comment: CIS 4.1.5 - Changes to user/group information
    rule:
      - "-w /etc/group -p wa -k identity"
      - "-w /etc/passwd -p wa -k identity"
      - "-w /etc/gshadow -p wa -k identity"
      - "-w /etc/shadow -p wa -k identity"
      - "-w /etc/security/opasswd -p wa -k identity"
  - comment: CIS 4.1.6 - Changes to the network environment
    rule:
      - "-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale"
      - "-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale"
      - "-w /etc/issue -p wa -k system-locale"
      - "-w /etc/issue.net -p wa -k system-locale"
      - "-w /etc/hosts -p wa -k system-locale"
      - "-w /etc/network -p wa -k system-locale"
  - comment: CIS 4.1.7 - Changes to system's Mandatory Access Controls
    rule:
      - "-w /etc/apparmor/ -p wa -k MAC-policy"
      - "-w /etc/apparmor.d/ -p wa -k MAC-policy"
  - comment: CIS 4.1.8 - Log login/logout events
    rule:
      - "-w /var/log/faillog -p wa -k logins"
      - "-w /var/log/lastlog -p wa -k logins"
      - "-w /var/log/tallylog -p wa -k logins"
  - comment: CIS 4.1.9 - Log session initiation information
    rule:
      - "-w /var/run/utmp -p wa -k session"
      - "-w /var/log/wtmp -p wa -k logins"
      - "-w /var/log/btmp -p wa -k logins"
  - comment: CIS 4.1.10 - Log Discretionary Access Control modifications
    rule:
      - "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod"
      - "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod"
      - "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod"
      - "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod"
      - "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod"
      - "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod"
  - comment: CIS 4.1.11 - Log unsuccessful unauthorized file access attempts
    rule:
      - "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access"
      - "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access"
      - "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access"
      - "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access"
  - comment: CIS 4.1.13 - Log successful file system mounts
    rule:
      - "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
      - "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
  - comment: CIS 4.1.14 - Log file deletion Events by User
    rule:
      - "-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete"
      - "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete"
  - comment: CIS 4.1.15 - Log changes to sudoers
    rule:
      - "-w /etc/sudoers -p wa -k scope"
      - "-w /etc/sudoers.d/ -p wa -k scope"
  - comment: CIS 4.1.16 - Log sudolog
    rule:
      - "-w /var/log/sudo.log -p wa -k actions"
  - comment: CIS 4.1.17 - Log kernel module actions
    rule:
      - "-w /sbin/insmod -p x -k modules"
      - "-w /sbin/rmmod -p x -k modules"
      - "-w /sbin/modprobe -p x -k modules"
      - "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules"

auditd_main_rules_extra: []

auditd_optional_rules_default: []
auditd_optional_rules_extra: []