xoxys.auditd
Set up the Linux Auditing System.
Table of contents
- Requirements
- Default Variables
- auditd_action_mail_acct
- auditd_admin_space_left_action
- auditd_buffer_size
- auditd_config_immutable
- auditd_exclude_rule_stages
- auditd_failure_mode
- auditd_filter_rules_default
- auditd_filter_rules_extra
- auditd_main_rules_default
- auditd_main_rules_extra
- auditd_max_log_file
- auditd_max_log_file_action
- auditd_num_logs
- auditd_optional_rules_default
- auditd_optional_rules_extra
- auditd_reboot_on_change
- auditd_refuse_manual_stop
- auditd_space_left_action
- Dependencies
- License
- Author
Requirements
- Minimum Ansible version: 2.10
Default Variables
auditd_action_mail_acct
Default value
```yaml
auditd_action_mail_acct: root
```
auditd_admin_space_left_action
Default value
```yaml
auditd_admin_space_left_action: halt
```
auditd_buffer_size
Default value
```yaml
auditd_buffer_size: 8192
```
auditd_config_immutable
The auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default). Use this option to make the auditd configuration immutable.
Default value
```yaml
auditd_config_immutable: false
```
auditd_exclude_rule_stages
There is a set of pre-defined rule stages you can exclude if needed. Available stages: 10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize
Default value
```yaml
auditd_exclude_rule_stages: []
```
Example usage
```yaml
auditd_exclude_rule_stages:
  - 10-start.rules
  - 90-finalize
```
auditd_failure_mode
Possible values: 0 (silent) | 1 (printk, print a failure message) | 2 (panic, halt the system)
Default value
```yaml
auditd_failure_mode: 1
```
auditd_filter_rules_default
Default value
```yaml
auditd_filter_rules_default:
  - comment: Ignore current working directory records
    rule: -a always,exclude -F msgtype=CWD
  - comment: Ignore EOE records (End Of Event, not needed)
    rule: -a always,exclude -F msgtype=EOE
  - comment: Cron jobs fill the logs with stuff we normally don't want
    rule:
      - -a never,user -F subj_type=crond_t
      - -a exit,never -F subj_type=crond_t
  - comment: This is not very interesting and wastes a lot of space if the server is public facing
    rule: -a always,exclude -F msgtype=CRYPTO_KEY_USER
  - comment: High Volume Event Filter
    rule:
      - -a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess
      - -a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
      - -a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm
      - -a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm
```
auditd_filter_rules_extra
Default value
```yaml
auditd_filter_rules_extra: []
```
Example usage
```yaml
auditd_filter_rules_extra:
  - comment: Ignore current working directory records # defaults to not set
    rule: '-a always,exclude -F msgtype=CWD' # can be list or string
    state: present # defaults to present
```
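The entry schema above (a `comment`, a `rule` that is either a string or a list, and an optional `state`) is easy to get wrong when layering `*_extra` on top of `*_default`. The following added example, which is not the role's own template code, merges the two lists and renders a stage file so the result can be diffed against what lands in /etc/audit/rules.d/; it assumes that extra entries are appended after the defaults and that `state: absent` removes identical rule strings, and its sample input is constructed.

```python
from typing import Dict, List
# Assumption (not the role's template): extra entries are appended after the
# defaults, and state: absent removes every identical rule string.

def as_list(rule) -> List[str]:
    """The 'rule' key may be a single string or a list of rule strings."""
    return [rule] if isinstance(rule, str) else list(rule)

def merge_rules(default: List[Dict], extra: List[Dict]) -> List[Dict]:
    """Combine *_default and *_extra, honouring the optional 'state' key."""
    absent = set()
    for entry in extra:
        if entry.get("state", "present") == "absent":
            absent.update(as_list(entry["rule"]))
    merged = []
    for entry in default + extra:
        if entry.get("state", "present") == "absent":
            continue
        kept = [r for r in as_list(entry["rule"]) if r not in absent]
        if kept:
            merged.append({"comment": entry.get("comment"), "rule": kept})
    return merged

def render_stage(entries: List[Dict]) -> str:
    """Render one augenrules stage file: a '# comment' line, then its rules."""
    lines = []
    for entry in entries:
        if entry.get("comment"):
            lines.append(f"# {entry['comment']}")
        lines.extend(entry["rule"])
        lines.append("")
    return "\n".join(lines)

# Constructed sample: two of the README's 12-filter defaults plus an extra
# list that drops the CWD filter and adds a PROCTITLE filter.
FILTER_DEFAULT = [
    {"comment": "Ignore current working directory records",
     "rule": "-a always,exclude -F msgtype=CWD"},
    {"comment": "Cron jobs fill the logs with stuff we normally don't want",
     "rule": ["-a never,user -F subj_type=crond_t",
              "-a exit,never -F subj_type=crond_t"]},
]
FILTER_EXTRA = [
    {"rule": "-a always,exclude -F msgtype=CWD", "state": "absent"},
    {"comment": "Ignore PROCTITLE records",
     "rule": "-a always,exclude -F msgtype=PROCTITLE"},
]

if __name__ == "__main__":
    print(render_stage(merge_rules(FILTER_DEFAULT, FILTER_EXTRA)))
```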
auditd_main_rules_default
Default value
```yaml
auditd_main_rules_default:
  - comment: CIS 4.1.3.1 - Changes to system administration scope
    rule:
      - -w /etc/sudoers -p wa -k actions
      - -w /etc/sudoers.d/ -p wa -k actions
  - comment: CIS 4.1.3.4 - Events that modify date and time information
    rule:
      - -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time_change
      - -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time_change
      - -w /etc/localtime -p wa -k time-change
  - comment: CIS 4.1.3.5 - Changes to the network environment
    rule:
      - -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
      - -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
      - -w /etc/issue -p wa -k system-locale
      - -w /etc/issue.net -p wa -k system-locale
      - -w /etc/hosts -p wa -k system-locale
      - -w /etc/sysconfig/network -p wa -k system-locale
      - -w /etc/sysconfig/network-scripts/ -p wa -k system-locale
  - comment: CIS 4.1.3.7 - Unsuccessful file access attempts
    rule:
      - -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      - -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
      - -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      - -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
  - comment: CIS 4.1.3.8 - Modify user/group information
    rule:
      - -w /etc/group -p wa -k identity
      - -w /etc/passwd -p wa -k identity
      - -w /etc/gshadow -p wa -k identity
      - -w /etc/shadow -p wa -k identity
      - -w /etc/security/opasswd -p wa -k identity
  - comment: CIS 4.1.3.9 - Discretionary access control permission modifications
    rule:
      - -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
      - -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
      - -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
      - -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
      - -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
      - -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
  - comment: CIS 4.1.3.10 - Successful file system mounts
    rule:
      - -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
      - -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
  - comment: CIS 4.1.3.11 - Session initiation information
    rule:
      - -w /var/run/utmp -p wa -k session
      - -w /var/log/wtmp -p wa -k logins
      - -w /var/log/btmp -p wa -k logins
  - comment: CIS 4.1.3.12 - Login and logout events
    rule:
      - -w /var/log/lastlog -p wa -k logins
      - -w /var/log/tallylog -p wa -k logins
      - -w /var/run/faillock -p wa -k logins
  - comment: CIS 4.1.3.13 - File deletion events by users
    rule:
      - -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
      - -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
  - comment: CIS 4.1.3.14 - Changes to the Mandatory Access Controls
    rule:
      - -w /etc/selinux/ -p wa -k MAC-policy
      - -w /usr/share/selinux/ -p wa -k MAC-policy
  - comment: CIS 4.1.3.19 - Kernel module loading unloading and modification
    rule:
      - -a always,exit -F arch=b64 -S finit_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules
      - -a always,exit -F arch=b32 -S finit_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules
      - -a always,exit -F arch=b64 -S init_module,delete_module -k kernel_modules
      - -a always,exit -F arch=b32 -S init_module,delete_module -k kernel_modules
      - -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules
```
auditd_main_rules_extra
Default value
```yaml
auditd_main_rules_extra: []
```
auditd_max_log_file
Maximum size of a single log file (MB).
Default value
```yaml
auditd_max_log_file: 10
```
auditd_max_log_file_action
Default value
```yaml
auditd_max_log_file_action: rotate
```
auditd_num_logs
Number of log files to keep.
Default value
```yaml
auditd_num_logs: 5
```
auditd_optional_rules_default
Default value
```yaml
auditd_optional_rules_default: []
```
auditd_optional_rules_extra
Default value
```yaml
auditd_optional_rules_extra: []
```
auditd_reboot_on_change
Default value
```yaml
auditd_reboot_on_change: false
```
auditd_refuse_manual_stop
This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead. For security reasons, this option should only be disabled for testing purposes.
Default value
```yaml
auditd_refuse_manual_stop: true
```
auditd_space_left_action
Default value
```yaml
auditd_space_left_action: email
```
Dependencies
None.
License
MIT