xoxys.auditd/README.md

330 lines
9.5 KiB
Markdown

# xoxys.auditd
[![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.auditd/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.auditd)
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.auditd/src/branch/main/LICENSE)
Setup the Linux Auditing System.
## Table of content
- [Requirements](#requirements)
- [Default Variables](#default-variables)
- [auditd_action_mail_acct](#auditd_action_mail_acct)
- [auditd_admin_space_left_action](#auditd_admin_space_left_action)
- [auditd_buffer_size](#auditd_buffer_size)
- [auditd_config_immutable](#auditd_config_immutable)
- [auditd_exclude_rule_stages](#auditd_exclude_rule_stages)
- [auditd_failure_mode](#auditd_failure_mode)
- [auditd_filter_rules_default](#auditd_filter_rules_default)
- [auditd_filter_rules_extra](#auditd_filter_rules_extra)
- [auditd_main_rules_default](#auditd_main_rules_default)
- [auditd_main_rules_extra](#auditd_main_rules_extra)
- [auditd_max_log_file](#auditd_max_log_file)
- [auditd_max_log_file_action](#auditd_max_log_file_action)
- [auditd_num_logs](#auditd_num_logs)
- [auditd_optional_rules_default](#auditd_optional_rules_default)
- [auditd_optional_rules_extra](#auditd_optional_rules_extra)
- [auditd_reboot_on_change](#auditd_reboot_on_change)
- [auditd_refuse_manual_stop](#auditd_refuse_manual_stop)
- [auditd_space_left_action](#auditd_space_left_action)
- [Dependencies](#dependencies)
- [License](#license)
- [Author](#author)
---
## Requirements
- Minimum Ansible version: `2.10`
## Default Variables
### auditd_action_mail_acct
#### Default value
```YAML
auditd_action_mail_acct: root
```
### auditd_admin_space_left_action
#### Default value
```YAML
auditd_admin_space_left_action: halt
```
### auditd_buffer_size
#### Default value
```YAML
auditd_buffer_size: 8192
```
### auditd_config_immutable
The auditd daemon is configured to use the augenrules program to read audit rules during
daemon startup (the default), use this option to make the auditd configuration immutable.
#### Default value
```YAML
auditd_config_immutable: false
```
### auditd_exclude_rule_stages
There is a set of pre-defined rule stages you can exclude if needed. Availabe stages:
10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize
#### Default value
```YAML
auditd_exclude_rule_stages: []
```
#### Example usage
```YAML
auditd_exclude_rule_stages:
- 10-start.rules
- 90-finalize
```
### auditd_failure_mode
Possible values: 0 (silent) | 1 (printk, print a failure message) | 2 (panic, halt the system)
#### Default value
```YAML
auditd_failure_mode: 1
```
### auditd_filter_rules_default
#### Default value
```YAML
auditd_filter_rules_default:
- comment: Ignore current working directory records
rule: -a always,exclude -F msgtype=CWD
- comment: Ignore EOE records (End Of Event, not needed)
rule: -a always,exclude -F msgtype=EOE
- comment: Cron jobs fill the logs with stuff we normally don't want
rule:
- -a never,user -F subj_type=crond_t
- -a exit,never -F subj_type=crond_t
- comment: This is not very interesting and wastes a lot of space if the server
is public facing
rule: -a always,exclude -F msgtype=CRYPTO_KEY_USER
- comment: High Volume Event Filter
rule:
- -a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess
- -a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
- -a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm
- -a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm
```
### auditd_filter_rules_extra
#### Default value
```YAML
auditd_filter_rules_extra: []
```
#### Example usage
```YAML
auditd_filter_rules_extra:
- comment: Ignore current working directory records # defaults to not set
rule: '-a always,exclude -F msgtype=CWD' # can be list or string
state: present # defaults to present
```
### auditd_main_rules_default
#### Default value
```YAML
auditd_main_rules_default:
- comment: CIS 4.1.3.1 - Changes to system administration scope
rule:
- -w /etc/sudoers -p wa -k actions
- -w /etc/sudoers.d/ -p wa -k actions
- comment: CIS 4.1.3.4 - Events that modify date and time information
rule:
- -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time_change
- -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k
time_change
- -w /etc/localtime -p wa -k time-change
- comment: CIS 4.1.3.5 - Changes to the network environment
rule:
- -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
- -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
- -w /etc/issue -p wa -k system-locale
- -w /etc/issue.net -p wa -k system-locale
- -w /etc/hosts -p wa -k system-locale
- -w /etc/sysconfig/network -p wa -k system-locale
- -w /etc/sysconfig/network-scripts/ -p wa -k system-locale
- comment: CIS 4.1.3.7 - Unsuccessful file access attempts
rule:
- -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES
-F auid>=1000 -F auid!=unset -k access
- -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM
-F auid>=1000 -F auid!=unset -k access
- -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES
-F auid>=1000 -F auid!=unset -k access
- -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM
-F auid>=1000 -F auid!=unset -k access
- comment: CIS 4.1.3.8 - Modify user/group information
rule:
- -w /etc/group -p wa -k identity
- -w /etc/passwd -p wa -k identity
- -w /etc/gshadow -p wa -k identity
- -w /etc/shadow -p wa -k identity
- -w /etc/security/opasswd -p wa -k identity
- comment: CIS 4.1.3.9 - Discretionary access control permission modifications
rule:
- -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset
-F key=perm_mod
- -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F
auid!=unset -F key=perm_mod
- -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset
-F key=perm_mod
- -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F
auid!=unset -F key=perm_mod
- -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
-F auid>=1000 -F auid!=unset -F key=perm_mod
- -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
-F auid>=1000 -F auid!=unset -F key=perm_mod
- comment: CIS 4.1.3.10 - Successful file system mounts
rule:
- -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
- -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
- comment: CIS 4.1.3.11 - Session initiation information
rule:
- -w /var/run/utmp -p wa -k session
- -w /var/log/wtmp -p wa -k logins
- -w /var/log/btmp -p wa -k logins
- comment: CIS 4.1.3.12 - Login and logout events
rule:
- -w /var/log/lastlog -p wa -k logins
- -w /var/log/tallylog -p wa -k logins
- -w /var/run/faillock -p wa -k logins
- comment: CIS 4.1.3.13 - File deletion events by users
rule:
- -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000
-F auid!=unset -k delete
- -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000
-F auid!=unset -k delete
- comment: CIS 4.1.3.14 - Changes to the Mandatory Access Controls
rule:
- -w /etc/selinux/ -p wa -k MAC-policy
- -w /usr/share/selinux/ -p wa -k MAC-policy
- comment: CIS 4.1.3.19 - Kernel module loading unloading and modification
rule:
- -a always,exit -F arch=b64 -S finit_module,create_module,query_module -F auid>=1000
-F auid!=unset -k kernel_modules
- -a always,exit -F arch=b32 -S finit_module,create_module,query_module -F auid>=1000
-F auid!=unset -k kernel_modules
- -a always,exit -F arch=b64 -S init_module,delete_module -k kernel_modules
- -a always,exit -F arch=b32 -S init_module,delete_module -k kernel_modules
- -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset
-k kernel_modules
```
### auditd_main_rules_extra
#### Default value
```YAML
auditd_main_rules_extra: []
```
### auditd_max_log_file
Maximum size of a single logfile (MB)
#### Default value
```YAML
auditd_max_log_file: 10
```
### auditd_max_log_file_action
#### Default value
```YAML
auditd_max_log_file_action: rotate
```
### auditd_num_logs
Number of logs to keep
#### Default value
```YAML
auditd_num_logs: 5
```
### auditd_optional_rules_default
#### Default value
```YAML
auditd_optional_rules_default: []
```
### auditd_optional_rules_extra
#### Default value
```YAML
auditd_optional_rules_extra: []
```
### auditd_reboot_on_change
#### Default value
```YAML
auditd_reboot_on_change: false
```
### auditd_refuse_manual_stop
This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead.
For security reasons, this option should only be disabled for testing purposes.
#### Default value
```YAML
auditd_refuse_manual_stop: true
```
### auditd_space_left_action
#### Default value
```YAML
auditd_space_left_action: email
```
## Dependencies
None.
## License
MIT
## Author
[Robert Kaussow](https://gitea.rknet.org/xoxys)