d9ffea8a8f
Author: Robert Kaussow <mail@thegeeklab.de> Date: Sat Sep 24 16:30:28 2022 +0200 add minimal test to molecule
| title | type |
|---|---|
| auditd | docs |
Set up the Linux Auditing System.
- Default Variables
- auditd_action_mail_acct
- auditd_admin_space_left_action
- auditd_buffer_size
- auditd_config_immutable
- auditd_exclude_rule_stages
- auditd_failure_mode
- auditd_filter_rules_default
- auditd_filter_rules_extra
- auditd_main_rules_default
- auditd_main_rules_extra
- auditd_max_log_file
- auditd_max_log_file_action
- auditd_num_logs
- auditd_optional_rules_default
- auditd_optional_rules_extra
- auditd_refuse_manual_stop
- auditd_space_left_action
- Dependencies
Default Variables
auditd_action_mail_acct
Default value
auditd_action_mail_acct: root
auditd_admin_space_left_action
Default value
auditd_admin_space_left_action: SUSPEND
auditd_buffer_size
Default value
auditd_buffer_size: 8192
auditd_config_immutable
The auditd daemon is configured to use the augenrules program to read the audit rules during daemon startup (the default). Use this option to make the loaded auditd configuration immutable: once the rules are locked, neither auditctl nor a rule reload can change them, and a reboot is required to apply a modified rule set.
Default value
auditd_config_immutable: false
auditd_exclude_rule_stages
There is a set of pre-defined rule stages you can exclude if needed. Available stages: 10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize. The stages are loaded in this order, so excluding one drops everything it contributes, not only the rules listed on this page.
Default value
auditd_exclude_rule_stages: []
Example usage
auditd_exclude_rule_stages:
- 10-start.rules
- 90-finalize
auditd_failure_mode
Possible values: 0 (silent) | 1 (printk, print a failure message) | 2 (panic, halt the system)
Default value
auditd_failure_mode: 1
auditd_filter_rules_default
Default value
auditd_filter_rules_default:
- comment: Ignore current working directory records
rule: -a always,exclude -F msgtype=CWD
- comment: Ignore EOE records (End Of Event, not needed)
rule: -a always,exclude -F msgtype=EOE
- comment: Cron jobs fill the logs with stuff we normally don't want
rule:
- -a never,user -F subj_type=crond_t
- -a exit,never -F subj_type=crond_t
- comment: This is not very interesting and wastes a lot of space if the server is public facing
rule: -a always,exclude -F msgtype=CRYPTO_KEY_USER
- comment: High Volume Event Filter
rule:
- -a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess
- -a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
- -a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm
- -a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm
auditd_filter_rules_extra
Default value
auditd_filter_rules_extra: []
Example usage
auditd_filter_rules_extra:
- comment: Ignore current working directory records # defaults to not set
rule: '-a always,exclude -F msgtype=CWD' # can be list or string
state: present # defaults to present
auditd_main_rules_default
Default value
auditd_main_rules_default:
- comment: CIS 4.1.4 - Changes to the time
rule:
- -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
- -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
- -a always,exit -F arch=b64 -S clock_settime -k time-change
- -a always,exit -F arch=b32 -S clock_settime -k time-change
- -w /etc/localtime -p wa -k time-change
- comment: CIS 4.1.5 - Changes to user/group information
rule:
- -w /etc/group -p wa -k identity
- -w /etc/passwd -p wa -k identity
- -w /etc/gshadow -p wa -k identity
- -w /etc/shadow -p wa -k identity
- -w /etc/security/opasswd -p wa -k identity
- comment: CIS 4.1.6 - Changes to the network environment
rule:
- -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
- -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
- -w /etc/issue -p wa -k system-locale
- -w /etc/issue.net -p wa -k system-locale
- -w /etc/hosts -p wa -k system-locale
- -w /etc/network -p wa -k system-locale
- comment: CIS 4.1.7 - Changes to system's Mandatory Access Controls
rule:
- -w /etc/apparmor/ -p wa -k MAC-policy
- -w /etc/apparmor.d/ -p wa -k MAC-policy
- comment: CIS 4.1.8 - Log login/logout events
rule:
- -w /var/log/faillog -p wa -k logins
- -w /var/log/lastlog -p wa -k logins
- -w /var/log/tallylog -p wa -k logins
- comment: CIS 4.1.9 - Log session initiation information
rule:
- -w /var/run/utmp -p wa -k session
- -w /var/log/wtmp -p wa -k logins
- -w /var/log/btmp -p wa -k logins
- comment: CIS 4.1.10 - Log Discretionary Access Control modifications
rule:
- -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
- -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
- -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
- -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
- -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
- -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
- comment: CIS 4.1.11 - Log unsuccessful unauthorized file access attempts
rule:
- -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
- -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
- -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
- -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
- comment: CIS 4.1.13 - Log successful file system mounts
rule:
- -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
- -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
- comment: CIS 4.1.14 - Log file deletion Events by User
rule:
- -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
- -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
- comment: CIS 4.1.15 - Log changes to sudoers
rule:
- -w /etc/sudoers -p wa -k scope
- -w /etc/sudoers.d/ -p wa -k scope
- comment: CIS 4.1.16 - Log sudolog
rule:
- -w /var/log/sudo.log -p wa -k actions
- comment: CIS 4.1.17 - Log kernel module actions
rule:
- -w /sbin/insmod -p x -k modules
- -w /sbin/rmmod -p x -k modules
- -w /sbin/modprobe -p x -k modules
- -a always,exit -F arch=b64 -S init_module -S delete_module -k modules
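How the entry format (`rule` as a string or a list, optional `state`), the stage list under `auditd_exclude_rule_stages` and the default rule lists above fit together, shown as an added Python example. This is not code from the role: the rule strings are copied from this page, but the way stages are concatenated, the `-e 2` line used as sample content for the finalize stage and the lint itself are assumptions for illustration. The lint flags a gap a reviewer would notice in the defaults: the kernel-module syscall rule exists only for `arch=b64`, so on a kernel with 32-bit compat enabled the same syscalls from 32-bit binaries are not audited.

```python
"""Render role-style audit rule entries into the flat lines augenrules would
load, then lint them for b64 syscall rules that have no b32 twin.
Added example, not the ansible-auditd role's own code."""
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple, Union

RuleEntry = Dict[str, Union[str, List[str]]]

# Stage files in the order they are loaded (lexical order, as augenrules does).
STAGES = [
    "10-start.rules", "11-self-audit.rules", "12-filter.rules",
    "30-main.rules", "50-optional.rules", "90-finalize",
]

# Constructed subset of this page's default lists, in the role's entry format.
FILTER_RULES: List[RuleEntry] = [
    {"comment": "Ignore current working directory records",
     "rule": "-a always,exclude -F msgtype=CWD"},
    {"comment": "Cron jobs fill the logs with stuff we normally don't want",
     "rule": ["-a never,user -F subj_type=crond_t",
              "-a exit,never -F subj_type=crond_t"]},
]
MAIN_RULES: List[RuleEntry] = [
    {"comment": "CIS 4.1.13 - Log successful file system mounts",
     "rule": ["-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts",
              "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"]},
    {"comment": "CIS 4.1.17 - Log kernel module actions",
     "rule": ["-w /sbin/insmod -p x -k modules",
              "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules"]},
    # Hypothetical entry showing 'state: absent': it must not be rendered.
    {"comment": "Dropped entry", "rule": "-w /tmp -p wa -k tmp", "state": "absent"},
]


def render_entries(entries: Iterable[RuleEntry]) -> List[str]:
    """Flatten entries: 'rule' may be a string or a list, 'state' defaults to present."""
    lines: List[str] = []
    for entry in entries:
        if entry.get("state", "present") != "present":
            continue
        lines.append(f"# {entry['comment']}")
        rules = entry["rule"]
        lines.extend([rules] if isinstance(rules, str) else rules)
    return lines


def assemble(stage_content: Dict[str, List[str]], excluded: Iterable[str]) -> List[str]:
    """Concatenate the stages in load order, skipping the excluded ones."""
    skip = set(excluded)
    out: List[str] = []
    for stage in STAGES:
        if stage not in skip:
            out.extend(stage_content.get(stage, []))
    return out


def parse_syscall_rule(line: str) -> Optional[Tuple[Optional[str], FrozenSet[str], Optional[str]]]:
    """Return (arch, syscalls, key) for an '-a ... -S ...' rule, None for anything else."""
    tokens = line.split()
    if not tokens or tokens[0] != "-a" or "-S" not in tokens:
        return None
    arch, key, syscalls = None, None, []
    for i, tok in enumerate(tokens[:-1]):
        nxt = tokens[i + 1]
        if tok == "-F" and nxt.startswith("arch="):
            arch = nxt[len("arch="):]
        elif tok == "-S":
            syscalls.append(nxt)
        elif tok == "-k":
            key = nxt
    return arch, frozenset(syscalls), key


def find_missing_b32(lines: Iterable[str]) -> List[str]:
    """Keys of b64 syscall rules that have no b32 rule with the same syscalls and key."""
    parsed = [p for p in map(parse_syscall_rule, lines) if p is not None]
    b32 = {(syscalls, key) for arch, syscalls, key in parsed if arch == "b32"}
    return sorted(str(key) for arch, syscalls, key in parsed
                  if arch == "b64" and (syscalls, key) not in b32)


if __name__ == "__main__":
    content = {
        "12-filter.rules": render_entries(FILTER_RULES),
        "30-main.rules": render_entries(MAIN_RULES),
        "90-finalize": ["-e 2"],  # assumed finalize content when config is immutable
    }
    for line in assemble(content, excluded=[]):
        print(line)
    print("b64 rules without a b32 twin:", find_missing_b32(assemble(content, excluded=[])))
```

Running it prints the assembled rule file and reports `modules` as the only key lacking a 32-bit counterpart; adding the matching `-F arch=b32` rule to `auditd_main_rules_extra` closes that gap without touching the defaults.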
auditd_main_rules_extra
Default value
auditd_main_rules_extra: []
auditd_max_log_file
Maximum size of a single logfile (MB)
Default value
auditd_max_log_file: 10
auditd_max_log_file_action
Default value
auditd_max_log_file_action: ROTATE
auditd_num_logs
Number of logs to keep
Default value
auditd_num_logs: 5
auditd_optional_rules_default
Default value
auditd_optional_rules_default: []
auditd_optional_rules_extra
Default value
auditd_optional_rules_extra: []
auditd_refuse_manual_stop
This option prevents auditd from being stopped or restarted manually at runtime; applying a changed configuration then requires a reboot. For security reasons, this option should only be disabled for testing purposes.
Default value
auditd_refuse_manual_stop: true
auditd_space_left_action
Default value
auditd_space_left_action: SYSLOG
Dependencies
None.