
auditd

License: MIT

Set up the Linux Auditing System (auditd) with a staged set of audit rules.


Default Variables

auditd_action_mail_acct

Mailbox that receives the warnings generated by the email actions below (see auditd_space_left_action). Delivery to this account must actually work on the host, otherwise a disk-space warning is silently lost.

Default value

auditd_action_mail_acct: root

auditd_admin_space_left_action

Action taken when free space on the log partition drops below the admin_space_left threshold. halt shuts the machine down rather than let it run without audit coverage (fail closed); single would drop to single-user mode and suspend would only stop logging. With halt, a full audit partition takes the host offline, so size the partition and the rotation settings (auditd_max_log_file, auditd_num_logs) with that in mind.

Default value

auditd_admin_space_left_action: halt

auditd_buffer_size

Kernel audit backlog limit (auditctl -b), i.e. how many audit buffers may be outstanding before events are lost. Raise it on busy hosts; when the backlog is exhausted the kernel acts according to auditd_failure_mode.

Default value

auditd_buffer_size: 8192

auditd_config_immutable

The auditd daemon reads its rules through the augenrules program at daemon startup (the default). Set this option to make the loaded configuration immutable (the -e 2 control rule): afterwards no rules can be added, removed or changed until the next reboot, so pair it with auditd_reboot_on_change if this role is expected to change rules on a running host.

Default value

Default value

auditd_config_immutable: false

auditd_exclude_rule_stages

The rule set is assembled from pre-defined stages that augenrules loads in numeric order; any of them can be excluded if needed. Available stages: 10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize. Because audit rules are matched in order, the never/exclude rules of 12-filter.rules only suppress events because they precede 30-main.rules. Excluding the self-audit or finalize stages weakens the setup and should be a deliberate choice.

Default value

Default value

auditd_exclude_rule_stages: []

Example usage

auditd_exclude_rule_stages:
  - 10-start.rules
  - 90-finalize

auditd_failure_mode

Kernel failure flag (auditctl -f), i.e. what the kernel does when it cannot deliver an audit event. Possible values: 0 (silent) | 1 (printk, print a failure message) | 2 (panic, halt the system). Mode 2 turns lost audit events into a kernel panic and is only appropriate where audit integrity outweighs availability.

Default value

auditd_failure_mode: 1

auditd_filter_rules_default

Default value

auditd_filter_rules_default:
  - comment: Ignore current working directory records
    rule: -a always,exclude -F msgtype=CWD
  - comment: Ignore EOE records (End Of Event, not needed)
    rule: -a always,exclude -F msgtype=EOE
  - comment: Cron jobs fill the logs with stuff we normally don't want
    rule:
      - -a never,user -F subj_type=crond_t
      - -a exit,never -F subj_type=crond_t
  - comment: This is not very interesting and wastes a lot of space if the server
      is public facing
    rule: -a always,exclude -F msgtype=CRYPTO_KEY_USER
  - comment: High Volume Event Filter
    rule:
      - -a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess
      - -a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
      - -a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm
      - -a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm

auditd_filter_rules_extra

Default value

auditd_filter_rules_extra: []

Example usage

auditd_filter_rules_extra:
  - comment: Ignore current working directory records # defaults to not set
    rule: '-a always,exclude -F msgtype=CWD' # can be list or string
    state: present # defaults to present

auditd_main_rules_default

Default value

auditd_main_rules_default:
  - comment: CIS 4.1.3.1 - Changes to system administration scope
    rule:
      - -w /etc/sudoers -p wa -k actions
      - -w /etc/sudoers.d/ -p wa -k actions
  - comment: CIS 4.1.3.4 - Events that modify date and time information
    rule:
      - -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time_change
      - -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k
        time_change
      - -w /etc/localtime -p wa -k time-change
  - comment: CIS 4.1.3.5 - Changes to the network environment
    rule:
      - -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
      - -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
      - -w /etc/issue -p wa -k system-locale
      - -w /etc/issue.net -p wa -k system-locale
      - -w /etc/hosts -p wa -k system-locale
      - -w /etc/sysconfig/network -p wa -k system-locale
      - -w /etc/sysconfig/network-scripts/ -p wa -k system-locale
  - comment: CIS 4.1.3.7 - Unsuccessful file access attempts
    rule:
      - -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES
        -F auid>=1000 -F auid!=unset -k access
      - -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM
        -F auid>=1000 -F auid!=unset -k access
      - -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES
        -F auid>=1000 -F auid!=unset -k access
      - -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM
        -F auid>=1000 -F auid!=unset -k access
  - comment: CIS 4.1.3.8 - Modify user/group information
    rule:
      - -w /etc/group -p wa -k identity
      - -w /etc/passwd -p wa -k identity
      - -w /etc/gshadow -p wa -k identity
      - -w /etc/shadow -p wa -k identity
      - -w /etc/security/opasswd -p wa -k identity
  - comment: CIS 4.1.3.9 - Discretionary access control permission modifications
    rule:
      - -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset
        -F key=perm_mod
      - -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F
        auid!=unset -F key=perm_mod
      - -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset
        -F key=perm_mod
      - -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F
        auid!=unset -F key=perm_mod
      - -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
        -F auid>=1000 -F auid!=unset -F key=perm_mod
      - -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
        -F auid>=1000 -F auid!=unset -F key=perm_mod
  - comment: CIS 4.1.3.10 - Successful file system mounts
    rule:
      - -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
      - -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
  - comment: CIS 4.1.3.11 - Session initiation information
    rule:
      - -w /var/run/utmp -p wa -k session
      - -w /var/log/wtmp -p wa -k logins
      - -w /var/log/btmp -p wa -k logins
  - comment: CIS 4.1.3.12 - Login and logout events
    rule:
      - -w /var/log/lastlog -p wa -k logins
      - -w /var/log/tallylog -p wa -k logins
      - -w /var/run/faillock -p wa -k logins
  - comment: CIS 4.1.3.13 - File deletion events by users
    rule:
      - -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000
        -F auid!=unset -k delete
      - -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000
        -F auid!=unset -k delete
  - comment: CIS 4.1.3.14 - Changes to the Mandatory Access Controls
    rule:
      - -w /etc/selinux/ -p wa -k MAC-policy
      - -w /usr/share/selinux/ -p wa -k MAC-policy
  - comment: CIS 4.1.3.19 - Kernel module loading unloading and modification
    rule:
      - -a always,exit -F arch=b64 -S finit_module,create_module,query_module -F auid>=1000
        -F auid!=unset -k kernel_modules
      - -a always,exit -F arch=b32 -S finit_module,create_module,query_module -F auid>=1000
        -F auid!=unset -k kernel_modules
      - -a always,exit -F arch=b64 -S init_module,delete_module -k kernel_modules
      - -a always,exit -F arch=b32 -S init_module,delete_module -k kernel_modules
      - -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset
        -k kernel_modules

auditd_main_rules_extra

Additional rules merged into the 30-main.rules stage alongside auditd_main_rules_default; entries use the same comment/rule structure.

Default value

auditd_main_rules_extra: []

auditd_max_log_file

Maximum size of a single log file in MB before auditd_max_log_file_action is applied.

Default value

auditd_max_log_file: 10

auditd_max_log_file_action

Action taken when a log file reaches auditd_max_log_file. rotate starts a new file and keeps auditd_num_logs files; keep_logs rotates without discarding old files (auditd_num_logs is ignored).

Default value

auditd_max_log_file_action: rotate

auditd_num_logs

Number of logs to keep

Default value

auditd_num_logs: 5

auditd_optional_rules_default

Rules for the 50-optional.rules stage, empty by default.

Default value

auditd_optional_rules_default: []

auditd_optional_rules_extra

Additional rules merged into the 50-optional.rules stage.

Default value

auditd_optional_rules_extra: []

auditd_reboot_on_change

Reboot the host when this role changes the audit rules or configuration. Needed where runtime restarts are refused (auditd_refuse_manual_stop) or the configuration is immutable (auditd_config_immutable); otherwise the running kernel keeps the old rule set until the next reboot.

Default value

auditd_reboot_on_change: false

auditd_refuse_manual_stop

With this option auditd refuses to be stopped or restarted manually at runtime, so changes to its rules or configuration only take effect after a reboot (see auditd_reboot_on_change). For security reasons, disable this only for testing.

Default value

auditd_refuse_manual_stop: true

auditd_space_left_action

Action taken when free space on the log partition falls below the space_left threshold. email sends a warning to auditd_action_mail_acct, which requires working local mail delivery; when the lower admin_space_left threshold is reached, auditd_admin_space_left_action applies instead.

Default value

auditd_space_left_action: email
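The following playbook is an added example of wiring these variables together; it is not part of the role or its documentation. It assumes the role is installed under the name `auditd`, an inventory group `audited_hosts`, that `state: absent` on an extra entry removes the matching default rule, that `auditd_buffer_size` sets the kernel backlog limit (`auditctl -b`), and that the role has rebooted the host or restarted auditd before the post_tasks run, so the kernel already holds the new rule set. The post_tasks read back `auditctl -s` and `auditctl -l` and fail the play if the kernel state does not match the requested configuration: `enabled 2` is what an immutable configuration looks like, and the defaults for buffer size and failure mode appear as `backlog_limit 8192` and `failure 1`.

```yaml
# Added example playbook (not part of the role): apply the role with a locked
# rule set and verify afterwards that the kernel really reflects it.
- name: Deploy auditd with an immutable rule set
  hosts: audited_hosts             # assumed inventory group
  become: true
  vars:
    auditd_action_mail_acct: root
    auditd_config_immutable: true
    auditd_reboot_on_change: true  # immutable rules only change across a reboot
    auditd_refuse_manual_stop: true
    # Keep CRYPTO_KEY_USER records (SSH key usage) on hosts that are not
    # public facing by removing the default exclusion of that message type.
    auditd_filter_rules_extra:
      - comment: Keep CRYPTO_KEY_USER records on internal hosts
        rule: -a always,exclude -F msgtype=CRYPTO_KEY_USER
        state: absent              # assumed to remove the matching default
    auditd_main_rules_extra:
      - comment: Changes to the SSH daemon configuration
        rule:
          - -w /etc/ssh/sshd_config -p wa -k sshd_config
          - -w /etc/ssh/sshd_config.d/ -p wa -k sshd_config
      - comment: CIS 4.1.3.2 - Actions as another user (sudo, su, setuid binaries)
        rule:
          - -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
          - -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
  roles:
    - auditd                       # role name/namespace assumed

  post_tasks:
    - name: Read the kernel audit status
      ansible.builtin.command: auditctl -s
      register: audit_status
      changed_when: false

    - name: Read the rules the kernel actually loaded
      ansible.builtin.command: auditctl -l
      register: audit_rules
      changed_when: false

    - name: The kernel state must match the role configuration
      ansible.builtin.assert:
        that:
          - "'enabled 2' in audit_status.stdout_lines"          # configuration is immutable
          - "'failure 1' in audit_status.stdout_lines"          # auditd_failure_mode default
          - "'backlog_limit 8192' in audit_status.stdout_lines" # auditd_buffer_size default
          - "'-k sshd_config' in audit_rules.stdout"
          - "'-k user_emulation' in audit_rules.stdout"
          - "'msgtype=CRYPTO_KEY_USER' not in audit_rules.stdout"
        fail_msg: "loaded audit state does not match the requested configuration"
```

Reading the state back from the kernel rather than from the files in /etc/audit/rules.d is the point of the post_tasks: with an immutable configuration, a rules file can be edited on disk while the kernel keeps enforcing the old set until the next reboot, and the assertion on `enabled 2` is what proves the lock is actually in place.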

Dependencies

None.