├── .delivery └── project.toml ├── .editorconfig ├── .gitattributes ├── .github ├── CODEOWNERS └── workflows │ ├── branchcleanup.yml │ └── delivery.yml ├── .gitignore ├── .travis.yml ├── .vscode └── extensions.json ├── Berksfile ├── CHANGELOG.md ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── Gemfile ├── LICENSE ├── README.md ├── TESTING.md ├── attributes └── default.rb ├── chefignore ├── kitchen.dokken.yml ├── kitchen.yml ├── libraries └── auditd_helper.rb ├── metadata.rb ├── recipes ├── conf.rb ├── default.rb ├── remove.rb └── rules.rb ├── resources ├── builtins.rb ├── conf_file.rb └── ruleset.rb ├── spec └── .gitkeep ├── templates ├── capp.rules.erb ├── cis.auditd.conf.erb ├── cis.rules.erb ├── default.rules.erb ├── lspp.rules.erb ├── nispom.rules.erb └── stig.rules.erb └── test └── integration ├── capp └── run_spec.rb ├── cis └── run_spec.rb ├── default └── run_spec.rb └── stig └── run_spec.rb /.delivery/project.toml: -------------------------------------------------------------------------------- 1 | remote_file = "https://raw.githubusercontent.com/chef-cookbooks/community_cookbook_tools/master/delivery/project.toml" 2 | -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | # https://EditorConfig.org 2 | 3 | # top-most EditorConfig file 4 | root=true 5 | 6 | # Unix-style newlines with a newline ending every file 7 | [*] 8 | end_of_line = lf 9 | insert_final_newline = true 10 | 11 | # 2 space indentation 12 | indent_style = space 13 | indent_size = 2 14 | 15 | # Avoid issues parsing cookbook files later 16 | charset = utf-8 17 | 18 | # Avoid cookstyle warnings 19 | trim_trailing_whitespace = true 20 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | * text=auto eol=lf 2 | 
-------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @chef-cookbooks/cookbook_engineering_team 2 | -------------------------------------------------------------------------------- /.github/workflows/branchcleanup.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Branch Cleanup 3 | # This workflow is triggered on all closed pull requests. 4 | # However the script does not do anything if a merge was not performed. 5 | "on": 6 | pull_request: 7 | types: [closed] 8 | 9 | env: 10 | NO_BRANCH_DELETED_EXIT_CODE: 0 11 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 12 | 13 | jobs: 14 | build: 15 | runs-on: ubuntu-latest 16 | steps: 17 | - uses: jessfraz/branch-cleanup-action@master 18 | -------------------------------------------------------------------------------- /.github/workflows/delivery.yml: -------------------------------------------------------------------------------- 1 | name: delivery 2 | 3 | on: [push, pull_request] 4 | 5 | jobs: 6 | delivery: 7 | 8 | runs-on: ubuntu-latest 9 | 10 | steps: 11 | - name: Check out code 12 | uses: actions/checkout@master 13 | - name: Run Chef Delivery 14 | uses: actionshub/chef-delivery@master 15 | env: 16 | CHEF_LICENSE: accept-no-persist -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.rbc 2 | .config 3 | InstalledFiles 4 | lib/bundler/man 5 | pkg 6 | test/tmp 7 | test/version_tmp 8 | tmp 9 | _Store 10 | *~ 11 | *# 12 | .#* 13 | \#*# 14 | *.un~ 15 | *.tmp 16 | *.bk 17 | *.bkup 18 | 19 | # editor temp files 20 | .idea 21 | .*.sw[a-z] 22 | 23 | # ruby/bundler files 24 | .ruby-version 25 | .ruby-gemset 26 | .rvmrc 27 | Gemfile.lock 28 | .bundle 29 | *.gem 30 | coverage 31 | spec/reports 32 | 33 | # YARD / rdoc 
artifacts 34 | .yardoc 35 | _yardoc 36 | doc/ 37 | rdoc 38 | 39 | # chef infra stuff 40 | Berksfile.lock 41 | .kitchen 42 | kitchen.local.yml 43 | vendor/ 44 | .coverage/ 45 | .zero-knife.rb 46 | Policyfile.lock.json 47 | 48 | # vagrant stuff 49 | .vagrant/ 50 | .vagrant.d/ 51 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | addons: 2 | apt: 3 | sources: 4 | - chef-current-xenial 5 | packages: 6 | - chef-workstation 7 | 8 | install: echo "skip bundle install" 9 | 10 | env: 11 | - CHEF_LICENSE=accept 12 | 13 | branches: 14 | only: 15 | - master 16 | 17 | services: docker 18 | 19 | env: 20 | matrix: 21 | - INSTANCE=default-ubuntu-1604 22 | - INSTANCE=default-ubuntu-1804 23 | 24 | before_script: 25 | - sudo iptables -L DOCKER || ( echo "DOCKER iptables chain missing" ; sudo iptables -N DOCKER ) 26 | - eval "$(chef shell-init bash)" 27 | - chef --version 28 | 29 | script: KITCHEN_LOCAL_YAML=kitchen.dokken.yml kitchen verify ${INSTANCE} 30 | 31 | matrix: 32 | include: 33 | - script: 34 | - delivery local all 35 | env: 36 | - UNIT_AND_LINT=1 37 | - CHEF_LICENSE=accept 38 | -------------------------------------------------------------------------------- /.vscode/extensions.json: -------------------------------------------------------------------------------- 1 | { 2 | "recommendations": [ 3 | "chef-software.chef", 4 | "rebornix.ruby", 5 | "editorconfig.editorconfig" 6 | ] 7 | } -------------------------------------------------------------------------------- /Berksfile: -------------------------------------------------------------------------------- 1 | source 'https://supermarket.chef.io' 2 | 3 | metadata 4 | 5 | group :integration do 6 | cookbook 'apt' 7 | end 8 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 
| # CHANGELOG for auditd 2 | 3 | This file is used to list changes made in each version of auditd. 4 | 5 | ## Unreleased 6 | 7 | - resolved cookstyle error: attributes/default.rb:1:1 convention: `Style/Encoding` 8 | - resolved cookstyle error: libraries/auditd_helper.rb:1:1 convention: `Style/Encoding` 9 | - resolved cookstyle error: test/integration/capp/run_spec.rb:1:1 convention: `Style/Encoding` 10 | - resolved cookstyle error: test/integration/cis/run_spec.rb:1:1 convention: `Style/Encoding` 11 | - resolved cookstyle error: test/integration/default/run_spec.rb:1:1 convention: `Style/Encoding` 12 | - resolved cookstyle error: test/integration/stig/run_spec.rb:1:1 convention: `Style/Encoding` 13 | 14 | ## 2.4.0 (2020-03-06) 15 | 16 | - Fix RHEL support - [@bdwyertech](https://github.com/bdwyertech) 17 | - added logic to check for rhel platform_version greater than or equal to 7.5 and modify auditd restart command accordingly - [@danielcbright](https://github.com/danielcbright) 18 | - Cookstyle fixes - [@tas50](https://github.com/tas50) 19 | - Simplify platform check logic - [@tas50](https://github.com/tas50) 20 | - Require Chef 12.15+ instead of 12.7+ - [@tas50](https://github.com/tas50) 21 | 22 | ## 2.3.4 (2018-11-8) 23 | 24 | - Add CIS-rules kitchen suite 25 | - Update CIS rules to match RHEL/CentOS 7 v2.2.0 benchmarks 26 | - Add resource to implement CIS defined auditd conf 27 | - CIS related remediation will only run if "node['auditd']['ruleset']" is set to CIS 28 | 29 | ## 2.3.3 (2018-07-17) 30 | 31 | - Fix ~= typo in CIS rules 32 | 33 | ## 2.3.2 (2018-07-16) 34 | 35 | - Fix support for Debian 9+ / Ubuntu 18.04+ 36 | - Remove Chef 11/early 12 compatibility in metadata 37 | - Handle CIS 4.1.14 differing on CentOS/RHEL 6 38 | 39 | ## 2.3.1 (2018-07-11) 40 | 41 | - Missing -F flag was causing entire list to fail to load. 42 | - Controls that previously had auid>=500 now require auid>=1000 in current CIS benchmarks. 
43 | - Updated the audit rules for 4.1.8 to match the current CIS benchmark. 44 | 45 | ## 2.3.0 (2018-07-10) 46 | 47 | - Remove ChefSpec matchers which are auto generated by ChefSpec now 48 | - Update CIS rules for RHEL/CentOS 7 v2.2.0 benchmarks 49 | 50 | ## 2.2.0 (2017-11-14) 51 | 52 | - Resolve FC108 warnings 53 | - Allow specifying the cookbook where the template is in the builtins resource 54 | - Require Chef 12.7+ due to bugs in 12.5/12.6 custom resources 55 | 56 | ## 2.1.1 (2017-07-13) 57 | 58 | - Install "audit" package for Amazon Linux on Chef 13 59 | 60 | ## 2.1.0 (2017-05-03) 61 | 62 | - Add support for RHEL 7 63 | 64 | ## 2.0.0 (2017-04-26) 65 | 66 | - Convert the existing LWRPs to custom resources, which raises the requires chef version to 12.5+ 67 | - Expand testing to cover the custom resources 68 | - Let Chef can determine the proper restart command instead of hardcoding logic into the recipe 69 | - Test with local delivery and not Rake 70 | - Update apache2 license string 71 | - Update copyrights 72 | 73 | ## 1.0.2 (2017-01-18) 74 | 75 | - Add ChefSpec matchers 76 | 77 | ## 1.0.1 (2016-11-25) 78 | 79 | - Enable use_inline_resources in the LWRPs 80 | - Run integration testing in Travis 81 | 82 | ## 1.0.0 (2016-09-08) 83 | 84 | - Testing updates 85 | - Require Chef 12.0 or later 86 | 87 | ## 0.2.0 (2016-08-11) 88 | 89 | - Add uninstall/remove support 90 | - Update docs with testing and contributing process 91 | - Use Berkshelf not Librarian for dependency management 92 | - Add a travis config 93 | - Add a license file 94 | - Update the testing to use Rake and remove test deps from the Gemfile. We assume you're in ChefDK now 95 | - Update the cookbook owner and add chef_version metadata 96 | - Use the new notification syntax in templates 97 | - Cookstyle fixes to the code 98 | - Remove the utf encoding comments. 
There's no need for this 99 | - Remove Chef 10 compatibility 100 | 101 | ## 0.1.8: 102 | 103 | - add coc and contributing documents 104 | - update gitignore list for some chef related files 105 | - update supermarket uri 106 | - use correct restart command when under systemd on rhel 107 | - better rule definition support for rhel systems that no longer ship with examples 108 | - add test suite for capp rules 109 | 110 | ## 0.1.2: 111 | 112 | - excluded non-default rulesets for RedHat; they use a version-specific path that I can't find any easy way to determine programmatically 113 | 114 | ## 0.1.1: 115 | 116 | - added RedHat support 117 | 118 | ## 0.1.0: 119 | 120 | - Initial release of auditd 121 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | Please refer to the Chef Community Code of Conduct at 2 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | Please refer to 2 | https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD 3 | -------------------------------------------------------------------------------- /Gemfile: -------------------------------------------------------------------------------- 1 | # This gemfile provides additional gems for testing and releasing this cookbook 2 | # It is meant to be installed on top of ChefDK / Chef Workstation which provide the majority 3 | # of the necessary gems for testing this cookbook 4 | # 5 | # Run 'chef exec bundle install' to install these dependencies 6 | 7 | source 'https://rubygems.org' 8 | 9 | gem 'community_cookbook_releaser' 10 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 
Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 
39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | 203 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # auditd Cookbook 2 | 3 | [![Build Status](https://travis-ci.org/chef-cookbooks/auditd.svg?branch=master)](http://travis-ci.org/chef-cookbooks/auditd) 4 | [![Cookbook Version](https://img.shields.io/cookbook/v/auditd.svg)](https://supermarket.chef.io/cookbooks/auditd) 5 | 6 | A simple cookbook to install auditd and provided rulesets. 
Rulesets included in the OS auditd/audit package as examples are based on 4 established standards: 7 | 8 | - [Controlled Access Protection Profile (CAPP)](http://www.commoncriteriaportal.org/files/ppfiles/capp.pdf) 9 | - [Labeled Security Protection Profile (LSPP)](http://www.commoncriteriaportal.org/files/ppfiles/lspp.pdf) 10 | - [National Industrial Security Program Operating Manual (NISPOM)](http://www.fas.org/sgp/library/nispom.htm) 11 | - [Security Technical Implementation Guides](http://iase.disa.mil/stigs/stig/index.html) 12 | 13 | The OS package provides the client side tools for working with the linux kernel audit framework. 14 | 15 | ## Requirements 16 | 17 | ### Platforms 18 | 19 | - Debian/Ubuntu 20 | - RHEL/CentOS/Scientific/Amazon/Oracle 6+ 21 | 22 | ### Chef 23 | 24 | - Chef 12.7+ 25 | 26 | ### Cookbooks 27 | 28 | - none 29 | 30 | ## Attributes 31 | 32 | - node['auditd']['ruleset'] - ruleset to use, either "default" (the default if unset) or one of the provided examples 33 | - node['auditd']['backlog'] - backlog size, default is 320 should be larger for busy systems 34 | 35 | # Usage 36 | 37 | If you're using one of the default rulesets set the correct attribute based on the ruleset desired, one of: 38 | 39 | - "capp" : Controlled Access Protection Profile 40 | - "lspp" : Labeled Security Protection Profile 41 | - "nispom" : National Industrial Security Program Operating Manual (NISPOM) 42 | - "stig" : Security Technical Implementation Guides 43 | - "cis" : Center for Internet Security auditd recommendations 44 | 45 | And include `recipe[auditd::rules]` in your run list. You can also set the attribute `node['auditd']['ruleset']` to the name of a custom rule template to be used instead of one of the default rules. 46 | 47 | If you are using the recipe from a wrapper cookbook, include the default recipe `recipe[auditd]` to setup the service and use the `auditd_ruleset` resource to place your rule template of choice. 
48 | 49 | If you are not satisfied with any of the provided templates, you can specify the `cookbook` attribute in `auditd_ruleset` to use your own set of rules. In this case, do not include `recipe[auditd::rules]`. 50 | 51 | Use the `auditd::remove` recipe to uninstall auditd. 52 | 53 | ## License & Authors 54 | 55 | **Author:** Cookbook Engineering Team ([cookbooks@chef.io](mailto:cookbooks@chef.io)) 56 | 57 | **Copyright:** 2016, Chef Software, Inc. 58 | 59 | ``` 60 | Licensed under the Apache License, Version 2.0 (the "License"); 61 | you may not use this file except in compliance with the License. 62 | You may obtain a copy of the License at 63 | 64 | http://www.apache.org/licenses/LICENSE-2.0 65 | 66 | Unless required by applicable law or agreed to in writing, software 67 | distributed under the License is distributed on an "AS IS" BASIS, 68 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 69 | See the License for the specific language governing permissions and 70 | limitations under the License. -------------------------------------------------------------------------------- /TESTING.md: -------------------------------------------------------------------------------- 1 | Please refer to 2 | 3 | -------------------------------------------------------------------------------- /attributes/default.rb: -------------------------------------------------------------------------------- 1 | # Cookbook:: auditd 2 | # 3 | # Copyright:: 2012-2017, Heavy Water Operations, LLC. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | default['auditd']['ruleset'] = 'default.rules' 19 | default['auditd']['backlog'] = 320 20 | -------------------------------------------------------------------------------- /chefignore: -------------------------------------------------------------------------------- 1 | # Put files/directories that should be ignored in this file when uploading 2 | # to a Chef Infra Server or Supermarket. 3 | # Lines that start with '# ' are comments. 4 | 5 | # OS generated files # 6 | ###################### 7 | .DS_Store 8 | ehthumbs.db 9 | Icon? 
10 | nohup.out 11 | Thumbs.db 12 | .envrc 13 | 14 | # EDITORS # 15 | ########### 16 | .#* 17 | .project 18 | .settings 19 | *_flymake 20 | *_flymake.* 21 | *.bak 22 | *.sw[a-z] 23 | *.tmproj 24 | *~ 25 | \#* 26 | REVISION 27 | TAGS* 28 | tmtags 29 | .vscode 30 | .editorconfig 31 | 32 | ## COMPILED ## 33 | ############## 34 | *.class 35 | *.com 36 | *.dll 37 | *.exe 38 | *.o 39 | *.pyc 40 | *.so 41 | */rdoc/ 42 | a.out 43 | mkmf.log 44 | 45 | # Testing # 46 | ########### 47 | .circleci/* 48 | .codeclimate.yml 49 | .delivery/* 50 | .foodcritic 51 | .kitchen* 52 | .mdlrc 53 | .overcommit.yml 54 | .rspec 55 | .rubocop.yml 56 | .travis.yml 57 | .watchr 58 | .yamllint 59 | azure-pipelines.yml 60 | Dangerfile 61 | examples/* 62 | features/* 63 | Guardfile 64 | kitchen.yml* 65 | mlc_config.json 66 | Procfile 67 | Rakefile 68 | spec/* 69 | test/* 70 | 71 | # SCM # 72 | ####### 73 | .git 74 | .gitattributes 75 | .gitconfig 76 | .github/* 77 | .gitignore 78 | .gitkeep 79 | .gitmodules 80 | .svn 81 | */.bzr/* 82 | */.git 83 | */.hg/* 84 | */.svn/* 85 | 86 | # Berkshelf # 87 | ############# 88 | Berksfile 89 | Berksfile.lock 90 | cookbooks/* 91 | tmp 92 | 93 | # Bundler # 94 | ########### 95 | vendor/* 96 | Gemfile 97 | Gemfile.lock 98 | 99 | # Policyfile # 100 | ############## 101 | Policyfile.rb 102 | Policyfile.lock.json 103 | 104 | # Documentation # 105 | ############# 106 | CODE_OF_CONDUCT* 107 | CONTRIBUTING* 108 | documentation/* 109 | TESTING* 110 | UPGRADING* 111 | 112 | # Vagrant # 113 | ########### 114 | .vagrant 115 | Vagrantfile 116 | -------------------------------------------------------------------------------- /kitchen.dokken.yml: -------------------------------------------------------------------------------- 1 | driver: 2 | name: dokken 3 | privileged: true # because Docker and SystemD/Upstart 4 | chef_version: <%= ENV['CHEF_VERSION'] || 'current' %> 5 | chef_license: accept-no-persist 6 | 7 | transport: 8 | name: dokken 9 | 10 | provisioner: 11 | name: 
dokken 12 | deprecations_as_errors: true 13 | 14 | verifier: 15 | name: inspec 16 | 17 | platforms: 18 | - name: amazonlinux 19 | driver: 20 | image: dokken/amazonlinux 21 | pid_one_command: /sbin/init 22 | 23 | - name: amazonlinux-2 24 | driver: 25 | image: dokken/amazonlinux-2 26 | pid_one_command: /usr/lib/systemd/systemd 27 | 28 | - name: debian-9 29 | driver: 30 | image: dokken/debian-9 31 | pid_one_command: /bin/systemd 32 | intermediate_instructions: 33 | - RUN /usr/bin/apt-get update 34 | - RUN /usr/bin/apt-get install sudo cron -y 35 | 36 | - name: debian-10 37 | driver: 38 | image: dokken/debian-10 39 | pid_one_command: /bin/systemd 40 | intermediate_instructions: 41 | - RUN /usr/bin/apt-get update 42 | - RUN /usr/bin/apt-get install sudo cron -y 43 | 44 | - name: centos-6 45 | driver: 46 | image: dokken/centos-6 47 | pid_one_command: /sbin/init 48 | 49 | - name: centos-7 50 | driver: 51 | image: dokken/centos-7 52 | pid_one_command: /usr/lib/systemd/systemd 53 | 54 | - name: centos-8 55 | driver: 56 | image: dokken/centos-8 57 | pid_one_command: /usr/lib/systemd/systemd 58 | 59 | - name: fedora-latest 60 | driver: 61 | image: dokken/fedora-latest 62 | pid_one_command: /usr/lib/systemd/systemd 63 | 64 | - name: ubuntu-16.04 65 | driver: 66 | image: dokken/ubuntu-16.04 67 | pid_one_command: /bin/systemd 68 | intermediate_instructions: 69 | - RUN /usr/bin/apt-get update 70 | - RUN /usr/bin/apt-get install sudo cron -y 71 | 72 | - name: ubuntu-18.04 73 | driver: 74 | image: dokken/ubuntu-18.04 75 | pid_one_command: /bin/systemd 76 | intermediate_instructions: 77 | - RUN /usr/bin/apt-get update 78 | - RUN /usr/bin/apt-get install sudo cron -y 79 | 80 | - name: opensuse-leap-15 81 | driver: 82 | image: dokken/opensuse-leap-15 83 | pid_one_command: /bin/systemd 84 | -------------------------------------------------------------------------------- /kitchen.yml: -------------------------------------------------------------------------------- 1 | driver: 2 | name: 
vagrant 3 | 4 | provisioner: 5 | name: chef_zero 6 | deprecations_as_errors: true 7 | chef_license: accept-no-persist 8 | 9 | verifier: 10 | name: inspec 11 | 12 | platforms: 13 | - name: amazonlinux 14 | driver_config: 15 | box: mvbcoding/awslinux 16 | - name: amazonlinux-2 17 | - name: centos-6 18 | - name: centos-7 19 | - name: centos-8 20 | - name: debian-9 21 | run_list: apt::default 22 | - name: debian-10 23 | run_list: apt::default 24 | - name: debian-10 25 | run_list: apt::default 26 | - name: fedora-latest 27 | - name: ubuntu-16.04 28 | run_list: apt::default 29 | - name: ubuntu-18.04 30 | run_list: apt::default 31 | 32 | suites: 33 | - name: default 34 | run_list: 35 | - recipe[auditd::rules] 36 | verifier: 37 | inspec_tests: 38 | - test/integration/default 39 | 40 | - name: stig-rules 41 | run_list: 42 | - recipe[auditd::rules] 43 | attributes: 44 | auditd: 45 | ruleset: "stig" 46 | verifier: 47 | inspec_tests: 48 | - test/integration/stig 49 | 50 | - name: capp-rules 51 | run_list: 52 | - recipe[auditd::rules] 53 | attributes: 54 | auditd: 55 | ruleset: "capp" 56 | verifier: 57 | inspec_tests: 58 | - test/integration/capp 59 | 60 | - name: cis-rules 61 | run_list: 62 | - recipe[auditd::rules] 63 | - recipe[auditd::conf] 64 | attributes: 65 | auditd: 66 | ruleset: "cis" 67 | verifier: 68 | inspec_tests: 69 | - test/integration/cis 70 | -------------------------------------------------------------------------------- /libraries/auditd_helper.rb: -------------------------------------------------------------------------------- 1 | # Cookbook:: auditd 2 | # 3 | # Copyright:: 2016-2017, PagerDuty 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
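# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Helpers mixed into recipes and resource actions with `extend AuditD::Helper`.
# `auditd_rulefile` relies on the Chef DSL methods `platform_family?`,
# `platform?` and `node` being available on the object it is extended into.
module AuditD
  module Helper
    # Name of the distribution package that provides auditd.
    #
    # @param platform_family [String] Ohai platform_family of the node
    # @return [String] 'audit' for rhel/fedora/amazon, 'auditd' for everything else
    #   (NOTE(review): 'suse' falls into the 'auditd' default although the dokken
    #   suite lists opensuse-leap-15 — confirm the package name there)
    def auditd_package_name_for(platform_family)
      case platform_family
      when 'rhel', 'fedora', 'amazon' then 'audit'
      else 'auditd'
      end
    end

    # Absolute path a ruleset should be written to.
    #
    # On platforms the cookbook treats as having an /etc/audit/rules.d drop-in
    # directory the ruleset gets its own file there; everywhere else the single
    # /etc/audit/audit.rules is returned and +ruleset+ is ignored.
    #
    # @param ruleset [String] file name of the ruleset. It is joined onto the
    #   rules.d directory verbatim, so it should be a plain file name (no '/'
    #   or '..'); recipes/rules.rb passes node['auditd']['ruleset'] straight in.
    # @return [String] absolute path of the rules file
    def auditd_rulefile(ruleset = 'audit.rules')
      if rules_d_supported?
        ::File.join('/etc/audit/rules.d/', ruleset)
      else
        '/etc/audit/audit.rules'
      end
    end

    private

    # True for the platform/version combinations that use /etc/audit/rules.d:
    # RHEL family >= 7, Ubuntu >= 18.04, Debian >= 9. The version comes from
    # node['platform_version'] with the same to_i/to_f coercions as before, so a
    # missing version (nil) counts as 0 and selects the legacy single file.
    # The previous one-line condition mixed && and || without parentheses;
    # the grouping below is the one Ruby's precedence already gave it.
    # NOTE(review): 'amazon' and 'fedora' are not covered here even though
    # auditd_package_name_for groups them with rhel — confirm whether they
    # should use rules.d as well.
    def rules_d_supported?
      version = node['platform_version']
      (platform_family?('rhel') && version.to_i >= 7) ||
        (platform?('ubuntu') && version.to_f >= 18.04) ||
        (platform?('debian') && version.to_i >= 9)
    end
  end
end
--------------------------------------------------------------------------------
/metadata.rb:
--------------------------------------------------------------------------------
name 'auditd'
maintainer 'Chef Software, Inc.'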
maintainer_email 'cookbooks@chef.io'
license 'Apache-2.0'
description 'Installs/Configures auditd'
version '2.4.0'

# Platforms the cookbook declares support for.
# NOTE(review): kitchen.yml / kitchen.dokken.yml also exercise debian and
# amazonlinux, and AuditD::Helper special-cases both — confirm whether they
# belong in this list.
%w(redhat ubuntu fedora centos scientific oracle).each do |os|
  supports os
end

source_url 'https://github.com/chef-cookbooks/auditd'
issues_url 'https://github.com/chef-cookbooks/auditd/issues'
chef_version '>= 12.15'
--------------------------------------------------------------------------------
/recipes/conf.rb:
--------------------------------------------------------------------------------
#
# Cookbook:: auditd
# Recipe:: conf
#
# Installs auditd (via auditd::default) and, when the CIS ruleset is selected,
# manages /etc/audit/auditd.conf from templates/cis.auditd.conf.erb. Any other
# value of node['auditd']['ruleset'] leaves auditd.conf untouched.

include_recipe 'auditd::default'

# Case used to give extensibility for the future
case node['auditd']['ruleset']
when 'cis'
  auditd_conf_file 'cis.auditd'
end
--------------------------------------------------------------------------------
/recipes/default.rb:
--------------------------------------------------------------------------------
#
# Cookbook:: auditd
# Recipe:: default
#
# Copyright:: 2012-2017, Heavy Water Operations, LLC.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Installs the audit package and enables the auditd service. Rules and
# auditd.conf are handled by auditd::rules and auditd::conf respectively.
extend AuditD::Helper

package auditd_package_name_for(node['platform_family'])

# There is a specific issue with RHEL7 (https://bugzilla.redhat.com/show_bug.cgi?id=1647521) where
# auditd fails to stop/start/restart/reload using systemctl. This logic will set the correct reload
# and restart actions for this recipe when it detects you are using RHEL7.x
#
# NOTE(review): node['platform_version'] is compared as a String, so the
# ordering is lexicographic. That is correct within the 7.0-7.9 series, but
# every '8.x' value also sorts >= '7.5', so the second branch applies to
# RHEL/CentOS 8 as well — confirm that is intended, since the comment above
# describes the workaround as 7.x only.
service 'auditd' do
  if platform_family?('rhel') && node['init_package'] == 'systemd' && node['platform_version'] < '7.5'
    reload_command '/usr/libexec/initscripts/legacy-actions/auditd/reload'
    restart_command '/usr/libexec/initscripts/legacy-actions/auditd/restart'
  end
  if platform_family?('rhel') && node['init_package'] == 'systemd' && node['platform_version'] >= '7.5'
    reload_command '/usr/sbin/service auditd reload'
    restart_command '/usr/sbin/service auditd restart'
  end
  supports [:start, :stop, :restart, :reload, :status]
  # Only :enable here; the service is (re)started by the :restart
  # notifications from auditd_ruleset / auditd_builtins.
  # NOTE(review): a node that runs only auditd::default therefore depends on
  # the package's post-install to start auditd — confirm that holds on every
  # supported platform.
  action :enable
end
--------------------------------------------------------------------------------
/recipes/remove.rb:
--------------------------------------------------------------------------------
#
# Cookbook:: auditd
# Recipe:: remove
#
# Copyright:: 2016-2017, PagerDuty
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

extend AuditD::Helper

# Stop auditd and keep it from starting at boot before the package is removed.
# NOTE(review): the RHEL 7 systemctl workaround from auditd::default
# (legacy-actions reload/restart commands) is not applied here — confirm that
# :stop behaves on those hosts.
service 'auditd' do
  supports [:restart, :reload, :status]
  action [:disable, :stop]
end

# Same platform-dependent package name as auditd::default, removed instead of
# installed.
package auditd_package_name_for(node['platform_family']) do
  action :remove
end
--------------------------------------------------------------------------------
/recipes/rules.rb:
--------------------------------------------------------------------------------
#
# Cookbook:: auditd
# Recipe:: rules
#
# Copyright:: 2012-2017, Heavy Water Operations, LLC.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

include_recipe 'auditd::default'

# node['auditd']['ruleset'] selects how the rules get installed:
#   * capp / lspp / nispom / stig — rulesets that ship with the audit package,
#     installed through auditd_builtins;
#   * cis — this cookbook's cis.rules template, installed through auditd_ruleset;
#   * anything else — taken as the name of a `<value>.erb` template in this
#     cookbook and installed through auditd_ruleset (the value also becomes
#     the file name under /etc/audit/rules.d on platforms that use it).
ruleset = node['auditd']['ruleset']

case ruleset
when 'capp', 'lspp', 'nispom', 'stig'
  auditd_builtins ruleset
when 'cis'
  auditd_ruleset 'cis.rules'
else
  auditd_ruleset ruleset
end
--------------------------------------------------------------------------------
/resources/builtins.rb:
--------------------------------------------------------------------------------
#
# Cookbook:: auditd
# Resource:: auditd_builtins
#
# Copyright:: 2012-2017, Heavy Water Operations, LLC.
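#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

require 'zlib'

# Installs one of the rulesets that ship with the audit package (the recipes
# use capp, lspp, nispom and stig). The resource name selects the ruleset: on
# rhel/fedora it names the template `<name>.rules.erb` in this cookbook, on
# every other platform the compressed sample
# `/usr/share/doc/auditd/examples/<name>.rules.gz`.

# Cookbook the template is fetched from; nil means this cookbook.
property :cookbook, String

action :create do
  extend AuditD::Helper

  # The name is spliced into a template name and a filesystem path, so only
  # plain file-name characters are accepted (`=~` rather than `match?` to stay
  # within the Ruby shipped with the oldest supported Chef).
  unless new_resource.name =~ /\A[A-Za-z0-9_.-]+\z/
    raise ArgumentError, "auditd_builtins: ruleset name #{new_resource.name.inspect} must be a plain file name"
  end

  if platform_family?('rhel', 'fedora')
    # Rendered from this cookbook's template into the path the helper picks
    # for the platform. auditd_rulefile is called without an argument, so the
    # file is named audit.rules (under /etc/audit/rules.d on rhel >= 7,
    # /etc/audit/audit.rules otherwise).
    template auditd_rulefile do
      source "#{new_resource.name}.rules.erb"
      cookbook new_resource.cookbook if new_resource.cookbook
      notifies :restart, 'service[auditd]'
    end
  else
    # Debian-family audit packages ship the samples gzip-compressed. Inflate
    # in Ruby and manage the target with a file resource instead of shelling
    # out to `zcat ... > /etc/audit/audit.rules`: the write is now idempotent
    # (no rewrite and no auditd restart on converges where nothing changed)
    # and the name no longer passes through a shell.
    # NOTE(review): this branch always targets /etc/audit/audit.rules, unlike
    # the rhel branch which honours auditd_rulefile; on Debian 9+ / Ubuntu
    # 18.04 the helper would point at /etc/audit/rules.d — confirm which file
    # the service loads there.
    # NOTE(review): platform_family 'amazon' (grouped with rhel by
    # auditd_package_name_for) also lands in this branch — confirm that is
    # intended.
    example = "/usr/share/doc/auditd/examples/#{new_resource.name}.rules.gz"

    file '/etc/audit/audit.rules' do
      # lazy: read the sample only when the file resource converges, after
      # the package that provides it has been installed.
      content lazy { ::Zlib::GzipReader.open(example, &:read) }
      notifies :restart, 'service[auditd]'
    end
  end
end
--------------------------------------------------------------------------------
/resources/conf_file.rb:
--------------------------------------------------------------------------------
#
# Cookbook:: auditd
# Resource:: auditd_conf_file
#
# Copyright:: 2018-2019, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.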
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Manages /etc/audit/auditd.conf from the template `<name>.conf.erb`, where
# <name> is the resource name (recipes/conf.rb uses `cis.auditd`).

# Cookbook the template is fetched from; nil means this cookbook.
property :cookbook, String

action :create do
  conf_template = "#{new_resource.name}.conf.erb"

  template '/etc/audit/auditd.conf' do
    source conf_template
    # Only override the template's cookbook when the caller set one.
    cookbook new_resource.cookbook unless new_resource.cookbook.nil?
    # A :reload is notified here, whereas the ruleset resources notify
    # :restart; on RHEL 7 the reload command is the one set in auditd::default.
    notifies :reload, 'service[auditd]'
  end
end
--------------------------------------------------------------------------------
/resources/ruleset.rb:
--------------------------------------------------------------------------------
#
# Cookbook:: auditd
# Resource:: auditd_ruleset
#
# Copyright:: 2012-2017, Heavy Water Operations, LLC.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Writes a ruleset from the template `<name>.erb` to the location
# AuditD::Helper picks for the platform (a rules.d drop-in file or the single
# /etc/audit/audit.rules), e.g. `auditd_ruleset 'cis.rules'`.
# The resource name is joined onto /etc/audit/rules.d without further checks,
# so it should be a plain file name; recipes/rules.rb feeds
# node['auditd']['ruleset'] straight in.

# Cookbook the template is fetched from; nil means this cookbook.
property :cookbook, String

action :create do
  extend AuditD::Helper

  rules_path = auditd_rulefile(new_resource.name)
  rules_template = "#{new_resource.name}.erb"

  template rules_path do
    source rules_template
    # Only override the template's cookbook when the caller set one.
    cookbook new_resource.cookbook unless new_resource.cookbook.nil?
    # Restart right away instead of at the end of the run, unlike
    # auditd_builtins which uses the default delayed notification.
    # NOTE(review): templates/cis.rules.erb ends with `-e 2` (immutable
    # configuration); once that has been loaded, rule changes from a later
    # converge are presumably not applied until the host reboots — confirm
    # this is the intended operational model.
    notifies :restart, 'service[auditd]', :immediately
  end
end
--------------------------------------------------------------------------------
/spec/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chef-cookbooks/auditd/29bb0dcabb19e7dfe012e0e09c82832120db9df1/spec/.gitkeep
--------------------------------------------------------------------------------
/templates/capp.rules.erb:
--------------------------------------------------------------------------------
##
## This file contains a sample audit configuration. Combined with the
## system events that are audited by default, this set of rules causes
## audit to generate records for the auditable events specified by the
## Controlled Access Protection Profile (CAPP).
##
## It should be noted that this set of rules identifies directories by
## leaving a / at the end of the path.
##
## For audit 2.0.6 and higher
##

## Remove any existing rules
-D

## Increase buffer size to handle the increased number of messages.
17 | ## Feel free to increase this if the machine panic's 18 | -b 8192 19 | 20 | ## Set failure mode to panic 21 | -f 2 22 | 23 | ## 24 | ## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1 25 | ## successful and unsuccessful attempts to read information from the 26 | ## audit records; all modifications to the audit trail 27 | ## 28 | -w /var/log/audit/ -k LOG_audit 29 | 30 | ## 31 | ## FAU_SEL.1, FMT_MTD.1 32 | ## modifications to audit configuration that occur while the audit 33 | ## collection functions are operating; all modications to the set of 34 | ## audited events 35 | ## 36 | -w /etc/audit/ -p wa -k CFG_audit 37 | -w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf 38 | -w /etc/libaudit.conf -p wa -k CFG_libaudit.conf 39 | -w /etc/audisp/ -p wa -k CFG_audisp 40 | 41 | ## 42 | ## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1 43 | ## all requests to perform an operation on an object covered by the 44 | ## SFP; all modifications of the values of security attributes; 45 | ## modifications to TSF data; attempts to revoke security attributes 46 | ## 47 | 48 | ## Objects covered by the Security Functional Policy (SFP) are: 49 | ## -File system objects (files, directories, special files, extended attributes) 50 | ## -IPC objects (SYSV shared memory, message queues, and semaphores) 51 | 52 | ## Operations on file system objects - by default, only monitor 53 | ## files and directories covered by filesystem watches. 54 | 55 | ## Changes in ownership and permissions 56 | #-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat 57 | #-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat 58 | #-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown 59 | #-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown 60 | ## Enable *32 rules if you are running on i386 or s390 61 | ## Do not use for x86_64, ia64, ppc, ppc64, or s390x 62 | #-a always,exit -F arch=b32 -S fchown32 -S chown32 -S lchown32 63 | 64 | ## File content modification. 
Permissions are checked at open time, 65 | ## monitoring individual read/write calls is not useful. 66 | #-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -S fallocate 67 | #-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -S fallocate 68 | ## Enable *64 rules if you are running on i386, ppc, ppc64, s390 69 | ## Do not use for x86_64, ia64, or s390x 70 | #-a always,exit -F arch=b32 -S truncate64 -S ftruncate64 71 | 72 | ## directory operations 73 | #-a always,exit -F arch=b32 -S mkdir -S mkdirat -S rmdir 74 | #-a always,exit -F arch=b64 -S mkdir -S mkdirat -S rmdir 75 | 76 | ## moving, removing, and linking 77 | #-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat 78 | #-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat 79 | #-a always,exit -F arch=b32 -S link -S linkat -S symlink -S symlinkat 80 | #-a always,exit -F arch=b64 -S link -S linkat -S symlink -S symlinkat 81 | 82 | ## Extended attribute operations 83 | ## Enable if you are interested in these events 84 | #-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr 85 | #-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr 86 | 87 | ## special files 88 | -a always,exit -F arch=b32 -S mknod -S mknodat 89 | -a always,exit -F arch=b64 -S mknod -S mknodat 90 | 91 | ## Other file system operations 92 | ## Enable if i386 93 | -a always,exit -F arch=b32 -S mount -S umount -S umount2 94 | ## Enable if ppc, s390, or s390x 95 | #-a always,exit -F arch=b32 -S mount -S umount -S umount2 96 | #-a always,exit -F arch=b64 -S mount -S umount -S umount2 97 | ## Enable if ia64 98 | #-a always,exit -F arch=b64 -S mount -S umount 99 | ## Enable if x86_64 100 | #-a always,exit -F arch=b64 -S mount -S umount2 101 | #-a always,exit -F arch=b32 -S mount -S umount -S umount2 102 | 
103 | ## IPC SYSV message queues 104 | ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) 105 | ## msgctl 106 | #-a always,exit -S ipc -F a0=14 107 | ## msgget 108 | #-a always,exit -S ipc -F a0=13 109 | ## Enable if you are interested in these events (x86_64,ia64) 110 | #-a always,exit -S msgctl 111 | #-a always,exit -S msgget 112 | 113 | ## IPC SYSV semaphores 114 | ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) 115 | ## semctl 116 | #-a always,exit -S ipc -F a0=3 117 | ## semget 118 | #-a always,exit -S ipc -F a0=2 119 | ## semop 120 | #-a always,exit -S ipc -F a0=1 121 | ## semtimedop 122 | #-a always,exit -S ipc -F a0=4 123 | ## Enable if you are interested in these events (x86_64, ia64) 124 | #-a always,exit -S semctl 125 | #-a always,exit -S semget 126 | #-a always,exit -S semop 127 | #-a always,exit -S semtimedop 128 | 129 | ## IPC SYSV shared memory 130 | ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) 131 | ## shmctl 132 | #-a always,exit -S ipc -F a0=24 133 | ## shmget 134 | #-a always,exit -S ipc -F a0=23 135 | ## Enable if you are interested in these events (x86_64, ia64) 136 | #-a always,exit -S shmctl 137 | #-a always,exit -S shmget 138 | 139 | ## 140 | ## FIA_USB.1 141 | ## success and failure of binding user security attributes to a subject 142 | ## 143 | ## Enable if you are interested in these events 144 | ## 145 | #-a always,exit -F arch=b32 -S clone 146 | #-a always,exit -F arch=b64 -S clone 147 | #-a always,exit -F arch=b32 -S fork -S vfork 148 | #-a always,exit -F arch=b64 -S fork -S vfork 149 | ## For ia64 architecture, disable fork and vfork rules above, and 150 | ## enable the following: 151 | #-a always,exit -S clone2 152 | 153 | ## 154 | ## FMT_MSA.3 155 | ## modifications of the default setting of permissive or restrictive 156 | ## rules, all modifications of the initial value of security attributes 157 | ## 158 | ## Enable if you are interested in these 
events 159 | ## 160 | #-a always,exit -F arch=b32 -S umask 161 | #-a always,exit -F arch=b64 -S umask 162 | 163 | ## 164 | ## FPT_STM.1 165 | ## changes to the time 166 | ## 167 | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime 168 | -a always,exit -F arch=b64 -S adjtimex -S settimeofday 169 | -a always,exit -F arch=b32 -S clock_settime -F a0=0 170 | -a always,exit -F arch=b64 -S clock_settime -F a0=0 171 | # Introduced in 2.6.39, commented out because it can make false positives 172 | #-a always,exit -F arch=b32 -S clock_adjtime -k time-change 173 | #-a always,exit -F arch=b64 -S clock_adjtime -k time-change 174 | 175 | ## 176 | ## FTP_ITC.1 177 | ## set-up of trusted channel 178 | ## 179 | -w /usr/sbin/stunnel -p x 180 | 181 | ## 182 | ## Security Databases 183 | ## 184 | 185 | ## cron configuration & scheduled jobs 186 | -w /etc/cron.allow -p wa -k CFG_cron.allow 187 | -w /etc/cron.deny -p wa -k CFG_cron.deny 188 | -w /etc/cron.d/ -p wa -k CFG_cron.d 189 | -w /etc/cron.daily/ -p wa -k CFG_cron.daily 190 | -w /etc/cron.hourly/ -p wa -k CFG_cron.hourly 191 | -w /etc/cron.monthly/ -p wa -k CFG_cron.monthly 192 | -w /etc/cron.weekly/ -p wa -k CFG_cron.weekly 193 | -w /etc/crontab -p wa -k CFG_crontab 194 | -w /var/spool/cron/root -k CFG_crontab_root 195 | 196 | ## user, group, password databases 197 | -w /etc/group -p wa -k CFG_group 198 | -w /etc/passwd -p wa -k CFG_passwd 199 | -w /etc/gshadow -k CFG_gshadow 200 | -w /etc/shadow -k CFG_shadow 201 | -w /etc/security/opasswd -k CFG_opasswd 202 | 203 | ## login configuration and information 204 | -w /etc/login.defs -p wa -k CFG_login.defs 205 | -w /etc/securetty -p wa -k CFG_securetty 206 | -w /var/run/faillock/ -p wa -k LOG_faillock 207 | -w /var/log/lastlog -p wa -k LOG_lastlog 208 | -w /var/log/tallylog -p wa -k LOG_tallylog 209 | 210 | ## network configuration 211 | -w /etc/hosts -p wa -k CFG_hosts 212 | -w /etc/sysconfig/network-scripts/ -p wa -k CFG_network 213 | 214 | ## system startup scripts 
215 | -w /etc/sysconfig/init -p wa -k CFG_init 216 | -w /etc/init/ -p wa -k CFG_init 217 | -w /etc/inittab -p wa -k CFG_inittab 218 | -w /etc/rc.d/init.d/ -p wa -k CFG_initscripts 219 | 220 | ## library search paths 221 | -w /etc/ld.so.conf -p wa -k CFG_ld.so.conf 222 | 223 | ## local time zone 224 | -w /etc/localtime -p wa -k CFG_localtime 225 | 226 | ## kernel parameters 227 | -w /etc/sysctl.conf -p wa -k CFG_sysctl.conf 228 | 229 | ## modprobe configuration 230 | -w /etc/modprobe.d/ -p wa -k CFG_modprobe 231 | 232 | ## pam configuration 233 | -w /etc/pam.d/ -p wa -k CFG_pam 234 | -w /etc/security/access.conf -p wa -k CFG_pam 235 | -w /etc/security/limits.conf -p wa -k CFG_pam 236 | -w /etc/security/pam_env.conf -p wa -k CFG_pam 237 | -w /etc/security/namespace.conf -p wa -k CFG_pam 238 | -w /etc/security/namespace.d/ -p wa -k CFG_pam 239 | -w /etc/security/namespace.init -p wa -k CFG_pam 240 | -w /etc/security/sepermit.conf -p wa -k CFG_pam 241 | -w /etc/security/time.conf -p wa -k CFG_pam 242 | 243 | ## postfix configuration 244 | -w /etc/aliases -p wa -k CFG_aliases 245 | -w /etc/postfix/ -p wa -k CFG_postfix 246 | 247 | ## screen configuration 248 | -w /etc/screenrc -p wa -k CFG_screen 249 | 250 | ## ssh configuration 251 | -w /etc/ssh/sshd_config -k CFG_sshd_config 252 | 253 | ## stunnel configuration 254 | -w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf 255 | -w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem 256 | 257 | ## sudo configuration 258 | -w /etc/sudoers -k CFG_sudoers 259 | -w /etc/sudoers.d/ -k CFG_sudoers 260 | 261 | ## Not specifically required by CAPP; but common sense items 262 | -a always,exit -F arch=b32 -S sethostname -S setdomainname 263 | -a always,exit -F arch=b64 -S sethostname -S setdomainname 264 | -w /etc/issue -p wa -k CFG_issue 265 | -w /etc/issue.net -p wa -k CFG_issue.net 266 | 267 | ## Optional - could indicate someone trying to do something bad or 268 | ## just debugging 269 | #-a always,exit -F arch=b32 -S ptrace -k paranoid 
270 | #-a always,exit -F arch=b64 -S ptrace -k paranoid 271 | 272 | ## Optional - could be an attempt to bypass audit or simply legacy program 273 | #-a always,exit -F arch=b32 -S personality -F a0!=4294967295 -k paranoid 274 | #-a always,exit -F arch=b64 -S personality -F a0!=4294967295 -k paranoid 275 | 276 | ## Optional - might want to watch module insertion 277 | #-w /sbin/insmod -p x -k modules 278 | #-w /sbin/rmmod -p x -k modules 279 | #-w /sbin/modprobe -p x -k modules 280 | #-a always,exit -F arch=b32 -S init_module -S delete_module -k modules 281 | #-a always,exit -F arch=b64 -S init_module -S delete_module -k modules 282 | 283 | ## Put your own watches after this point 284 | # -w /your-file -p rwxa -k mykey 285 | 286 | ## Make the configuration immutable 287 | #-e 2 288 | -------------------------------------------------------------------------------- /templates/cis.auditd.conf.erb: -------------------------------------------------------------------------------- 1 | # 2 | # This file is managed using Chef. Any changes will be overwritten. 
3 | # 4 | # This file controls the configuration of the audit daemon 5 | # 6 | 7 | log_file = /var/log/audit/audit.log 8 | log_group = root 9 | log_format = RAW 10 | flush = INCREMENTAL_ASYNC 11 | freq = 50 12 | <% if node['platform_version'].to_i == 6 %> 13 | max_log_file = 6 14 | <% elsif node['platform_version'].to_i == 7 %> 15 | max_log_file = 8 16 | local_events = yes 17 | write_logs = yes 18 | <% end %> 19 | num_logs = 5 20 | priority_boost = 4 21 | disp_qos = lossy 22 | dispatcher = /sbin/audispd 23 | name_format = NONE 24 | space_left = 75 25 | admin_space_left = 50 26 | disk_full_action = SUSPEND 27 | disk_error_action = SUSPEND 28 | use_libwrap = yes 29 | tcp_listen_queue = 5 30 | tcp_max_per_addr = 1 31 | tcp_client_max_idle = 0 32 | enable_krb5 = no 33 | krb5_principal = auditd 34 | distribute_network = no 35 | # CIS 4.1.1.2 36 | admin_space_left_action = halt 37 | # CIS 4.1.1.2 38 | space_left_action = email 39 | # CIS 4.1.1.2 40 | action_mail_acct = root 41 | # CIS 4.1.1.3 42 | max_log_file_action = keep_logs 43 | -------------------------------------------------------------------------------- /templates/cis.rules.erb: -------------------------------------------------------------------------------- 1 | # This file contains the auditctl rules that are loaded 2 | # whenever the audit daemon is started via the initscripts. 3 | # The rules are simply the parameters that would be passed 4 | # to auditctl. 5 | 6 | # First rule - delete all 7 | -D 8 | 9 | # Increase the buffers to survive stress events. 10 | # Make this bigger for busy systems 11 | -b <%= node['auditd']['backlog'] %> 12 | 13 | # Feel free to add below this line. 
See auditctl man page 14 | 15 | # CIS Benchmark Adjustments 16 | 17 | # CIS 4.1.4 18 | -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change 19 | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change 20 | -a always,exit -F arch=b64 -S clock_settime -k time-change 21 | -a always,exit -F arch=b32 -S clock_settime -k time-change 22 | -w /etc/localtime -p wa -k time-change 23 | 24 | # CIS 4.1.5 25 | -w /etc/group -p wa -k identity 26 | -w /etc/passwd -p wa -k identity 27 | -w /etc/gshadow -p wa -k identity 28 | -w /etc/shadow -p wa -k identity 29 | -w /etc/security/opasswd -p wa -k identity 30 | 31 | # CIS 4.1.6 32 | -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale 33 | -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale 34 | -w /etc/issue -p wa -k system-locale 35 | -w /etc/issue.net -p wa -k system-locale 36 | -w /etc/hosts -p wa -k system-locale 37 | -w /etc/sysconfig/network -p wa -k system-locale 38 | -w /etc/sysconfig/network-scripts/ -p wa -k system-locale 39 | 40 | # CIS 4.1.7 41 | -w /etc/selinux/ -p wa -k MAC-policy 42 | -w /usr/share/selinux/ -p wa -k MAC-policy 43 | 44 | # CIS 4.1.8 45 | -w /var/log/lastlog -p wa -k logins 46 | -w /var/run/faillock/ -p wa -k logins 47 | 48 | # CIS 4.1.9 49 | <% if node['platform_version'].to_i == 6 %> 50 | -w /var/run/utmp -p wa -k session 51 | -w /var/log/wtmp -p wa -k session 52 | -w /var/log/btmp -p wa -k session 53 | <% elsif node['platform_version'].to_i == 7 %> 54 | -w /var/run/utmp -p wa -k session 55 | -w /var/log/wtmp -p wa -k logins 56 | -w /var/log/btmp -p wa -k logins 57 | <% end %> 58 | 59 | # CIS 4.1.10 60 | -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod 61 | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod 62 | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod 63 | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod 64 | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod 65 | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod 66 | 67 | # CIS 4.1.11 68 | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access 69 | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access 70 | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access 71 | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access 72 | 73 | # CIS 4.1.13 74 | -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts 75 | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts 76 | 77 | # CIS 4.1.14 78 | <% if node['platform_version'].to_i == 6 %> 79 | -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete 80 | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete 81 | <% elsif node['platform_version'].to_i == 7 %> 82 | -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete 83 | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete 84 | <% end %> 85 | 86 | # CIS 4.1.15 87 | -w /etc/sudoers -p wa -k scope 88 | -w /etc/sudoers.d/ -p wa -k scope 89 | 90 | # CIS 
4.1.16 91 | -w /var/log/sudo.log -p wa -k actions 92 | 93 | # CIS 4.1.17 94 | -w /sbin/insmod -p x -k modules 95 | -w /sbin/rmmod -p x -k modules 96 | -w /sbin/modprobe -p x -k modules 97 | -a always,exit -F arch=b32 -S init_module -S delete_module -k modules 98 | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules 99 | 100 | # CIS 4.1.12 101 | -a always,exit -F path=/bin/cgexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged 102 | -a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged 103 | -a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged 104 | -a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged 105 | -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged 106 | -a always,exit -F path=/bin/ping6 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged 107 | -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged 108 | -a always,exit -F path=/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged 109 | -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged 110 | <% dbus = [ 111 | '/usr/libexec/dbus-1/dbus-daemon-launch-helper', 112 | '/lib64/dbus-1/dbus-daemon-launch-helper' 113 | ].find { |f| ::File.exist?(f) } %> 114 | -a always,exit -F path=<%= dbus %> -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged 115 | 116 | # CIS 4.1.18 117 | -e 2 118 | -------------------------------------------------------------------------------- /templates/default.rules.erb: -------------------------------------------------------------------------------- 1 | # This file contains the auditctl rules that are loaded 2 | # whenever the audit daemon is started via the initscripts. 3 | # The rules are simply the parameters that would be passed 4 | # to auditctl. 
5 | 6 | # First rule - delete all 7 | -D 8 | 9 | # Increase the buffers to survive stress events. 10 | # Make this bigger for busy systems 11 | -b <%= node['auditd']['backlog'] %> 12 | 13 | # Feel free to add below this line. See auditctl man page 14 | -------------------------------------------------------------------------------- /templates/lspp.rules.erb: -------------------------------------------------------------------------------- 1 | ## 2 | ## This file contains a sample audit configuration. Combined with the 3 | ## system events that are audited by default, this set of rules causes 4 | ## audit to generate records for the auditable events specified by the 5 | ## Labeled Security Protection Profile (LSPP). 6 | ## 7 | ## It should be noted that this set of rules identifies directories by 8 | ## leaving a / at the end of the path. 9 | ## 10 | ## For audit 2.0.6 and higher 11 | ## 12 | 13 | ## Remove any existing rules 14 | -D 15 | 16 | ## Increase buffer size to handle the increased number of messages. 
17 | ## Feel free to increase this if the machine panics 18 | -b 8192 19 | 20 | ## Set failure mode to panic 21 | -f 2 22 | 23 | ## 24 | ## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1 25 | ## successful and unsuccessful attempts to read information from the 26 | ## audit records; all modifications to the audit trail 27 | ## 28 | -w /var/log/audit/ -k LOG_audit 29 | 30 | ## 31 | ## FAU_SEL.1, FMT_MTD.1 32 | ## modifications to audit configuration that occur while the audit 33 | ## collection functions are operating; all modifications to the set of 34 | ## audited events 35 | ## 36 | -w /etc/audit/ -p wa -k CFG_audit 37 | -w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf 38 | -w /etc/libaudit.conf -p wa -k CFG_libaudit.conf 39 | -w /etc/audisp/ -p wa -k CFG_audisp 40 | 41 | ## 42 | ## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1, FDP_ETC.1, FDP_ITC.2 43 | ## all requests to perform an operation on an object covered by the 44 | ## SFP; all modifications of the values of security attributes; 45 | ## modifications to TSF data; attempts to revoke security attributes; 46 | ## all attempts to export information; all attempts to import user 47 | ## data, including any security attributes 48 | 49 | ## Objects covered by the Security Functional Policy (SFP) are: 50 | ## -File system objects (files, directories, special files, extended attributes) 51 | ## -IPC objects (SYSV shared memory, message queues, and semaphores) 52 | 53 | ## Operations on file system objects - by default, only monitor 54 | ## files and directories covered by filesystem watches.
55 | 56 | ## Changes in ownership and permissions 57 | #-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat 58 | #-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat 59 | #-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown 60 | #-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown 61 | ## Enable *32 rules if you are running on i386 or s390 62 | ## Do not use for x86_64, ia64, ppc, ppc64, or s390x 63 | #-a always,exit -F arch=b32 -S fchown32 -S chown32 -S lchown32 64 | 65 | ## File content modification. Permissions are checked at open time, 66 | ## monitoring individual read/write calls is not useful. 67 | #-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -S fallocate 68 | #-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -S fallocate 69 | ## Enable *64 rules if you are running on i386, ppc, ppc64, s390 70 | ## Do not use for x86_64, ia64, or s390x 71 | #-a always,exit -F arch=b32 -S truncate64 -S ftruncate64 72 | 73 | ## directory operations 74 | #-a always,exit -F arch=b32 -S mkdir -S mkdirat -S rmdir 75 | #-a always,exit -F arch=b64 -S mkdir -S mkdirat -S rmdir 76 | 77 | ## moving, removing, and linking 78 | #-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat 79 | #-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat 80 | #-a always,exit -F arch=b32 -S link -S linkat -S symlink -S symlinkat 81 | #-a always,exit -F arch=b64 -S link -S linkat -S symlink -S symlinkat 82 | 83 | ## Extended attribute operations 84 | ## Enable if you are interested in these events 85 | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr 86 | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr 87 | 88 | ## special files 89 | -a always,exit -F arch=b32 -S mknod -S mknodat 90 | -a 
always,exit -F arch=b64 -S mknod -S mknodat 91 | 92 | ## Other file system operations 93 | ## Enable if i386 94 | -a always,exit -F arch=b32 -S mount -S umount -S umount2 95 | ## Enable if ppc, s390, or s390x 96 | #-a always,exit -F arch=b32 -S mount -S umount -S umount2 97 | #-a always,exit -F arch=b64 -S mount -S umount -S umount2 98 | ## Enable if ia64 99 | #-a always,exit -F arch=b64 -S mount -S umount 100 | ## Enable if x86_64 101 | #-a always,exit -F arch=b64 -S mount -S umount2 102 | #-a always,exit -F arch=b32 -S mount -S umount -S umount2 103 | 104 | ## IPC SYSV message queues 105 | ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) 106 | ## msgctl 107 | #-a always,exit -S ipc -F a0=14 108 | ## msgget 109 | #-a always,exit -S ipc -F a0=13 110 | ## Enable if you are interested in these events (x86_64,ia64) 111 | #-a always,exit -S msgctl 112 | #-a always,exit -S msgget 113 | 114 | ## IPC SYSV semaphores 115 | ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) 116 | ## semctl 117 | #-a always,exit -S ipc -F a0=3 118 | ## semget 119 | #-a always,exit -S ipc -F a0=2 120 | ## semop 121 | #-a always,exit -S ipc -F a0=1 122 | ## semtimedop 123 | #-a always,exit -S ipc -F a0=4 124 | ## Enable if you are interested in these events (x86_64, ia64) 125 | #-a always,exit -S semctl 126 | #-a always,exit -S semget 127 | #-a always,exit -S semop 128 | #-a always,exit -S semtimedop 129 | 130 | ## IPC SYSV shared memory 131 | ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) 132 | ## shmctl 133 | #-a always,exit -S ipc -F a0=24 134 | ## shmget 135 | #-a always,exit -S ipc -F a0=23 136 | ## Enable if you are interested in these events (x86_64, ia64) 137 | #-a always,exit -S shmctl 138 | #-a always,exit -S shmget 139 | 140 | ## 141 | ## FIA_USB.1 142 | ## success and failure of binding user security attributes to a subject 143 | ## 144 | ## Enable if you are interested in these events 145 | ## 146 | #-a 
always,exit -F arch=b32 -S clone 147 | #-a always,exit -F arch=b64 -S clone 148 | #-a always,exit -F arch=b32 -S fork -S vfork 149 | #-a always,exit -F arch=b64 -S fork -S vfork 150 | ## For ia64 architecture, disable fork and vfork rules above, and 151 | ## enable the following: 152 | #-a always,exit -S clone2 153 | 154 | ## 155 | ## FDP_ETC.2 156 | ## Export of Labeled User Data 157 | ## 158 | ## Printing 159 | -w /etc/cups/ -p wa -k CFG_cups 160 | -w /etc/init.d/cups -p wa -k CFG_initd_cups 161 | 162 | ## 163 | ## FDP_ETC.2, FDP_ITC.2 164 | ## Export/Import of Labeled User Data 165 | ## 166 | ## Networking 167 | -w /etc/netlabel.rules -p wa -k CFG_netlabel.rules 168 | -w /etc/ipsec.conf -p wa -k CFG_ipsec.conf 169 | -w /etc/ipsec.d/ -p wa -k CFG_ipsec.conf 170 | -w /etc/ipsec.secrets -p wa -k CFG_ipsec.secrets 171 | 172 | ## 173 | ## FDP_IFC.1 174 | ## Mandatory Access Control Policy 175 | ## 176 | -w /etc/selinux/config -p wa -k CFG_selinux_config 177 | -w /etc/selinux/mls/ -p wa -k CFG_MAC_policy 178 | -w /usr/share/selinux/mls/ -p wa -k CFG_MAC_policy 179 | -w /etc/selinux/semanage.conf -p wa -k CFG_MAC_policy 180 | 181 | ## 182 | ## FMT_MSA.3 183 | ## modifications of the default setting of permissive or restrictive 184 | ## rules, all modifications of the initial value of security attributes 185 | ## 186 | ## Enable if you are interested in these events 187 | ## 188 | #-a always,exit -F arch=b32 -S umask 189 | #-a always,exit -F arch=b64 -S umask 190 | 191 | ## 192 | ## FPT_STM.1 193 | ## changes to the time 194 | ## 195 | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime 196 | -a always,exit -F arch=b64 -S adjtimex -S settimeofday 197 | -a always,exit -F arch=b32 -S clock_settime -F a0=0 198 | -a always,exit -F arch=b64 -S clock_settime -F a0=0 199 | # Introduced in 2.6.39, commented out because it can make false positives 200 | #-a always,exit -F arch=b32 -S clock_adjtime -k time-change 201 | #-a always,exit -F arch=b64 -S clock_adjtime -k 
time-change 202 | 203 | ## 204 | ## FTP_ITC.1 205 | ## set-up of trusted channel 206 | ## 207 | -w /usr/sbin/stunnel -p x 208 | 209 | ## 210 | ## FPT_TST.1 Self Test 211 | ## aide is used to verify integrity of data and executables 212 | ## 213 | -w /etc/aide.conf -p wa -k CFG_aide.conf 214 | -w /var/lib/aide/aide.db.gz -k CFG_aide.db 215 | -w /var/lib/aide/aide.db.new.gz -k CFG_aide.db 216 | -w /var/log/aide/ -p wa -k CFG_aide.log 217 | 218 | ## 219 | ## Security Databases 220 | ## 221 | 222 | ## cron configuration & scheduled jobs 223 | -w /etc/cron.allow -p wa -k CFG_cron.allow 224 | -w /etc/cron.deny -p wa -k CFG_cron.deny 225 | -w /etc/cron.d/ -p wa -k CFG_cron.d 226 | -w /etc/cron.daily/ -p wa -k CFG_cron.daily 227 | -w /etc/cron.hourly/ -p wa -k CFG_cron.hourly 228 | -w /etc/cron.monthly/ -p wa -k CFG_cron.monthly 229 | -w /etc/cron.weekly/ -p wa -k CFG_cron.weekly 230 | -w /etc/crontab -p wa -k CFG_crontab 231 | -w /var/spool/cron/root -k CFG_crontab_root 232 | 233 | ## user, group, password databases 234 | -w /etc/group -p wa -k CFG_group 235 | -w /etc/passwd -p wa -k CFG_passwd 236 | -w /etc/gshadow -k CFG_gshadow 237 | -w /etc/shadow -k CFG_shadow 238 | -w /etc/security/opasswd -k CFG_opasswd 239 | 240 | ## login configuration and information 241 | -w /etc/login.defs -p wa -k CFG_login.defs 242 | -w /etc/securetty -p wa -k CFG_securetty 243 | -w /var/run/faillock/ -p wa -k LOG_faillock 244 | -w /var/log/lastlog -p wa -k LOG_lastlog 245 | -w /var/log/tallylog -p wa -k LOG_tallylog 246 | 247 | ## network configuration 248 | -w /etc/hosts -p wa -k CFG_hosts 249 | -w /etc/sysconfig/network-scripts/ -p wa -k CFG_network 250 | 251 | ## system startup scripts 252 | -w /etc/sysconfig/init -p wa -k CFG_init 253 | -w /etc/init/ -p wa -k CFG_init 254 | -w /etc/inittab -p wa -k CFG_inittab 255 | -w /etc/rc.d/init.d/ -p wa -k CFG_initscripts 256 | 257 | ## library search paths 258 | -w /etc/ld.so.conf -p wa -k CFG_ld.so.conf 259 | 260 | ## local time zone 261 | -w 
/etc/localtime -p wa -k CFG_localtime 262 | 263 | ## kernel parameters 264 | -w /etc/sysctl.conf -p wa -k CFG_sysctl.conf 265 | 266 | ## modprobe configuration 267 | -w /etc/modprobe.d/ -p wa -k CFG_modprobe 268 | 269 | ## pam configuration 270 | -w /etc/pam.d/ -p wa -k CFG_pam 271 | -w /etc/security/access.conf -p wa -k CFG_pam 272 | -w /etc/security/limits.conf -p wa -k CFG_pam 273 | -w /etc/security/pam_env.conf -p wa -k CFG_pam 274 | -w /etc/security/namespace.conf -p wa -k CFG_pam 275 | -w /etc/security/namespace.d/ -p wa -k CFG_pam 276 | -w /etc/security/namespace.init -p wa -k CFG_pam 277 | -w /etc/security/sepermit.conf -p wa -k CFG_pam 278 | -w /etc/security/time.conf -p wa -k CFG_pam 279 | 280 | ## postfix configuration 281 | -w /etc/aliases -p wa -k CFG_aliases 282 | -w /etc/postfix/ -p wa -k CFG_postfix 283 | 284 | ## screen configuration 285 | -w /etc/screenrc -p wa -k CFG_screen 286 | 287 | ## ssh configuration 288 | -w /etc/ssh/sshd_config -k CFG_sshd_config 289 | 290 | ## stunnel configuration 291 | -w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf 292 | -w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem 293 | 294 | ## sudo configuration 295 | -w /etc/sudoers -k CFG_sudoers 296 | -w /etc/sudoers.d/ -k CFG_sudoers 297 | 298 | ## xinetd configuration 299 | -w /etc/xinetd.d/ -k CFG_xinetd.d 300 | -w /etc/xinetd.conf -k CFG_xinetd.conf 301 | 302 | ## Not specifically required by LSPP; but common sense items 303 | -a always,exit -F arch=b32 -S sethostname -S setdomainname 304 | -a always,exit -F arch=b64 -S sethostname -S setdomainname 305 | -w /etc/issue -p wa -k CFG_issue 306 | -w /etc/issue.net -p wa -k CFG_issue.net 307 | 308 | ## Optional - could indicate someone trying to do something bad or 309 | ## just debugging 310 | #-a always,exit -F arch=b32 -S ptrace -k paranoid 311 | #-a always,exit -F arch=b64 -S ptrace -k paranoid 312 | 313 | ## Optional - could be an attempt to bypass audit or simply legacy program 314 | #-a always,exit -F arch=b32 -S 
personality -F a0!=4294967295 -k paranoid 315 | #-a always,exit -F arch=b64 -S personality -F a0!=4294967295 -k paranoid 316 | 317 | ## Optional - might want to watch module insertion 318 | #-w /sbin/insmod -p x -k modules 319 | #-w /sbin/rmmod -p x -k modules 320 | #-w /sbin/modprobe -p x -k modules 321 | #-a always,exit -F arch=b32 -S init_module -S delete_module -k modules 322 | #-a always,exit -F arch=b64 -S init_module -S delete_module -k modules 323 | 324 | ## Put your own watches after this point 325 | # -w /your-file -p rwxa -k mykey 326 | 327 | ## Make the configuration immutable 328 | #-e 2 329 | -------------------------------------------------------------------------------- /templates/nispom.rules.erb: -------------------------------------------------------------------------------- 1 | ## 2 | ## This file contains a sample audit configuration intended to 3 | ## meet the NISPOM Chapter 8 rules. 4 | ## 5 | ## This file should be saved as /etc/audit/audit.rules. 6 | ## 7 | ## For audit 1.6.5 and higher 8 | ## 9 | 10 | ## Remove any existing rules 11 | -D 12 | 13 | ## Increase buffer size to handle the increased number of messages. 14 | ## Feel free to increase this if the machine panics 15 | -b 8192 16 | 17 | ## Set failure mode to panic 18 | -f 2 19 | 20 | ## Audit 1, 1(a) Enough information to determine the date and time of 21 | ## action (e.g., common network time), the system locale of the action, 22 | ## the system entity that initiated or completed the action, the resources 23 | ## involved, and the action involved.
24 | 25 | ## Things that could affect time 26 | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change 27 | -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change 28 | -a always,exit -F arch=b32 -S clock_settime -F a0=0 -k time-change 29 | -a always,exit -F arch=b64 -S clock_settime -F a0=0 -k time-change 30 | # Introduced in 2.6.39, commented out because it can make false positives 31 | #-a always,exit -F arch=b32 -S clock_adjtime -k time-change 32 | #-a always,exit -F arch=b64 -S clock_adjtime -k time-change 33 | -w /etc/localtime -p wa -k time-change 34 | 35 | ## Things that could affect system locale 36 | -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale 37 | -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale 38 | -w /etc/issue -p wa -k system-locale 39 | -w /etc/issue.net -p wa -k system-locale 40 | -w /etc/hosts -p wa -k system-locale 41 | -w /etc/sysconfig/network -p wa -k system-locale 42 | 43 | ## Audit 1, 1(b) Successful and unsuccessful logons and logoffs. 44 | ## This is covered by patches to login, gdm, and openssh 45 | ## Might also want to watch these files if needing extra information 46 | #-w /var/log/tallylog -p wa -k logins 47 | #-w /var/run/faillock/ -p wa -k logins 48 | #-w /var/log/lastlog -p wa -k logins 49 | #-w /var/log/btmp -p wa -k logins 50 | #-w /var/run/utmp -p wa -k logins 51 | 52 | ## Audit 1, 1(c) Successful and unsuccessful accesses to 53 | ## security-relevant objects and directories, including 54 | ## creation, open, close, modification, and deletion. 
55 | 56 | ## unsuccessful creation 57 | -a always,exit -F arch=b32 -S creat -S mkdir -S mknod -S link -S symlink -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation 58 | -a always,exit -F arch=b64 -S creat -S mkdir -S mknod -S link -S symlink -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation 59 | -a always,exit -F arch=b32 -S mkdir -S mkdirat -S link -S symlink -F exit=-EPERM -k creation 60 | -a always,exit -F arch=b64 -S mkdir -S mkdirat -S link -S symlink -F exit=-EPERM -k creation 61 | 62 | ## unsuccessful open 63 | -a always,exit -F arch=b32 -S open -S openat -S open_by_handle_at -F exit=-EACCES -k open 64 | -a always,exit -F arch=b64 -S open -S openat -S open_by_handle_at -F exit=-EACCES -k open 65 | -a always,exit -F arch=b32 -S open -S openat -S open_by_handle_at -F exit=-EPERM -k open 66 | -a always,exit -F arch=b64 -S open -S openat -S open_by_handle_at -F exit=-EPERM -k open 67 | 68 | ## unsuccessful close 69 | -a always,exit -F arch=b32 -S close -F exit=-EIO -k close 70 | -a always,exit -F arch=b64 -S close -F exit=-EIO -k close 71 | 72 | ## unsuccessful modifications 73 | -a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k mods 74 | -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k mods 75 | -a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k mods 76 | -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k mods 77 | 78 | ## unsuccessful deletion 79 | -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -F exit=-EACCES -k delete 80 | -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -F exit=-EACCES -k delete 81 | -a always,exit -F arch=b32 -S rmdir -S unlink 
-S unlinkat -F exit=-EPERM -k delete 82 | -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -F exit=-EPERM -k delete 83 | 84 | ## Audit 1, 1(d) Changes in user authenticators. 85 | ## Covered by patches to libpam, passwd, and shadow-utils 86 | ## Might also want to watch these files for changes 87 | -w /etc/group -p wa -k auth 88 | -w /etc/passwd -p wa -k auth 89 | -w /etc/gshadow -p wa -k auth 90 | -w /etc/shadow -p wa -k auth 91 | -w /etc/security/opasswd -p wa -k auth 92 | 93 | ## Audit 1, 1(e) The blocking or blacklisting of a user ID, 94 | ## terminal, or access port and the reason for the action. 95 | ## Covered by patches to pam_tally2 or pam_faillock and pam_limits 96 | 97 | ## Audit 1, 1(f) Denial of access resulting from an excessive 98 | ## number of unsuccessful logon attempts. 99 | ## Covered by patches to pam_tally2 or pam_faillock 100 | 101 | ## Audit 1, 2 Audit Trail Protection. The contents of audit trails 102 | ## shall be protected against unauthorized access, modification, 103 | ## or deletion. 
104 | ## This should be covered by file permissions, but we can watch it 105 | ## to see any activity 106 | -w /var/log/audit/ -k audit-logs 107 | 108 | ## Not specifically required by NISPOM; but common sense items 109 | ## Optional - could indicate someone trying to do something bad or 110 | ## just debugging 111 | #-a always,exit -F arch=b32 -S ptrace -k paranoid 112 | #-a always,exit -F arch=b64 -S ptrace -k paranoid 113 | 114 | ## Optional - could be an attempt to bypass audit or simply legacy program 115 | #-a always,exit -F arch=b32 -S personality -F a0!=4294967295 -k paranoid 116 | #-a always,exit -F arch=b64 -S personality -F a0!=4294967295 -k paranoid 117 | 118 | ## Optional - might want to watch module insertion 119 | #-w /sbin/insmod -p x -k modules 120 | #-w /sbin/rmmod -p x -k modules 121 | #-w /sbin/modprobe -p x -k modules 122 | #-a always,exit -F arch=b32 -S init_module -S delete_module -k modules 123 | #-a always,exit -F arch=b64 -S init_module -S delete_module -k modules 124 | 125 | ## Put your own watches after this point 126 | # -w /your-file -p rwxa -k mykey 127 | 128 | ## Make the configuration immutable 129 | #-e 2 130 | -------------------------------------------------------------------------------- /templates/stig.rules.erb: -------------------------------------------------------------------------------- 1 | ## Managed by Chef - do not edit - 2 | ## This file contains the auditctl rules that are loaded 3 | ## whenever the audit daemon is started via the initscripts. 4 | ## The rules are simply the parameters that would be passed 5 | ## to auditctl. 6 | ## 7 | ## First rule - delete all 8 | -D 9 | 10 | ## Increase the buffers to survive stress events. 11 | ## Make this bigger for busy systems 12 | -b 8192 13 | 14 | ## Set failure mode to panic 15 | -f 2 16 | 17 | ## NOTE: 18 | ## 1) if this is being used on a 32 bit machine, comment out the b64 lines 19 | ## 2) These rules assume that login under the root account is not allowed. 
20 | ## 3) It is also assumed that 500 represents the first usable user account. To 21 | ## be sure, look at UID_MIN in /etc/login.defs. 22 | ## 4) If these rules generate too much spurious data for your tastes, limit 23 | ## the syscall file rules with a directory, like -F dir=/etc 24 | ## 5) You can search for the results on the key fields in the rules 25 | ## 26 | ## 27 | ## (GEN002880: CAT II) The IAO will ensure the auditing software can 28 | ## record the following for each audit event: 29 | ##- Date and time of the event 30 | ##- Userid that initiated the event 31 | ##- Type of event 32 | ##- Success or failure of the event 33 | ##- For I&A events, the origin of the request (e.g., terminal ID) 34 | ##- For events that introduce an object into a user’s address space, and 35 | ## for object deletion events, the name of the object, and in MLS 36 | ## systems, the object’s security level. 37 | ## 38 | ## Things that could affect time 39 | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change 40 | -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change 41 | -a always,exit -F arch=b32 -S clock_settime -F a0=0 -k time-change 42 | -a always,exit -F arch=b64 -S clock_settime -F a0=0 -k time-change 43 | # Introduced in 2.6.39, commented out because it can make false positives 44 | #-a always,exit -F arch=b32 -S clock_adjtime -k time-change 45 | #-a always,exit -F arch=b64 -S clock_adjtime -k time-change 46 | -w /etc/localtime -p wa -k time-change 47 | 48 | ## Things that affect identity 49 | -w /etc/group -p wa -k identity 50 | -w /etc/passwd -p wa -k identity 51 | -w /etc/gshadow -p wa -k identity 52 | -w /etc/shadow -p wa -k identity 53 | -w /etc/security/opasswd -p wa -k identity 54 | 55 | ## Things that could affect system locale 56 | -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale 57 | -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale 58 | -w /etc/issue -p wa -k
system-locale 59 | -w /etc/issue.net -p wa -k system-locale 60 | -w /etc/hosts -p wa -k system-locale 61 | -w /etc/sysconfig/network -p wa -k system-locale 62 | 63 | ## Things that could affect MAC policy 64 | -w /etc/selinux/ -p wa -k MAC-policy 65 | 66 | 67 | ## (GEN002900: CAT III) The IAO will ensure audit files are retained at 68 | ## least one year; systems containing SAMI will be retained for five years. 69 | ## 70 | ## Site action - no action in config files 71 | 72 | ## (GEN002920: CAT III) The IAO will ensure audit files are backed up 73 | ## no less than weekly onto a different system than the system being 74 | ## audited or backup media. 75 | ## 76 | ## Can be done with cron script 77 | 78 | ## (GEN002700: CAT I) (Previously – G095) The SA will ensure audit data 79 | ## files have permissions of 640, or more restrictive. 80 | ## 81 | ## Done automatically by auditd 82 | 83 | ## (GEN002720-GEN002840: CAT II) (Previously – G100-G106) The SA will 84 | ## configure the auditing system to audit the following events for all 85 | ## users and root: 86 | ## 87 | ## - Logon (unsuccessful and successful) and logout (successful) 88 | ## 89 | ## Handled by pam, sshd, login, and gdm 90 | ## Might also want to watch these files if needing extra information 91 | #-w /var/log/tallylog -p wa -k logins 92 | #-w /var/run/faillock/ -p wa -k logins 93 | #-w /var/log/lastlog -p wa -k logins 94 | 95 | 96 | ##- Process and session initiation (unsuccessful and successful) 97 | ## 98 | ## The session initiation is audited by pam without any rules needed. 
99 | ## Might also want to watch this file if needing extra information 100 | #-w /var/run/utmp -p wa -k session 101 | #-w /var/log/btmp -p wa -k session 102 | #-w /var/log/wtmp -p wa -k session 103 | 104 | ##- Discretionary access control permission modification (unsuccessful 105 | ## and successful use of chown/chmod) 106 | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod 107 | -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod 108 | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod 109 | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod 110 | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod 111 | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod 112 | 113 | ##- Unauthorized access attempts to files (unsuccessful) 114 | -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access 115 | -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access 116 | -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access 117 | -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access 118 | 119 | ##- Use of privileged commands (unsuccessful and successful) 120 | ## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this 121 | -a always,exit -F path=/bin/ping -F 
perm=x -F auid>=500 -F auid!=4294967295 -k privileged 122 | 123 | ##- Use of print command (unsuccessful and successful) 124 | 125 | ##- Export to media (successful) 126 | ## You have to mount media before using it. You must disable all automounting 127 | ## so that it's done manually in order to get the correct user requesting the 128 | ## export 129 | -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export 130 | -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export 131 | 132 | ##- System startup and shutdown (unsuccessful and successful) 133 | 134 | ##- Files and programs deleted by the user (successful and unsuccessful) 135 | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete 136 | -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete 137 | 138 | ##- All system administration actions 139 | ##- All security personnel actions 140 | ## 141 | ## Look for pam_tty_audit and add it to your login entry point's pam configs. 142 | ## If that is not found, use sudo which should be patched to record its 143 | ## commands to the audit system. Do not allow unrestricted root shells or 144 | ## sudo cannot record the action. 145 | -w /etc/sudoers -p wa -k actions 146 | 147 | ## (GEN002860: CAT II) (Previously – G674) The SA and/or IAO will 148 | ## ensure old audit logs are closed and new audit logs are started daily. 149 | ## 150 | ## Site action.
Can be assisted by a cron job 151 | 152 | ## Not specifically required by the STIG; but common sense items 153 | ## Optional - could indicate someone trying to do something bad or 154 | ## just debugging 155 | #-a always,exit -F arch=b32 -S ptrace -k tracing 156 | #-a always,exit -F arch=b64 -S ptrace -k tracing 157 | #-a always,exit -F arch=b32 -S ptrace -F a0=4 -k code-injection 158 | #-a always,exit -F arch=b64 -S ptrace -F a0=4 -k code-injection 159 | #-a always,exit -F arch=b32 -S ptrace -F a0=5 -k data-injection 160 | #-a always,exit -F arch=b64 -S ptrace -F a0=5 -k data-injection 161 | #-a always,exit -F arch=b32 -S ptrace -F a0=6 -k register-injection 162 | #-a always,exit -F arch=b64 -S ptrace -F a0=6 -k register-injection 163 | 164 | ## Optional - could be an attempt to bypass audit or simply legacy program 165 | #-a always,exit -F arch=b32 -S personality -F a0!=4294967295 -k bypass 166 | #-a always,exit -F arch=b64 -S personality -F a0!=4294967295 -k bypass 167 | 168 | ## Optional - might want to watch module insertion 169 | #-w /sbin/insmod -p x -k modules 170 | #-w /sbin/rmmod -p x -k modules 171 | #-w /sbin/modprobe -p x -k modules 172 | #-a always,exit -F arch=b32 -S init_module -S finit_module -k module-load 173 | #-a always,exit -F arch=b64 -S init_module -S finit_module -k module-load 174 | #-a always,exit -F arch=b32 -S delete_module -k module-unload 175 | #-a always,exit -F arch=b64 -S delete_module -k module-unload 176 | 177 | ## Optional - admin may be abusing power by looking in user's home dir 178 | #-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse 179 | 180 | ## Optional - log container creation 181 | #-a always,exit -F arch=b32 -S clone -F a0&2080505856 -k container-create 182 | #-a always,exit -F arch=b64 -S clone -F a0&2080505856 -k container-create 183 | 184 | ## Optional - watch for containers that may change their configuration 185 | #-a always,exit -F arch=b32 -S setns -S 
unshare -k container-config 186 | #-a always,exit -F arch=b64 -S setns -S unshare -k container-config 187 | 188 | ## Put your own watches after this point 189 | # -w /your-file -p rwxa -k mykey 190 | 191 | ## Make the configuration immutable - reboot is required to change audit rules 192 | -e 2 193 | 194 | -------------------------------------------------------------------------------- /test/integration/capp/run_spec.rb: -------------------------------------------------------------------------------- 1 | # AuditD CAPP - Smoke Test 2 | 3 | # Service 4 | describe service('auditd') do 5 | it { should be_installed } 6 | it { should be_enabled } 7 | it { should be_running } 8 | end 9 | 10 | # => Audit Rules should have some Content 11 | describe file('/etc/audit/audit.rules') do 12 | it { should be_file } 13 | # => This could probably be made better... 14 | its('content') { should match(%r{-w /etc/passwd -p wa -k CFG_passwd}) } 15 | end 16 | -------------------------------------------------------------------------------- /test/integration/cis/run_spec.rb: -------------------------------------------------------------------------------- 1 | # AuditD CIS - Smoke Test 2 | 3 | # Service 4 | describe service('auditd') do 5 | it { should be_installed } 6 | it { should be_enabled } 7 | it { should be_running } 8 | end 9 | 10 | # => Audit Rules should have some Content 11 | describe file('/etc/audit/audit.rules') do 12 | it { should be_file } 13 | its('content') { should match(/-a always,exit -F arch=b32 -S init_module -S delete_module -k modules/) } 14 | end 15 | 16 | # => Audit Rules should have some Content 17 | OS = os[:release].to_i 18 | describe file('/etc/audit/audit.rules') do 19 | if OS == 6 20 | its('content') { should match(%r{-w /var/log/btmp -p wa -k session}) } 21 | elsif OS == 7 22 | its('content') { should match(%r{-w /var/log/btmp -p wa -k logins}) } 23 | end 24 | end 25 | 26 | # => Auditd conf should have some Content 27 | describe 
file('/etc/audit/auditd.conf') do 28 | it { should be_file } 29 | it { should be_owned_by 'root' } 30 | it { should be_grouped_into 'root' } 31 | its('mode') { should cmp '0640' } 32 | its('content') { should match(/\# This file is managed using Chef./) } 33 | end 34 | 35 | # => Ensure no errors loading the Auditd Configuration 36 | describe command('/sbin/augenrules --load') do 37 | its('exit_status') { should eq 0 } 38 | end 39 | -------------------------------------------------------------------------------- /test/integration/default/run_spec.rb: -------------------------------------------------------------------------------- 1 | # AuditD - Smoke Test 2 | 3 | # Service 4 | describe service('auditd') do 5 | it { should be_installed } 6 | it { should be_enabled } 7 | it { should be_running } 8 | end 9 | 10 | # => Audit Rules File should Exist 11 | describe file('/etc/audit/audit.rules') do 12 | it { should be_file } 13 | end 14 | -------------------------------------------------------------------------------- /test/integration/stig/run_spec.rb: -------------------------------------------------------------------------------- 1 | # AuditD STIG - Smoke Test 2 | 3 | # Service 4 | describe service('auditd') do 5 | it { should be_installed } 6 | it { should be_enabled } 7 | it { should be_running } 8 | end 9 | 10 | # => Audit Rules should have some Content 11 | describe file('/etc/audit/audit.rules') do 12 | it { should be_file } 13 | # => This could probably be made better... 14 | its('content') { should match(%r{/etc/sudoers -p wa -k actions}) } 15 | end 16 | --------------------------------------------------------------------------------