Puppet Class: toughen::auditing

Defined in:
manifests/auditing.pp

Overview

Class: toughen::auditing

Parameters:

  • max_log_file_size (Any) (defaults to: 10)
  • max_log_file_action (Any) (defaults to: 'keep_logs')
  • space_left_action (Any) (defaults to: 'email')
  • action_mail_account (Any) (defaults to: 'root')
  • admin_space_left_action (Any) (defaults to: 'halt')
  • flush (Any) (defaults to: 'data')


# File 'manifests/auditing.pp', line 3

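# @summary Configures auditd and loads a CIS-style audit rule set on
#   RedHat/CentOS 6 and 7.
#
# Enables auditing on the kernel command line, configures the auditd daemon
# through the 'auditd' class, loads a fixed list of syscall and file-watch
# rules, locks the audit configuration ('-e 2') and adds one rule per binary
# listed in this module's privileged_commands fact.
#
# Any operating system other than RedHat/CentOS, or any major release other
# than 6 or 7, fails catalog compilation.
#
# @param max_log_file_size       Passed to the auditd class as max_log_file.
# @param max_log_file_action     Passed to the auditd class as max_log_file_action.
# @param space_left_action       Passed to the auditd class as space_left_action.
# @param action_mail_account     Passed to the auditd class as action_mail_acct.
# @param admin_space_left_action Passed to the auditd class as admin_space_left_action.
# @param flush                   Passed to the auditd class as flush.
class toughen::auditing (
  $max_log_file_size = 10,
  $max_log_file_action = 'keep_logs',
  $space_left_action = 'email',
  $action_mail_account = 'root',
  $admin_space_left_action = 'halt',
  $flush = 'data'
){

  # TODO: Find setuid binaries and check if they're being monitored by auditd
  # ///modules/cis/linuxcontrols/scripts/f0023.sh

  case $::operatingsystem {
    /^(CentOS|RedHat)$/: {
      case $::operatingsystemmajrelease {
        /^(6|7)$/: {
          # audit=1 on the kernel command line so auditing is active from boot.
          kernel_parameter { 'audit':
            ensure => present,
            value  => 1,
          }
        }
        default: {
          fail("Version ${::operatingsystemmajrelease} of RedHat/CentOS is not supported")
        }
      }

      class { 'auditd':
        max_log_file            => $max_log_file_size,
        max_log_file_action     => $max_log_file_action,
        space_left_action       => $space_left_action,
        action_mail_acct        => $action_mail_account,
        admin_space_left_action => $admin_space_left_action,
        flush                   => $flush,
      }

      # RHEL/CentOS 6 ships insmod/rmmod/modprobe under /sbin; 7 merged /sbin
      # into /usr/sbin. auditctl accepts a watch on a path that does not exist
      # without complaint, but such a watch never fires, so the real path is
      # selected per release.
      $module_tool_dir = $::operatingsystemmajrelease ? {
        '6'     => '/sbin',
        default => '/usr/sbin',
      }

      $rules = [
        # stime exists only in the 32-bit syscall table; naming it under
        # arch=b64 makes auditctl reject the whole rule (and with it the
        # adjtimex/settimeofday monitoring), so the b64 rule omits it.
        '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change',
        '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change',
        '-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change',
        '-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change',
        '-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale',
        '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale',
        # auid>=1000 restricts the rules to real users; 4294967295 is the
        # "unset" login uid of daemons and processes started before login.
        '-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod',
        '-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod',
        '-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod',
        '-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod',
        '-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod',
        '-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod',
        # Failed (EACCES/EPERM) file access attempts only; successful opens are
        # far too noisy to record.
        '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access',
        '-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access',
        '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access',
        '-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access',
        '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts',
        '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts',
        '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete',
        '-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete',
        # NOTE(review): the two 'export' rules match exactly the same events as
        # the 'mounts' rules above and differ only in key; if the kernel filter
        # stops at the first matching rule the 'export' key is never reported.
        # Confirm whether both keys are actually wanted.
        '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export',
        '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k export',
        '-a always,exit -F arch=b64 -S init_module -S delete_module -k modules',
        '-a always,exit -F arch=b32 -S init_module -S delete_module -k modules',
        '-w /etc/localtime -p wa -k time-change',
        '-w /etc/group -p wa -k identity',
        '-w /etc/passwd -p wa -k identity',
        '-w /etc/gshadow -p wa -k identity',
        '-w /etc/shadow -p wa -k identity',
        '-w /etc/security/opasswd -p wa -k identity',
        '-w /etc/issue -p wa -k system-locale',
        '-w /etc/issue.net -p wa -k system-locale',
        '-w /etc/hosts -p wa -k system-locale',
        '-w /etc/sysconfig/network -p wa -k system-locale',
        '-w /etc/selinux/ -p wa -k MAC-policy',
        '-w /var/log/tallylog -p wa -k logins',
        '-w /var/run/faillock/ -p wa -k logins',
        '-w /var/log/lastlog -p wa -k logins',
        '-w /var/run/utmp -p wa -k session',
        '-w /var/log/wtmp -p wa -k session',
        '-w /var/log/btmp -p wa -k session',
        '-w /etc/sudoers -p wa -k scope',
        '-w /etc/sudoers.d -p wa -k scope',
        '-w /var/log/sudo.log -p wa -k actions',
        "-w ${module_tool_dir}/insmod -p x -k modules",
        "-w ${module_tool_dir}/rmmod -p x -k modules",
        "-w ${module_tool_dir}/modprobe -p x -k modules",
      ]
      auditd::rule { $rules: }

      # '-e 2' locks the audit configuration. It is ordered last so every rule
      # above is loaded before the lock takes effect; once locked, any rule
      # change only applies after a reboot.
      auditd::rule { 'immutable':
        content => '-e 2',
        order   => '999',
      }

      # Use the custom fact defined by this module. It is expected to be a
      # comma-separated list of privileged binaries. Depending on the Puppet
      # version, split() of an absent fact either fails compilation or yields
      # no resources -- TODO confirm which behaviour is intended on first run.
      $binary_array = split($::privileged_commands, ',')
      toughen::audit_priv_command { $binary_array: }
    }
    default: {
      fail("OS ${::operatingsystem} is not supported")
    }
  }
}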