Puppet Class: auditd::config::audit_profiles::stig

Defined in:
manifests/config/audit_profiles/stig.pp

Summary

A set of audit rules that are configured to satisfy DISA STIG compliance checks for EL7.

Overview

The defaults for this profile generate a set of audit rules that conform to the automated DISA STIG compliance checks for RHEL7. Satisfying the checks as written, rather than the intent of the underlying security requirements, requires rules that are not optimized, and those rules in turn degrade system performance.

WARNING: **These rules may overload your system and/or log server!**

When auditd performance is an issue, you may wish to

  • Disable capabilities that, despite being required by DISA STIG for RHEL7, produce large volumes of audit records of limited utility. `chmod` auditing for all non-service users falls in this category.

  • Use the optimized `auditd::config::audit_profiles::simp` profile instead. That profile is both more comprehensive and more performant.
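As an added example (not part of the module's own documentation), the following Hiera data selects this profile and turns off the high-volume `chmod` auditing while leaving the other STIG rules at their defaults. Because the class calls `assert_private()`, its parameters can only be set through Hiera automatic parameter lookup under the fully qualified class name. The `auditd::config::profiles` key is inferred from the `$auditd::config::profiles` reference in the class body and `auditd::uid_min` from the `$::auditd::uid_min` default; the site-specific binary path and the alternate tag value are made up for illustration.

```yaml
# Constructed Hiera example; every key is a fully qualified class parameter.

# Select the STIG profile. The class numbers its rules file by its position
# in this array (50_<index>_stig_base.rules under /etc/audit/rules.d).
auditd::config::profiles:
  - 'stig'

# Only human users are audited by the UID-limited rules; anything below
# this UID is ignored unless a rule is placed ahead of the limiting rule.
auditd::uid_min: 1000

# Drop the chmod rules: STIG-required, but usually the first thing to cut
# when auditd or the central log server is overloaded.
auditd::config::audit_profiles::stig::audit_chmod: false

# Keep xattr auditing, but give it its own key so it can be filtered
# separately from chown events (hypothetical tag value).
auditd::config::audit_profiles::stig::audit_attr_tag: 'xattr_mod'

# Add a site-specific setuid binary; the class merges this with the module
# default list via unique($default_suid_sgid_cmds + $suid_sgid_cmds).
auditd::config::audit_profiles::stig::suid_sgid_cmds:
  - '/usr/local/bin/site-helper'   # hypothetical path
```

Switching to the `simp` profile is a matter of replacing `'stig'` in `auditd::config::profiles` (assuming that profile uses the same short-name convention); parameters under the `auditd::config::audit_profiles::stig::` namespace are then simply unused. After the Puppet run, `auditctl -l` lists the rules actually loaded into the kernel, which is the place to confirm that the `chmod`/`fchmod`/`fchmodat` syscall rules are gone.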

Parameters:

  • uid_min (Integer[0]) (defaults to: $::auditd::uid_min)

    The minimum UID for human users on the system. Audit events generated by users with a UID below this number are ignored unless a corresponding rule is inserted ahead of the UID-limiting rule in the rules list. When using `auditd::rule`, you can create such a rule by setting the `absolute` parameter to 'first'.

  • audit_unsuccessful_file_operations (Boolean) (defaults to: true)

    Whether to audit unsuccessful file operations, i.e., file operations that fail with the EACCES or EPERM error codes.

  • audit_unsuccessful_file_operations_tag (String[1]) (defaults to: 'access')

    The tag to identify the unsuccessful file operations in an audit record

  • audit_chown (Boolean) (defaults to: true)

    Whether to audit `chown` operations for all non-service users. These operations are provided by the `chown`, `fchown`, `fchownat`, and `lchown` system calls.

  • audit_chown_tag (String[1]) (defaults to: 'perm_mod')

    The tag to identify `chown` operations in an audit record

  • audit_chmod (Boolean) (defaults to: true)

    Whether to audit `chmod` operations for all non-service users. These operations are provided by the `chmod`, `fchmod`, and `fchmodat` system calls.

  • audit_chmod_tag (String[1]) (defaults to: 'perm_mod')

    The tag to identify `chmod` operations in an audit record

  • audit_attr (Boolean) (defaults to: true)

    Whether to audit `xattr` operations for all non-service users. These operations are provided by the `setxattr`, `lsetxattr`, `fsetxattr`, `removexattr`, `lremovexattr`, and `fremovexattr` system calls.

  • audit_attr_tag (String[1]) (defaults to: 'perm_mod')

    The tag to identify `xattr` operations in an audit record

  • audit_rename_remove (Boolean) (defaults to: true)

    Whether to audit rename/remove operations for all non-service users. These operations are provided by the `rename`, `renameat`, `rmdir`, `unlink`, and `unlinkat` system calls.

  • audit_rename_remove_tag (String[1]) (defaults to: 'delete')

    The tag to identify rename/remove operations in an audit record

  • audit_suid_sgid (Boolean) (defaults to: true)

    Whether to audit `setuid`/`setgid` commands

  • default_suid_sgid_cmds (Array[String[1]]) (no default in the class signature; supplied by the module's Hiera data)

    The default list of `setuid`/`setgid` commands to be audited.

    • Should not include commands audited by other rules.

  • suid_sgid_cmds (Array[String[1]]) (defaults to: [])

    Additional `setuid`/`setgid` commands to be audited. Use this to augment `$default_suid_sgid_cmds` per your site's needs; the two lists are merged and de-duplicated.

  • audit_suid_tag (String[1]) (defaults to: 'setuid')

    The tag to identify `setuid` command execution in an audit record

  • audit_sgid_tag (String[1]) (defaults to: 'setgid')

    The tag to identify `setgid` command execution in an audit record

  • audit_suid_sgid_tag (String[1]) (defaults to: "${audit_suid_tag}/${audit_sgid_tag}")

    The tag to identify `setuid`/`setgid` command execution in an audit record

  • audit_kernel_modules (Boolean) (defaults to: true)

    Whether to audit kernel module operations

  • audit_kernel_modules_tag (String[1]) (defaults to: 'module-change')

    The tag to identify kernel module operations in an audit record

  • audit_mount (Boolean) (defaults to: true)

    Whether to audit mount operations

  • audit_mount_tag (String[1]) (defaults to: 'privileged-mount')

    The tag to identify mount operations in an audit record

  • audit_local_account (Boolean) (defaults to: true)

    Whether to audit local account changes

  • audit_local_account_tag (String[1]) (defaults to: 'identity')

    The tag to identify local account changes in an audit record

  • audit_selinux_cmds (Boolean) (defaults to: true)

    Whether to audit the `chcon`, `semanage`, `setsebool`, and `setfiles` commands

  • audit_selinux_cmds_tag (String[1]) (defaults to: 'privileged-priv_change')

    The tag to identify selinux command execution in an audit record

  • audit_login_files (Boolean) (defaults to: true)

    Whether to audit changes to login files

  • audit_login_files_tag (String[1]) (defaults to: 'logins')

    The tag to identify login file changes in an audit record

  • audit_cfg_sudoers (Boolean) (defaults to: true)

    Whether to audit changes to sudoers configuration files

  • audit_cfg_sudoers_tag (String[1]) (defaults to: 'privileged-actions')

    The tag to identify sudoers configuration file changes in an audit record

  • audit_passwd_cmds (Boolean) (defaults to: true)

    Whether to audit the execution of password commands, i.e., `passwd`, `unix_chkpwd`, `gpasswd`, `chage`, and `userhelper`

  • audit_passwd_cmds_tag (String[1]) (defaults to: 'privileged-passwd')

    The tag to identify password command execution in an audit record

  • audit_priv_cmds (Boolean) (defaults to: true)

    Whether to audit the execution of privilege-related commands, i.e., `su`, `sudo`, `newgrp`, `chsh`, and `sudoedit`

  • audit_priv_cmds_tag (String[1]) (defaults to: 'privileged-priv_change')

    The tag to identify privilege-related command execution in an audit record

  • audit_postfix_cmds (Boolean) (defaults to: true)

    Whether to audit the execution of postfix-related commands, i.e., `postdrop` and `postqueue`

  • audit_postfix_cmds_tag (String[1]) (defaults to: 'privileged-postfix')

    The tag to identify postfix-related command execution in an audit record

  • audit_ssh_keysign_cmd (Boolean) (defaults to: true)

    Whether to audit the execution of the `ssh-keysign` command

  • audit_ssh_keysign_cmd_tag (String[1]) (defaults to: 'privileged-ssh')

    The tag to identify `ssh-keysign` command execution in an audit record

  • audit_crontab_cmd (Boolean) (defaults to: true)

    Whether to audit the execution of the `crontab` command

  • audit_crontab_cmd_tag (String[1]) (defaults to: 'privileged-cron')

    The tag to identify `crontab` command execution in an audit record

  • audit_pam_timestamp_check_cmd (Boolean) (defaults to: true)

    Whether to audit the execution of the `pam_timestamp_check` command

  • audit_pam_timestamp_check_cmd_tag (String[1]) (defaults to: 'privileged-pam')

    The tag to identify `pam_timestamp_check` command execution in an audit record



# File 'manifests/config/audit_profiles/stig.pp', line 163

class auditd::config::audit_profiles::stig (
  Integer[0]       $uid_min                                = $::auditd::uid_min,
  Boolean          $audit_unsuccessful_file_operations     = true,
  String[1]        $audit_unsuccessful_file_operations_tag = 'access',
  Boolean          $audit_chown                            = true,
  String[1]        $audit_chown_tag                        = 'perm_mod',
  Boolean          $audit_chmod                            = true,
  String[1]        $audit_chmod_tag                        = 'perm_mod',
  Boolean          $audit_attr                             = true,
  String[1]        $audit_attr_tag                         = 'perm_mod',
  Boolean          $audit_rename_remove                    = true,
  String[1]        $audit_rename_remove_tag                = 'delete',
  Boolean          $audit_suid_sgid                        = true,
  Array[String[1]] $default_suid_sgid_cmds,                   # no default here; supplied by the module's Hiera data
  Array[String[1]] $suid_sgid_cmds                         = [],
  String[1]        $audit_suid_tag                         = 'setuid',
  String[1]        $audit_sgid_tag                         = 'setgid',
  String[1]        $audit_suid_sgid_tag                    = "${audit_suid_tag}/${audit_sgid_tag}",
  Boolean          $audit_kernel_modules                   = true,
  String[1]        $audit_kernel_modules_tag               = 'module-change',
  Boolean          $audit_mount                            = true,
  String[1]        $audit_mount_tag                        = 'privileged-mount',
  Boolean          $audit_local_account                    = true,
  String[1]        $audit_local_account_tag                = 'identity',
  Boolean          $audit_selinux_cmds                     = true,
  String[1]        $audit_selinux_cmds_tag                 = 'privileged-priv_change',
  Boolean          $audit_login_files                      = true,
  String[1]        $audit_login_files_tag                  = 'logins',
  Boolean          $audit_cfg_sudoers                      = true,
  String[1]        $audit_cfg_sudoers_tag                  = 'privileged-actions',
  Boolean          $audit_passwd_cmds                      = true,
  String[1]        $audit_passwd_cmds_tag                  = 'privileged-passwd',
  Boolean          $audit_priv_cmds                        = true,
  String[1]        $audit_priv_cmds_tag                    = 'privileged-priv_change',
  Boolean          $audit_postfix_cmds                     = true,
  String[1]        $audit_postfix_cmds_tag                 = 'privileged-postfix',
  Boolean          $audit_ssh_keysign_cmd                  = true,
  String[1]        $audit_ssh_keysign_cmd_tag              = 'privileged-ssh',
  Boolean          $audit_crontab_cmd                      = true,
  String[1]        $audit_crontab_cmd_tag                  = 'privileged-cron',
  Boolean          $audit_pam_timestamp_check_cmd          = true,
  String[1]        $audit_pam_timestamp_check_cmd_tag      = 'privileged-pam',
) {

  # Declared only by auditd::config; parameters are set through Hiera
  assert_private()
  # Site additions are merged with the module default list and de-duplicated
  $_suid_sgid_cmds = unique($default_suid_sgid_cmds + $suid_sgid_cmds)

  $_short_name = 'stig'
  # Position of this profile in auditd::config::profiles orders the rules files
  $_idx = auditd::get_array_index($_short_name, $auditd::config::profiles)

  file { "/etc/audit/rules.d/50_${_idx}_${_short_name}_base.rules":
    mode    => $auditd::config::config_file_mode,
    content => epp("${module_name}/rule_profiles/stig/base.epp")
  }
}