Puppet Class: cis_security_hardening::rules::auditd_rmdir

Defined in:
manifests/rules/auditd_rmdir.pp

Summary

Ensure audit of the rmdir syscall

Overview

The operating system must audit all uses of the rmdir syscall.

Rationale: If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.

Examples:

class { 'cis_security_hardening::rules::auditd_rmdir':
  enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule.



# File 'manifests/rules/auditd_rmdir.pp', line 19

class cis_security_hardening::rules::auditd_rmdir (
  Boolean $enforce = false,
) {
  if $enforce {
    $uid = fact('cis_security_hardening.auditd.uid_min') ? {
      undef => '1000',
      default => fact('cis_security_hardening.auditd.uid_min'),
    }
    concat::fragment { 'watch rmdir rule 1':
      order   => '210',
      target  => $cis_security_hardening::rules::auditd_init::rules_file,
      content => "-a always,exit -F arch=b32 -S rmdir -F auid>=${uid} -F auid!=4294967295 -k delete",
    }
    if $facts['os']['architecture'] == 'x86_64' or $facts['os']['architecture'] == 'amd64' {
      concat::fragment { 'watch rmdir rule 2':
        order   => '211',
        target  => $cis_security_hardening::rules::auditd_init::rules_file,
        content => "-a always,exit -F arch=b64 -S rmdir -F auid>=${uid} -F auid!=4294967295 -k delete",
      }
    }
  }
}
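The two concat fragments above only declare the intended rules; whether they are actually present on a host is a separate check. The following Python is an added example, not part of the cis_security_hardening module: it parses either the generated rules file or `auditctl -l` output and reports which architectures lack a compliant rmdir rule. The sample rule text is constructed from the fragment content above, and uid_min is assumed to be passed as the string the class takes from the fact (default '1000').

```python
import shlex

# Constructed sample: the two fragments this class writes when uid_min is 1000.
SAMPLE_RULES = """
-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
"""
# Constructed drift case: only the b32 fragment reached the host.
DRIFTED_RULES = """
-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
"""


def parse_rule(line):
    """Split one '-a ...' syscall rule into its action, syscalls, filters and key."""
    toks = shlex.split(line)
    rule = {"action": None, "syscalls": set(), "filters": set(), "key": None}
    for flag, value in zip(toks, toks[1:]):
        if flag == "-a":
            rule["action"] = value
        elif flag == "-S":
            rule["syscalls"].update(value.split(","))
        elif flag == "-F" and value.startswith("key="):
            rule["key"] = value[4:]  # 'auditctl -l' prints -k as -F key=
        elif flag == "-F":
            # 'auditctl -l' shows the unset auid 4294967295 as -1; normalise it
            rule["filters"].add(value.replace("auid!=-1", "auid!=4294967295"))
        elif flag == "-k":
            rule["key"] = value
    return rule


def missing_rmdir_rules(rules_text, uid_min, x86_64=True):
    """Return the arch values (b32/b64) lacking a compliant rmdir rule; accepts
    the generated rules file or 'auditctl -l' output, uid_min as a string."""
    wanted = {"b32", "b64"} if x86_64 else {"b32"}
    found = set()
    for line in rules_text.splitlines():
        rule = parse_rule(line.strip()) if line.strip().startswith("-a") else None
        if not rule or rule["action"] != "always,exit" or "rmdir" not in rule["syscalls"]:
            continue
        arch = next((f[5:] for f in rule["filters"] if f.startswith("arch=")), None)
        if (arch in wanted and f"auid>={uid_min}" in rule["filters"]
                and "auid!=4294967295" in rule["filters"] and rule["key"] == "delete"):
            found.add(arch)
    return sorted(wanted - found)


if __name__ == "__main__":
    print(missing_rmdir_rules(SAMPLE_RULES, "1000"), missing_rmdir_rules(DRIFTED_RULES, "1000"))
```

On a live host, feed it the output of `auditctl -l` to catch rules that were written to the file but never loaded into the kernel.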