Puppet Class: cis_security_hardening::rules::auditd_scope

Defined in:
manifests/rules/auditd_scope.pp

Summary

Ensure changes to system administration scope (sudoers) is collected

Overview

Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier “scope.”

Rationale: Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.

Examples:

class { 'cis_security_hardening::rules::auditd_scope':
          enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Sets rule enforcement. If set to true, code will be exeuted to bring the system into a comliant state.



23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
 
# File 'manifests/rules/auditd_scope.pp', line 23

class cis_security_hardening::rules::auditd_scope (
  Boolean $enforce                 = false,
) {
  if $enforce {
    concat::fragment { 'watch scope rule 1':
      order   => '101',
      target  => $cis_security_hardening::rules::auditd_init::rules_file,
      content => '-w /etc/sudoers -p wa -k scope',
    }
    concat::fragment { 'watch scope rule 2':
      order   => '102',
      target  => $cis_security_hardening::rules::auditd_init::rules_file,
      content => '-w /etc/sudoers.d/ -p wa -k scope',
    }
  }
}