auditd

A SIMP puppet module for managing auditd and audispd

Project URL RSS Feed Report issues

Module Stats

60,289 downloads

953 latest version

4.2 quality score

Version information

released Jul 16th 2024

This version is compatible with:

Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
Puppet >= 7.0.0 < 9.0.0
, , , , ,

Start using this module

Installation method

Add this module to your Puppetfile:

mod 'simp-auditd', '8.14.3'

Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add simp-auditd

Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install simp-auditd --version 8.14.3

Tags: auditd, simp, audispd

Documentation

simp/auditd — version 8.14.3 Jul 16th 2024

Overview
This is a SIMP module
Module Description
Setup
- Setup Requirements
- What Auditd Affects
Usage
Development
- Acceptance tests

Overview

This module manages the Audit daemon, kernel parameters, and related subsystems.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
If used independently, all SIMP-managed security subsystems will be disabled by default and must be explicitly opted into by administrators. Please review simp_options for details.

Module Description

You can use this module for the management of all components of auditd including configuration, service management, kernel parameters, and custom rule sets.

By default, a rule set is provided that should meet a reasonable set of operational goals for most environments.

The audit kernel parameter may optionally be managed independently of the rest of the module using the ::auditd::config::grub class.

Setup

Setup Requirements

If auditd::syslog is true, you will need to install simp/rsyslog as a dependency.

What Auditd Affects

The audit kernel parameter
- NOTE: This will be applied to all kernels in your standard grub configuration
The auditd service
The audid configuration in /etc/auditd.conf
The auditd rules in /etc/audit/rules.d
The audispd configuration in /etc/audisp/audispd.conf
The audispd syslog configuration if manage_syslog_plugin is enabled. audit version 2 : /etc/audisp/plugins.d/syslog.conf audit version 3 : /etc/auditd/plugins.d/syslog.conf

Usage

Basic Usage

# Set up auditd with the default settings and SIMP default ruleset
# A message will be printed indicating that you need to reboot for this option
# to take full effect at each Puppet run until you reboot your system.

include 'auditd'

Disabling Auditd

To disable auditd at boot, set the following in hieradata:

auditd::at_boot: false

Enable/Disable sending audit event to syslog:

This capability is most useful for forwarding audit records to remote servers as syslog messages, since these records are already persisted locally in audit logs. For most sites, however, using this capability for all audit records can quickly overwhelm host and/or network resources, especially if the messages are forwarded to multiple remote syslog servers or persisted locally. Site-specific, rsyslog actions to implement filtering will likely be required to reduce this message traffic.

The setting auditd::syslog, defaults to false or syslog_options::syslog if you include simp_options. If you set auditd::syslog: false, it will not necessarily disable auditd logging to syslog, puppet will just no longer manage the syslog.conf plugin file.

The settings needed for enabling/disabling sending audit log messages to syslog are shown below.

To enable:

auditd::syslog: true
auditd::config::audisp::syslog::enable: true
auditd::config::audisp::syslog::drop_audit_logs: false
# The setting for drop_audit_logs enabled for backwards compatability
# but should be set to false if you want auditd to log to syslog.

To disable:

auditd::syslog: true
auditd::config::audisp::syslog::enable: false

Changing Key Values

To override the default values included in the module, you can either include new values for the keys at the time that the classes are declared, or set the values in hieradata:


class { 'auditd':
  ignore_failures => true,
  log_group       => 'root',
  flush           => 'INCREMENTAL'
}

auditd::ignore_failures: true
auditd::log_group: 'root'
auditd::flush: 'INCREMENTAL'

Understanding Auditd Profiles

This module supports various configurations both independently and simultaneously to meet varying end user requirements.

NOTE: The default behavior of this module is to ignore any invalid rules and apply as much of the rule set as possible. This is done so that you end up with an effective level of auditing regardless of a simply typo or conflicting rule. Please test your final rule sets to ensure that your system is auditing as expected.

The auditd::default_audit_profiles parameter determines which profiles are included, and in what order the rules are added to the system.

The auditd::default_audit_profiles has a default setting of [ 'simp' ] which applies the optimized SIMP auditing profile which is suitable for meeting most generally available compliance requirements. It does not, however, generally appease the scanning utilities since it optimizes the rules for performance and most scanners cannot handle audit rule optimizations.

There are three other profiles available in the system by default:

stig => Applies the rules as defined in the latest covered DISA STIG
custom => Allows users to define their own rules easily via Hiera
built_in => Allows usage of EL8+ included sample rulesets to configure system

There are a large number of parameters exposed for each profile that are meant to be set via Hiera and you should take a look at the REFERENCE.md file to understand the full capabilities of each profile.

Stacking Profiles

In some cases, you may want to combine profiles in different orders. This may either be done in order to pass a particular scanning engine or to ensure that items that are not caught by the first profile are caught by the second.

Profiles are included and ordered by passing an Array to the auditd::default_audit_profiles parameter and are added to auditd in the order in which they are defined in the Array.

For example, this (the default) would only add the simp profile:

auditd::default_audit_profiles:
  - 'simp'

Likewise, this would add the stig rules prior to the simp profile:

auditd::default_audit_profiles:
  - 'stig'
  - 'simp'

The Custom Profile

Users may wish to either completely override the default profiles or prepend/append their own rules to the stack for compliance purposes.

You can easily do this via Hiera as shown in the following example:

auditd::config::audit_profiles::custom::rules:
  - '-w /etc/passwd -wa -k passwd_files'
  - '-w /etc/shadow -wa -k passwd_files'

To activate the custom profile, you will need to set the auditd::default_audit_profiles parameter as shown in the following examples:

Override All Other Profiles

auditd::default_audit_profiles:
  - 'custom'

Prepend Before the SIMP Profile

auditd::default_audit_profiles:
  - 'custom'
  - 'simp'

Append After the SIMP and STIG Profiles

auditd::default_audit_profiles:
  - 'simp'
  - 'stig'
  - 'custom'

The Built-in Profile

Starting with release 3.0.0-17 on EL8 hosts, the audit package includes a number of sample-rules under /usr/share/audit/sample-rules that can be used to configure a system fairly completely. Within these rules are sets for STIG, OSPP, etc. that can simply be moved to /etc/audit/rules.d and compiled with augenrules to configure a system.

Disabling All SIMP-provided Profiles

Most likely, if using the sample rulesets from the built-in profile, you will want to disable included SIMP profiles (not necessary, but may include overlapping rules if not). To do this:

auditd::default_audit_profiles:
  - 'built_in'

Enabling Sample Rulesets with Built-in Profile

To enable specific sample rulesets, simply include them in the built-in profile parameter:

auditd::config::audit_profiles::built_in::rulesets:
  - 'base-config'
  - 'stig'
  - 'finalize'

where the ruleset names are found via the custom fact auditd_sample_rulesets

Configuring Complete Rulesets with Built-in Profile

If you are only planning to use the built_in profile and the included sample rulesets to configure the system, it will be worth noting that profile-specific sample files include configuration information within comments in the files as well.

As an example, the STIG rules sample file will note that it relies on base-config and finalize rulesets to be feature-complete. Other rulesets will contain similar information.

Adding One-Off Rules

Rules are alphanumerically ordered based on file-system globbing. It is recommended that users use the auditd::rule defined type for adding rules.

Other options are available with auditd::rule but these are the most commonly used.

Adding Regular Filter Rules


auditd::rule { 'failed_file_creation':
  content => '-a always,exit -F arch=b64 -S creat -F exit=-EACCES -k failed_file_creation'
}


auditd::rule { 'passwd_file_watches':
  content => [
    '-w /etc/passwd -wa -k passwd_files',
    '-w /etc/shadow -wa -k passwd_files'
  ]
}

Prepend and Drop Everything From a User

This will make your rule land in the 00 set of rules.


auditd::rule { 'pre_drop_user_5000':
  content => '-a exit,never -F auid=5000',
  prepend => true
}

Development

Please read our Contribution Guide

Acceptance tests

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:

bundle exec rake beaker:suites

Some environment variables may be useful:

BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
BEAKER_fips=yes

BEAKER_debug: show the commands being run on the STU and their output.
BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests to run on isolated networks.
BEAKER_fips=yes: enable FIPS-mode on the virtual instances. This can take a very long time, because it must enable FIPS in the kernel command-line, rebuild the initramfs, then reboot.

Please refer to the SIMP Beaker Helpers documentation for more information.

Reference

Classes

auditd: Configure the audit daemon for use with a specified audit profile.
auditd::config: This class is called from auditd for service config.
auditd::config::audisp: Configures the audit dispatcher primarily for sending audit logs directly to syslog without intervention.
auditd::config::audisp::syslog: Utilizes rsyslog to send all audit records to syslog.
auditd::config::audisp_service: Notify auditd to restart to ensure the process for audisp is running.
auditd::config::audit_profiles: Provides global audit rule configuration and a base set of audit rules based on the built-in audit profile(s).
auditd::config::audit_profiles::built_in: An audit profile that allows the use of sample rulesets included with the audit package to be used to configure a system.
auditd::config::audit_profiles::custom: A set of user specified rules in a form that is easy to manipulate via Hiera
auditd::config::audit_profiles::simp: A set of general purpose audit rules that should meet most security policy requirements
auditd::config::audit_profiles::stig: A set of audit rules that are configured to satisfy DISA STIG compliance checks for EL7.
auditd::config::grub: Enables/disables auditing at boot time.
auditd::config::logging: Ensures that plugin for syslog is installed so audit events can be sent to syslog in addition the audit partition.
auditd::install: Install the auditd packages
auditd::service: Ensure that the auditd service is running

Defined types

auditd::rule: Add rules to the audit daemon.

Functions

auditd::calculate_space_left: Calculates the correct default value for 'space_left' based on the value of 'admin_space_left'.
auditd::get_array_index: Returns a string that represents the first index of the specified element within the Array.
auditd::validate_init_params: Validates selected params from the main auditd class.

Data types

Auditd::AuditProfile: Matches the types of auditd profiles allowed
Auditd::DiskErrorAction: Matches disk error actions in auditd.conf
Auditd::DiskFullAction: Matches actions to take when disk is full (see auditd.conf)
Auditd::Flush: Matches actions flush in auditd.conf
Auditd::LogFacility: Matches log facility that can be used in syslog.conf plugin
Auditd::LogFormat: Matches log formats that can be used in auditd.conf
Auditd::LogPriority: Matches log priorities that can be used in syslog.conf plugin
Auditd::MaxLogFileAction: Matches available matches for maxlogfileaction in auditd.conf
Auditd::NameFormat: Matche s available name formats in audotd.conf
Auditd::OverflowAction: Matches overflow_action settings in auditd.conf or audisp.conf
Auditd::RootAuditLevel: Matches root audit level settings in auditd.conf
Auditd::SpaceLeftAction: Matches spaceleftaction for auditd.conf

Classes

`auditd`

Any variable that is not described here can be found in auditd.conf(5) and auditctl(8).

See also
- auditd.conf(5)
- auditctl(8)

Parameters

The following parameters are available in the auditd class:

enable
default_audit_profile
default_audit_profiles
audit_auditd_config
lname
ignore_anonymous
ignore_crond
ignore_time_daemons
ignore_crypto_key_user
ignore_errors
ignore_failures
ignore_system_services
action_mail_acct
admin_space_left
admin_space_left_action
at_boot
buffer_size
backlog_wait_time
disk_error_action
disk_full_action
disp_qos
dispatcher
failure_mode
flush
freq
immutable
log_file
local_events
log_format
log_group
loginuid_immutable
max_log_file
max_log_file_action
max_restarts
name_format
num_logs
overflow_action
package_name
package_ensure
plugin_dir
priority_boost
q_depth
rate
root_audit_level
service_name
space_left
space_left_action
syslog
target_selinux_types
uid_min
verify_email
write_logs
purge_auditd_rules

`enable`

Data type: Boolean

If true, enable auditing.

Default value: true

`default_audit_profile`

Data type: Optional[Variant[Enum['simp'],Boolean]]

Deprecated by $default_audit_profiles

Default value: undef

`default_audit_profiles`

Data type: Array[Auditd::AuditProfile]

The built-in audit profile(s) to use to provide global audit rule configuration (error handling, buffer size, etc.) and a base set of audit rules.

When more than one profile is specified, the profile rules are effectively concatenated in the order the profiles are listed.
To add rules to the base set, use auditd::rule.
To manage the audit rules, yourself, set this parameter to [].
@see auditd::config::audit_profiles for more details about this configuration.

Default value: [ 'simp' ]

`audit_auditd_config`

Data type: Boolean

Set up an audit rule to audit the auditd configuration files.

Default value: true

`lname`

Data type: String

An alias for the name variable in the configuration file. This is used since $name is a reserved keyword in Puppet.

Default value: $facts['networking']['fqdn']

`ignore_anonymous`

Data type: Boolean

For built-in audit profiles, whether to drop anonymous and daemon events, i.e., events for which auid is '-1' (aka 'unset'). Audit records from these events are prolific but not useful.

Default value: true

`ignore_crond`

Data type: Boolean

For built-in audit profiles, whether to drop events related to cron jobs. cron creates a lot of audit events that are not usually useful.

Default value: true

`ignore_time_daemons`

Data type: Boolean

Ignore time modifications by time daemons that are running on the system since this is valid activity.

Default value: true

`ignore_crypto_key_user`

Data type: Boolean

Ignore CRYPTO_KEY_USER logs since these are generally noise.

Default value: true

`ignore_errors`

Data type: Boolean

Whether to set the auditctl '-i' option

Default value: true

`ignore_failures`

Data type: Boolean

Whether to set the auditctl '-c' option

Default value: true

`ignore_system_services`

Data type: Boolean

For built-in audit profiles, whether to ignore system service events, i.e., events for which the auid is set but is less than the minimum UID for human users on the system. In most security guides, this filter is attached to every system call rule. So, by implementing the filter in an upfront drop rule, this feature provides optimization of that filtering.

Default value: true

`action_mail_acct`

Data type: String[1]

Default value: 'root'

`admin_space_left`

Data type: Variant[Integer[0],Pattern['^\d+%$']]

Default value: 50

`admin_space_left_action`

Data type: Auditd::SpaceLeftAction

Default value: 'rotate'

`at_boot`

Data type: Boolean

If true, modify the Grub settings to enable auditing at boot time.

Default value: true

`buffer_size`

Data type: Integer[0]

Value of the auditctl '-b' option

Default value: 16384

`backlog_wait_time`

Data type: Optional[Integer[1,600000]]

Default value: undef

`disk_error_action`

Data type: Auditd::DiskErrorAction

Default value: 'syslog'

`disk_full_action`

Data type: Auditd::DiskFullAction

Default value: 'rotate'

`disp_qos`

Data type: Enum['lossy','lossless']

auditd version 2 only

Default value: 'lossy'

`dispatcher`

Data type: Stdlib::Absolutepath

auditd version 2 only

Default value: '/sbin/audispd'

`failure_mode`

Data type: Integer[0]

Value of the auditctl '-f' option

Default value: 1

`flush`

Data type: Auditd::Flush

Default value: 'incremental'

`freq`

Data type: Integer[0]

Default value: 20

`immutable`

Data type: Boolean

Whether or not to make the configuration immutable when using built-in audit profiles. Be aware that, should you choose to make the configuration immutable, you will not be able to change your audit rules without a reboot.

Default value: false

`log_file`

Data type: Stdlib::Absolutepath

Default value: '/var/log/audit/audit.log'

`local_events`

Data type: Optional[Boolean]

auditd version 3 only

Default value: undef

`log_format`

Data type: Auditd::LogFormat

The output log format

'NOLOG' is deprecated as of auditd 2.5.2
'ENRICHED' is only available in auditd >= 2.6.0

Default value: 'raw'

`log_group`

Data type: String

Default value: 'root'

`loginuid_immutable`

Data type: Boolean

Sets the --loginuid-immutable option

This has been noted to potentially cause issues with some types of containers but a concrete explanation of what types has not yet been found.

Default value: true

`max_log_file`

Data type: Integer[0]

Default value: 24

`max_log_file_action`

Data type: Auditd::MaxLogFileAction

Default value: 'rotate'

`max_restarts`

Data type: Optional[Integer[1]]

sets the number of times a plugin will be restart.

Default value: undef

`name_format`

Data type: Auditd::NameFormat

Default value: 'user'

`num_logs`

Data type: Integer[0]

Default value: 5

`overflow_action`

Data type: Optional[Auditd::Overflowaction]

sets the overflow action.

Default value: undef

`package_name`

Data type: String[1]

The name of the auditd package.

Default value: 'audit'

`package_ensure`

Data type: Simplib::PackageEnsure

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

`plugin_dir`

Data type: Stdlib::Absolutepath

sets the directory for the plugin configuration files.

`priority_boost`

Data type: Integer[0]

Default value: 3

`q_depth`

Data type: Integer[0]

how big to make the internal queue of the audit event dispatcher

Default value: 400

`rate`

Data type: Integer[0]

Value of the auditctl '-r' option

Default value: 0

`root_audit_level`

Data type: Auditd::RootAuditLevel

What level of auditing should be used for su-root activity in built-in audit profiles that provide su-root rules. Be aware that setting this to anything besides 'basic' may overwhelm your system and/or log server. Options can be, 'basic', 'aggressive', 'insane'. For the 'simp' audit profile, these options are as follows:

Basic: Safe syscall rules, should not follow program execution outside of the base app
Aggressive: Adds syscall rules for execve, rmdir and variants of rename and unlink
Insane: Adds syscall rules for write, creat and variants of chown, fork, link and mkdir

Default value: 'basic'

`service_name`

Data type: String[1]

The name of the auditd service.

Default value: 'auditd'

`space_left`

Data type: Variant[Integer[0],Pattern['^\d+%$']]

Must be larger than $admin_space_left.

If $admin_space_left is an Integer, will be set to 30 + $admin_space_left
If $admin_space_left is a percentage (auditd >= 2.8.5), will be set to 1% + $admin_space_left

Default value: auditd::calculate_space_left($admin_space_left)

`space_left_action`

Data type: Auditd::SpaceLeftAction

Default value: 'syslog'

`syslog`

Data type: Boolean

If true, manage the settings for the syslog plugin It was left defaulted to simp_options::syslog value for backwards compatability. This does not activate/deactivate the plugin. That setting is in the auditd::config::audisp::syslog::enable setting. If syslog is set to true, by default it will enable the syslog plugin in order to be backwards compatable. If you want to ensure the plugin is disabled, set auditd::config::audisp::syslog::enable to false. If this is set to false the plugin settings are not managed by puppet.

Default value: simplib::lookup('simp_options::syslog', {'default_value' => false })

`target_selinux_types`

Data type: Optional[Array[Pattern['^.*_t$']]]

A list of SELinux types to target, all others will be dropped

For systems that require all users and processes to be in a confined namespace, you may find that only auditing unconfined types will be sufficient since all other invalid system actions are already audited.

Default value: undef

`uid_min`

Data type: Integer[0]

The minimum UID for human users on the system. For built-in audit profiles when $ignore_system_services is true, any audit events generated by users below this number will be ignored, unless a corresponding rule is inserted before the UID-limiting rule in the rules list. When using auditd::rule, you can create such a rule by setting the absolute parameter to be 'first'.

Default value: Integer(pick(fact('uid_min'), 1000))

`verify_email`

Data type: Optional[Boolean]

auditd version 3 only

Default value: undef

`write_logs`

Data type: Boolean

Whether or not to write logs to disk.

The NOLOG option on log_format has been deprecated in newer versions of auditd so this attempts to do "the right thing" when log_format is set to NOLOG for legacy support.

Default value: $log_format ? { /^(?i:nolog)$/ => false, default => true

`purge_auditd_rules`

Data type: Boolean

Whether or not to purge existing auditd rules under /etc/audit/rules.d

Default value: true

`auditd::config`

NOTE: THIS IS A PRIVATE CLASS**

`auditd::config::audisp`

The following parameters are documented in audispd.conf(5).

These settings are deprecated and will be removed in the next major release of auditd and are here for backwards compatability.

In auditd version 3 these settings were moved to auditd.conf and audisp.conf was deprecated. For this reason they are set in the init.pp module with the other auditd.conf values also. If you are trying to set these values for auditd version 3 then you must set them there. These settings are aliased in hiera to auditd settings so you can move your settings for these parameters to auditd::* now to ensure compatability with future major releases but settings in hiera that are already exist will still work. The following setting maps to the name variable in audisp.conf.

Parameters

The following parameters are available in the auditd::config::audisp class:

q_depth
overflow_action
priority_boost
max_restarts
name_format
specific_name

`q_depth`

Data type: Integer

(deprecated)

`overflow_action`

Data type: Auditd::OverflowAction

(deprecated)

`priority_boost`

Data type: Integer

(deprecated)

`max_restarts`

Data type: Integer

(deprecated)

`name_format`

Data type: Auditd::NameFormat

(deprecated)

`specific_name`

Data type: String

Default value: $facts['networking']['fqdn']

`auditd::config::audisp::syslog`

This capability is most useful for forwarding audit records to remote servers as syslog messages, since these records are already persisted locally in audit logs. For most sites, however, using this capability for all audit records can quickly overwhelm host and/or network resources, especially if the messages are forwarded to multiple remote syslog servers or (inadvertently) persisted locally. Site-specific, rsyslog actions to implement filtering will likely be required to reduce this message traffic.

If you are using simp_rsyslog, it, by default, sets up a rsyslog rule to drop the audispd messages from being written locally to prevent duplication of logging audit events on the local system. See simp_rsyslog::local for more information.

It is also recommend you ensure any forwarded, audit messages are encrypted using the stunnel module, due to the nature of the information carried by these messages.

Parameters

The following parameters are available in the auditd::config::audisp::syslog class:

rsyslog
drop_audit_logs
enable
priority
facility
syslog_path
type
pkg_name
package_ensure

`rsyslog`

Data type: Boolean

(deprecated) If set, enable the SIMP rsyslog module and set up the appropriate rules for the auditd services.

Default value: simplib::lookup('simp_options::syslog', { 'default_value' => false })

`drop_audit_logs`

Data type: Boolean

(deprecated) When set to false, auditd records will be forwarded to remote servers and/or written to local syslog files, as directed by the site rsyslog configuration. This setting is not needed any more. If you want to disable/enable sending audit records to syslog, set the 'enable' parameter in this module to false/true as appropriate. It is left here for backwards compatability but will not be in the next major release.

Default value: true

`enable`

Data type: Boolean

Enable or disable sending audit mesages to syslog.

Default value: true

`priority`

Data type: Auditd::LogPriority

The syslog priority for all audit record messages. This value is used in the /etc/audisp/plugins.d/syslog.conf file.

Default value: 'LOG_INFO'

`facility`

Data type: Auditd::LogFacility

The syslog facility for all audit record messages. This value is used in the /etc/audisp/plugins.d/syslog.conf file. For the older auditd versions used by CentOS6 and CentOS7, must be an empty string, LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6, or LOG_LOCAL7. An empty string results in LOG_USER and is the ONLY mechanism to specify that facility. No other facilities are allowed.

Default value: 'LOG_LOCAL5'

`syslog_path`

Data type: String

The path to the syslog plugin executable.

`type`

Data type: String

The type of auditd plugin.

`pkg_name`

Data type: Optional[String]

The name of the plugin package to install. Only needed for auditd version 3 and later.

Default value: undef

`package_ensure`

Data type: String

The default ensure parmeter for packages.

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

`auditd::config::audisp_service`

NOTE: THIS IS A PRIVATE CLASS**

Should only be called from audisp processing services.

`auditd::config::audit_profiles`

NOTE: THIS IS A PRIVATE CLASS**

The configuration generated is contained in a set of files in /etc/audit/rules.d, which augenrules parses for auditd in natural sort order, to create a single /etc/audit/auditd.rules file. The generated files are as follows:

00_head.rules: Contains auditctl general configuration to remove existing rules when the rules are reloaded, ignore rule load errors/failures, and set the buffer size, failure mode, and rate limiting
05_default_drop.rules: Contains filtering rules for efficiency
- Rules to drop prolific events of low-utility
- Rules to restrict events based on auid constraints that would normally be applied to all rules
50_*base.rules:
- Nominal base rules for one or more built-in profiles.
- One file will exist for each desired, built-in profile
- Files are named so that the ordering of profiles listed in $auditd::default_audit_profiles is preserved
- The corresponding class for each profile is auditd::config::audit_profiles::<profile name>
60_custom.rules: Custom rules as defined by the auditd::custom_rules parameter if appending
75.init.d_auditd.rules:
- A watch rule for /etc/rc.d/init.d/auditd permissions changes
- A watch rule for permissions changes to the auditd log file
75.rotated_audit_logs.rules
- Watch rules for permissions changes to the rotated auditd log files
99_tail.rules
- auditctl immutable option, when $auditd::immutable is 'true'

`auditd::config::audit_profiles::built_in`

An audit profile that allows the use of sample rulesets included with the audit package to be used to configure a system.

Parameters

The following parameters are available in the auditd::config::audit_profiles::built_in class:

rulesets

`rulesets`

Data type: Array[String[1]]

The list of system sample rulesets to be included on the system. This list can be found in the auditd_sample_rulesets fact.

Default value: []

`auditd::config::audit_profiles::custom`

NO SANITY CHECKING IS PERFORMED ON THE RESULTING RULES

Examples

Passing an Array of Rules


---
auditd::config::audit_profiles::custom::rules:
  - "-a always,exit -F arch=b64 -S creat -F exit=-EACCES -k unsuccessful_file_operations"
  - "-w /etc/passwd -p wa -k passwd_changes"

Passing an EPP Template


---
auditd::config::audit_profiles::custom::template: "my_templates_module/auditd/my_audit_rules.epp"

Passing an ERB Template


---
auditd::config::audit_profiles::custom::template: "my_templates_module/auditd/my_audit_rules.erb"

Parameters

The following parameters are available in the auditd::config::audit_profiles::custom class:

rules
template

`rules`

Data type: Optional[Array[String[1]]]

An Array of rules that will be joined with a \n and inserted as the complete audit rule set to be applied to the system.

Default value: undef

`template`

Data type: Optional[String[1]]

A template specification as you would pass to either the epp or erb function

Specifying both rules and template will result in an error

Default value: undef

`auditd::config::audit_profiles::simp`

The defaults for this profile generate a set of audit rules that are both usable on most systems and conformant with standard auditing requirements. A few key usage/implementation details about this profile should be noted:

This profile uses optimized audit rules. Specifically, it
- Combines system call rules as much as possible
- By default, uses initial drop rules for the auid filters that would be otherwise applied to all system call rules
- By default, uses an initial drop rule for cron events that are prolific, but whose audit records are of very limited utility
Although all security requirements allow optimization of audit rules, most of the automated security scanners do not yet understand audit rule optimizations. So, use of this profile may require explanation of these simple, yet effective, optimizations.
You may overload your system and/or log server, if you enable the highly-prolific, but limited-utility audit capabilities that have been intentionally disabled, here, despite being required by specific security standards. 'chmod' auditing for all non-service users is an example of such a capability.
In some cases, the more targeted set of rules for non-service users that have su'd to root may provide a viable subset of required auditing. This targeting filtering is enabled by $audit_su_root_activity and customized by $root_audit_level, $basic_root_audit_syscalls, $aggressive_root_audit_syscalls, and $insane_root_audit_syscalls`.

Parameters

The following parameters are available in the auditd::config::audit_profiles::simp class:

root_audit_level
audit_32bit_operations
audit_32bit_operations_tag
audit_auditd_cmds
audit_auditd_cmds_tag
audit_auditd_cmds_list
basic_root_audit_syscalls
aggressive_root_audit_syscalls
insane_root_audit_syscalls
audit_unsuccessful_file_operations
audit_unsuccessful_file_operations_tag
audit_chown
audit_chown_tag
audit_chmod
audit_chmod_tag
audit_attr
audit_attr_tag
audit_rename_remove
audit_rename_remove_tag
audit_su_root_activity
audit_su_root_activity_tag
audit_suid_sgid
audit_suid_sgid_tag
audit_kernel_modules
audit_kernel_modules_tag
audit_time
audit_time_tag
audit_locale
audit_locale_tag
audit_network_ipv4_accept
audit_network_ipv4_accept_tag
audit_network_ipv6_accept
audit_network_ipv6_accept_tag
audit_network_ipv4_connect
audit_network_ipv4_connect_tag
audit_network_ipv6_connect
audit_network_ipv6_connect_tag
audit_mount
audit_mount_tag
audit_umask
audit_umask_tag
audit_local_account
audit_local_account_tag
audit_selinux_policy
audit_selinux_policy_tag
audit_selinux_cmds
audit_selinux_cmds_tag
audit_login_files
audit_login_files_tag
audit_session_files
audit_session_files_tag
audit_sudoers
audit_sudoers_tag
audit_cfg_sudoers
audit_cfg_sudoers_tag
audit_grub
audit_grub_tag
audit_cfg_grub
audit_cfg_grub_tag
audit_cfg_sys
audit_cfg_sys_tag
audit_cfg_cron
audit_cfg_cron_tag
audit_cfg_shell
audit_cfg_shell_tag
audit_cfg_pam
audit_cfg_pam_tag
audit_cfg_security
audit_cfg_security_tag
audit_cfg_services
audit_cfg_services_tag
audit_cfg_xinetd
audit_cfg_xinetd_tag
audit_yum
audit_yum_tag
audit_cfg_yum
audit_cfg_yum_tag
audit_yum_cmd
audit_yum_cmd_tag
audit_rpm_cmd
audit_rpm_cmd_tag
audit_ptrace
audit_ptrace_tag
audit_personality
audit_personality_tag
audit_passwd_cmds
audit_passwd_cmds_tag
audit_priv_cmds
audit_priv_cmds_tag
audit_postfix_cmds
audit_postfix_cmds_tag
audit_ssh_keysign_cmd
audit_ssh_keysign_cmd_tag
audit_suspicious_apps
audit_suspicious_apps_tag
audit_suspicious_apps_list
audit_systemd
audit_systemd_tag
audit_crontab_cmd
audit_crontab_cmd_tag
audit_pam_timestamp_check_cmd
audit_pam_timestamp_check_cmd_tag

`root_audit_level`

Data type: Auditd::RootAuditLevel

What level of auditing should be used for su-root activity. Be aware that setting this to anything besides 'basic' may overwhelm your system and/or log server. Options can be, 'basic', 'aggressive', 'insane'

Basic: Safe syscall rules, should not follow program execution outside of the base app
Aggressive: Adds syscall rules for execve, rmdir and variants of rename and unlink
Insane: Adds syscall rules for write, creat and variants of chown, fork, link and mkdir

Default value: $::auditd::root_audit_level

`audit_32bit_operations`

Data type: Boolean

In general, any 32bit system calls on a 64bit systems should be seen as suspicious.

Default value: $facts['os']['hardware'] ? { 'x86_64' => true, default => false

`audit_32bit_operations_tag`

Data type: String[1]

Tag to be added to entries triggered by audit_32bit_operations

Default value: '32bit-api'

`audit_auditd_cmds`

Data type: Boolean

Audit calls to the auditd management CLI commands

Default value: true

`audit_auditd_cmds_tag`

Data type: String[1]

Tag to be added to entries triggered by audit_auditd_cmds

Default value: 'access-audit-trail'

`audit_auditd_cmds_list`

Data type: Array[String[1]]

Commands to be audited if enabled by audit_auditd_cmds

`basic_root_audit_syscalls`

Data type: Array[String[1]]

Basic syscalls to audit for su-root activity

`aggressive_root_audit_syscalls`

Data type: Array[String[1]]

Aggressive syscalls to audit for su-root activity

`insane_root_audit_syscalls`

Data type: Array[String[1]]

Insane syscalls to audit for su-root activity

`audit_unsuccessful_file_operations`

Data type: Boolean

Whether to audit unsuccessful file operations. These are file operations that fail with EACCES or EPERM error codes

Default value: true

`audit_unsuccessful_file_operations_tag`

Data type: String[1]

The tag to identify the unsuccessful file operations in an audit record

Default value: 'access'

`audit_chown`

Data type: Boolean

Whether to audit chown operations for all non-service users. These operations are provided by chown, fchown, fchownat, and lchown system calls.

Default value: true

`audit_chown_tag`

Data type: String[1]

The tag to identify chown operations in an audit record. You should change this to 'perm_mod' to match automated DISA STIG compliance checks for RHEL7.

Default value: 'chown'

`audit_chmod`

Data type: Boolean

Whether to audit chmod operations for all non-service users. These operations are provided by chmod, fchmod, and fchmodat system calls.

Default value: false

`audit_chmod_tag`

Data type: String[1]

The tag to identify chmod operations in an audit record. You should change this to 'perm_mod' to match automated DISA STIG compliance checks for RHEL7.

Default value: 'chmod'

`audit_attr`

Data type: Boolean

Whether to audit xattr operations for all non-service users. These operations are provided by setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr and fremovexattr system calls.

Default value: true

`audit_attr_tag`

Data type: String[1]

The tag to identify xattr operations in an audit record. You should change this to 'perm_mod' to match automated DISA STIG compliance checks for RHEL7.

Default value: 'attr'

`audit_rename_remove`

Data type: Boolean

Whether to audit rename/remove operations for all non-service users. These operations are provided by rename, renameat, rmdir, unlink, and unlinkat system calls.

Default value: false

`audit_rename_remove_tag`

Data type: String[1]

The tag to identify rename/remove operations in an audit record

Default value: 'delete'

`audit_su_root_activity`

Data type: Boolean

Whether to audit other useful actions someone does when su'ing to root. The list of system calls audited is controlled by $root_audit_level.

Default value: true

`audit_su_root_activity_tag`

Data type: String[1]

The tag to identify su operations in an audit record

Default value: 'su-root-activity'

`audit_suid_sgid`

Data type: Boolean

Whether to audit setuid/setgid commands. setuid/setgid command execution is audited by a single system call rule.

Default value: true

`audit_suid_sgid_tag`

Data type: String[1]

The tag to identify setuid/setgid command execution in an audit record. You should change this to 'setuid/setgid' to match automated DISA STIG compliance checks for RHEL7.

Default value: 'suid-exec'

`audit_kernel_modules`

Data type: Boolean

Whether to audit kernel module operations

Default value: true

`audit_kernel_modules_tag`

Data type: String[1]

The tag to identify kernel module operations in an audit record. You should change this to 'module-change' to match automated DISA STIG compliance checks for RHEL7.

Default value: 'modules'

`audit_time`

Data type: Boolean

Whether to audit operations that affect system time

Default value: true

`audit_time_tag`

Data type: String[1]

The tag to identify system time operations in an audit record

Default value: 'audit_time_rules'

`audit_locale`

Data type: Boolean

Whether to audit operations that affect system locale

Default value: true

`audit_locale_tag`

Data type: String[1]

The tag to identify system locale operations in an audit record

Default value: 'audit_network_modifications'

`audit_network_ipv4_accept`

Data type: Boolean

Audit incoming IPv4 connections

Default value: true

`audit_network_ipv4_accept_tag`

Data type: String[1]

Tag to be added to entries triggered by audit_network_ipv4_accept

Default value: 'ipv4_in'

`audit_network_ipv6_accept`

Data type: Boolean

Audit incoming IPv6 connections

Default value: true

`audit_network_ipv6_accept_tag`

Data type: String[1]

Tag to be added to entries triggered by audit_network_ipv6_accept

Default value: 'ipv6_in'

`audit_network_ipv4_connect`

Data type: Boolean

Audit outgoing IPv4 connections

Default value: false

`audit_network_ipv4_connect_tag`

Data type: String[1]

Tag to be added to entries triggered by audit_network_ipv4_connect

Default value: 'ipv4_in'

`audit_network_ipv6_connect`

Data type: Boolean

Audit outgoing IPv6 connections

Default value: false

`audit_network_ipv6_connect_tag`

Data type: String[1]

Tag to be added to entries triggered by audit_network_ipv6_connect

Default value: 'ipv6_in'

`audit_mount`

Data type: Boolean

Whether to audit mount operations

Default value: true

`audit_mount_tag`

Data type: String[1]

The tag to identify mount operations in an audit record. You should change this to 'privileged-mount' to match automated DISA STIG compliance checks for RHEL7.

Default value: 'mount'

`audit_umask`

Data type: Boolean

Whether to audit umask changes

Default value: false

`audit_umask_tag`

Data type: String[1]

The tag to identify umask changes in an audit record

Default value: 'umask'

`audit_local_account`

Data type: Boolean

Whether to audit local account changes

Default value: true

`audit_local_account_tag`

Data type: String[1]

The tag to identify local account changes in an audit record. You should change this to 'identity' to match the automated DISA STIG compliance checks for RHEL7.

Default value: 'audit_account_changes'

`audit_selinux_policy`

Data type: Boolean

Whether to audit selinux policy changes

Default value: true

`audit_selinux_policy_tag`

Data type: String[1]

The tag to identify selinux policy changes in an audit record

Default value: 'MAC-policy'

`audit_selinux_cmds`

Data type: Boolean

Whether to audit chcon, semanage, setsebool, and setfiles commands

Default value: false

`audit_selinux_cmds_tag`

Data type: String[1]

The tag to identify selinux command execution in an audit record

Default value: 'privileged-priv_change'

`audit_login_files`

Data type: Boolean

Whether to audit changes to login files

Default value: true

`audit_login_files_tag`

Data type: String[1]

The tag to identify login file changes in an audit record

Default value: 'logins'

`audit_session_files`

Data type: Boolean

Whether to audit changes to session files

Default value: true

`audit_session_files_tag`

Data type: String[1]

The tag to identify session file changes in an audit record

Default value: 'session'

`audit_sudoers`

Data type: Optional[Boolean]

Deprecated by $audit_cfg_sudoers

Default value: undef

`audit_sudoers_tag`

Data type: Optional[String[1]]

Deprecated by $audit_cfg_sudoers_tag

Default value: undef

`audit_cfg_sudoers`

Data type: Boolean

Whether to audit changes to sudoers configuration files

Default value: true

`audit_cfg_sudoers_tag`

Data type: String[1]

The tag to identify sudoers configuration file changes in an audit record. You should change this to 'privileged-actions' to match the automated DISA STIG compliance checks for RHEL7.

Default value: 'CFG_sys'

`audit_grub`

Data type: Optional[Boolean]

Deprecated by $audit_cfg_grub

Default value: undef

`audit_grub_tag`

Data type: Optional[String[1]]

Deprecated by $audit_cfg_grub_tag

Default value: undef

`audit_cfg_grub`

Data type: Boolean

Whether to audit changes to grub configuration files

Default value: true

`audit_cfg_grub_tag`

Data type: String[1]

The tag to identify grub configuration file changes in an audit record

Default value: 'CFG_grub'

`audit_cfg_sys`

Data type: Boolean

Whether to audit changes to key system configuration files not otherwise audited

Default value: true

`audit_cfg_sys_tag`

Data type: String[1]

The tag to identify changes to key system configuration files not otherwise audited

Default value: 'CFG_sys'

`audit_cfg_cron`

Data type: Boolean

Whether to audit changes to cron configuration files

Default value: true

`audit_cfg_cron_tag`

Data type: String[1]

The tag to identify cron configuration file changes in an audit record

Default value: 'CFG_cron'

`audit_cfg_shell`

Data type: Boolean

Whether to audit changes to global shell configuration files

Default value: true

`audit_cfg_shell_tag`

Data type: String[1]

The tag to identify global shell configuration file changes in an audit record

Default value: 'CFG_shell'

`audit_cfg_pam`

Data type: Boolean

Whether to audit changes to PAM configuration files

Default value: true

`audit_cfg_pam_tag`

Data type: String[1]

The tag to identify PAM configuration file changes in an audit record

Default value: 'CFG_pam'

`audit_cfg_security`

Data type: Boolean

Whether to audit changes to /etc/security

Default value: true

`audit_cfg_security_tag`

Data type: String[1]

The tag to identify /etc/security file changes in an audit record

Default value: 'CFG_security'

`audit_cfg_services`

Data type: Boolean

Whether to audit changes to /etc/services

Default value: true

`audit_cfg_services_tag`

Data type: String[1]

The tag to identify /etc/services file changes in an audit record

Default value: 'CFG_services'

`audit_cfg_xinetd`

Data type: Boolean

Whether to audit changes to xinetd configuration files

Default value: true

`audit_cfg_xinetd_tag`

Data type: String[1]

The tag to identify xinetd configuration file changes in an audit record

Default value: 'CFG_xinetd'

`audit_yum`

Data type: Optional[Boolean]

Deprecated by $audit_cfg_yum

Default value: undef

`audit_yum_tag`

Data type: Optional[String[1]]

Deprecated by $audit_cfg_yum_tag

Default value: undef

`audit_cfg_yum`

Data type: Boolean

Whether to audit changes to yum configuration files

Default value: true

`audit_cfg_yum_tag`

Data type: String[1]

The tag to identify yum configuration file changes in an audit record

Default value: 'yum-config'

`audit_yum_cmd`

Data type: Boolean

Whether to audit yum command execution

Default value: false

`audit_yum_cmd_tag`

Data type: String[1]

The tag to identify yum command execution in an audit record

Default value: 'package_changes'

`audit_rpm_cmd`

Data type: Boolean

Whether to audit rpm command execution

Default value: false

`audit_rpm_cmd_tag`

Data type: String[1]

The tag to identify rpm command execution in an audit record

Default value: 'package_changes'

`audit_ptrace`

Data type: Boolean

Whether to audit ptrace system calls

Default value: true

`audit_ptrace_tag`

Data type: String[1]

The tag to identify ptrace system calls in an audit record

Default value: 'paranoid'

`audit_personality`

Data type: Boolean

Whether to audit personality system calls

Default value: true

`audit_personality_tag`

Data type: String[1]

The tag to identify personality system calls in an audit record

Default value: 'paranoid'

`audit_passwd_cmds`

Data type: Boolean

Whether to audit the execution of password commands, i.e., passwd, unix_chkpwd, gpasswd, chage, userhelper

Default value: true

`audit_passwd_cmds_tag`

Data type: String[1]

The tag to identify password command execution in an audit record

Default value: 'privileged-passwd'

`audit_priv_cmds`

Data type: Boolean

Whether to audit the execution of privilege-related commands, i.e., su, sudo, newgrp, chsh, and sudoedit

Default value: true

`audit_priv_cmds_tag`

Data type: String[1]

The tag to identify privilege-related command execution in an audit record

Default value: 'privileged-priv_change'

`audit_postfix_cmds`

Data type: Boolean

Whether to audit the execution of postfix-related commands, i.e. postdrop and postqueue

Default value: true

`audit_postfix_cmds_tag`

Data type: String[1]

The tag to identify postfix-related command execution in an audit record

Default value: 'privileged-postfix'

`audit_ssh_keysign_cmd`

Data type: Boolean

Whether to audit the execution of the ssh-keysign command

Default value: true

`audit_ssh_keysign_cmd_tag`

Data type: String[1]

The tag to identify ssh-keysign command execution in an audit record

Default value: 'privileged-ssh'

`audit_suspicious_apps`

Data type: Boolean

Audit various applications that generally represent suspicious host activity

Default value: true

`audit_suspicious_apps_tag`

Data type: String[1]

Tag to be added to entries triggered by audit_suspicious_apps

Default value: 'suspicious_apps'

`audit_suspicious_apps_list`

Data type: Array[Stdlib::Absolutepath]

List of applications to be audited when audit_suspicious_apps is enabled

`audit_systemd`

Data type: Boolean

Audit systemd components

Only takes effect on systems with systemd present

Default value: true

`audit_systemd_tag`

Data type: String[1]

Tag to be added to entries triggered by audit_systemd

Default value: 'systemd'

`audit_crontab_cmd`

Data type: Boolean

Whether to audit the execution of the crontab command

Default value: true

`audit_crontab_cmd_tag`

Data type: String[1]

The tag to identify crontab command execution in an audit record

Default value: 'privileged-cron'

`audit_pam_timestamp_check_cmd`

Data type: Boolean

Whether to audit the execution of the pam_timestamp_check command

Default value: true

`audit_pam_timestamp_check_cmd_tag`

Data type: String[1]

The tag to identify pam_timestamp_check command execution in an audit record

Default value: 'privileged-pam'

`auditd::config::audit_profiles::stig`

The defaults for this profile generate a set of audit rules that conform to automated DISA STIG compliance checks for RHEL7. Satisfying the checks, instead of the intent of the security requirements, necessitates unoptimized rules. These unoptimized rules, in turn, negatively impact system performance.

WARNING: These rules may overload your system and/or log server!

When auditd performance is an issue, you may wish to

Disable capabilities that, despite being required by DISA STIG for RHEL7, produce large amounts audit records of limited utility. chmod auditing for all non-service users falls in this category.
Use the optimized 'auditd::config::audit_profiles::simp' profile, instead. That profile is more comprehensive and performant.

Parameters

The following parameters are available in the auditd::config::audit_profiles::stig class:

uid_min
audit_unsuccessful_file_operations
audit_unsuccessful_file_operations_tag
audit_chown
audit_chown_tag
audit_chmod
audit_chmod_tag
audit_attr
audit_attr_tag
audit_rename_remove
audit_rename_remove_tag
audit_suid_sgid
default_suid_sgid_cmds
suid_sgid_cmds
audit_suid_tag
audit_sgid_tag
audit_suid_sgid_tag
audit_kernel_modules
audit_kernel_modules_tag
audit_mount
audit_mount_tag
audit_local_account
audit_local_account_tag
audit_selinux_cmds
audit_selinux_cmds_tag
audit_login_files
audit_login_files_tag
audit_cfg_sudoers
audit_cfg_sudoers_tag
audit_passwd_cmds
audit_passwd_cmds_tag
audit_priv_cmds
audit_priv_cmds_tag
audit_postfix_cmds
audit_postfix_cmds_tag
audit_ssh_keysign_cmd
audit_ssh_keysign_cmd_tag
audit_crontab_cmd
audit_crontab_cmd_tag
audit_pam_timestamp_check_cmd
audit_pam_timestamp_check_cmd_tag

`uid_min`

Data type: Integer[0]

The minimum UID for human users on the system. Any audit events generated by users below this number will be ignored unless a corresponding rule is inserted before the UID-limiting rule in the rules list. When using auditd::rule, you can create such a rule by setting the absolute parameter to be 'first'.

Default value: $::auditd::uid_min

`audit_unsuccessful_file_operations`

Data type: Boolean

Whether to audit unsuccessful file operations. These are file operations that fail with EACCES or EPERM error codes

Default value: true

`audit_unsuccessful_file_operations_tag`

Data type: String[1]

The tag to identify the unsuccessful file operations in an audit record

Default value: 'access'

`audit_chown`

Data type: Boolean

Whether to audit chown operations for all non-service users. These operations are provided by chown, fchown, fchownat, and lchown system calls.

Default value: true

`audit_chown_tag`

Data type: String[1]

The tag to identify chown operations in an audit record

Default value: 'perm_mod'

`audit_chmod`

Data type: Boolean

Whether to audit chmod operations for all non-service users. These operations are provided by chmod, fchmod, and fchmodat system calls.

Default value: true

`audit_chmod_tag`

Data type: String[1]

The tag to identify chmod operations in an audit record

Default value: 'perm_mod'

`audit_attr`

Data type: Boolean

Whether to audit xattr operations for all non-service users. These operations are provided by setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr and fremovexattr system calls.

Default value: true

`audit_attr_tag`

Data type: String[1]

The tag to identify xattr operations in an audit record

Default value: 'perm_mod'

`audit_rename_remove`

Data type: Boolean

Whether to audit rename/remove operations for all non-service users. These operations are provided by rename, renameat, rmdir, unlink, and unlinkat system calls.

Default value: true

`audit_rename_remove_tag`

Data type: String[1]

The tag to identify rename/remove operations in an audit record

Default value: 'delete'

`audit_suid_sgid`

Data type: Boolean

Whether to audit setuid/setgid commands

Default value: true

`default_suid_sgid_cmds`

Data type: Array[String[1]]

The default list of setuid/setgid commands to be audited.

Should not include commands audited by other rules.

`suid_sgid_cmds`

Data type: Array[String[1]]

Additional list of setuid/setgid commands to be audited. You can use this to augment the $default_suid_sgid_cmds per your site's needs.

Default value: []

`audit_suid_tag`

Data type: String[1]

The tag to identify setuid command execution in an audit record

Default value: 'setuid'

`audit_sgid_tag`

Data type: String[1]

The tag to identify setgid command execution in an audit record

Default value: 'setgid'

`audit_suid_sgid_tag`

Data type: String[1]

The tag to identify setuid/setgid command execution in an audit record

Default value: "${audit_suid_tag}/${audit_sgid_tag}"

`audit_kernel_modules`

Data type: Boolean

Whether to audit kernel module operations

Default value: true

`audit_kernel_modules_tag`

Data type: String[1]

The tag to identify kernel module operations in an audit record

Default value: 'module-change'

`audit_mount`

Data type: Boolean

Whether to audit mount operations

Default value: true

`audit_mount_tag`

Data type: String[1]

The tag to identify mount operations in an audit record

Default value: 'privileged-mount'

`audit_local_account`

Data type: Boolean

Whether to audit local account changes

Default value: true

`audit_local_account_tag`

Data type: String[1]

The tag to identify local account changes in an audit record

Default value: 'identity'

`audit_selinux_cmds`

Data type: Boolean

Whether to audit chcon, semanage, setsebool, and setfiles commands

Default value: true

`audit_selinux_cmds_tag`

Data type: String[1]

The tag to identify selinux command execution in an audit record

Default value: 'privileged-priv_change'

`audit_login_files`

Data type: Boolean

Whether to audit changes to login files

Default value: true

`audit_login_files_tag`

Data type: String[1]

The tag to identify login file changes in an audit record

Default value: 'logins'

`audit_cfg_sudoers`

Data type: Boolean

Whether to audit changes to sudoers configuration files

Default value: true

`audit_cfg_sudoers_tag`

Data type: String[1]

The tag to identify sudoers configuration file changes in an audit record

Default value: 'privileged-actions'

`audit_passwd_cmds`

Data type: Boolean

Whether to audit the execution of password commands, i.e., passwd, unix_chkpwd, gpasswd, chage, userhelper

Default value: true

`audit_passwd_cmds_tag`

Data type: String[1]

The tag to identify password command execution in an audit record

Default value: 'privileged-passwd'

`audit_priv_cmds`

Data type: Boolean

Whether to audit the execution of privilege-related commands, i.e., su, sudo, newgrp, chsh, and sudoedit

Default value: true

`audit_priv_cmds_tag`

Data type: String[1]

The tag to identify privilege-related command execution in an audit record

Default value: 'privileged-priv_change'

`audit_postfix_cmds`

Data type: Boolean

Whether to audit the execution of postfix-related commands, i.e. postdrop and postqueue

Default value: true

`audit_postfix_cmds_tag`

Data type: String[1]

The tag to identify postfix-related command execution in an audit record

Default value: 'privileged-postfix'

`audit_ssh_keysign_cmd`

Data type: Boolean

Whether to audit the execution of the ssh-keysign command

Default value: true

`audit_ssh_keysign_cmd_tag`

Data type: String[1]

The tag to identify ssh-keysign command execution in an audit record

Default value: 'privileged-ssh'

`audit_crontab_cmd`

Data type: Boolean

Whether to audit the execution of the crontab command

Default value: true

`audit_crontab_cmd_tag`

Data type: String[1]

The tag to identify crontab command execution in an audit record

Default value: 'privileged-cron'

`audit_pam_timestamp_check_cmd`

Data type: Boolean

Whether to audit the execution of the pam_timestamp_check command

Default value: true

`audit_pam_timestamp_check_cmd_tag`

Data type: String[1]

The tag to identify pam_timestamp_check command execution in an audit record

Default value: 'privileged-pam'

`auditd::config::grub`

Enables/disables auditing at boot time.

Parameters

The following parameters are available in the auditd::config::grub class:

enable

`enable`

Data type: Boolean

Enable auditing in the kernel at boot time.

Default value: true

`auditd::config::logging`

NOTE: THIS IS A PRIVATE CLASS**

`auditd::install`

NOTE: THIS IS A PRIVATE CLASS**

`auditd::service`

NOTE: THIS IS A PRIVATE CLASS**

Parameters

The following parameters are available in the auditd::service class:

ensure
enable
bypass_kernel_check
warn_if_reboot_required

`ensure`

Data type: Variant[String[1],Boolean]

ensure state from the service resource

Default value: pick(getvar('auditd::enable'), 'running')

`enable`

Data type: Boolean

enable state from the service resource

Default value: pick(getvar('auditd::enable'), true)

`bypass_kernel_check`

Data type: Boolean

Do not check to see if the kernel is enforcing auditing before trying to manage the service.

This may be required if auditing is not being actively managed in the kernel and someone has stopped the auditd service by hand.

Default value: false

`warn_if_reboot_required`

Data type: Boolean

Add a reboot_notify warning if the system requires a reboot before the service can be managed.

Default value: true

Defined types

`auditd::rule`

All rules must be uniquely named. See auditctl(8) for more information on how to write the content for these rules.

Overrides all other ordering parameters

Parameters

The following parameters are available in the auditd::rule defined type:

name
content
order
first
absolute
prepend

`name`

A unique identifier for the audit rules.

`content`

Data type: Variant[Array[String[1]],String[1]]

The content of the rules that should be added.

Arrays will be joined with a newline

`order`

Data type: Optional[String[1]]

An alphanumeric (file system ordering) order string

Default value: undef

`first`

Data type: Boolean

Set this to 'true' if you want to prepend your custom rules (numeric 10)

Default value: false

`absolute`

Data type: Boolean

Set this to true if you want the added rules to be absolutely first or last depending on the setting of $first.

Default value: false

`prepend`

Data type: Boolean

Prepend this rule to all other rules (numeric 00).

Default value: false

Functions

`auditd::calculate_space_left`

Type: Puppet Language

Calculates the correct default value for 'space_left' based on the value of 'admin_space_left'.

`auditd::calculate_space_left(Variant[Integer[0],Pattern['^\d+%$']] $admin_space_left)`

The auditd::calculate_space_left function.

Returns: Variant[Integer[0],Pattern['^\d+%$']]

`admin_space_left`

Data type: Variant[Integer[0],Pattern['^\d+%$']]

`auditd::get_array_index`

Type: Ruby 4.x API

Terminates catalog compilation if the element is not found within the array.

`auditd::get_array_index(String $element, Array $array, Optional[Integer] $min_digits)`

Terminates catalog compilation if the element is not found within the array.

Returns: String Index of element in array represented as a string

Raises:

RuntimeError if element is not found within array

`element`

Data type: String

The element

`array`

Data type: Array

The array

`min_digits`

Data type: Optional[Integer]

The minimum number of digits the index should be. It will be '0'-padded to meet this number.

`auditd::validate_init_params`

Type: Puppet Language

Moved into a function to reduce class clutter.

Fails on discovered errors.

`auditd::validate_init_params()`

Moved into a function to reduce class clutter.

Fails on discovered errors.

Returns: None

Data types

`Auditd::AuditProfile`

Matches the types of auditd profiles allowed

Alias of Enum['built_in', 'simp', 'stig', 'custom']

`Auditd::DiskErrorAction`

Matches disk error actions in auditd.conf

Alias of Enum['IGNORE', 'SYSLOG', 'EXEC', 'SUSPEND', 'SINGLE', 'HALT', 'ignore', 'syslog', 'exec', 'suspend', 'single', 'halt']

`Auditd::DiskFullAction`

Matches actions to take when disk is full (see auditd.conf)

Alias of Enum['IGNORE', 'SYSLOG', 'ROTATE', 'EXEC', 'SUSPEND', 'SINGLE', 'HALT', 'ignore', 'syslog', 'rotate', 'exec', 'suspend', 'single', 'halt']

`Auditd::Flush`

Matches actions flush in auditd.conf

Alias of Enum['NONE', 'INCREMENTAL', 'DATA', 'SYNC', 'INCREMENTAL_ASYNC', 'none', 'incremental', 'data', 'sync', 'incremental_async']

`Auditd::LogFacility`

Matches log facility that can be used in syslog.conf plugin

Alias of Enum['', 'LOG_LOCAL0', 'LOG_LOCAL1', 'LOG_LOCAL2', 'LOG_LOCAL3', 'LOG_LOCAL4', 'LOG_LOCAL5', 'LOG_LOCAL6', 'LOG_LOCAL7']

`Auditd::LogFormat`

Matches log formats that can be used in auditd.conf

Alias of Enum['RAW', 'ENRICHED', 'NOLOG', 'raw', 'enriched', 'nolog']

`Auditd::LogPriority`

Matches log priorities that can be used in syslog.conf plugin

Alias of Enum['LOG_DEBUG', 'LOG_INFO', 'LOG_NOTICE', 'LOG_WARNING', 'LOG_ERR', 'LOG_CRIT', 'LOG_ALERT', 'LOG_EMERG', 'LOG_AUTHPRIV']

`Auditd::MaxLogFileAction`

Matches available matches for maxlogfileaction in auditd.conf

Alias of Enum['IGNORE', 'SYSLOG', 'SUSPEND', 'ROTATE', 'KEEP_LOGS', 'ignore', 'syslog', 'suspend', 'rotate', 'keep_logs']

`Auditd::NameFormat`

Matche s available name formats in audotd.conf

Alias of Enum['NONE', 'HOSTNAME', 'FQD', 'NUMERIC', 'USER', 'none', 'hostname', 'fqd', 'numeric', 'user']

`Auditd::OverflowAction`

Matches overflow_action settings in auditd.conf or audisp.conf

Alias of Enum['IGNORE', 'SYSLOG', 'SUSPEND', 'SINGLE', 'HALT', 'ignore', 'syslog', 'suspend', 'single', 'halt']

`Auditd::RootAuditLevel`

Matches root audit level settings in auditd.conf

Alias of Enum['basic', 'aggressive', 'insane']

`Auditd::SpaceLeftAction`

Matches spaceleftaction for auditd.conf

Alias of Enum['IGNORE', 'SYSLOG', 'ROTATE', 'EMAIL', 'EXEC', 'SUSPEND', 'SINGLE', 'HALT', 'ignore', 'syslog', 'rotate', 'email', 'exec', 'suspend', 'single', 'halt']

Tue Jul 16 2024 Steven Pritchard steve@sicura.us - 8.14.3

Fix comparison of space_left and admin_space_left as percentages

Mon Jul 08 2024 Steven Pritchard steve@sicura.us - 8.14.2

Remove calls to deprecated parameters (for Puppet 8 compatibility)

Wed Jul 03 2024 Steven Pritchard steve@sicura.us - 8.14.1

Clean up legacy fact usage for Puppet 8 compatibility

Wed Nov 22 2023 ben benrobertson9876@gmail.com - 8.14.0

(SIMP-10744) Add purge behaviour for auditd rules

Tue Oct 24 2023 Joshua Hoblitt josh@hoblitt.com - 8.13.0

Add EL9 support

Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 8.12.0

[puppetsync] Updates for Puppet 8
- These updates may include the following:
  - Update Gemfile
  - Add support for Puppet 8
  - Drop support for Puppet 6
  - Update module dependencies

Wed Aug 23 2023 Steven Pritchard steve@sicura.us - 8.11.0

Add AlmaLinux 8 support

Thu Aug 17 2023 Mike Riddle mike@sicura.us - 8.10.1

Add RHEL 9 hieradata

Wed Jul 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 8.10.0

Add RockyLinux 8 support

Tue Jun 13 2023 Mike Riddle mike@sicura.us - 8.9.1

All of the rule files will now have the same mode defined for /etc/audit/rules.d

Tue Nov 15 2022 Joshua Hoblitt josh@hoblitt.com - 8.9.0

do not include auditd::config::grub on hosts without grub
fix simp base profile to work when grub_version fact is not set

Fri Jul 29 2022 Benedikt Fischer benedikt.fischer@noris.de - 8.8.0

Make parameter backlog_wait_time optional because there are auditd versions not supporting it

Fri Jun 24 2022 Trevor Vaughan trevor@sicura.us - 8.8.0

Add support for Amazon Linux 2

Sat Jun 11 2022 Trevor Vaughan trevor@sicura.us - 8.7.5

Actually fix flapping on rotated audit log files

Fri Jun 03 2022 Trevor Vaughan trevor@sicura.us - 8.7.4

Ensure that permissions do not flap on rotated audit log files

Fri May 27 2022 Zach Schulte zschulte@broadinstitute.org - 8.7.3

Fix the permissions on /var/log/audit

Fri May 13 2022 Mike Riddle mike@sicura.us - 8.7.2

Changed the auditd_sample_rulesets fact to look in both /usr/share/audit/sample-rules and /usr/share/doc/audit*/rules for sample rulesets.

Thu Mar 24 2022 Mike Riddle mike@sicura.us - 8.7.1

Fixed a bug preventing overflow_action from being set properly

Mon Jun 14 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 8.7.0

Removed support for Puppet 5
Ensured support for Puppet 7 in requirements and stdlib

Wed May 19 2021 Trevor Vaughan tvaughan@onyxpoint.com - 8.6.5

Fixed
- Align EL8 STIG settings
Changed
- Bump supported puppet version to include 7
- Always add the 'head' rules (global auditd config) settings when applying rule sets. These do not interfere with user-defined rules and are required for proper functionality of the system.

Thu Apr 08 2021 Liz Nemsick lnemsick.simp@gmail.com - 8.6.4

Use -F key= in lieu of -k in the STIG profile, to match scanner updates.

Sun Mar 07 2021 Trevor Vaughan tvaughan@onyxpoint.com - 8.6.3

Switch auditd rules to be 'always,exit' instead of 'exit,always' to match the man pages and general scanner updates.

Tue Feb 02 2021 Liz Nemsick lnemsick.simp@gmail.com - 8.6.3

Expanded simp/rsyslog dependendency range to < 9.0.0.

Thu Jan 07 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 8.6.3

Removed EL6 support

Mon Nov 23 2020 Liz Nemsick lnemsick.simp@gmail.com - 8.6.2-0

Fixed a bug in which the module could not enable auditing in a system with auditing already disabled in the kernel, when replication of the audit logs to syslog was required.
- Manifest would fail to compile because of a nil auditd_version fact.

Wed Sep 23 2020 Trevor Vaughan tvaughan@onyxpoint.com - 8.6.1-0

Allow auditd space_left and admin_space_left to accept percentages on supported versions

Wed Aug 12 2020 Trevor Vaughan tvaughan@onyxpoint.com - 8.6.0-0

Ensure that the auditd service is not managed if the kernel is not enforcing auditing
Add an acceptance test for toggling disabling auditing without modifying the kernel parameter

Fri Aug 07 2020 Marcel Fischer marcel@fury.home.loc - 8.5.3-0

Add INCREMENTAL_ASYNC to possible values for $::auditd::flush

Tue Aug 04 2020 Trevor Vaughan tvaughan@onyxpoint.com - 8.5.2-0

Ensure that facts are properly confined
Utilize the new simplib__auditd fact

Mon Jul 13 2020 Adam Yohrling adam.yohrling@onyxpoint.com - 8.5.1-0

Add built_in audit profile to the subsystem that provides ability to include and manage sample rulesets to be compiled into active rules

Wed Jun 24 2020 Trevor Vaughan tvaughan@onyxpoint.com - 8.5.1-0

Added a File statement for /etc/audit/audit.rules.prev to prevent unnecessary flapping
Ensure that the inspec tests don't run if there isn't a profile available
Ensure that kmod is audited in all STIG modes on EL7+

Mon Jun 15 2020 Jan Fickler jan.fickler@webfleet.com - 8.5.1-0

Fix regex substitution for bad path characters

Thu Oct 31 2019 Trevor Vaughan tvaughan@onyxpoint.com - 8.5.0-0

Allow users to knockout entries from arrays specified in Hiera
Multiple rules added based on best practices mostly pulled from /usr/share/doc/auditd:
- Audit 32 bit operations on 64 bit systems
- Audit calls to the auditd CLI commands
- Audit IPv4 and IPv6 inbound connections
- Optionally audit IPv4 and IPv6 outbound connections
- Audit suspicious applications
- Audit systemd
- Audit the auditd configuration space
- Ignore time daemon logs (clutter)
- Ignore CRYPTO_KEY_USER logs (clutter)
- Add ability to set the backlog_wait_time
- Set loginuid_immutable

Thu Oct 24 2019 Jeanne Greulich jeanne.greulich@onyxpoint.com - 8.5.0-0

Set defaults for syslog parameters if auditd version is unknown.
Added support for auditd v3.0 which is used by RedHat 8.
A fact that determines the major version of auditd that is running on the system was added, auditd_major_version. This is used in hiera.yaml hierarchy to add module data specific to the versions.
Most of the changes in auditd v3.0 were related to how the plugins are handled but there are a few new parameters added to auditd.conf. They were set to their defaults according to man of auditd.conf.
Auditd V3.0 moved the handling of plugins into auditd from audispd. The following changes were made to accommodate that:
- To make sure the parameters used to handle plugins where defined in one place no matter what version of auditd was used, they were moved to init.pp and referenced from there by the audisp manifest. For backwards compatibility, they remain in audisp.conf and are aliased in the hiera module data.
- For backwards compatibility auditd::syslog remains defaulting to the value of simp_options::syslog although the two are not really the same thing. You might want to review this setting and set auditd::syslog to a setting that is appropriate for your system.
  - To enable auditd logging to syslog set the following in hiera: auditd::syslog: true auditd::config::audisp::syslog::enable: true.
    The drop_audit_logs is still there for backwards compatibility and
    needs to be disabled.
    auditd::config::audisp::syslog::drop_audit_logs: false
  - To stop auditd logging to syslog set the following in hiera: auditd::syslog: true auditd::config::plugins::syslog::enable: false. Setting auditd::syslog to false will stop Puppet from managing the syslog.conf, it will not disable auditd logging to syslog. been removed. Disable the syslog plugin as described above.
- The settings for syslog.conf were updated and to work for new and old versions of auditd.
- Added installation of audisp-syslog package when using auditd v3.
Mon Aug 19 2019 Robert Vincent pillarsdotnet@gmail.com - 8.4.1-0
Add rules to monitor /usr/share/selinux

Fri Jul 05 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 8.4.0-0

Add v2 compliance_markup data

Tue Jun 25 2019 Trevor Vaughan tvaughan@onyxpoint.com - 8.3.2-0

Fix an issue where trailing newlines may not be present on custom rule profiles, particularly with rules defined in an Array.

Thu May 02 2019 Liz Nemsick lnemsick.simp@gmail.com - 8.3.1-0

Fix a breaking change inadvertantly introduced into auditd::rule in which the auditd class was no longer included when an auditd::rule was defined in a manifest.

Thu Apr 25 2019 Trevor Vaughan tvaughan@onyxpoint.com - 8.3.0-0

Added a custom audit profile that accepts either an Array of rules or a template path for ease of setting full rulesets via Hiera.
Updated all module components for puppet strings
Fixed the README
Added a REFERENCE.md
Refactored the filename logic in the base profiles to be simpler
Converted the rule template to EPP
Converted the rotated_audit_logs template to EPP
Converted STIG audit profile template to EPP
Converted SIMP audit profile template to EPP

Wed Apr 10 2019 Joseph Sharkey shark.bruhaha@gmail.com - 8.2.1-0

Ensure that space_left is always larger than admin_space_left
Updated tests in support of puppet6, and removed puppet4 support
Updated puppet template scope API from 3 to newer

Sat Apr 06 2019 Jim Anderson thesemicolons@protonmail.com - 8.2.1-0

config.pp now managed /etc/audit in addition to /etc/audit/rules.d. The permissions and ownership of the two directories should be the same. Both directories use purge and recurse.

Tue Mar 19 2019 Liz Nemsick lnemsick.simp@gmail.com - 8.2.1-0

Use Puppet Integer in lieu of simplib's deprecated Puppet 3 to_integer
Expanded the upper limit of the stdlib Puppet module version
Updated a URL in the README.md

Tue Jan 15 2019 Trevor Vaughan tvaughan@onyxpoint.com - 8.2.0-0

Allow users to optimize their audit processing by only collecting on specific SELinux types

Fri Jan 11 2019 Adam Yohrling adam.yohrling@onyxpoint.com - 8.2.0-0

Add restorecon audit for STIG profile

Fri Nov 16 2018 Trevor Vaughan tvaughan@onyxpoint.com - 8.2.0-0

Update to remove potentially redundant test code and use the updated simp-beaker-helpers

Thu Nov 15 2018 Mark Leary leary.mark@gmail.com - 8.1.1-0

Revert back to using the native service provider for the auditd service since puppet fixed the service handling.

Wed Oct 31 2018 Trevor Vaughan tvaughan@onyxpoint.com - 8.1.0-0

Allow users to opt-out of hooking the audit dispatchers into the SIMP rsyslog module using auditd::config::audisp::syslog::rsyslog = false or, alternatively, setting simp_options::syslog = false.
Add a write_logs opttion to the auditd_class and multiplex between the log_format = NOLOG setting and write_logs = false since there were breaking changes in these settings after auditd version 2.6.0.
Add support for log_format = ENHANCED for auditd version >= 2.6.0. Older versions will simply fall back to RAW.

Tue Oct 16 2018 Nick Markowski nicholas.markowski@onyxpoint.com - 8.1.0-0

Removed unnecessary dependencies from metadata.json. Now, when users install auditd stand-alone i.e. puppet module install, they will not have extraneous modules clutter their environment.
- herculesteam/augeasproviders_grub
- simp/rsyslog

Fri Oct 12 2018 Nick Miller nick.miller@onyxpoint.com - 8.1.0-0

Changed the $package_ensure parameter from 'latest' to 'installed'
It will also respect simp_options::package_ensure

Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 8.1.0-0

Update Hiera 4 to Hiera 5

Fri Jul 27 2018 Brandon Ess brandon.ess@gmail.com - 8.1.0-0

Align group ownership of the auditd log directories with the setting for auditd itself so that the designated group can access the log files.

Fri Jul 13 2018 Trevor Vaughan tvaughan@onyxpoint.com - 8.1.0-0

Updated to work with Puppet 5 and OEL

Fri Jul 06 2018 Trey Dockendorf tdockendorf@osc.edu - 8.0.1-0

Allow lowercase values for several parameters in accordance with the man pages and SCAP expectations.

Thu Jun 21 2018 Liz Nemsick lnemsick.simp@gmail.com - 8.0.0-0

Added ability to select one or more audit profiles. When multiple profiles are selected, their rules are effectively concatenated in the order in which the profiles are listed in auditd::default_audit_profiles.
The following API Changes were made in support of multiple audit profiles:
- $::auditd::$default_audit_profile has been deprecated by $::auditd::$default_audit_profiles
- auditd::config and auditd::config::audit_profiles::simp classes are now private. In the unlikely event that you included just these classes in your manifest, you must now include auditd instead.
- The following auditctl global configuration options that were in auditd::config::audit_profiles::simp are now in the auditd class, instead: $ignore_errors, $ignore_anonymous, $ignore_system_services, and $ignore_crond. They were moved because they are now applied to the set of audit profiles selected, not just the 'simp' audit profile.
- The following auditd::config::audit_profiles::simp class parameters have been deprecated for clarity:
  - $audit_sudoers has been deprecated by $audit_cfg_sudoers
  - $audit_sudoers_tag has been deprecated by $audit_cfg_sudoers
  - $audit_grub has been deprecated by $audit_cfg_grub
  - $audit_grub_tag has been deprecated by $audit_cfg_grub_tag
  - $audit_yum has been deprecated by $audit_cfg_yum
  - $audit_yum_tag has been deprecated by $audit_cfg_yum_tag
- Some previously hard-coded, internal configuration is now exposed as data-in-modules.
Added 'stig' audit profile which manages rules that match DISA STIG checks, exactly.
- For executables explicitly listed in the RHEL7 STIG, includes watchs for binaries in the real paths (/usr/bin, /usr/sbin) and linked paths (/bin, /sbin). This is to address inconsistencies among the STIG and the Inspec and OSCAP scans. (All should use the real paths, but don't.)
Fixed bugs in 'simp' audit profile
- Fixed umask syscall rules. These rules require arch filters.
- Fixed clock_settime syscall rules. Per the sample STIG audit rules packaged in the auditd RPM, these rules require an 'a0' filter.
- Fixed bug in which /var/log/tallylog was grouped with session instead of logins.
- Fixed bug in which the /etc/pam.d watch rule had the wrong tag
Updated 'simp' audit profile settings for DISA STIG.
- Expanded the list of successful syscall operations audited.
- Expanded the list of module syscall operations audited
- Added an option to monitor selinux commands, (i.e., chcon, semanage, setfiles, setsebool)
- Added an option to audit the execution of password commands ('passwd', 'unix_chkpwd', 'gpasswd', 'chage', 'userhelper')
- Added an option to audit the execution of privilege-related commands ('su', 'sudo', 'newgrp', 'chsh', 'sudoedit')
- Added an option to audit the execution of postfix-related commands ('postdrop', 'postqueue')
- Added an option to audit the execution of the 'ssh-keysign' command
- Added an option to audit the execution of the 'crontab' command
- Added an option to audit the execution of the 'pam_timestamp_check' command
- Added an option to audit the execution of rename/remove operations for non-service users (rename', 'renameat', rmdir', 'unlink', and 'unlinkat')
- Added watch rules for /etc/hostname and /etc/NetworkManager (for centos7) pulled from the sample STIG audit rules packaged in the auditd RPM.
- For executables explicitly listed in the RHEL7 STIG, includes watchs for binaries in the real paths (/usr/bin, /usr/sbin) and linked paths (/bin, /sbin). This is to address inconsistencies among the STIG and the Inspec and OSCAP scans. (All should use the real paths, but don't.)

Mon Mar 26 2018 Liz Nemsick lnemsick.simp@gmail.com - 7.1.3-0

Work around RPM upgrade issue with nodeset link in compliance acceptance test suite.

Tue Jan 09 2018 Nick Markowski nicholas.markowski@onyxpoint.com - 7.1.3-0

Updated compliance suite to use new inspec profile, https://github.com/simp/inspec-profile-disa_stig-el7
Removed the el6 nodeset from the compliance suite; there are no simp-supported el6 inspec profiles at this time.
Ensured git installed as it's a dependency of our inspec profiles

Mon Nov 13 2017 Nick Miller nick.miller@onyxpoint.com - 7.1.2-0

/var/run/faillock should be tagged under 'login'

Thu Aug 31 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.1.1-0

Adjust audit.rules mode per inspec testing

Mon Aug 21 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.1.0-0

Updated to use augeasproviders_grub 3
Added the ability to log calls to the 'rpm' and 'yum' commands

Mon May 22 2017 Liz Nemsick lnemsick.simp@gmail.com - 7.0.2-0

Fix bug whereby audit.rules file was not being regenerated prior to auditd service start in CentOS/RedHat 6.
Update puppet version in metadata.json

Mon Mar 27 2017 Nicholas Hughes nicholasmhughes@github.com - 7.0.1-0

Audit kernel module tools from /usr/bin as well as /bin and /sbin
Correct auditing /var/log/tallylock, it should have been /var/log/tallylog

Thu Feb 22 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.1-0

Changed auditd::failure_mode to '1' by default since the compliant audit rules were causing routine system restarts. The new value will default to sending printk messages when the buffer is full.
Changed all rules that were exit,always to be always,exit

Tue Jan 12 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.0-0

In response to the DISA STIG Requirements
- Added 'open_by_handle_at' to the 'access' key
- Added watches on /varlog/faillock and /var/log/tallylock
- Added watches on /usr/sbin/insmod and /bin/kmod
- Added permissions modification notification for 'chmod'
Renamed auditd::add_rules to auditd::rule
Split the audit permissions rules into separate lines
Disabled chmod auditing by default

Mon Dec 26 2016 Ralph Wright rwright@onyxpoint.com - 7.0.0-0
Mon Dec 26 2016 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.0-0

Refactor to work in Puppet 4 Changes
Updated acceptance tests

Mon Dec 12 2016 Liz Nemsick lnemsick.simp@gmail.com - 7.0.0-0

Update version to reflect SIMP6 dependencies

Fri Dec 09 2016 Nick Markowski nmarkowski@keywcorp.com - 7.0.0-0

Updated global catalysts
Changed default log facility to local5.
Added a drop rule for crond events

Tue Nov 22 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.1.2-0

Minor cleanup

Mon Sep 26 2016 Jeanne Greulich, Liz Nemsick - 5.1.0-0

Allow user to specify syslog facility and priority for audit record messages.
Allow user to enable/disable audit record syslog messaging independent of the presence of forwarding logging servers.
Added a file resource to detect and fix incorrect permissions on the /var/log/audit/audit.log file.

Mon Aug 29 2016 Ralph Wright ralph.wright@onyxpoint.com - 5.0.4-0

Added booleans to toggle sections of audit rules.

Tue Jul 26 2016 Lucas Yamanishi lucas.yamanishi@onyxpoint.com - 5.0.3-0

Fix for strict_variables failure

Wed Jul 06 2016 Nick Markowski nmarkowski@keywcorp.com - 5.0.2-0

Added a default audit rule for 'renameat', per CCE-26651-0.
Added an auditd_version fact.
Updated validation for *_action lists to differentiate between auditd versions.
Updated module to use new rake helper to auto-gen .spec file.

Thu May 19 2016 nicholasmhughes nicholasmhughes@gmail.com - 5.0.1-0

Change btmp and wtmp locations to /var/log
Support dynamic audit log locations

Thu Feb 18 2016 Ralph Wright ralph.wright@onyxpoint.com - 5.0.0-4

Added compliance function support

Thu Dec 24 2015 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-3

Ensure that the ::auditd::add_rules define does not run if $::auditd::enable_auditing is false.

Thu Nov 19 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-2

Full migration to simplib, removed common and functions.

Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 5.0.0-1

migration to simplib and simpcat (lib/ only)

Tue Oct 20 2015 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0

Module refactor to the new SIMP standard
Fixes for the audit dispatcher and syslog connections

Mon Sep 07 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.0-13

Updated facts from $::lsbmajdistrelease to $::operatingsystemmajrelease.

Tue Jul 21 2015 Kendall Moore kmoore@keywcorp.com - 4.1.0-12

Updated to use the new rsyslog module.

Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-11

Migrated to the new 'simp' environment.

Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-10

Changed puppet-server requirement to puppet

Wed Nov 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9

Updated auditd::to_syslog to support multiple log servers and support for native TLS.

Sat Sep 06 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8

Fixed a missing rule for RHEL<7 that did not properly drop all of the useless audit data.

Sat Aug 23 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-7

Updated to use the new reboot_notify native type.

Sun Jul 13 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-6

Updated to support both grub and grub2
Fixed a bug in the audit ruleset where the initial drop rule was set to drop everything that was not anonymous.
Added support for /etc/audit/rules.d for RHEL7 systems.

Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-5

Removed MD5 file checksums for FIPS compliance.

Fri Jun 20 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-5

Pointed concat fragment auditd+head at the correct template!
Updated to support RHEL7

Wed May 21 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-4

Added the ability to put rules before the default rule body in audit.rules.
Added validation to add_rules.pp.

Fri Mar 28 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3

The template for auditing the rotated audit logs had a one-off error preventing the audit of the last rotated log.
Spec tests were added.

Fri Mar 14 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-2

Added class for auditing grub.

Thu Feb 13 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-1

Converted all string booleans to native booleans.

Mon Nov 04 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0

Added support for audispd based on patches provided by Raymond Page raymond.page@icat.us.
Removed the old rsyslog file tap on audit.log.
Folded the auditd::conf define into the auditd main class since parameterized classes eliminate the need for the define.
- Breaking Change

Mon Oct 28 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-11

Updated the audit base rules to compress and reorder many of the rules to allow for greater processing efficiency.
Added checks for kernel module manipulation in accordance with CCE-26610-6.
Mapped all audit rules to their associated SSG rules in the file template.

Thu Oct 03 2013 Nick Markowski nmarkowski@keywcorp.com - 4.0.0-11

Updated templates to reference instance variables with @

Wed Jul 17 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-10

Removed the sgid binary check in the audit rules because it doesn't actually make any sense.

Thu Jun 27 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-9

Added audit rules to catch the execution of sgid and suid binaries.
Added the ability to rate limit the auditd messages. If you use this, you probably want to change the failure mode to 1.
Added the ability to ignore failures in the audit configuration and continue and set it to true by default. Since the rules are automatically managed, the likelihood of one being wrong is fairly high. Also, rules will fail if a file doesn't exist which isn't all that helpful.
Removed the watch on /proc/kcore since it wasn't really helpful and was throwing SELinux AVC's on startup.
Added default auditing to /etc/yum.conf and /etc/yum.repos.d

Tue Apr 09 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-8

Skip any rule that does not load properly so that we have as much of the configuration active as possible.

Thu Dec 13 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-7

Updated to require pupmod-common >= 2.1.1-2 so that upgrading an old system works properly.

Fri Nov 30 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-6

Added a cucumber test to ensure that the auditd daemon starts when including audit in the puppet server manifest.

Tue Sep 18 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-5

Updated all references of /etc/modprobe.conf to /etc/modprobe.d/00_simp_blacklist.conf as modprobe.conf is now deprecated.

Thu Jun 07 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-4

Ensure that Arrays in templates are flattened.
Call facts as instance variables.
Moved mit-tests to /usr/share/simp...
Moved rsyslog module inclusion from init.pp to to_syslog.pp where it is used.
Updated pp files to better meet Puppet's recommended style guide.

Fri Mar 02 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-3

Improved test stubs.

Mon Jan 30 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-2

Removed all references to 'entry' rules since they are deprecated.
Removed the watch rule for /etc/firmware since it was removed in RHEL6 and pretty much useless anyway.
Added test stubs

Mon Dec 26 2011 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-1

Scoped all of the top level variables.

Fri Oct 28 2011 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-0

Removed the base audit of /etc/ldap.conf since it was redundant.

Mon Oct 10 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-3

Updated to put quotes around everything that need it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.

Thu Mar 17 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-2

Modified several audit rules to be a bit more complete and to conform to some of the Red Hat syntax standards.

Fri Feb 11 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-1

Updated to use concat_build and concat_fragment types.

Tue Jan 11 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-0

Refactored for SIMP-2.0.0-alpha release

Tue Oct 26 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1-2

Converting all spec files to check for directories prior to copy.

Wed Jul 28 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-1

More code refactoring
Made log_file configurable in to_syslog define.

Wed May 19 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-0

Code + doc refactor

Wed May 12 2010 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-12

Added the option $root_audit_level to auditd::conf
- The allowed strings are basic(default), aggressive, insane
  - Basic(default): Safe, should not follow program execution outside of the base app
  - Aggressive: Adds execve
  - Insane: Adds fork, vfork, write, chown, creat, link, mkdir, rmdir

Fri Feb 19 2010 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-11

Removed watch on /etc. That was a very bad rule.

Tue Dec 15 2009 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-10

Audit rules now properly handle 64 and 32 bit architectures (for now). Previously, the 64 bit calls were not handled properly.

auditd - A module to manage the Audit Daemon, Kernel Parameters, and related
subsystems.

Per Section 105 of the Copyright Act of 1976, these works are not entitled to
domestic copyright protection under US Federal law.

The US Government retains the right to pursue copyright protections outside of
the United States.

The United States Government has unlimited rights in this software and all
derivatives thereof, pursuant to the contracts under which it was developed and
the License under which it falls.

---

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.

Modules

Discover

Contribute

Puppet

Premium features

Downloads

Resources

About Forge

Getting Started

auditd

Version information

This version is compatible with:

Start using this module

Documentation

Table of Contents

Overview

This is a SIMP module

Module Description

Setup

Setup Requirements

What Auditd Affects

Usage

Basic Usage

Disabling Auditd

Enable/Disable sending audit event to syslog:

Changing Key Values

Understanding Auditd Profiles

Stacking Profiles

The Custom Profile

Override All Other Profiles

Prepend Before the SIMP Profile

Append After the SIMP and STIG Profiles

The Built-in Profile

Disabling All SIMP-provided Profiles

Enabling Sample Rulesets with Built-in Profile

Configuring Complete Rulesets with Built-in Profile

Adding One-Off Rules

Adding Regular Filter Rules

Prepend and Drop Everything From a User

Development

Acceptance tests

Reference

Table of Contents

Classes

Defined types

Functions

Data types

Classes

auditd

Parameters

enable

default_audit_profile

default_audit_profiles

audit_auditd_config

lname

ignore_anonymous

ignore_crond

ignore_time_daemons

ignore_crypto_key_user

ignore_errors

ignore_failures

ignore_system_services

action_mail_acct

admin_space_left

admin_space_left_action

at_boot

buffer_size

backlog_wait_time

disk_error_action

disk_full_action

disp_qos

dispatcher

failure_mode

flush

freq

immutable

log_file

local_events

log_format

log_group

`auditd`

`enable`

`default_audit_profile`

`default_audit_profiles`

`audit_auditd_config`

`lname`

`ignore_anonymous`

`ignore_crond`

`ignore_time_daemons`

`ignore_crypto_key_user`

`ignore_errors`

`ignore_failures`

`ignore_system_services`

`action_mail_acct`

`admin_space_left`

`admin_space_left_action`

`at_boot`

`buffer_size`

`backlog_wait_time`

`disk_error_action`

`disk_full_action`

`disp_qos`

`dispatcher`

`failure_mode`

`flush`

`freq`

`immutable`

`log_file`

`local_events`

`log_format`

`log_group`

`loginuid_immutable`

`max_log_file`

`max_log_file_action`

`max_restarts`

`name_format`

`num_logs`

`overflow_action`

`package_name`

`package_ensure`

`plugin_dir`

`priority_boost`

`q_depth`

`rate`

`root_audit_level`

`service_name`

`space_left`

`space_left_action`

`syslog`

`target_selinux_types`

`uid_min`

`verify_email`

`write_logs`

`purge_auditd_rules`

`auditd::config`

`auditd::config::audisp`

`q_depth`

`overflow_action`

`priority_boost`

`max_restarts`

`name_format`

`specific_name`

`auditd::config::audisp::syslog`

`rsyslog`

`drop_audit_logs`

`enable`

`priority`

`facility`

`syslog_path`

`type`

`pkg_name`

`package_ensure`

`auditd::config::audisp_service`

`auditd::config::audit_profiles`

`auditd::config::audit_profiles::built_in`

`rulesets`

`auditd::config::audit_profiles::custom`

`rules`

`template`

`auditd::config::audit_profiles::simp`