Initial (sans Arch) auditd management support. (#260)

* Initial (sans Arch) auditd management support. Signed-off-by: Ben Dean <[email protected]> * fix rubycop warnings Signed-off-by: Ben Dean <[email protected]> Co-authored-by: Benjamin Blakely <[email protected]>
dev-sec · Mar 26, 2020 · 2872e6d · 2872e6d
1 parent e81b389
commit 2872e6d
Show file tree

Hide file tree

Showing 4 changed files with 89 additions and 2 deletions.
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -250,3 +250,19 @@
   end
 end
 # rubocop:enable Metrics/BlockLength
+
+# auditd config
+default['os-hardening']['auditd']['flush'] = 'INCREMENTAL'
+default['os-hardening']['auditd']['log_group'] = 'root'
+default['os-hardening']['auditd']['priority_boost'] = '4'
+default['os-hardening']['auditd']['freq'] = '20'
+default['os-hardening']['auditd']['num_logs'] = '5'
+default['os-hardening']['auditd']['disp_qos'] = 'lossy'
+default['os-hardening']['auditd']['dispatcher'] = '/sbin/audispd'
+default['os-hardening']['auditd']['name_format'] = 'NONE'
+default['os-hardening']['auditd']['max_log_file'] = '6'
+default['os-hardening']['auditd']['tcp_listen_queue'] = '5'
+default['os-hardening']['auditd']['tcp_max_per_addr'] = '1'
+default['os-hardening']['auditd']['tcp_client_max_idle'] = '0'
+default['os-hardening']['auditd']['enable_krb5'] = 'no'
+default['os-hardening']['auditd']['krb5_principal'] = 'auditd'
diff --git a/recipes/auditd.rb b/recipes/auditd.rb
@@ -20,3 +20,43 @@
 #
 
 package node['os-hardening']['packages']['auditd']
+
+service 'auditd' do
+  supports %i[start stop restart reload status]
+  if (node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 7) ||
+     (node['platform_family'] == 'fedora' && node['platform_version'].to_f >= 27)
+    restart_command 'service auditd restart'
+  end
+  action [:enable]
+end
+
+unless node['os-hardening']['auditd']['flush'].match(/^INCREMENTAL|INCREMENTAL_ASYNC$/) ||
+       node['os-hardening']['auditd']['flush'].empty?
+  Chef::Log.fatal('If specifying a value for auditd flush parameter, must be one of INCREMENTAL or INCREMENTAL_ASYNC')
+  raise
+end
+
+template '/etc/audit/auditd.conf' do
+  source 'auditd.conf.erb'
+  mode '0400'
+  owner 'root'
+  group 'root'
+  variables(
+    flush:               node['os-hardening']['auditd']['flush'],
+    log_group:           node['os-hardening']['auditd']['log_group'],
+    priority_boost:      node['os-hardening']['auditd']['priority_boost'],
+    freq:                node['os-hardening']['auditd']['freq'],
+    num_logs:            node['os-hardening']['auditd']['num_logs'],
+    disp_qos:            node['os-hardening']['auditd']['disp_qos'],
+    dispatcher:          node['os-hardening']['auditd']['dispatcher'],
+    name_format:         node['os-hardening']['auditd']['name_format'],
+    max_log_file:        node['os-hardening']['auditd']['max_log_file'],
+    tcp_listen_queue:    node['os-hardening']['auditd']['tcp_listen_queue'],
+    tcp_max_per_addr:    node['os-hardening']['auditd']['tcp_max_per_addr'],
+    tcp_client_max_idle: node['os-hardening']['auditd']['tcp_client_max_idle'],
+    enable_krb5:         node['os-hardening']['auditd']['enable_krb5'],
+    krb5_principal:      node['os-hardening']['auditd']['krb5_principal']
+  )
+  notifies :restart, 'service[auditd]'
+  action :create
+end
diff --git a/templates/default/auditd.conf.erb b/templates/default/auditd.conf.erb
@@ -0,0 +1,33 @@
+<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
+# <%= l %>
+<% end %>
+#
+#--
+
+# Specified by linux-baseline
+log_file = /var/log/audit/audit.log
+log_format = RAW
+flush = <%= @flush %>
+max_log_file_action = keep_logs
+space_left = 75
+action_mail_acct = root
+space_left_action = SYSLOG
+admin_space_left = 50
+admin_space_left_action = SUSPEND
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+
+# Unspecified, auditd defaults unless overwritten
+log_group = <%= @log_group %>
+priority_boost = <%= @priority_boost %>
+freq = <%= @freq %>
+num_logs = <%= @num_logs %>
+disp_qos = <%= @disp_qos %>
+dispatcher = <%= @dispatcher %>
+name_format = <%= @name_format %>
+max_log_file = <%= @max_log_file %>
+tcp_listen_queue = <%= @tcp_listen_queue %>
+tcp_max_per_addr = <%= @tcp_max_per_addr %>
+tcp_client_max_idle = <%= @tcp_client_max_idle %>
+enable_krb5 = <%= @enable_krb5 %>
+krb5_principal = <%= @krb5_principal %>
diff --git a/test/integration/default/controls/tests.rb b/test/integration/default/controls/tests.rb
@@ -2,6 +2,4 @@
   # skip entropy test, as our short living test VMs usually do not
   # have enough
   skip_control 'os-08'
-  # skip auditd tests, we do not have any implementation for audit management yet
-  skip_control 'package-08'
 end