From 2872e6d5b98bcfd116b115c19a8c2f7f77ecbc41 Mon Sep 17 00:00:00 2001 From: Ben Dean Date: Thu, 26 Mar 2020 09:41:55 -0400 Subject: [PATCH] Initial (sans Arch) auditd management support. (#260) * Initial (sans Arch) auditd management support. Signed-off-by: Ben Dean * fix rubycop warnings Signed-off-by: Ben Dean Co-authored-by: Benjamin Blakely --- attributes/default.rb | 16 +++++++++ recipes/auditd.rb | 40 ++++++++++++++++++++++ templates/default/auditd.conf.erb | 33 ++++++++++++++++++ test/integration/default/controls/tests.rb | 2 -- 4 files changed, 89 insertions(+), 2 deletions(-) create mode 100644 templates/default/auditd.conf.erb
diff --git a/attributes/default.rb b/attributes/default.rb
index 1de49d6a..40c319c7 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -250,3 +250,19 @@
 end
 end
 # rubocop:enable Metrics/BlockLength
+
+# auditd config
+default['os-hardening']['auditd']['flush'] = 'INCREMENTAL'
+default['os-hardening']['auditd']['log_group'] = 'root'
+default['os-hardening']['auditd']['priority_boost'] = '4'
+default['os-hardening']['auditd']['freq'] = '20'
+default['os-hardening']['auditd']['num_logs'] = '5'
+default['os-hardening']['auditd']['disp_qos'] = 'lossy'
+default['os-hardening']['auditd']['dispatcher'] = '/sbin/audispd'
+default['os-hardening']['auditd']['name_format'] = 'NONE'
+default['os-hardening']['auditd']['max_log_file'] = '6'
+default['os-hardening']['auditd']['tcp_listen_queue'] = '5'
+default['os-hardening']['auditd']['tcp_max_per_addr'] = '1'
+default['os-hardening']['auditd']['tcp_client_max_idle'] = '0'
+default['os-hardening']['auditd']['enable_krb5'] = 'no'
+default['os-hardening']['auditd']['krb5_principal'] = 'auditd'
diff --git a/recipes/auditd.rb b/recipes/auditd.rb
index b81dff40..d1a5998b 100644
--- a/recipes/auditd.rb
+++ b/recipes/auditd.rb
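Review bot: The three `tcp_*` defaults and the `enable_krb5`/`krb5_principal` pair configure auditd's remote-logging listener, but the template added in `templates/default/auditd.conf.erb` in this same commit never emits `tcp_listen_port`, so the listener stays disabled and these five settings have no effect; that is the safer posture, but a reader of this file may otherwise assume the node accepts remote audit records. A comment above `default['os-hardening']['auditd']['tcp_listen_queue']` such as `# tcp_*, enable_krb5 and krb5_principal only apply when tcp_listen_port is set; this cookbook does not set it, so the remote listener stays off` would make that explicit. The numeric values are kept as strings, which works for the template, but their units are not obvious from the names; `# max_log_file is in MB; tcp_client_max_idle is in seconds (0 disables the idle check)` would help operators who override them.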
@@ -20,3 +20,43 @@
 #
 
 package node['os-hardening']['packages']['auditd']
+
+service 'auditd' do
+  supports %i[start stop restart reload status]
+  if (node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 7) ||
+     (node['platform_family'] == 'fedora' && node['platform_version'].to_f >= 27)
+    restart_command 'service auditd restart'
+  end
+  action [:enable]
+end
+
+unless node['os-hardening']['auditd']['flush'].match(/^INCREMENTAL|INCREMENTAL_ASYNC$/) ||
+       node['os-hardening']['auditd']['flush'].empty?
+  Chef::Log.fatal('If specifying a value for auditd flush parameter, must be one of INCREMENTAL or INCREMENTAL_ASYNC')
+  raise
+end
+
+template '/etc/audit/auditd.conf' do
+  source 'auditd.conf.erb'
+  mode '0400'
+  owner 'root'
+  group 'root'
+  variables(
+    flush: node['os-hardening']['auditd']['flush'],
+    log_group: node['os-hardening']['auditd']['log_group'],
+    priority_boost: node['os-hardening']['auditd']['priority_boost'],
+    freq: node['os-hardening']['auditd']['freq'],
+    num_logs: node['os-hardening']['auditd']['num_logs'],
+    disp_qos: node['os-hardening']['auditd']['disp_qos'],
+    dispatcher: node['os-hardening']['auditd']['dispatcher'],
+    name_format: node['os-hardening']['auditd']['name_format'],
+    max_log_file: node['os-hardening']['auditd']['max_log_file'],
+    tcp_listen_queue: node['os-hardening']['auditd']['tcp_listen_queue'],
+    tcp_max_per_addr: node['os-hardening']['auditd']['tcp_max_per_addr'],
+    tcp_client_max_idle: node['os-hardening']['auditd']['tcp_client_max_idle'],
+    enable_krb5: node['os-hardening']['auditd']['enable_krb5'],
+    krb5_principal: node['os-hardening']['auditd']['krb5_principal']
+  )
+  notifies :restart, 'service[auditd]'
+  action :create
+end
diff --git a/templates/default/auditd.conf.erb b/templates/default/auditd.conf.erb
new file mode 100644
index 00000000..cbc0f16e
--- /dev/null
+++ b/templates/default/auditd.conf.erb
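Review bot: The `flush` guard is looser than its error message claims: in `/^INCREMENTAL|INCREMENTAL_ASYNC$/` the alternation binds before the anchors, so the left branch is just `^INCREMENTAL` and accepts values such as `INCREMENTALX`, and `^`/`$` are line anchors, so a multi-line attribute passes as long as one line matches; the unchecked value is then written into `/etc/audit/auditd.conf`, which auditd's config parser will most likely refuse at start. Anchor the whole string and group the alternation: `unless node['os-hardening']['auditd']['flush'].to_s.empty? ||` / `node['os-hardening']['auditd']['flush'].match?(/\A(INCREMENTAL|INCREMENTAL_ASYNC)\z/)`; the `.to_s` also avoids the `NoMethodError` that `.match`/`.empty?` raise today when the attribute is set to nil. The bare `raise` outside a `rescue` produces a `RuntimeError` whose message is `unhandled exception`, so the reason survives only in the log; `raise ArgumentError, 'auditd flush must be INCREMENTAL or INCREMENTAL_ASYNC'` keeps it on the exception the run reports. The other attributes are interpolated into the template without any check, which is acceptable for operator-controlled attributes but deserves a one-line comment saying validation is intentionally limited to `flush`.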
@@ -0,0 +1,33 @@
+<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
+# <%= l %>
+<% end %>
+#
+#--
+
+# Specified by linux-baseline
+log_file = /var/log/audit/audit.log
+log_format = RAW
+flush = <%= @flush %>
+max_log_file_action = keep_logs
+space_left = 75
+action_mail_acct = root
+space_left_action = SYSLOG
+admin_space_left = 50
+admin_space_left_action = SUSPEND
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+
+# Unspecified, auditd defaults unless overwritten
+log_group = <%= @log_group %>
+priority_boost = <%= @priority_boost %>
+freq = <%= @freq %>
+num_logs = <%= @num_logs %>
+disp_qos = <%= @disp_qos %>
+dispatcher = <%= @dispatcher %>
+name_format = <%= @name_format %>
+max_log_file = <%= @max_log_file %>
+tcp_listen_queue = <%= @tcp_listen_queue %>
+tcp_max_per_addr = <%= @tcp_max_per_addr %>
+tcp_client_max_idle = <%= @tcp_client_max_idle %>
+enable_krb5 = <%= @enable_krb5 %>
+krb5_principal = <%= @krb5_principal %>
diff --git a/test/integration/default/controls/tests.rb b/test/integration/default/controls/tests.rb
index c1913a29..7b58667d 100644
--- a/test/integration/default/controls/tests.rb
+++ b/test/integration/default/controls/tests.rb
@@ -2,6 +2,4 @@
   # skip entropy test, as our short living test VMs usually do not
   # have enough
   skip_control 'os-08'
-  # skip auditd tests, we do not have any implementation for audit management yet
-  skip_control 'package-08'
 end
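Review bot: `max_log_file_action = keep_logs` rotates without ever deleting, and per auditd.conf(5) `keep_logs` does not consult `num_logs`, so the `num_logs = <%= @num_logs %>` line in the "Unspecified" section (and its attribute default) is inert; either document that or drop the attribute, otherwise a reader will assume retention is bounded at five files. With retention unbounded, the only disk-exhaustion handling left is `admin_space_left_action = SUSPEND` and `disk_full_action = SUSPEND`, which stop auditd from writing records rather than halting the system, so audit events are lost silently once the partition fills; the values appear to be inherited from linux-baseline, and a comment such as `# keep_logs never prunes; SUSPEND stops writing records (not the system) once space runs out - monitor /var/log/audit usage` would make that operational consequence explicit to whoever deploys this. The "Unspecified, auditd defaults unless overwritten" heading is also slightly misleading, since every line below it is always rendered from the cookbook's own defaults rather than left to auditd.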