From f6976701d67ac8c65d86e9aa7951907b63791b87 Mon Sep 17 00:00:00 2001
From: Benjamin Blakely
Date: Tue, 6 Feb 2018 16:39:59 -0600
Subject: [PATCH 1/2] Initial (sans Arch) auditd management support.
Signed-off-by: Ben Dean
---
 attributes/default.rb | 16 +++++++++
 recipes/auditd.rb | 40 ++++++++++++++++++++++
 templates/default/auditd.conf.erb | 33 ++++++++++++++++++
 test/integration/default/controls/tests.rb | 2 --
 4 files changed, 89 insertions(+), 2 deletions(-)
 create mode 100644 templates/default/auditd.conf.erb
diff --git a/attributes/default.rb b/attributes/default.rb
index 1de49d6a..40c319c7 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -250,3 +250,19 @@
 end
 end
 # rubocop:enable Metrics/BlockLength
+
+# auditd config
+default['os-hardening']['auditd']['flush'] = 'INCREMENTAL'
+default['os-hardening']['auditd']['log_group'] = 'root'
+default['os-hardening']['auditd']['priority_boost'] = '4'
+default['os-hardening']['auditd']['freq'] = '20'
+default['os-hardening']['auditd']['num_logs'] = '5'
+default['os-hardening']['auditd']['disp_qos'] = 'lossy'
+default['os-hardening']['auditd']['dispatcher'] = '/sbin/audispd'
+default['os-hardening']['auditd']['name_format'] = 'NONE'
+default['os-hardening']['auditd']['max_log_file'] = '6'
+default['os-hardening']['auditd']['tcp_listen_queue'] = '5'
+default['os-hardening']['auditd']['tcp_max_per_addr'] = '1'
+default['os-hardening']['auditd']['tcp_client_max_idle'] = '0'
+default['os-hardening']['auditd']['enable_krb5'] = 'no'
+default['os-hardening']['auditd']['krb5_principal'] = 'auditd'
diff --git a/recipes/auditd.rb b/recipes/auditd.rb
index b81dff40..a3571cdd 100644
--- a/recipes/auditd.rb
+++ b/recipes/auditd.rb
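Review bot: The new `default['os-hardening']['auditd']['num_logs'] = '5'` line is inert in this cookbook: auditd only consults num_logs when max_log_file_action is rotate, and templates/default/auditd.conf.erb in this same patch hard-codes `max_log_file_action = keep_logs`. Either drop the attribute or comment it so operators do not assume retention is capped at five files; a one-line `# only consulted by auditd when max_log_file_action is rotate; the template fixes keep_logs` above it would do. The other tunables are bare strings whose units are not visible from their names, so short comments such as `# max_log_file: megabytes per log file` and `# tcp_client_max_idle: seconds, 0 disables the idle timeout` would help, since the block as a whole carries nothing beyond `# auditd config`.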
@@ -20,3 +20,43 @@
 #
 package node['os-hardening']['packages']['auditd']
+
+service "auditd" do
+ supports [:start, :stop, :restart, :reload, :status]
+ if (node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 7) ||
+ (node['platform_family'] == 'fedora' && node['platform_version'].to_f >= 27)
+ restart_command 'service auditd restart'
+ end
+ action [ :enable ]
+end
+
+unless (node['os-hardening']['auditd']['flush'].match(/^INCREMENTAL|INCREMENTAL_ASYNC$/) ||
+ node['os-hardening']['auditd']['flush'].empty?)
+ Chef::Log.fatal('If specifying a value for auditd flush parameter, must be one of INCREMENTAL or INCREMENTAL_ASYNC')
+ raise
+end
+
+template '/etc/audit/auditd.conf' do
+ source 'auditd.conf.erb'
+ mode '0400'
+ owner 'root'
+ group 'root'
+ variables(
+ flush: node['os-hardening']['auditd']['flush'],
+ log_group: node['os-hardening']['auditd']['log_group'],
+ priority_boost: node['os-hardening']['auditd']['priority_boost'],
+ freq: node['os-hardening']['auditd']['freq'],
+ num_logs: node['os-hardening']['auditd']['num_logs'],
+ disp_qos: node['os-hardening']['auditd']['disp_qos'],
+ dispatcher: node['os-hardening']['auditd']['dispatcher'],
+ name_format: node['os-hardening']['auditd']['name_format'],
+ max_log_file: node['os-hardening']['auditd']['max_log_file'],
+ tcp_listen_queue: node['os-hardening']['auditd']['tcp_listen_queue'],
+ tcp_max_per_addr: node['os-hardening']['auditd']['tcp_max_per_addr'],
+ tcp_client_max_idle: node['os-hardening']['auditd']['tcp_client_max_idle'],
+ enable_krb5: node['os-hardening']['auditd']['enable_krb5'],
+ krb5_principal: node['os-hardening']['auditd']['krb5_principal']
+ )
+ notifies :restart, 'service[auditd]'
+ action :create
+end
diff --git a/templates/default/auditd.conf.erb b/templates/default/auditd.conf.erb
new file mode 100644
index 00000000..cbc0f16e
--- /dev/null
+++ b/templates/default/auditd.conf.erb
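Review bot: The validation regex `/^INCREMENTAL|INCREMENTAL_ASYNC$/` in the added `unless` block does not enforce what the fatal message says: the alternation binds looser than the anchors, so any value that merely starts with INCREMENTAL or ends with INCREMENTAL_ASYNC passes, and in Ruby `^`/`$` match per line rather than the whole string. A whole-string check is both stricter and clearer, e.g. `flush = node['os-hardening']['auditd']['flush'].to_s` followed by `unless %w[INCREMENTAL INCREMENTAL_ASYNC].include?(flush) || flush.empty?`, where the `to_s` also stops an unset attribute from raising NoMethodError before the check runs. The bare `raise` after `Chef::Log.fatal` produces a RuntimeError with the message 'unhandled exception' outside a rescue; `raise ArgumentError, 'auditd flush must be INCREMENTAL or INCREMENTAL_ASYNC'` keeps the reason in the Chef stack trace. The second patch's first hunk of recipes/auditd.rb (the rubocop fix) carries the same regex unchanged. Note also that an empty value passes this check but the template still renders `flush = ` with no value, which auditd is likely to reject at startup, so the `empty?` escape hatch only makes sense if the template omits the line instead of rendering it blank.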
@@ -0,0 +1,33 @@
+<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
+# <%= l %>
+<% end %>
+#
+#--
+
+# Specified by linux-baseline
+log_file = /var/log/audit/audit.log
+log_format = RAW
+flush = <%= @flush %>
+max_log_file_action = keep_logs
+space_left = 75
+action_mail_acct = root
+space_left_action = SYSLOG
+admin_space_left = 50
+admin_space_left_action = SUSPEND
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+
+# Unspecified, auditd defaults unless overwritten
+log_group = <%= @log_group %>
+priority_boost = <%= @priority_boost %>
+freq = <%= @freq %>
+num_logs = <%= @num_logs %>
+disp_qos = <%= @disp_qos %>
+dispatcher = <%= @dispatcher %>
+name_format = <%= @name_format %>
+max_log_file = <%= @max_log_file %>
+tcp_listen_queue = <%= @tcp_listen_queue %>
+tcp_max_per_addr = <%= @tcp_max_per_addr %>
+tcp_client_max_idle = <%= @tcp_client_max_idle %>
+enable_krb5 = <%= @enable_krb5 %>
+krb5_principal = <%= @krb5_principal %>
diff --git a/test/integration/default/controls/tests.rb b/test/integration/default/controls/tests.rb
index c1913a29..7b58667d 100644
--- a/test/integration/default/controls/tests.rb
+++ b/test/integration/default/controls/tests.rb
@@ -2,6 +2,4 @@
 # skip entropy test, as our short living test VMs usually do not
 # have enough
 skip_control 'os-08'
- # skip auditd tests, we do not have any implementation for audit management yet
- skip_control 'package-08'
 end
From bc5a5a4e1715bef38813b0a4acba4265ea1dfcca Mon Sep 17 00:00:00 2001
From: Ben Dean
Date: Mon, 2 Mar 2020 16:04:44 -0500
Subject: [PATCH 2/2] fix rubycop warnings
Signed-off-by: Ben Dean
---
 recipes/auditd.rb | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/recipes/auditd.rb b/recipes/auditd.rb
index a3571cdd..d1a5998b 100644
--- a/recipes/auditd.rb
+++ b/recipes/auditd.rb
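Review bot: Every value in the new template is interpolated unconditionally, so an attribute that is nil or '' yields a line such as `flush = ` or `log_group = ` with no value, and the recipe in this patch explicitly allows an empty `flush`; auditd is likely to reject such a line when it parses auditd.conf and fail to start, which leaves the host with no audit trail rather than falling back to the daemon's built-in default. For the fourteen `<%= @… %>` lines the safer shape is to emit the line only when a value is present, e.g. `<% unless @log_group.to_s.empty? %>`, `log_group = <%= @log_group %>`, `<% end %>`, so that an unset attribute really does fall through to the default the `# Unspecified, auditd defaults unless overwritten` header promises. If the fixed keys under `# Specified by linux-baseline` are meant to be non-overridable, a comment saying so at the top of that section would save readers looking for an attribute that does not exist.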
@@ -21,17 +21,17 @@
 package node['os-hardening']['packages']['auditd']
-service "auditd" do
- supports [:start, :stop, :restart, :reload, :status]
+service 'auditd' do
+ supports %i[start stop restart reload status]
 if (node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 7) ||
 (node['platform_family'] == 'fedora' && node['platform_version'].to_f >= 27)
 restart_command 'service auditd restart'
 end
- action [ :enable ]
+ action [:enable]
 end
-unless (node['os-hardening']['auditd']['flush'].match(/^INCREMENTAL|INCREMENTAL_ASYNC$/) || node['os-hardening']['auditd']['flush'].empty?)
+unless node['os-hardening']['auditd']['flush'].match(/^INCREMENTAL|INCREMENTAL_ASYNC$/) || node['os-hardening']['auditd']['flush'].empty?
 Chef::Log.fatal('If specifying a value for auditd flush parameter, must be one of INCREMENTAL or INCREMENTAL_ASYNC')
 raise
 end
@@ -42,21 +42,21 @@
 owner 'root'
 group 'root'
 variables(
- flush: node['os-hardening']['auditd']['flush'],
- log_group: node['os-hardening']['auditd']['log_group'],
- priority_boost: node['os-hardening']['auditd']['priority_boost'],
- freq: node['os-hardening']['auditd']['freq'],
- num_logs: node['os-hardening']['auditd']['num_logs'],
- disp_qos: node['os-hardening']['auditd']['disp_qos'],
- dispatcher: node['os-hardening']['auditd']['dispatcher'],
- name_format: node['os-hardening']['auditd']['name_format'],
- max_log_file: node['os-hardening']['auditd']['max_log_file'],
- tcp_listen_queue: node['os-hardening']['auditd']['tcp_listen_queue'],
- tcp_max_per_addr: node['os-hardening']['auditd']['tcp_max_per_addr'],
+ flush: node['os-hardening']['auditd']['flush'],
+ log_group: node['os-hardening']['auditd']['log_group'],
+ priority_boost: node['os-hardening']['auditd']['priority_boost'],
+ freq: node['os-hardening']['auditd']['freq'],
+ num_logs: node['os-hardening']['auditd']['num_logs'],
+ disp_qos: node['os-hardening']['auditd']['disp_qos'],
+ dispatcher: node['os-hardening']['auditd']['dispatcher'],
+ name_format: node['os-hardening']['auditd']['name_format'],
+ max_log_file: node['os-hardening']['auditd']['max_log_file'],
+ tcp_listen_queue: node['os-hardening']['auditd']['tcp_listen_queue'],
+ tcp_max_per_addr: node['os-hardening']['auditd']['tcp_max_per_addr'],
 tcp_client_max_idle: node['os-hardening']['auditd']['tcp_client_max_idle'],
- enable_krb5: node['os-hardening']['auditd']['enable_krb5'],
- krb5_principal: node['os-hardening']['auditd']['krb5_principal']
- )
+ enable_krb5: node['os-hardening']['auditd']['enable_krb5'],
+ krb5_principal: node['os-hardening']['auditd']['krb5_principal']
+ )
 notifies :restart, 'service[auditd]'
 action :create
 end