REFERENCE.md

File metadata and controls

2600 lines (1521 loc) · 83.1 KB

Reference

Table of Contents

Classes

Defined types

Functions

Data types

Classes

auditd

Any variable that is not described here can be found in auditd.conf(5) and auditctl(8).

  • See also
    • auditd.conf(5)
    • auditctl(8)

Parameters

The following parameters are available in the auditd class:

enable

Data type: Boolean

If true, enable auditing.

Default value: true

default_audit_profile

Data type: Optional[Variant[Enum['simp'],Boolean]]

Deprecated by $default_audit_profiles

Default value: undef

default_audit_profiles

Data type: Array[Auditd::AuditProfile]

The built-in audit profile(s) to use to provide global audit rule configuration (error handling, buffer size, etc.) and a base set of audit rules.

  • When more than one profile is specified, the profile rules are effectively concatenated in the order the profiles are listed.
  • To add rules to the base set, use auditd::rule.
  • To manage the audit rules yourself, set this parameter to [].
  • See auditd::config::audit_profiles for more details about this configuration.

Default value: [ 'simp' ]

audit_auditd_config

Data type: Boolean

Set up an audit rule to audit the auditd configuration files.

Default value: true

lname

Data type: String

An alias for the name variable in the configuration file. This is used since $name is a reserved keyword in Puppet.

Default value: $facts['networking']['fqdn']

ignore_anonymous

Data type: Boolean

For built-in audit profiles, whether to drop anonymous and daemon events, i.e., events for which auid is '-1' (aka 'unset'). Audit records from these events are prolific but not useful.

Default value: true

ignore_crond

Data type: Boolean

For built-in audit profiles, whether to drop events related to cron jobs. cron creates a lot of audit events that are not usually useful.

Default value: true

ignore_time_daemons

Data type: Boolean

Ignore time modifications by time daemons that are running on the system since this is valid activity.

Default value: true

ignore_crypto_key_user

Data type: Boolean

Ignore CRYPTO_KEY_USER logs since these are generally noise.

Default value: true

ignore_errors

Data type: Boolean

Whether to set the auditctl '-i' option (ignore errors when reading rules from a file)

Default value: true

ignore_failures

Data type: Boolean

Whether to set the auditctl '-c' option (continue loading rules in spite of an error)

Default value: true

ignore_system_services

Data type: Boolean

For built-in audit profiles, whether to ignore system service events, i.e., events for which the auid is set but is less than the minimum UID for human users on the system ($uid_min). Most security guides attach this filter to every system call rule; implementing it once, as an upfront drop rule, provides the same filtering more efficiently.

Default value: true

action_mail_acct

Data type: String[1]

Default value: 'root'

admin_space_left

Data type: Variant[Integer[0],Pattern['^\d+%$']]

Default value: 50

admin_space_left_action

Data type: Auditd::SpaceLeftAction

Default value: 'rotate'

at_boot

Data type: Boolean

If true, modify the GRUB settings so that auditing is enabled at boot time (the audit=1 kernel argument).

Default value: true

buffer_size

Data type: Integer[0]

Value of the auditctl '-b' option

Default value: 16384

backlog_wait_time

Data type: Optional[Integer[1,600000]]

Default value: undef

disk_error_action

Data type: Auditd::DiskErrorAction

Default value: 'syslog'

disk_full_action

Data type: Auditd::DiskFullAction

Default value: 'rotate'

disp_qos

Data type: Enum['lossy','lossless']

auditd version 2 only

Default value: 'lossy'

dispatcher

Data type: Stdlib::Absolutepath

auditd version 2 only

Default value: '/sbin/audispd'

failure_mode

Data type: Integer[0]

Value of the auditctl '-f' option

Default value: 1

flush

Data type: Auditd::Flush

Default value: 'incremental'

freq

Data type: Integer[0]

Default value: 20

immutable

Data type: Boolean

Whether or not to make the configuration immutable (auditctl '-e 2') when using built-in audit profiles. Be aware that, should you choose to make the configuration immutable, you will not be able to change your audit rules without a reboot.

Default value: false

log_file

Data type: Stdlib::Absolutepath

Default value: '/var/log/audit/audit.log'

local_events

Data type: Optional[Boolean]

auditd version 3 only

Default value: undef

log_format

Data type: Auditd::LogFormat

The output log format

  • 'NOLOG' is deprecated as of auditd 2.5.2
  • 'ENRICHED' is only available in auditd >= 2.6.0

Default value: 'raw'

log_group

Data type: String

Default value: 'root'

loginuid_immutable

Data type: Boolean

Sets the --loginuid-immutable option

  • This has been noted to potentially cause issues with some types of containers but a concrete explanation of what types has not yet been found.

Default value: true

max_log_file

Data type: Integer[0]

Default value: 24

max_log_file_action

Data type: Auditd::MaxLogFileAction

Default value: 'rotate'

max_restarts

Data type: Optional[Integer[1]]

Sets the number of times a plugin will be restarted.

Default value: undef

name_format

Data type: Auditd::NameFormat

Default value: 'user'

num_logs

Data type: Integer[0]

Default value: 5

overflow_action

Data type: Optional[Auditd::Overflowaction]

Sets the overflow action.

Default value: undef

package_name

Data type: String[1]

The name of the auditd package.

Default value: 'audit'

package_ensure

Data type: Simplib::PackageEnsure

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

plugin_dir

Data type: Stdlib::Absolutepath

Sets the directory for the plugin configuration files.

priority_boost

Data type: Integer[0]

Default value: 3

q_depth

Data type: Integer[0]

How big to make the internal queue of the audit event dispatcher.

Default value: 400

rate

Data type: Integer[0]

Value of the auditctl '-r' option

Default value: 0

root_audit_level

Data type: Auditd::RootAuditLevel

What level of auditing should be used for su-root activity in built-in audit profiles that provide su-root rules. Be aware that setting this to anything besides 'basic' may overwhelm your system and/or log server. Options are 'basic', 'aggressive', and 'insane'. For the 'simp' audit profile, these options are as follows:

  • Basic: Safe syscall rules, should not follow program execution outside of the base app
  • Aggressive: Adds syscall rules for execve, rmdir and variants of rename and unlink
  • Insane: Adds syscall rules for write, creat and variants of chown, fork, link and mkdir

Default value: 'basic'

service_name

Data type: String[1]

The name of the auditd service.

Default value: 'auditd'

space_left

Data type: Variant[Integer[0],Pattern['^\d+%$']]

Must be larger than $admin_space_left.

  • If $admin_space_left is an Integer, will be set to 30 + $admin_space_left
  • If $admin_space_left is a percentage (auditd >= 2.8.5), will be set to 1% + $admin_space_left

Default value: auditd::calculate_space_left($admin_space_left)

space_left_action

Data type: Auditd::SpaceLeftAction

Default value: 'syslog'

syslog

Data type: Boolean

If true, Puppet manages the settings for the syslog plugin. The default follows the simp_options::syslog value for backwards compatibility. This parameter does not, by itself, activate or deactivate the plugin; that is controlled by auditd::config::audisp::syslog::enable. When this is true, the plugin is enabled by default (again for backwards compatibility), so to manage the plugin but keep it disabled, set auditd::config::audisp::syslog::enable to false. When this is false, Puppet does not manage the plugin settings at all.

Default value: simplib::lookup('simp_options::syslog', {'default_value' => false })

target_selinux_types

Data type: Optional[Array[Pattern['^.*_t$']]]

A list of SELinux types to target; events from all other types will be dropped.

For systems that require all users and processes to be in a confined namespace, you may find that only auditing unconfined types will be sufficient since all other invalid system actions are already audited.

Default value: undef

uid_min

Data type: Integer[0]

The minimum UID for human users on the system. For built-in audit profiles when $ignore_system_services is true, any audit events generated by users below this number will be ignored, unless a corresponding rule is inserted before the UID-limiting rule in the rules list. When using auditd::rule, you can create such a rule by setting the absolute parameter to be 'first'.

Default value: Integer(pick(fact('uid_min'), 1000))
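As an added illustration (not text or rules from the module itself), the following hiera fragment shows what the upfront drop-rule optimization described under $ignore_system_services and $uid_min looks like in raw auditctl syntax, next to the per-rule filter form that most security guides use. The rules are placed in the custom profile so they can be read as one complete set; the simp profile generates rules of the same shape, but its exact content may differ from this example, and the auid value 1000 stands in for $uid_min.

```yaml
---
# Added example: a small custom rule set demonstrating the auid drop-rule
# optimization. These are not the module's generated rules.
auditd::default_audit_profiles:
  - custom

auditd::config::audit_profiles::custom::rules:
  # Conventional (unoptimized) form, repeated on every syscall rule; this is
  # the exact shape most automated scanners look for:
  #   -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
  #
  # Optimized form: the kernel evaluates exit-filter rules in order and stops
  # at the first match, so 'never' rules placed first discard the noise once.
  - "-a never,exit -F auid=4294967295"   # auid unset (-1): what $ignore_anonymous does
  - "-a never,exit -F auid<1000"         # service accounts: what $ignore_system_services does
  # ... and the syscall rules that follow need no per-rule auid filter.
  - "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -k perm_mod"
  - "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -k perm_mod"
  - "-a always,exit -F arch=b64 -S execve -k privileged-exec"
  - "-w /etc/sudoers -p wa -k privileged-actions"
```

Because matching stops at the first hit, the two 'never' rules must precede every 'always' rule; a rule that should still fire for a service account (for example, a deployment user below $uid_min editing /etc/sudoers) has to be inserted ahead of them, which is what the 'first' placement of auditd::rule is for.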

verify_email

Data type: Optional[Boolean]

auditd version 3 only

Default value: undef

write_logs

Data type: Boolean

Whether or not to write logs to disk.

  • The NOLOG option for log_format has been deprecated in newer versions of auditd, so this attempts to do "the right thing" for legacy support when log_format is set to NOLOG.

Default value: $log_format ? { /^(?i:nolog)$/ => false, default => true }

purge_auditd_rules

Data type: Boolean

Whether or not to purge existing auditd rules under /etc/audit/rules.d

Default value: true

auditd::config

NOTE: THIS IS A PRIVATE CLASS

auditd::config::audisp

The following parameters are documented in audispd.conf(5).

These settings are deprecated, are kept here only for backwards compatibility, and will be removed in the next major release.

In auditd version 3 these settings moved to auditd.conf and audisp.conf was deprecated. For this reason they are also set in the main auditd class (init.pp) with the other auditd.conf values; if you are setting these values for auditd version 3, set them there. In hiera, these parameters are aliased to the corresponding auditd::* settings, so you can move your settings to auditd::* now to ensure compatibility with future major releases, while existing hiera settings for these parameters will still work. The specific_name parameter below maps to the name variable in audisp.conf.

Parameters

The following parameters are available in the auditd::config::audisp class:

q_depth

Data type: Integer

(deprecated)

overflow_action

Data type: Auditd::OverflowAction

(deprecated)

priority_boost

Data type: Integer

(deprecated)

max_restarts

Data type: Integer

(deprecated)

name_format

Data type: Auditd::NameFormat

(deprecated)

specific_name

Data type: String

Default value: $facts['networking']['fqdn']

auditd::config::audisp::syslog

This capability is most useful for forwarding audit records to remote servers as syslog messages, since these records are already persisted locally in the audit logs. For most sites, however, using this capability for all audit records can quickly overwhelm host and/or network resources, especially if the messages are forwarded to multiple remote syslog servers or (inadvertently) persisted locally. Site-specific rsyslog actions that implement filtering will likely be required to reduce this message traffic.

If you are using simp_rsyslog, it sets up, by default, an rsyslog rule that drops the audispd messages from being written locally, to prevent duplicate logging of audit events on the local system. See simp_rsyslog::local for more information.

It is also recommended that you ensure any forwarded audit messages are encrypted, e.g., using the stunnel module, due to the nature of the information carried by these messages.
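The interplay between auditd::syslog (whether Puppet manages the plugin) and auditd::config::audisp::syslog::enable (whether the plugin is on) is easy to get backwards, so here is an added hiera example, not from the module's own documentation, that spells out the three states. The facility and priority values are the documented defaults, shown explicitly.

```yaml
---
# Added example: forward audit records to syslog, with the plugin settings
# under Puppet control. This is the state most sites want for forwarding.
auditd::syslog: true                                    # Puppet manages plugins.d/syslog.conf
auditd::config::audisp::syslog::enable: true            # plugin active
auditd::config::audisp::syslog::facility: 'LOG_LOCAL5'  # keep off LOG_USER so rsyslog can filter it
auditd::config::audisp::syslog::priority: 'LOG_INFO'

# Alternative 1: keep the plugin file managed but make sure it is OFF.
# (auditd::syslog: true alone would turn it on for backwards compatibility.)
#auditd::syslog: true
#auditd::config::audisp::syslog::enable: false

# Alternative 2: leave the plugin file alone entirely; whatever is on disk
# stays in effect and 'enable' has no effect.
#auditd::syslog: false
```

Whichever state you choose, remember that every record the plugin emits also lands in the local audit log; without the simp_rsyslog drop rule, or an equivalent site rsyslog filter, each event is stored twice on the host.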

Parameters

The following parameters are available in the auditd::config::audisp::syslog class:

rsyslog

Data type: Boolean

(deprecated) If set, enable the SIMP rsyslog module and set up the appropriate rules for the auditd services.

Default value: simplib::lookup('simp_options::syslog', { 'default_value' => false })

drop_audit_logs

Data type: Boolean

(deprecated) When set to false, auditd records will be forwarded to remote servers and/or written to local syslog files, as directed by the site rsyslog configuration. This setting is no longer needed: to disable or enable sending audit records to syslog, set the 'enable' parameter of this class to false or true as appropriate. It is left here for backwards compatibility but will be removed in the next major release.

Default value: true

enable

Data type: Boolean

Enable or disable sending audit messages to syslog.

Default value: true

priority

Data type: Auditd::LogPriority

The syslog priority for all audit record messages. This value is used in the /etc/audisp/plugins.d/syslog.conf file.

Default value: 'LOG_INFO'

facility

Data type: Auditd::LogFacility

The syslog facility for all audit record messages. This value is used in the /etc/audisp/plugins.d/syslog.conf file. For the older auditd versions used by CentOS 6 and CentOS 7, this must be an empty string, LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6, or LOG_LOCAL7. An empty string results in LOG_USER and is the ONLY mechanism to specify that facility. No other facilities are allowed.

Default value: 'LOG_LOCAL5'

syslog_path

Data type: String

The path to the syslog plugin executable.

type

Data type: String

The type of auditd plugin.

pkg_name

Data type: Optional[String]

The name of the plugin package to install. Only needed for auditd version 3 and later.

Default value: undef

package_ensure

Data type: String

The default ensure parameter for packages.

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

auditd::config::audisp_service

NOTE: THIS IS A PRIVATE CLASS

Should only be called from audisp processing services.

auditd::config::audit_profiles

NOTE: THIS IS A PRIVATE CLASS

The configuration generated is contained in a set of files in /etc/audit/rules.d, which augenrules parses in natural sort order to create the single /etc/audit/audit.rules file that auditd loads. The generated files are as follows:

  • 00_head.rules: Contains auditctl general configuration to remove existing rules when the rules are reloaded, ignore rule load errors/failures, and set the buffer size, failure mode, and rate limiting
  • 05_default_drop.rules: Contains filtering rules for efficiency
    • Rules to drop prolific events of low-utility
    • Rules to restrict events based on auid constraints that would normally be applied to all rules
  • 50_*base.rules:
    • Nominal base rules for one or more built-in profiles.
    • One file will exist for each desired, built-in profile
    • Files are named so that the ordering of profiles listed in $auditd::default_audit_profiles is preserved
    • The corresponding class for each profile is auditd::config::audit_profiles::<profile name>
  • 60_custom.rules: Custom rules as defined by the auditd::custom_rules parameter if appending
  • 75.init.d_auditd.rules:
    • A watch rule for /etc/rc.d/init.d/auditd permissions changes
    • A watch rule for permissions changes to the auditd log file
  • 75.rotated_audit_logs.rules
    • Watch rules for permissions changes to the rotated auditd log files
  • 99_tail.rules
    • auditctl immutable option, when $auditd::immutable is 'true'

auditd::config::audit_profiles::built_in

An audit profile that allows the sample rulesets shipped with the audit package to be used to configure the system.

Parameters

The following parameters are available in the auditd::config::audit_profiles::built_in class:

rulesets

Data type: Array[String[1]]

The list of system sample rulesets to be included on the system. This list can be found in the auditd_sample_rulesets fact.

Default value: []

auditd::config::audit_profiles::custom

NO SANITY CHECKING IS PERFORMED ON THE RESULTING RULES

Examples

Passing an Array of Rules

```yaml
---
auditd::config::audit_profiles::custom::rules:
  - "-a always,exit -F arch=b64 -S creat -F exit=-EACCES -k unsuccessful_file_operations"
  - "-w /etc/passwd -p wa -k passwd_changes"
```

Passing an EPP Template

```yaml
---
auditd::config::audit_profiles::custom::template: "my_templates_module/auditd/my_audit_rules.epp"
```

Passing an ERB Template

```yaml
---
auditd::config::audit_profiles::custom::template: "my_templates_module/auditd/my_audit_rules.erb"
```

Parameters

The following parameters are available in the auditd::config::audit_profiles::custom class:

rules

Data type: Optional[Array[String[1]]]

An Array of rules that will be joined with a \n and inserted as the complete audit rule set to be applied to the system.

Default value: undef

template

Data type: Optional[String[1]]

A template specification as you would pass to either the epp or erb function

  • Specifying both rules and template will result in an error

Default value: undef

auditd::config::audit_profiles::simp

The defaults for this profile generate a set of audit rules that are both usable on most systems and conformant with standard auditing requirements. A few key usage/implementation details about this profile should be noted:

  • This profile uses optimized audit rules. Specifically, it
    • Combines system call rules as much as possible
    • By default, uses initial drop rules for the auid filters that would otherwise be applied to every system call rule
    • By default, uses an initial drop rule for cron events, which are prolific but whose audit records are of very limited utility
  • Although all security requirements allow optimization of audit rules, most automated security scanners do not yet understand audit rule optimizations. So, use of this profile may require explaining these simple, yet effective, optimizations to an assessor.
  • You may overload your system and/or log server if you enable the highly prolific, but limited-utility, audit capabilities that have been intentionally disabled here despite being required by specific security standards. 'chmod' auditing for all non-service users is an example of such a capability.
  • In some cases, the more targeted set of rules for non-service users that have su'd to root may provide a viable subset of the required auditing. This targeted filtering is enabled by $audit_su_root_activity and customized by $root_audit_level, $basic_root_audit_syscalls, $aggressive_root_audit_syscalls, and $insane_root_audit_syscalls.

Parameters

The following parameters are available in the auditd::config::audit_profiles::simp class:

root_audit_level

Data type: Auditd::RootAuditLevel

What level of auditing should be used for su-root activity. Be aware that setting this to anything besides 'basic' may overwhelm your system and/or log server. Options are 'basic', 'aggressive', and 'insane':

  • Basic: Safe syscall rules, should not follow program execution outside of the base app
  • Aggressive: Adds syscall rules for execve, rmdir and variants of rename and unlink
  • Insane: Adds syscall rules for write, creat and variants of chown, fork, link and mkdir

Default value: $::auditd::root_audit_level

audit_32bit_operations

Data type: Boolean

In general, any 32-bit system calls on a 64-bit system should be seen as suspicious.

Default value: $facts['os']['hardware'] ? { 'x86_64' => true, default => false }

audit_32bit_operations_tag

Data type: String[1]

Tag to be added to entries triggered by audit_32bit_operations

Default value: '32bit-api'

audit_auditd_cmds

Data type: Boolean

Audit calls to the auditd management CLI commands

Default value: true

audit_auditd_cmds_tag

Data type: String[1]

Tag to be added to entries triggered by audit_auditd_cmds

Default value: 'access-audit-trail'

audit_auditd_cmds_list

Data type: Array[String[1]]

Commands to be audited if enabled by audit_auditd_cmds

basic_root_audit_syscalls

Data type: Array[String[1]]

Basic syscalls to audit for su-root activity

aggressive_root_audit_syscalls

Data type: Array[String[1]]

Aggressive syscalls to audit for su-root activity

insane_root_audit_syscalls

Data type: Array[String[1]]

Insane syscalls to audit for su-root activity

audit_unsuccessful_file_operations

Data type: Boolean

Whether to audit unsuccessful file operations. These are file operations that fail with EACCES or EPERM error codes

Default value: true

audit_unsuccessful_file_operations_tag

Data type: String[1]

The tag to identify the unsuccessful file operations in an audit record

Default value: 'access'

audit_chown

Data type: Boolean

Whether to audit chown operations for all non-service users. These operations are provided by chown, fchown, fchownat, and lchown system calls.

Default value: true

audit_chown_tag

Data type: String[1]

The tag to identify chown operations in an audit record. You should change this to 'perm_mod' to match automated DISA STIG compliance checks for RHEL7.

Default value: 'chown'

audit_chmod

Data type: Boolean

Whether to audit chmod operations for all non-service users. These operations are provided by chmod, fchmod, and fchmodat system calls.

Default value: false

audit_chmod_tag

Data type: String[1]

The tag to identify chmod operations in an audit record. You should change this to 'perm_mod' to match automated DISA STIG compliance checks for RHEL7.

Default value: 'chmod'

audit_attr

Data type: Boolean

Whether to audit xattr operations for all non-service users. These operations are provided by setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr and fremovexattr system calls.

Default value: true

audit_attr_tag

Data type: String[1]

The tag to identify xattr operations in an audit record. You should change this to 'perm_mod' to match automated DISA STIG compliance checks for RHEL7.

Default value: 'attr'

audit_rename_remove

Data type: Boolean

Whether to audit rename/remove operations for all non-service users. These operations are provided by rename, renameat, rmdir, unlink, and unlinkat system calls.

Default value: false

audit_rename_remove_tag

Data type: String[1]

The tag to identify rename/remove operations in an audit record

Default value: 'delete'

audit_su_root_activity

Data type: Boolean

Whether to audit other useful actions someone does when su'ing to root. The list of system calls audited is controlled by $root_audit_level.

Default value: true

audit_su_root_activity_tag

Data type: String[1]

The tag to identify su operations in an audit record

Default value: 'su-root-activity'

audit_suid_sgid

Data type: Boolean

Whether to audit setuid/setgid commands. setuid/setgid command execution is audited by a single system call rule.

Default value: true

audit_suid_sgid_tag

Data type: String[1]

The tag to identify setuid/setgid command execution in an audit record. You should change this to 'setuid/setgid' to match automated DISA STIG compliance checks for RHEL7.

Default value: 'suid-exec'

audit_kernel_modules

Data type: Boolean

Whether to audit kernel module operations

Default value: true

audit_kernel_modules_tag

Data type: String[1]

The tag to identify kernel module operations in an audit record. You should change this to 'module-change' to match automated DISA STIG compliance checks for RHEL7.

Default value: 'modules'

audit_time

Data type: Boolean

Whether to audit operations that affect system time

Default value: true

audit_time_tag

Data type: String[1]

The tag to identify system time operations in an audit record

Default value: 'audit_time_rules'

audit_locale

Data type: Boolean

Whether to audit operations that affect system locale

Default value: true

audit_locale_tag

Data type: String[1]

The tag to identify system locale operations in an audit record

Default value: 'audit_network_modifications'

audit_network_ipv4_accept

Data type: Boolean

Audit incoming IPv4 connections

Default value: true

audit_network_ipv4_accept_tag

Data type: String[1]

Tag to be added to entries triggered by audit_network_ipv4_accept

Default value: 'ipv4_in'

audit_network_ipv6_accept

Data type: Boolean

Audit incoming IPv6 connections

Default value: true

audit_network_ipv6_accept_tag

Data type: String[1]

Tag to be added to entries triggered by audit_network_ipv6_accept

Default value: 'ipv6_in'

audit_network_ipv4_connect

Data type: Boolean

Audit outgoing IPv4 connections

Default value: false

audit_network_ipv4_connect_tag

Data type: String[1]

Tag to be added to entries triggered by audit_network_ipv4_connect

Default value: 'ipv4_in'

audit_network_ipv6_connect

Data type: Boolean

Audit outgoing IPv6 connections

Default value: false

audit_network_ipv6_connect_tag

Data type: String[1]

Tag to be added to entries triggered by audit_network_ipv6_connect

Default value: 'ipv6_in'

audit_mount

Data type: Boolean

Whether to audit mount operations

Default value: true

audit_mount_tag

Data type: String[1]

The tag to identify mount operations in an audit record. You should change this to 'privileged-mount' to match automated DISA STIG compliance checks for RHEL7.

Default value: 'mount'

audit_umask

Data type: Boolean

Whether to audit umask changes

Default value: false

audit_umask_tag

Data type: String[1]

The tag to identify umask changes in an audit record

Default value: 'umask'

audit_local_account

Data type: Boolean

Whether to audit local account changes

Default value: true

audit_local_account_tag

Data type: String[1]

The tag to identify local account changes in an audit record. You should change this to 'identity' to match the automated DISA STIG compliance checks for RHEL7.

Default value: 'audit_account_changes'

audit_selinux_policy

Data type: Boolean

Whether to audit selinux policy changes

Default value: true

audit_selinux_policy_tag

Data type: String[1]

The tag to identify selinux policy changes in an audit record

Default value: 'MAC-policy'

audit_selinux_cmds

Data type: Boolean

Whether to audit chcon, semanage, setsebool, and setfiles commands

Default value: false

audit_selinux_cmds_tag

Data type: String[1]

The tag to identify selinux command execution in an audit record

Default value: 'privileged-priv_change'

audit_login_files

Data type: Boolean

Whether to audit changes to login files

Default value: true

audit_login_files_tag

Data type: String[1]

The tag to identify login file changes in an audit record

Default value: 'logins'

audit_session_files

Data type: Boolean

Whether to audit changes to session files

Default value: true

audit_session_files_tag

Data type: String[1]

The tag to identify session file changes in an audit record

Default value: 'session'

audit_sudoers

Data type: Optional[Boolean]

Deprecated by $audit_cfg_sudoers

Default value: undef

audit_sudoers_tag

Data type: Optional[String[1]]

Deprecated by $audit_cfg_sudoers_tag

Default value: undef

audit_cfg_sudoers

Data type: Boolean

Whether to audit changes to sudoers configuration files

Default value: true

audit_cfg_sudoers_tag

Data type: String[1]

The tag to identify sudoers configuration file changes in an audit record. You should change this to 'privileged-actions' to match the automated DISA STIG compliance checks for RHEL7.

Default value: 'CFG_sys'

audit_grub

Data type: Optional[Boolean]

Deprecated by $audit_cfg_grub

Default value: undef

audit_grub_tag

Data type: Optional[String[1]]

Deprecated by $audit_cfg_grub_tag

Default value: undef

audit_cfg_grub

Data type: Boolean

Whether to audit changes to grub configuration files

Default value: true

audit_cfg_grub_tag

Data type: String[1]

The tag to identify grub configuration file changes in an audit record

Default value: 'CFG_grub'

audit_cfg_sys

Data type: Boolean

Whether to audit changes to key system configuration files not otherwise audited

Default value: true

audit_cfg_sys_tag

Data type: String[1]

The tag to identify changes to key system configuration files not otherwise audited

Default value: 'CFG_sys'

audit_cfg_cron

Data type: Boolean

Whether to audit changes to cron configuration files

Default value: true

audit_cfg_cron_tag

Data type: String[1]

The tag to identify cron configuration file changes in an audit record

Default value: 'CFG_cron'

audit_cfg_shell

Data type: Boolean

Whether to audit changes to global shell configuration files

Default value: true

audit_cfg_shell_tag

Data type: String[1]

The tag to identify global shell configuration file changes in an audit record

Default value: 'CFG_shell'

audit_cfg_pam

Data type: Boolean

Whether to audit changes to PAM configuration files

Default value: true

audit_cfg_pam_tag

Data type: String[1]

The tag to identify PAM configuration file changes in an audit record

Default value: 'CFG_pam'

audit_cfg_security

Data type: Boolean

Whether to audit changes to /etc/security

Default value: true

audit_cfg_security_tag

Data type: String[1]

The tag to identify /etc/security file changes in an audit record

Default value: 'CFG_security'

audit_cfg_services

Data type: Boolean

Whether to audit changes to /etc/services

Default value: true

audit_cfg_services_tag

Data type: String[1]

The tag to identify /etc/services file changes in an audit record

Default value: 'CFG_services'

audit_cfg_xinetd

Data type: Boolean

Whether to audit changes to xinetd configuration files

Default value: true

audit_cfg_xinetd_tag

Data type: String[1]

The tag to identify xinetd configuration file changes in an audit record

Default value: 'CFG_xinetd'

audit_yum

Data type: Optional[Boolean]

Deprecated by $audit_cfg_yum

Default value: undef

audit_yum_tag

Data type: Optional[String[1]]

Deprecated by $audit_cfg_yum_tag

Default value: undef

audit_cfg_yum

Data type: Boolean

Whether to audit changes to yum configuration files

Default value: true

audit_cfg_yum_tag

Data type: String[1]

The tag to identify yum configuration file changes in an audit record

Default value: 'yum-config'

audit_yum_cmd

Data type: Boolean

Whether to audit yum command execution

Default value: false

audit_yum_cmd_tag

Data type: String[1]

The tag to identify yum command execution in an audit record

Default value: 'package_changes'

audit_rpm_cmd

Data type: Boolean

Whether to audit rpm command execution

Default value: false

audit_rpm_cmd_tag

Data type: String[1]

The tag to identify rpm command execution in an audit record

Default value: 'package_changes'

audit_ptrace

Data type: Boolean

Whether to audit ptrace system calls

Default value: true

audit_ptrace_tag

Data type: String[1]

The tag to identify ptrace system calls in an audit record

Default value: 'paranoid'

audit_personality

Data type: Boolean

Whether to audit personality system calls

Default value: true

audit_personality_tag

Data type: String[1]

The tag to identify personality system calls in an audit record

Default value: 'paranoid'

audit_passwd_cmds

Data type: Boolean

Whether to audit the execution of password commands, i.e., passwd, unix_chkpwd, gpasswd, chage, userhelper

Default value: true

audit_passwd_cmds_tag

Data type: String[1]

The tag to identify password command execution in an audit record

Default value: 'privileged-passwd'

audit_priv_cmds

Data type: Boolean

Whether to audit the execution of privilege-related commands, i.e., su, sudo, newgrp, chsh, and sudoedit

Default value: true

audit_priv_cmds_tag

Data type: String[1]

The tag to identify privilege-related command execution in an audit record

Default value: 'privileged-priv_change'

audit_postfix_cmds

Data type: Boolean

Whether to audit the execution of postfix-related commands, i.e. postdrop and postqueue

Default value: true

audit_postfix_cmds_tag

Data type: String[1]

The tag to identify postfix-related command execution in an audit record

Default value: 'privileged-postfix'

audit_ssh_keysign_cmd

Data type: Boolean

Whether to audit the execution of the ssh-keysign command

Default value: true

audit_ssh_keysign_cmd_tag

Data type: String[1]

The tag to identify ssh-keysign command execution in an audit record

Default value: 'privileged-ssh'

audit_suspicious_apps

Data type: Boolean

Audit various applications that generally represent suspicious host activity

Default value: true

audit_suspicious_apps_tag

Data type: String[1]

Tag to be added to entries triggered by audit_suspicious_apps

Default value: 'suspicious_apps'

audit_suspicious_apps_list

Data type: Array[Stdlib::Absolutepath]

List of applications to be audited when audit_suspicious_apps is enabled

audit_systemd

Data type: Boolean

Audit systemd components

  • Only takes effect on systems with systemd present

Default value: true

audit_systemd_tag

Data type: String[1]

Tag to be added to entries triggered by audit_systemd

Default value: 'systemd'

audit_crontab_cmd

Data type: Boolean

Whether to audit the execution of the crontab command

Default value: true

audit_crontab_cmd_tag

Data type: String[1]

The tag to identify crontab command execution in an audit record

Default value: 'privileged-cron'

audit_pam_timestamp_check_cmd

Data type: Boolean

Whether to audit the execution of the pam_timestamp_check command

Default value: true

audit_pam_timestamp_check_cmd_tag

Data type: String[1]

The tag to identify pam_timestamp_check command execution in an audit record

Default value: 'privileged-pam'

auditd::config::audit_profiles::stig

The defaults for this profile generate a set of audit rules that conform to automated DISA STIG compliance checks for RHEL7. Satisfying the checks, instead of the intent of the security requirements, necessitates unoptimized rules. These unoptimized rules, in turn, negatively impact system performance.

WARNING: These rules may overload your system and/or log server!

When auditd performance is an issue, you may wish to

  • Disable capabilities that, despite being required by DISA STIG for RHEL7, produce large amounts of audit records of limited utility. chmod auditing for all non-service users falls in this category.

  • Use the optimized 'auditd::config::audit_profiles::simp' profile instead. That profile is more comprehensive and performant.

Parameters

The following parameters are available in the auditd::config::audit_profiles::stig class:

uid_min

Data type: Integer[0]

The minimum UID for human users on the system. Any audit events generated by users below this number will be ignored unless a corresponding rule is inserted before the UID-limiting rule in the rules list. When using auditd::rule, you can create such a rule by setting the absolute parameter to be 'first'.

Default value: $::auditd::uid_min

audit_unsuccessful_file_operations

Data type: Boolean

Whether to audit unsuccessful file operations. These are file operations that fail with EACCES or EPERM error codes

Default value: true

audit_unsuccessful_file_operations_tag

Data type: String[1]

The tag to identify the unsuccessful file operations in an audit record

Default value: 'access'

audit_chown

Data type: Boolean

Whether to audit chown operations for all non-service users. These operations are provided by chown, fchown, fchownat, and lchown system calls.

Default value: true

audit_chown_tag

Data type: String[1]

The tag to identify chown operations in an audit record

Default value: 'perm_mod'

audit_chmod

Data type: Boolean

Whether to audit chmod operations for all non-service users. These operations are provided by chmod, fchmod, and fchmodat system calls.

Default value: true

audit_chmod_tag

Data type: String[1]

The tag to identify chmod operations in an audit record

Default value: 'perm_mod'

audit_attr

Data type: Boolean

Whether to audit xattr operations for all non-service users. These operations are provided by setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr and fremovexattr system calls.

Default value: true

audit_attr_tag

Data type: String[1]

The tag to identify xattr operations in an audit record

Default value: 'perm_mod'

audit_rename_remove

Data type: Boolean

Whether to audit rename/remove operations for all non-service users. These operations are provided by rename, renameat, rmdir, unlink, and unlinkat system calls.

Default value: true

audit_rename_remove_tag

Data type: String[1]

The tag to identify rename/remove operations in an audit record

Default value: 'delete'

audit_suid_sgid

Data type: Boolean

Whether to audit setuid/setgid commands

Default value: true

default_suid_sgid_cmds

Data type: Array[String[1]]

The default list of setuid/setgid commands to be audited.

  • Should not include commands audited by other rules.

suid_sgid_cmds

Data type: Array[String[1]]

Additional list of setuid/setgid commands to be audited. You can use this to augment the $default_suid_sgid_cmds per your site's needs.

Default value: []

audit_suid_tag

Data type: String[1]

The tag to identify setuid command execution in an audit record

Default value: 'setuid'

audit_sgid_tag

Data type: String[1]

The tag to identify setgid command execution in an audit record

Default value: 'setgid'

audit_suid_sgid_tag

Data type: String[1]

The tag to identify setuid/setgid command execution in an audit record

Default value: "${audit_suid_tag}/${audit_sgid_tag}"

audit_kernel_modules

Data type: Boolean

Whether to audit kernel module operations

Default value: true

audit_kernel_modules_tag

Data type: String[1]

The tag to identify kernel module operations in an audit record

Default value: 'module-change'

audit_mount

Data type: Boolean

Whether to audit mount operations

Default value: true

audit_mount_tag

Data type: String[1]

The tag to identify mount operations in an audit record

Default value: 'privileged-mount'

audit_local_account

Data type: Boolean

Whether to audit local account changes

Default value: true

audit_local_account_tag

Data type: String[1]

The tag to identify local account changes in an audit record

Default value: 'identity'

audit_selinux_cmds

Data type: Boolean

Whether to audit chcon, semanage, setsebool, and setfiles commands

Default value: true

audit_selinux_cmds_tag

Data type: String[1]

The tag to identify selinux command execution in an audit record

Default value: 'privileged-priv_change'

audit_login_files

Data type: Boolean

Whether to audit changes to login files

Default value: true

audit_login_files_tag

Data type: String[1]

The tag to identify login file changes in an audit record

Default value: 'logins'

audit_cfg_sudoers

Data type: Boolean

Whether to audit changes to sudoers configuration files

Default value: true

audit_cfg_sudoers_tag

Data type: String[1]

The tag to identify sudoers configuration file changes in an audit record

Default value: 'privileged-actions'

audit_passwd_cmds

Data type: Boolean

Whether to audit the execution of password commands, i.e., passwd, unix_chkpwd, gpasswd, chage, userhelper

Default value: true

audit_passwd_cmds_tag

Data type: String[1]

The tag to identify password command execution in an audit record

Default value: 'privileged-passwd'

audit_priv_cmds

Data type: Boolean

Whether to audit the execution of privilege-related commands, i.e., su, sudo, newgrp, chsh, and sudoedit

Default value: true

audit_priv_cmds_tag

Data type: String[1]

The tag to identify privilege-related command execution in an audit record

Default value: 'privileged-priv_change'

audit_postfix_cmds

Data type: Boolean

Whether to audit the execution of postfix-related commands, i.e. postdrop and postqueue

Default value: true

audit_postfix_cmds_tag

Data type: String[1]

The tag to identify postfix-related command execution in an audit record

Default value: 'privileged-postfix'

audit_ssh_keysign_cmd

Data type: Boolean

Whether to audit the execution of the ssh-keysign command

Default value: true

audit_ssh_keysign_cmd_tag

Data type: String[1]

The tag to identify ssh-keysign command execution in an audit record

Default value: 'privileged-ssh'

audit_crontab_cmd

Data type: Boolean

Whether to audit the execution of the crontab command

Default value: true

audit_crontab_cmd_tag

Data type: String[1]

The tag to identify crontab command execution in an audit record

Default value: 'privileged-cron'

audit_pam_timestamp_check_cmd

Data type: Boolean

Whether to audit the execution of the pam_timestamp_check command

Default value: true

audit_pam_timestamp_check_cmd_tag

Data type: String[1]

The tag to identify pam_timestamp_check command execution in an audit record

Default value: 'privileged-pam'
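The following manifest is an added example and is not part of the simp/auditd module or its documentation. It ties together the performance note and the uid_min description above: it selects the STIG profile, switches off the chmod auditing that the warning calls out, and adds one rule that is placed ahead of the profile's UID-limiting rule so that a service account below uid_min is still recorded. The service account UID 450, the uid_min value 1000, the rule text and the key myapp_exec are constructed for illustration. It also assumes that the auditd class pulls the profile class in with include/contain (so a resource-like declaration placed first is accepted); the same settings can be expressed as Hiera data instead.

```puppet
# Added example, not code from the simp/auditd module.
# Assumptions: service account UID 450, uid_min 1000 and key 'myapp_exec'
# are constructed values for this illustration.

# Resource-like class declarations are evaluated where they appear, so the
# profile class is parameterised before the auditd class includes it.
# audit_chmod is the expensive "chmod for all non-service users" rule set
# named in the performance warning for this profile.
class { 'auditd::config::audit_profiles::stig':
  audit_chmod => false,
}

class { 'auditd':
  default_audit_profiles => ['stig'],
  uid_min                => 1000,   # constructed value
}

# Events for auid 450 fall below uid_min and would be discarded by the
# profile's UID-limiting rule. absolute => true together with first => true
# puts this rule before that one, so execve calls made by the service
# account are still written to the audit log under key 'myapp_exec'.
auditd::rule { 'myapp_service_account_exec':
  content  => '-a always,exit -F arch=b64 -S execve -F auid=450 -k myapp_exec',
  absolute => true,
  first    => true,
}
```

In Hiera the equivalent keys are auditd::default_audit_profiles, auditd::uid_min and auditd::config::audit_profiles::stig::audit_chmod. After the agent run, `auditctl -l` on the node lists the loaded rules in their effective order, which is the quickest way to confirm that the custom rule really precedes the UID filter.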

auditd::config::grub

Enables/disables auditing at boot time.

Parameters

The following parameters are available in the auditd::config::grub class:

enable

Data type: Boolean

Enable auditing in the kernel at boot time.

Default value: true

auditd::config::logging

NOTE: THIS IS A PRIVATE CLASS

auditd::install

NOTE: THIS IS A PRIVATE CLASS

auditd::service

NOTE: THIS IS A PRIVATE CLASS

Parameters

The following parameters are available in the auditd::service class:

ensure

Data type: Variant[String[1],Boolean]

The ensure state passed to the service resource

Default value: pick(getvar('auditd::enable'), 'running')

enable

Data type: Boolean

The enable state passed to the service resource

Default value: pick(getvar('auditd::enable'), true)

bypass_kernel_check

Data type: Boolean

Do not check to see if the kernel is enforcing auditing before trying to manage the service.

  • This may be required if auditing is not being actively managed in the kernel and someone has stopped the auditd service by hand.

Default value: false

warn_if_reboot_required

Data type: Boolean

Add a reboot_notify warning if the system requires a reboot before the service can be managed.

Default value: true

Defined types

auditd::rule

All rules must be uniquely named. See auditctl(8) for more information on how to write the content for these rules.

  • Overrides all other ordering parameters

Parameters

The following parameters are available in the auditd::rule defined type:

name

A unique identifier for the audit rules.

content

Data type: Variant[Array[String[1]],String[1]]

The content of the rules that should be added.

  • Arrays will be joined with a newline

order

Data type: Optional[String[1]]

An alphanumeric (file system ordering) order string

Default value: undef

first

Data type: Boolean

Set this to 'true' if you want to prepend your custom rules (numeric 10)

Default value: false

absolute

Data type: Boolean

Set this to true if you want the added rules to be absolutely first or last depending on the setting of $first.

Default value: false

prepend

Data type: Boolean

Prepend this rule to all other rules (numeric 00).

Default value: false
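The manifest below is an added example, not code from the simp/auditd module, showing how the content and ordering parameters of auditd::rule combine: an Array content value is joined with newlines into one fragment, prepend places a fragment at numeric 00, first at numeric 10, and order supplies an explicit file-system-ordering string. The paths, keys and the health-check binary are constructed for illustration; the order string '50_myapp' is likewise an arbitrary constructed value.

```puppet
# Added example, not code from the simp/auditd module.
# Assumptions: /usr/local/bin/myapp-healthcheck, /etc/myapp/* and the
# keys used below are constructed for this illustration.

# prepend => true: fragment numbered 00, ahead of every other rule.
# The kernel matches syscall rules top-down and the first match wins, so a
# 'never' rule that silences a known-noisy, trusted health-check process
# only works if it is loaded before the 'always' rules it must shadow.
auditd::rule { 'suppress_healthcheck_noise':
  content => '-a never,exit -F arch=b64 -S all -F exe=/usr/local/bin/myapp-healthcheck -k noisy_healthcheck',
  prepend => true,
}

# first => true: fragment numbered 10, before the default-ordered rules.
auditd::rule { 'myapp_privileged_binary':
  content => '-a always,exit -F arch=b64 -S execve -F path=/usr/local/sbin/myapp-admin -F perm=x -k myapp_admin',
  first   => true,
}

# Array content: both watches are joined with a newline into a single
# uniquely named fragment, placed by the explicit order string.
auditd::rule { 'myapp_config_files':
  content => [
    '-w /etc/myapp/myapp.conf -p wa -k myapp_cfg',
    '-w /etc/myapp/secrets.d/ -p rwa -k myapp_cfg',
  ],
  order   => '50_myapp',   # constructed ordering string
}
```

Because fragment names must be unique, reuse of a title such as 'myapp_config_files' in a second manifest is a catalog compilation error rather than a silent override. The loaded order can be checked on the node with `auditctl -l`, and records carrying the keys above can be pulled back with `ausearch -k myapp_cfg` when validating that the rules fire as intended.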

Functions

auditd::calculate_space_left

Type: Puppet Language

Calculates the correct default value for 'space_left' based on the value of 'admin_space_left'.

auditd::calculate_space_left(Variant[Integer[0],Pattern['^\d+%$']] $admin_space_left)

The auditd::calculate_space_left function.

Returns: Variant[Integer[0],Pattern['^\d+%$']]

admin_space_left

Data type: Variant[Integer[0],Pattern['^\d+%$']]

auditd::get_array_index

Type: Ruby 4.x API

Terminates catalog compilation if the element is not found within the array.

auditd::get_array_index(String $element, Array $array, Optional[Integer] $min_digits)

Terminates catalog compilation if the element is not found within the array.

Returns: String Index of element in array represented as a string

Raises:

  • RuntimeError if element is not found within array

element

Data type: String

The element

array

Data type: Array

The array

min_digits

Data type: Optional[Integer]

The minimum number of digits the index should be. It will be '0'-padded to meet this number.

auditd::validate_init_params

Type: Puppet Language

Moved into a function to reduce class clutter.

Fails on discovered errors.

auditd::validate_init_params()

Moved into a function to reduce class clutter.

Fails on discovered errors.

Returns: None

Data types

Auditd::AuditProfile

Matches the types of auditd profiles allowed

Alias of Enum['built_in', 'simp', 'stig', 'custom']

Auditd::DiskErrorAction

Matches disk error actions in auditd.conf

Alias of Enum['IGNORE', 'SYSLOG', 'EXEC', 'SUSPEND', 'SINGLE', 'HALT', 'ignore', 'syslog', 'exec', 'suspend', 'single', 'halt']

Auditd::DiskFullAction

Matches actions to take when disk is full (see auditd.conf)

Alias of Enum['IGNORE', 'SYSLOG', 'ROTATE', 'EXEC', 'SUSPEND', 'SINGLE', 'HALT', 'ignore', 'syslog', 'rotate', 'exec', 'suspend', 'single', 'halt']

Auditd::Flush

Matches flush settings in auditd.conf

Alias of Enum['NONE', 'INCREMENTAL', 'DATA', 'SYNC', 'INCREMENTAL_ASYNC', 'none', 'incremental', 'data', 'sync', 'incremental_async']

Auditd::LogFacility

Matches log facility that can be used in syslog.conf plugin

Alias of Enum['', 'LOG_LOCAL0', 'LOG_LOCAL1', 'LOG_LOCAL2', 'LOG_LOCAL3', 'LOG_LOCAL4', 'LOG_LOCAL5', 'LOG_LOCAL6', 'LOG_LOCAL7']

Auditd::LogFormat

Matches log formats that can be used in auditd.conf

Alias of Enum['RAW', 'ENRICHED', 'NOLOG', 'raw', 'enriched', 'nolog']

Auditd::LogPriority

Matches log priorities that can be used in syslog.conf plugin

Alias of Enum['LOG_DEBUG', 'LOG_INFO', 'LOG_NOTICE', 'LOG_WARNING', 'LOG_ERR', 'LOG_CRIT', 'LOG_ALERT', 'LOG_EMERG', 'LOG_AUTHPRIV']

Auditd::MaxLogFileAction

Matches available settings for max_log_file_action in auditd.conf

Alias of Enum['IGNORE', 'SYSLOG', 'SUSPEND', 'ROTATE', 'KEEP_LOGS', 'ignore', 'syslog', 'suspend', 'rotate', 'keep_logs']

Auditd::NameFormat

Matches available name formats in auditd.conf

Alias of Enum['NONE', 'HOSTNAME', 'FQD', 'NUMERIC', 'USER', 'none', 'hostname', 'fqd', 'numeric', 'user']

Auditd::OverflowAction

Matches overflow_action settings in auditd.conf or audisp.conf

Alias of Enum['IGNORE', 'SYSLOG', 'SUSPEND', 'SINGLE', 'HALT', 'ignore', 'syslog', 'suspend', 'single', 'halt']

Auditd::RootAuditLevel

Matches root audit level settings in auditd.conf

Alias of Enum['basic', 'aggressive', 'insane']

Auditd::SpaceLeftAction

Matches space_left_action settings in auditd.conf

Alias of Enum['IGNORE', 'SYSLOG', 'ROTATE', 'EMAIL', 'EXEC', 'SUSPEND', 'SINGLE', 'HALT', 'ignore', 'syslog', 'rotate', 'email', 'exec', 'suspend', 'single', 'halt']