Classes
Public Classes
security_baseline_auditd
: Security baseline and configuration for auditd
Private Classes
security_baseline_auditd::rules
: Wrapper class around all audit checks
security_baseline_auditd::rules::access
: Ensure unsuccessful unauthorized file access attempts are collected (Scored)
security_baseline_auditd::rules::actions
: Ensure system administrator actions (sudolog) are collected (Scored)
security_baseline_auditd::rules::delete
: Ensure file deletion events by users are collected (Scored)
security_baseline_auditd::rules::identity
: Ensure events that modify user/group information are collected (Scored)
security_baseline_auditd::rules::immutable
: Ensure the audit configuration is immutable (Scored)
security_baseline_auditd::rules::logins
: Ensure login and logout events are collected (Scored)
security_baseline_auditd::rules::mac_policy
: Ensure events that modify the system's Mandatory Access Controls are collected (Scored)
security_baseline_auditd::rules::modules
: Ensure kernel module loading and unloading is collected (Scored)
security_baseline_auditd::rules::mounts
: Ensure successful file system mounts are collected (Scored)
security_baseline_auditd::rules::perm_mod
: Ensure discretionary access control permission modification events are collected (Scored)
security_baseline_auditd::rules::privileged_commands
: Ensure use of privileged commands is collected (Scored)
security_baseline_auditd::rules::scope
: Ensure changes to system administration scope (sudoers) is collected (Scored)
security_baseline_auditd::rules::session
: Ensure session initiation information is collected (Scored)
security_baseline_auditd::rules::system_locale
: Ensure events that modify the system's network environment are collected (Scored)
security_baseline_auditd::rules::time_change
: Ensure events that modify date and time information are collected (Scored)
System auditing, through auditd, allows system administrators to monitor their systems such that they can detect unauthorized access or modification of data. By default, auditd will audit SELinux AVC denials, system logins, account modifications, and authentication events. Events will be logged to /var/log/audit/audit.log. The recording of these events will use a modest amount of disk space on a system. If significantly more events are captured, additional on system or off system storage may need to be allocated.
The recommendations in this section implement an audit policy that produces large quantities of logged data. In some environments it can be challenging to store or process these logs, and as such they are marked as Level 2 for both Servers and Workstations. Note: for 64-bit systems that have arch as a rule parameter, you will need two rules: one for 64-bit and one for 32-bit systems. For 32-bit systems, only one rule is needed.
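The note above, that every arch-parameterized rule needs both a b64 and a b32 variant on 64-bit systems, is easy to get wrong when rules are maintained by hand. The following Python check is an added example, not part of the module: it parses auditctl-style rule lines (a constructed sample is embedded) and reports syscalls that are audited under only one arch. The `stime` allowlist is an assumption that this syscall exists only on 32-bit x86, which is why the b32 time-change rule carries it and the b64 rule does not.

```python
import re
from collections import defaultdict

# Constructed sample in auditctl rule-file syntax (not the module's own rules):
# the time-change rules carry both arch variants, the modules rule only b64.
SAMPLE_RULES = """\
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-w /sbin/insmod -p x -k modules
"""

ARCH_RE = re.compile(r"-F\s+arch=(b32|b64)")
KEY_RE = re.compile(r"(?:-k|-F\s+key=)\s*(\S+)")
SYSCALL_RE = re.compile(r"-S\s+(\S+)")  # "-S a -S b" or "-S a,b" forms


def syscall_arch_coverage(rules_text):
    """Map (audit key, syscall) -> set of arch values seen in syscall rules."""
    seen = defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m_arch = ARCH_RE.search(line)
        if not m_arch:
            continue  # watch (-w) rules have no arch and need no pair
        m_key = KEY_RE.search(line)
        key = m_key.group(1) if m_key else "<no key>"
        for group in SYSCALL_RE.findall(line):
            for syscall in group.split(","):
                seen[(key, syscall)].add(m_arch.group(1))
    return seen


def missing_arch_pairs(rules_text, arch_specific=frozenset({"stime"})):
    """Return sorted (key, syscall, missing_arch) triples for syscalls that are
    audited under only one arch; syscalls in arch_specific are skipped because
    they legitimately exist for a single arch (assumption: stime is 32-bit only)."""
    findings = []
    for (key, syscall), archs in syscall_arch_coverage(rules_text).items():
        if syscall in arch_specific:
            continue
        for arch in ("b32", "b64"):
            if arch not in archs:
                findings.append((key, syscall, arch))
    return sorted(findings)


if __name__ == "__main__":
    for key, syscall, arch in missing_arch_pairs(SAMPLE_RULES):
        print(f"key {key}: syscall {syscall} has no arch={arch} rule")
```

Run it against the output of `auditctl -l` or a concatenation of the files under /etc/audit/rules.d to spot rules that silently cover only one ABI.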
Examples
include security_baseline_auditd
Parameters
The following parameters are available in the security_baseline_auditd class.
Data type: Boolean
Sets rule enforcement. If set to true, code will be executed to bring the system into a compliant state.
Default value: true
Data type: String
Message to print into the log
Default value: ''
Data type: String
Loglevel for the message
Default value: 'info'
Data type: String
Logfile to log into
Default value: ''
Data type: Integer
Maximum log file size
Default value: 32
Data type: String
What to do when disk space gets low
Default value: 'email'
Data type: String
This option should contain a valid email address or alias. The default address is root. If the email address is not local to the machine, you must make sure you have email properly configured on your machine and network. Also, this option requires that /usr/lib/sendmail exists on the machine.
Default value: 'root'
Data type: String
This parameter tells the system what action to take when the system has detected that it is low on disk space.
Default value: 'halt'
Data type: String
This parameter tells the system what action to take when the system has detected that the max file size limit has been reached.
Default value: 'keep_logs'