Commit 99cacb70 authored by Jonathan Lent's avatar Jonathan Lent

Commenting out BIND and CONNECT, simplify.ignore enhancement

parent e8373e58
......@@ -13,8 +13,9 @@
# deletion and command line executions.
-a exit,always -F arch=b32 -S execve -k EXEC
-a exit,always -F arch=b64 -S execve -k EXEC
-a exit,always -F arch=b64 -S bind -k BIND -F exit!=-2
-a exit,always -F arch=b64 -S connect -k CONNECT -F exit!=-2
# Uncomment if you want BIND and CONNECT events to be logged
#-a exit,always -F arch=b64 -S bind -k BIND -F exit!=-2
#-a exit,always -F arch=b64 -S connect -k CONNECT -F exit!=-2
-a exit,always -F arch=b32 -S socketcall -k SOCKETCALL -F exit!=-2
-a exit,always -F arch=b32 -S link -S unlink -k FILEWRITE
-a exit,always -F arch=b64 -S link -S unlink -k FILEWRITE
......
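Review bot: Commenting out the two b64 rules leaves the b32 `socketcall` rule on the following line active, so on a 64-bit host 32-bit network calls still produce SOCKETCALL events while 64-bit bind/connect produce nothing; the new comment should say so, otherwise a reader will assume network logging is fully off. Suggested wording: `# Uncomment if you want 64-bit BIND and CONNECT events to be logged (the b32 socketcall rule below still covers 32-bit network calls)`. Anything consuming the BIND or CONNECT keys downstream will stop seeing events after this change, which is worth stating in the commit description as well.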
......@@ -18,6 +18,7 @@
define audit::auditd (
$content = 'NONE',
$source = 'NONE',
$source_simplify = 'NONE',
$client_source_port = '650',
$max_log_file = 1000,
$max_log_file_action = 'ROTATE',
......@@ -90,6 +91,7 @@ define audit::auditd (
file {
'/etc/audisp/plugins.d/simplify.conf': ensure => absent;
'/etc/newsyslog.daily/audisp-simplify': ensure => absent;
'/etc/audisp/simplify.ignores': ensure => absent;
}
base::syslog::fragment {
'05-modules-imfile.conf': ensure => 'absent';
......@@ -109,6 +111,13 @@ define audit::auditd (
source => "$afile/etc/newsyslog.daily/audisp-simplify",
require => Package['newsyslog'];
}
# Allow custom simplify.ignores
if $simplify_ignores != 'NONE' {
file { '/etc/audisp/simplify.ignores':
source => $simplify_ignores,
require => Package['stanford-auditd-tools'],
}
}
# Send audisp-simplify to syslog server
if $simplify_syslog == 'NONE' {
base::syslog::fragment {
......
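Review bot: The new block at `if $simplify_ignores != 'NONE'` reads a variable this commit never declares — the parameter added in the first hunk is `$source_simplify` — so unless `$simplify_ignores` is defined elsewhere in the define (outside these hunks), the condition compares an undefined value to 'NONE' (true, or an error under strict_variables) and the file resource is declared with an empty source. The same resource sets no owner, group or mode, although simplify.ignores decides which audit events audisp-simplify discards, so it should be pinned to a root-owned, non-world-writable file rather than inheriting whatever the source carries. Note also that the `ensure => absent` entry added in the second hunk and this resource both manage '/etc/audisp/simplify.ignores'; if both branches can be evaluated in one catalog that is a duplicate declaration, but the enclosing conditionals start outside the hunks so I cannot confirm. Rename the variable to the declared parameter and add explicit ownership:
```puppet
# Allow custom simplify.ignores
if $source_simplify != 'NONE' {
    file { '/etc/audisp/simplify.ignores':
        source  => $source_simplify,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        require => Package['stanford-auditd-tools'],
    }
}
# … unchanged: audisp-simplify syslog fragment …
```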