Commit be6b1dd5 authored by Bill MacAllister's avatar Bill MacAllister

Add in support for audisp-simplify

This summarizes multiple lines of the audit log file nicely, but it
is not clear whether it will satisfy the auditors, since there is no
connection to the original user for users that log in using Kerberos
to gain root access to the system.
parent d191a34a
......@@ -3,7 +3,7 @@
# dispatcher daemon, audispd.
#
q_depth = 10000
q_depth = 32767
overflow_action = SYSLOG
priority_boost = 4
max_restarts = 10
......
active = yes
direction = out
path = /usr/sbin/audisp-simplify
type = always
format = string
......@@ -6,17 +6,20 @@
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024
-b 32767
# The following rules create log entries to be written whenever the
# rmdir, unlink, execve system calls exit. This will record file
# deletion and command line executions.
-a exit,always -F arch=b32 -S execve -k exec
-a exit,always -F arch=b64 -S execve -k exec
-a exit,always -F arch=b32 -S link -S unlink -k filewrite
-a exit,always -F arch=b64 -S link -S unlink -k filewrite
-a exit,always -F arch=b32 -S mkdir -S rmdir -k filewrite
-a exit,always -F arch=b64 -S mkdir -S rmdir -k filewrite
-a exit,always -F arch=b32 -S execve -k EXEC
-a exit,always -F arch=b64 -S execve -k EXEC
-a exit,always -F arch=b64 -S bind -k BIND -F exit!=-2
-a exit,always -F arch=b64 -S connect -k CONNECT -F exit!=-2
-a exit,always -F arch=b32 -S socketcall -k SOCKETCALL -F exit!=-2
-a exit,always -F arch=b32 -S link -S unlink -k FILEWRITE
-a exit,always -F arch=b64 -S link -S unlink -k FILEWRITE
-a exit,always -F arch=b32 -S mkdir -S rmdir -k FILEWRITE
-a exit,always -F arch=b64 -S mkdir -S rmdir -k FILEWRITE
# The following rules create log entries when the critical system
# files are created or deleted.
......
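Review bot: 32-bit callers are covered only through `socketcall` (`-F arch=b32 -S socketcall -k SOCKETCALL`), while `bind` and `connect` are audited for `arch=b64` alone. On kernels that expose direct `bind`/`connect` syscalls to 32-bit x86 processes, those calls would go unrecorded, so consider adding `-a exit,always -F arch=b32 -S bind -k BIND -F exit!=-2` and the matching `connect` rule, provided the installed auditctl accepts them. Separately, what appears to be a key rename from `exec`/`filewrite` to `EXEC`/`FILEWRITE` will silently break any existing `ausearch -k` queries or reports that use the lowercase names. A comment above the rules naming the consumer that needs the uppercase keys (presumably audisp-simplify) would explain why the case matters.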
# audisp-simplify -- Rotate audisp-simplify logs
#
set logdir = /var/log/%n
set save = /var/log/OLD/%n
syslog {
log: audisp-simplify logdir root 0 644
archive: ldap save 30
}
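Review bot: The `log: audisp-simplify logdir root 0 644` line appears to leave the simplified audit log world-readable, since the trailing `644` looks like the file mode. The rules in this commit record every `execve`, so the summarized log will likely contain full command lines, which often carry passwords or tokens passed as arguments. A mode such as `640` with a dedicated reader group, or `600`, would match how the raw audit log is normally protected. Also, `archive: ldap save 30` names `ldap` rather than `audisp-simplify`, which looks carried over from another newsyslog file and should be confirmed.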
......@@ -31,6 +31,7 @@ define audit::auditd (
$max_log_file = 1000,
$max_log_file_action = 'ROTATE',
$num_logs = 5,
$simplify = 'NONE',
$space_left = 5000,
$space_left_action = 'SYSLOG',
$ensure
......@@ -65,7 +66,7 @@ define audit::auditd (
# Where to send the audit
file {
'/etc/audisp/audispd.conf':
'/etc/audisp/audispd.conf':
source => 'puppet:///modules/audit/etc/audisp/audispd.conf',
require => Package['auditd'];
'/etc/audisp/plugins.d/au-remote.conf':
......@@ -76,13 +77,29 @@ define audit::auditd (
require => Package['auditd'];
}
# Test the simplification of auditd logging
if $simplify != 'NONE' {
package {
'stanford-auditd-tools': ensure => installed;
}
file {
'/etc/audisp/plugins.d/simplify.conf':
source => 'puppet:///modules/audit/etc/audisp/plugins.d/simplify.conf',
require => Package['auditd'];
'/etc/newsyslog.daily/audisp-simplify':
mode => 644,
source => "puppet:///modules/audit/etc/newsyslog.daily/audisp-simplify",
require => Package['newsyslog'];
}
}
# There appears to be a memory leak that is causing auditd to
# consume swap space. Restarting once a week fixes this.
file { '/etc/cron.d/auditd-restart':
ensure => present,
source => 'puppet:///modules/audit/etc/cron.d/auditd-restart',
}
# The only difference about a sink server is that it allows
# remote connections.
if $sink_server {
......
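Review bot: `/etc/audisp/plugins.d/simplify.conf` is installed with no explicit `owner`, `group` or `mode`, and it only requires `Package['auditd']`, so the plugin can be activated before `/usr/sbin/audisp-simplify` (presumably shipped by `stanford-auditd-tools`) exists. Because audispd launches the plugin as root, pin the file with `owner => 'root', group => 'root', mode => '0640',` and use `require => Package['auditd', 'stanford-auditd-tools'];`. In the same block `mode => 644` is a bare number; quoting it as `'0644'` avoids it being read as an integer by newer Puppet versions. Nothing here removes the two files when `$simplify` is set back to `'NONE'`, so the plugin would stay active; the body of `audit::auditd` continues outside the hunks, so this may be handled elsewhere.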