Commit d191a34a authored by Bill MacAllister's avatar Bill MacAllister

Initial release of shared module, release/001.001

release/001.001 (2015-02-17)
Initial release of auditd puppet support. (whm)
#
# This file controls the configuration of the audit event
# dispatcher daemon, audispd.
#
q_depth = 10000
overflow_action = SYSLOG
priority_boost = 4
max_restarts = 10
name_format = HOSTNAME
#name = mydomain
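Review bot: `overflow_action = SYSLOG` means that once the 10000-entry dispatcher queue (`q_depth = 10000`) fills, events are dropped and only a syslog message records that it happened, which is at odds with the module's stated goal of shipping a record of critical events to a central logger. That trade-off is invisible to the next maintainer; put it next to the setting, e.g. `# SYSLOG: on queue overflow events are DROPPED and only a syslog line records it`. If completeness of the central copy matters more than local liveness, `suspend` is the alternative, but it halts forwarding rather than losing individual records, so either choice should be a documented decision.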
# This file controls the audispd data path to the
# remote event logger. This plugin will send events to
# a remote machine (Central Logger).
active = yes
direction = out
path = /sbin/audisp-remote
type = always
#args =
format = string
# auditctl rules that are loaded whenever the audit daemon is
# started via the initscripts.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024
# The following rules create log entries to be written whenever the
# rmdir, unlink, execve system calls exit. This will record file
# deletion and command line executions.
-a exit,always -F arch=b32 -S execve -k exec
-a exit,always -F arch=b64 -S execve -k exec
-a exit,always -F arch=b32 -S link -S unlink -k filewrite
-a exit,always -F arch=b64 -S link -S unlink -k filewrite
-a exit,always -F arch=b32 -S mkdir -S rmdir -k filewrite
-a exit,always -F arch=b64 -S mkdir -S rmdir -k filewrite
# The following rules create log entries when the critical system
# files are created or deleted.
-w /bin -p wa -k binfiles
-w /sbin -p wa -k binfiles
-w /usr/bin -p wa -k binfiles
-w /usr/sbin -p wa -k binfiles
-w /etc/audit -p wa -k sysfiles
-w /etc/krb5.conf -p wa -k sysfiles
-w /etc/krb5.keytab -p wa -k sysfiles
-w /etc/pam.d -p wa -k sysfiles
-w /etc/passwd -p wa -k sysfiles
-w /etc/remctl/acl -p wa -k sysfiles
-w /etc/shadow -p wa -k sysfiles
-w /etc/ssh -p wa -k sysfiles
# Disable adding any additional rules - note that adding *new* rules
# will require a reboot
-e 2
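Review bot: The `filewrite` rules only match the legacy syscalls (`-S link -S unlink`, `-S mkdir -S rmdir`); on systems whose libc and coreutils route `rm`, `mkdir` and `mv` through `unlinkat`, `mkdirat`, `rename`/`renameat`, the file deletions the header comment promises to record are largely missed, and `-S execve` likewise misses `execveat` on kernels that have it (only add that name where auditctl knows it, otherwise rule loading fails). The module also manages `/etc/audisp/*`, which carries the remote server and keytab path, yet only `/etc/audit` is watched, so a change that redirects the audit stream to another host is not itself in the audit trail; add `-w /etc/audisp -p wa -k sysfiles`. As the comment before `-e 2` already says, these additions take effect only after a reboot.
```shell
# … unchanged: -D, -b 1024, execve rules …
-a exit,always -F arch=b32 -S link -S unlink -S unlinkat -S rename -S renameat -k filewrite
-a exit,always -F arch=b64 -S link -S unlink -S unlinkat -S rename -S renameat -k filewrite
-a exit,always -F arch=b32 -S mkdir -S rmdir -S mkdirat -k filewrite
-a exit,always -F arch=b64 -S mkdir -S rmdir -S mkdirat -k filewrite
# … unchanged: -w /bin … -w /etc/audit watches …
-w /etc/audisp -p wa -k sysfiles
# … unchanged: remaining -w rules and -e 2 …
```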
# Restart auditd to reclaim swap space
#
#min hr day mon dow user command
#--- -- --- --- --- ---- ---------------------------------------------
16 1 * * 6 root /etc/init.d/auditd restart
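Review bot: The weekly `/etc/init.d/auditd restart` leaves a window in which no daemon is consuming kernel audit events and nothing forwards them to the central logger; with the rules loaded immutable (`-e 2` in audit.rules) the init script's rule reload on start is also likely to be rejected and to log an error every Saturday night. The comment says "reclaim swap space" while the manifest attributes the restart to a memory leak; state the actual reason and the gap it introduces, e.g. `# Weekly restart works around an auditd memory leak (see init.pp); events raised during the restart are not forwarded to the central logger`. If the leak is fixed upstream this entry should be removed rather than kept as folklore.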
#
##############################################################################
# System auditing using auditd
##############################################################################
#
# This module configures auditd to record critical events on a Linux
# system and send the record of the events to a central logging
# server. The connection to the central server is protected by
# GSSAPI.
#
# For the central logging server the sink_server variable should be set to
# true. For the client servers server no configuration is require as long
# as the sink server default is acceptable.
#
# Example sink server:
#
# audit::auditd { "${::hostname}.stanford.edu":
# ensure => present,
# sink_server => true,
# }
#
# Example client server:
#
# audit::auditd { "{$::hostname}.stanford.edu": ensure => present }
define audit::auditd (
$client_source_port = '650',
$remote_server = 'laudit.stanford.edu',
$server_listen_port = '6650',
$server_remote_port = '650',
$sink_server = false,
$max_log_file = 1000,
$max_log_file_action = 'ROTATE',
$num_logs = 5,
$space_left = 5000,
$space_left_action = 'SYSLOG',
$ensure
) {
case $ensure {
'present': {
package {
'auditd': ensure => installed;
'audispd-plugins': ensure => installed;
}
# Keytab for secure communications
base::wallet { "auditd/${::hostname}.stanford.edu":
path => '/etc/audit/auditd.keytab',
owner => 'root',
mode => 400,
primary => true,
ensure => present,
}
# What to audit
file {
'/etc/audit/audit.rules':
source => 'puppet:///modules/audit/etc/audit/audit.rules',
require => Package['auditd'];
'/etc/audit/auditd.conf':
content => template('audit/etc/audit/auditd.conf.erb'),
require => Package['auditd'];
}
# Where to send the audit
file {
'/etc/audisp/audispd.conf':
source => 'puppet:///modules/audit/etc/audisp/audispd.conf',
require => Package['auditd'];
'/etc/audisp/plugins.d/au-remote.conf':
source => 'puppet:///modules/audit/etc/audisp/plugins.d/au-remote.conf',
require => Package['auditd'];
'/etc/audisp/audisp-remote.conf':
content => template('audit/etc/audisp/audisp-remote.conf.erb'),
require => Package['auditd'];
}
# There appears to be a memory leak that is causing auditd to
# consume swap space. Restarting once a week fixes this.
file { '/etc/cron.d/auditd-restart':
ensure => present,
source => 'puppet:///modules/audit/etc/cron.d/auditd-restart',
}
# The only difference about a sink server is that it allows
# remote connections.
if $sink_server {
base::iptables::rule {
'auditd':
ensure => 'present',
description => 'Central audispd logging',
port => ["$server_listen_port"],
protocol => 'tcp';
}
}
}
'absent': {
package {
'auditd': ensure => absent;
'audispd-plugins': ensure => absent;
}
file {
'/etc/audit/auditd.keytab': ensure => absent;
'/etc/audit/audit.rules': ensure => absent;
'/etc/audit/auditd.conf': ensure => absent;
'/etc/audisp/audispd.conf': ensure => absent;
'/etc/audisp/plugins.d/au-remote.conf': ensure => absent;
'/etc/audisp/audisp-remote.conf': ensure => absent;
}
}
default: {
fail('Call to audit::auditd does not include ensure')
}
}
}
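Review bot: None of the `file` resources for `/etc/audit/auditd.conf`, `/etc/audisp/audispd.conf`, `/etc/audisp/plugins.d/au-remote.conf` or `/etc/audisp/audisp-remote.conf` notifies a service and the define declares no `service { 'auditd': }`, so a change to `remote_server`, the ports or the keytab path is written to disk but not applied until the weekly cron restart — up to a week during which records keep going to the old destination; manage the service and add `notify => Service['auditd']` to the config files (leave `audit.rules` without it, since `-e 2` makes the loaded rules immutable until reboot). The client example `audit::auditd { "{$::hostname}.stanford.edu": ensure => present }` has the brace before the `$` and would create a resource titled with a literal `{`; it should read `"${::hostname}.stanford.edu"`. The keytab `mode => 400` is an unquoted number; `mode => '0400'` avoids the integer/string mode ambiguity across Puppet versions.
```puppet
service { 'auditd':
  ensure  => running,
  enable  => true,
  require => Package['auditd'],
}
# … unchanged: package, base::wallet, audit.rules file …
'/etc/audit/auditd.conf':
  content => template('audit/etc/audit/auditd.conf.erb'),
  require => Package['auditd'],
  notify  => Service['auditd'];
# … unchanged: the /etc/audisp files get the same notify; cron and iptables …
```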
#
# This file controls the configuration of the audit remote
# logging subsystem, audisp-remote.
#
remote_server = <%= @remote_server %>
port = <%= @server_listen_port %>
local_port = <%= @client_source_port %>
transport = tcp
mode = immediate
queue_depth = 200
format = managed
network_retry_time = 1
max_tries_per_record = 3
max_time_per_record = 5
heartbeat_timeout = 0
network_failure_action = stop
disk_low_action = ignore
disk_full_action = ignore
disk_error_action = syslog
remote_ending_action = suspend
generic_error_action = syslog
generic_warning_action = syslog
enable_krb5 = yes
krb5_client_name = auditd
krb5_key_file = /etc/audit/auditd.keytab
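Review bot: `network_failure_action = stop` combined with `network_retry_time = 1` and `max_tries_per_record = 3` means a few seconds of an unreachable central logger makes audisp-remote exit, and `heartbeat_timeout = 0` means an idle dead connection is never detected; `remote_ending_action = suspend` has the same effect when the sink closes the connection. After that the host still logs locally but nothing reaches the central server until the weekly cron restart, which for a central audit trail is precisely the failure mode to avoid. As I read the plugin's actions, `network_failure_action = syslog` records the outage and keeps retrying on later records (or `reconnect`, if the installed audisp-remote supports it), and a non-zero `heartbeat_timeout = 60` lets a silent connection loss be noticed; whichever is chosen, add a comment above these lines stating what happens to records while the sink is down.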
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
max_log_file = <%= @max_log_file %>
max_log_file_action = <%= @max_log_file_action %>
num_logs = <%= @num_logs %>
space_left = <%= @space_left %>
space_left_action = <%= @space_left_action %>
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
tcp_listen_port = <%= @server_listen_port %>
tcp_client_ports = <%= @server_remote_port %>
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = yes
krb5_principal = auditd
krb5_key_file = /etc/audit/auditd.keytab
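Review bot: `tcp_listen_port = <%= @server_listen_port %>` is rendered unconditionally, so every client host — not only the sink — starts auditd with a listener on TCP 6650, while the define opens iptables for that port only when `$sink_server` is true; the firewall becomes the sole control keeping that listener unreachable. Emit the line only for the sink server: `<% if @sink_server -%>`, `tcp_listen_port = <%= @server_listen_port %>`, `<% end -%>` (the template has access to `@sink_server` as a define parameter). Separately, `disp_qos = lossy` lets the dispatcher path — the one feeding the remote logger — drop records under load while the local file stays complete; if the central copy is the authoritative one, document that trade-off next to the setting or use `lossless`.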