Commit e342ae6d authored by Bill MacAllister's avatar Bill MacAllister

audit: Remove use of auditd message transport

Use syslog to send audit data to central syslog host.
parent e05221c0
release/001.005 (2015-02-25)
Remove use of auditd message protocol. Use syslog to send audit
data to central logging host. (whm)
release/001.004 (2015-02-25)
Remove file inadvertently left in rsyslog.d. (whm)
......
......@@ -8,5 +8,4 @@ overflow_action = SYSLOG
priority_boost = 4
max_restarts = 10
name_format = HOSTNAME
#name = mydomain
# This file controls the audispd data path to the
# remote event logger. This plugin will send events to
# a remote machine (Central Logger).
active = yes
direction = out
path = /sbin/audisp-remote
type = always
#args =
format = string
# This file controls the configuration of the
# syslog plugin. It simply takes events and writes
# them to syslog.
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
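Review bot: The new syslog plugin's `args = LOG_INFO` sets only the priority, so audit events land in the plugin's default facility and are distinguishable downstream only by program name, which is what the rsyslog fragment in this commit matches on. Giving the facility explicitly, e.g. `args = LOG_INFO LOG_LOCAL6`, keeps the audit stream separable from ordinary user-level messages both in local log files and on the central host, and records the intent in the file itself. The audispd.conf hunk above (-8,5 +8,4) drops one line that does not appear on this page, so I cannot comment on it.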
......@@ -28,6 +28,7 @@
-w /usr/bin -p wa -k binfiles
-w /usr/sbin -p wa -k binfiles
-w /etc/audit -p wa -k sysfiles
-w /etc/audisp -p wa -k sysfiles
-w /etc/krb5.conf -p wa -k sysfiles
-w /etc/krb5.keytab -p wa -k sysfiles
-w /etc/pam.d -p wa -k sysfiles
......@@ -35,6 +36,8 @@
-w /etc/remctl/acl -p wa -k sysfiles
-w /etc/shadow -p wa -k sysfiles
-w /etc/ssh -p wa -k sysfiles
-w /etc/shadow -p wa -k sysfiles
-w /etc/ssh -p wa -k sysfiles
# Disable adding any additional rules - note that adding *new* rules
# will require a reboot
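Review bot: The forwarding destination now lives in an rsyslog.d fragment, but the watch added at `-w /etc/audisp -p wa -k sysfiles` covers only the audisp side; unless a rule outside this hunk already covers it, edits to the new fragment are not audited, whereas the old audisp-remote.conf path was. Adding `-w /etc/rsyslog.d -p wa -k sysfiles` (and `-w /etc/rsyslog.conf -p wa -k sysfiles`) restores visibility of changes that could silently redirect or drop the audit feed. The doubled shadow/ssh lines in the second hunk look like the rendered old/new pair of a whitespace-only change; nothing to raise there if so.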
......
......@@ -24,15 +24,11 @@
define audit::auditd (
$client_source_port = '650',
$remote_server = 'laudit.stanford.edu',
$server_listen_port = '6650',
$server_remote_port = '650',
$sink_server = false,
$max_log_file = 1000,
$max_log_file_action = 'ROTATE',
$num_logs = 5,
$simplify = 'true',
$simplify_syslog = 'logsink.stanford.edu',
$syslog_server = 'logsink.stanford.edu',
$space_left = 5000,
$space_left_action = 'SYSLOG',
$ensure
......@@ -50,15 +46,6 @@ define audit::auditd (
'audispd-plugins': ensure => installed;
}
# Keytab for secure communications
base::wallet { "auditd/${::hostname}.stanford.edu":
path => '/etc/audit/auditd.keytab',
owner => 'root',
mode => 400,
primary => true,
ensure => present,
}
# What to audit
file {
'/etc/audit/audit.rules':
......@@ -74,14 +61,16 @@ define audit::auditd (
'/etc/audisp/audispd.conf':
source => "$afile/etc/audisp/audispd.conf",
require => Package['auditd'];
'/etc/audisp/plugins.d/au-remote.conf':
source => "$afile/etc/audisp/plugins.d/au-remote.conf",
require => Package['auditd'];
'/etc/audisp/audisp-remote.conf':
content => template('audit/etc/audisp/audisp-remote.conf.erb'),
'/etc/audisp/plugins.d/syslog.conf':
source => "$afile/etc/audisp/plugins.d/syslog.conf",
require => Package['auditd'];
}
base::syslog::fragment {
'50-audisp-remote.conf':
ensure => 'present',
content => template('audit/etc/rsyslog.d/50-audisp-remote.conf.erb'),
}
# Test the simplification of auditd logging
if $simplify == 'NONE' {
package { 'stanford-auditd-tools': ensure => absent }
......@@ -136,18 +125,6 @@ define audit::auditd (
ensure => present,
source => 'puppet:///modules/audit/etc/cron.d/auditd-restart',
}
# The only difference about a sink server is that it allows
# remote connections.
if $sink_server {
base::iptables::rule {
'auditd':
ensure => 'present',
description => 'Central audispd logging',
port => ["$server_listen_port"],
protocol => 'tcp';
}
}
}
'absent': {
......@@ -160,8 +137,6 @@ define audit::auditd (
'/etc/audit/audit.rules': ensure => absent;
'/etc/audit/auditd.conf': ensure => absent;
'/etc/audisp/audispd.conf': ensure => absent;
'/etc/audisp/plugins.d/au-remote.conf': ensure => absent;
'/etc/audisp/audisp-remote.conf': ensure => absent;
}
}
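Review bot: The `'absent'` branch in the last hunk drops the cleanup of the two removed audisp files but does not add `'/etc/audisp/plugins.d/syslog.conf': ensure => absent;` for the plugin file this commit starts managing, and nothing visible sets the new `base::syslog::fragment { '50-audisp-remote.conf': ... }` to absent either, so removing the define leaves the forwarder configured. Both additions belong alongside the other `ensure => absent` entries in that hunk. Separately, the fragment resource carries no ordering relative to `Package['auditd']` or the rsyslog service; if `base::syslog::fragment` handles that itself this is fine, but it is not visible here. The define `audit::auditd` starts before the first hunk and continues past the last one.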
......
......@@ -2,14 +2,14 @@
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
disp_qos = lossy
dispatcher = /sbin/audispd
flush = INCREMENTAL
freq = 20
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
......@@ -19,18 +19,12 @@ num_logs = <%= @num_logs %>
space_left = <%= @space_left %>
space_left_action = <%= @space_left_action %>
action_mail_acct = root
admin_space_left = 50
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
tcp_listen_port = <%= @server_listen_port %>
tcp_client_ports = <%= @server_remote_port %>
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = yes
enable_krb5 = no
krb5_principal = auditd
krb5_key_file = /etc/audit/auditd.keytab
krb5_key_file = /etc/audit/auditd.keytab
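Review bot: Flipping `enable_krb5 = yes` to `enable_krb5 = no` and removing the `tcp_*` settings moves the audit stream from a Kerberos-authenticated audisp-remote channel to the rsyslog forwarder, which in the new fragment below is plain `Protocol = "tcp"` on port 10514 with no stream driver or TLS settings, so records now cross the network without integrity protection or confidentiality; if the central host supports it the fragment should carry a TLS (gtls) stream-driver configuration, otherwise the commit message should say why cleartext is acceptable. With krb5 disabled, the surviving `krb5_principal = auditd` and `krb5_key_file = /etc/audit/auditd.keytab` lines are dead configuration and point at a keytab the Puppet change no longer provisions (the `base::wallet` resource is removed), so dropping them avoids a misleading reference. The hunk's old/new counts do not quite match the lines shown here, so part of it may be cut off on this page.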
......@@ -3,7 +3,7 @@
if $syslogtag == "<%= @syslog_tag %>" then {
action(type="omfwd"
name = "<%= @syslog_tag %>Remote"
Target = "<%= @simplify_syslog %>"
Target = "<%= @syslog_server %>"
Port = "10514"
protocol = "tcp"
queue.Type = "LinkedList"
......
# Write auditd messages to central syslog server. The auditd process
# write the messages locally so rsyslog does not need to.
if $programname == 'audispd' then {
action(type = "omfwd"
name = "<%= @syslog_tag %>Remote"
Target = "<%= @syslog_server %>"
Port = "10514"
Protocol = "tcp"
queue.Type = "LinkedList"
queue.FileName = "ldapRemote"
queue.size = "4000000"
queue.HighWaterMark = "3000000"
queue.LowWaterMark = "10000"
queue.WorkerThreads = "10"
queue.TimeoutEnqueue = "0"
queue.MaxDiskSpace = "2g"
queue.MaxFileSize = "100m"
action.ResumeRetryCount = "-1"
template = "ForwardFormat")
stop
}
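Review bot: `queue.FileName = "ldapRemote"` names this disk-assisted queue's spool files after a different service; rsyslog writes those files into its work directory, so if another fragment on the same host also uses `ldapRemote` the two queues share spool files and can interleave or corrupt each other's buffered records. Use a name tied to this stream, e.g. `queue.FileName = "audispRemote"`. The `stop` after the action means matching records are never written to local syslog files, which the header comment explains; that comment's `write the messages locally` should read `writes the messages locally`, but the wording sits in the hunk so I only note it.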