Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / auditd / 50a360f947f647bd39f893740eb9d907191ced52^! / . / metadata
commit50a360f947f647bd39f893740eb9d907191ced52[log] [tgz]
authorIvan Suzdal <isuzdal@mirantis.com>Mon Jun 04 16:07:41 2018 +0400
committerMykyta Karpin <mkarpin@mirantis.com>Fri Jun 08 10:12:46 2018 +0000
tree05e194c63628145dfc86493397536b126ad0f0f7
parentf334513922e916532215bc89959f01eb6c63c89a [diff]
Create auditd formula

According to linked prod's we need to create fully functional
auditd formula. This formula allows install and configure auditd, as
well as generate auditd rules and install/configure audisp
plugins if necessary.

Change-Id: Ieb6c889c7fceec7281e1ad019b1f07daf689c3f7
Related-PROD: https://mirantis.jira.com/browse/PROD-20233
Related-PROD: https://mirantis.jira.com/browse/PROD-20138

diff --git a/metadata/service/audisp/init.yml b/metadata/service/audisp/init.yml
new file mode 100644
index 0000000..432e5dc
--- /dev/null
+++ b/metadata/service/audisp/init.yml

@@ -0,0 +1,15 @@
+applications:
+- auditd
+classes:
+- service.auditd.support
+parameters:
+  auditd:
+    audisp:
+      plugins:
+        syslog:
+          active: 'yes'
+          direction: out
+          path: builtin_syslog
+          type: builtin
+          args: LOG_INFO
+          format: string

diff --git a/metadata/service/rules/ciscat.yml b/metadata/service/rules/ciscat.yml
new file mode 100644
index 0000000..8482c09
--- /dev/null
+++ b/metadata/service/rules/ciscat.yml

@@ -0,0 +1,115 @@
+applications:
+- auditd
+classes:
+- service.auditd.support
+parameters:
+  auditd:
+    rules:
+      options:
+        enabled: 1
+        bufsize: 8192
+      rules:
+        MAC_policy:
+          enabled: true
+          rule_list:
+            - '-w /etc/apparmor/ -p wa'
+            - '-w /etc/apparmor.d/ -p wa'
+        access:
+          enabled: true
+          rule_list:
+            - '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295'
+        actions:
+          enabled: true
+          rule_list:
+            - '-w /var/log/sudo.log -p wa'
+        delete:
+          enabled: true
+          rule_list:
+            - '-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295'
+        identity:
+          enabled: true
+          rule_list:
+            - '-w /etc/group -p wa'
+            - '-w /etc/passwd -p wa'
+            - '-w /etc/gshadow -p wa'
+            - '-w /etc/shadow -p wa'
+            - '-w /etc/security/opasswd -p wa'
+        logins:
+          enabled: true
+          rule_list:
+            - '-w /var/log/faillog -p wa'
+            - '-w /var/log/lastlog -p wa'
+            - '-w /var/log/tallylog -p wa'
+        modules:
+          enabled: true
+          rule_list:
+            - '-w /sbin/insmod -p x'
+            - '-w /sbin/rmmod -p x'
+            - '-w /sbin/modprobe -p x'
+            - '-a always,exit -F arch=b64 -S init_module -S delete_module'
+        mounts:
+          enabled: true
+          rule_list:
+            - '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295'
+        perm_mod:
+          enabled: true
+          rule_list:
+            - '-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295'
+        privileged:
+          enabled: true
+          rule_list:
+            - '-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295'
+            - '-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295'
+        scope:
+          enabled: true
+          rule_list:
+            - '-w /etc/sudoers -p wa'
+            - '-w /etc/sudoers.d -p wa'
+        session:
+          enabled: true
+          rule_list:
+            - '-w /var/run/utmp -p wa'
+            - '-w /var/log/wtmp -p wa'
+            - '-w /var/log/btmp -p wa'
+        system_locale:
+          enabled: true
+          rule_list:
+            - '-a always,exit -F arch=b64 -S sethostname -S setdomainname'
+            - '-a always,exit -F arch=b32 -S sethostname -S setdomainname'
+            - '-w /etc/issue -p wa'
+            - '-w /etc/issue.net -p wa'
+            - '-w /etc/hosts -p wa'
+            - '-w /etc/network -p wa'
+            - '-w /etc/networks -p wa'
+        time_change:
+          enabled: true
+          rule_list:
+            - '-a always,exit -F arch=b64 -S adjtimex -S settimeofday'
+            - '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime'
+            - '-a always,exit -F arch=b64 -S clock_settime'
+            - '-a always,exit -F arch=b32 -S clock_settime'
+            - '-w /etc/localtime -p wa'

diff --git a/metadata/service/server/init.yml b/metadata/service/server/init.yml
new file mode 100644
index 0000000..4632e12
--- /dev/null
+++ b/metadata/service/server/init.yml

@@ -0,0 +1,32 @@
+applications:
+- auditd
+classes:
+- service.auditd.support
+parameters:
+  auditd:
+    service:
+      enabled: true
+      log_file: /var/log/audit/audit.log
+      log_format: RAW
+      log_group: root
+      priority_boost: 4
+      flush: INCREMENTAL
+      freq: 20
+      num_logs: 5
+      disp_qos: lossy
+      dispatcher: /sbin/audispd
+      name_format: NONE
+      max_log_file: 6
+      max_log_file_action: ROTATE
+      space_left: 75
+      space_left_action: SYSLOG
+      action_mail_acct: root
+      admin_space_left: 50
+      admin_space_left_action: SUSPEND
+      disk_full_action: SUSPEND
+      disk_error_action: SUSPEND
+      tcp_listen_queue: 5
+      tcp_max_per_addr: 1
+      tcp_client_max_idle: 0
+      enable_krb5: 'no'
+      krb5_principal: auditd

diff --git a/metadata/service/support.yml b/metadata/service/support.yml
new file mode 100644
index 0000000..099b032
--- /dev/null
+++ b/metadata/service/support.yml

@@ -0,0 +1,18 @@
+parameters:
+  auditd:
+    _support:
+      collectd:
+        enabled: true
+      heka:
+        enabled: true
+      sensu:
+        enabled: false
+      sphinx:
+        enabled: false
+      grafana:
+        enabled: true
+      telegraf:
+        enabled: true
+      prometheus:
+        enabled: true
+