==================================
Auditd Formula
==================================

The Linux Audit system provides a way to track security-relevant information on
your system. Based on pre-configured rules, Audit generates log entries to
record as much information about the events that are happening on your system
as possible. This information is crucial for mission-critical environments to
determine the violator of the security policy and the actions they performed.
Audit does not provide additional security to your system; rather, it can be
used to discover violations of security policies used on your system.
These violations can further be prevented by additional security
measures such as SELinux.

Please be aware of one *feature*.
If you enable ``auditd.rules.rules.privileged``, the formula dynamically
generates a list of binaries which have the suid/sgid bit on all mounted file
systems which do not have the **nosuid** or **noexec** mount option (except the
*special* file systems such as **sysfs**, **nsfs**, **cgroup**, **proc** and so
on). The list of such *special* file systems can be configured with the
``auditd:rules:filter_fs`` pillar.

This is done because it is nearly impossible to create that list manually: it
will always differ from one installation to another.
This behavior cannot be changed, but the generated list can be extended
manually by putting the necessary rules into the **rule_list** list.

It is also possible to add paths which will be filtered out of the search. This
implements the idea of *white lists*, but on a directory level rather than for
a particular file. It can be configured with the ``auditd:rules:filter_paths``
pillar.
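
The discovery step described above, as an added example that is not the
formula's own code: it reads a ``/proc/mounts``-style table, drops mounts
carrying **nosuid** or **noexec** and the file system types from
``filter_fs``, drops anything under a ``filter_paths`` directory, keeps only
regular files with the suid/sgid bit (an sgid *directory* such as a mail spool
must not become a rule), and emits one rule per binary. The mounts table and
the path-to-mode map are constructed inline so the script runs offline;
``collect_modes`` is the live-system equivalent. The exact rule shape
(``-F perm=x`` with the ``auid`` filters and the key ``privileged``) is an
assumption borrowed from common CIS-style rule sets, not something this page
specifies.

```python
import os
import stat

# Constructed /proc/mounts excerpt (device, mountpoint, fstype, options, dump, pass).
SAMPLE_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /opt ext4 rw,relatime 0 0
cgroup /sys/fs/cgroup cgroup rw,nosuid,nodev,noexec,relatime 0 0
"""

# Constructed stand-in for a directory walk: path -> st_mode as lstat() would report it.
SAMPLE_MODES = {
    "/usr/bin/passwd": 0o104755,    # regular file, setuid
    "/usr/bin/ls": 0o100755,        # regular file, no special bits
    "/var/mail": 0o042775,          # setgid *directory*, must not become a rule
    "/opt/vendor/tool": 0o102755,   # regular file, setgid, on a scannable mount
    "/opt/local/helper": 0o104755,  # setuid, but under a filter_paths entry
    "/tmp/dropped": 0o104755,       # setuid, but on a nosuid,noexec mount
    "/sys/fs/cgroup/x": 0o104755,   # setuid, but on a filtered special fs
}

# The special file system types the page names (default for filter_fs).
DEFAULT_FILTER_FS = ("sysfs", "nsfs", "cgroup", "proc")


def parse_mounts(text):
    """Yield (mountpoint, fstype, set_of_options) from /proc/mounts-style text."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            yield fields[1], fields[2], set(fields[3].split(","))


def scannable_mounts(mounts_text, filter_fs=DEFAULT_FILTER_FS):
    """Mount points on which a suid/sgid bit actually takes effect."""
    return [mp for mp, fstype, opts in parse_mounts(mounts_text)
            if fstype not in filter_fs and not {"nosuid", "noexec"} & opts]


def owning_mount(path, mount_points):
    """Longest mount point that is a prefix of path (what find -xdev honours)."""
    best = "/"
    for mp in mount_points:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def is_privileged_file(mode):
    """Regular file with setuid or setgid set; sgid directories are excluded."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def privileged_rules(file_modes, mounts_text, filter_fs=DEFAULT_FILTER_FS, filter_paths=()):
    """Build one audit rule per privileged binary, honouring both filters."""
    all_mounts = [mp for mp, _, _ in parse_mounts(mounts_text)]
    allowed = set(scannable_mounts(mounts_text, filter_fs))
    rules = []
    for path in sorted(file_modes):
        # A file under /sys/fs/cgroup belongs to that mount, not to "/".
        if owning_mount(path, all_mounts) not in allowed:
            continue
        if any(path.startswith(p.rstrip("/") + "/") for p in filter_paths):
            continue
        if not is_privileged_file(file_modes[path]):
            continue
        # Rule shape is an assumption (CIS-style): record executions by real users only.
        rules.append(f"-a always,exit -F path={path} -F perm=x "
                     f"-F auid>=1000 -F auid!=4294967295 -k privileged")
    return rules


def collect_modes(root="/"):
    """Live-system variant of SAMPLE_MODES: lstat every entry, never follow symlinks."""
    modes = {}
    for dirpath, _, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                modes[full] = os.lstat(full).st_mode
            except OSError:
                continue
    return modes


if __name__ == "__main__":
    for rule in privileged_rules(SAMPLE_MODES, SAMPLE_MOUNTS, filter_paths=["/opt/local"]):
        print(rule)
```

With the constructed input only ``/opt/vendor/tool`` and ``/usr/bin/passwd``
produce rules; the setuid files on the ``nosuid`` tmpfs and on the cgroup
mount are skipped because the kernel ignores the bit there anyway, and the
sgid mail spool directory is skipped because only regular files are
candidates. Swap ``SAMPLE_MODES`` for ``collect_modes()`` and ``SAMPLE_MOUNTS``
for the contents of ``/proc/mounts`` to run it against a real host.
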


Sample Metadata
===============

Single auditd service

.. code-block:: yaml

  auditd:
    service:
      enabled: true
      log_file: /var/log/audit/audit.log
      log_format: NOLOG
      log_group: root
      priority_boost: 4
      flush: INCREMENTAL
      freq: 20
      num_logs: 5
      disp_qos: lossy
      dispatcher: /sbin/audispd
      name_format: HOSTNAME
      max_log_file: 6
      max_log_file_action: ROTATE
      space_left: 75
      space_left_action: SYSLOG
      action_mail_acct: root
      admin_space_left: 50
      admin_space_left_action: SUSPEND
      disk_full_action: SUSPEND
      disk_error_action: SUSPEND
      tcp_listen_queue: 5
      tcp_max_per_addr: 1
      tcp_client_max_idle: 0
      enable_krb5: 'no'
      krb5_principal: auditd
    audisp:
      enabled: true
    rules:
      options:
        enabled: 0
        bufsize: 8192
      rules:
        1:
          key: some_rule_key
          enabled: true
          rule_list:
            - '-w /etc/passwd -p wa'
            - '-a always,exit -F arch=b64 -S mount'

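How the ``auditd:rules`` part of that pillar turns into an audit rules file,
as an added example rather than the formula's own Jinja template: the pillar
below is constructed to mirror the sample above (with a second, disabled rule
group added to show the ``enabled`` flag). The mapping of ``bufsize`` to
``-b``, of ``options.enabled`` to ``-e``, the ``-D`` prologue, and appending
the group's ``key`` as ``-k`` to rules that do not already carry one are all
assumptions about a sensible rendering, not documented behaviour of this
formula. The one ordering rule that is not an assumption is that ``-e`` has to
be the last line: with ``-e 2`` the configuration becomes immutable and any
rule loaded after it is rejected until reboot.

```python
# Constructed pillar mirroring the README's sample metadata (rules part only).
SAMPLE_PILLAR = {
    "auditd": {
        "rules": {
            "options": {"enabled": 0, "bufsize": 8192},
            "rules": {
                1: {
                    "key": "some_rule_key",
                    "enabled": True,
                    "rule_list": [
                        "-w /etc/passwd -p wa",
                        "-a always,exit -F arch=b64 -S mount",
                    ],
                },
                # Added group: disabled, so it must not appear in the output.
                2: {
                    "key": "disabled_group",
                    "enabled": False,
                    "rule_list": ["-w /etc/shadow -p wa"],
                },
            },
        }
    }
}


def with_key(rule, key):
    """Append '-k key' unless the rule already names a key (assumed behaviour)."""
    if key and " -k " not in f" {rule} " and "-F key=" not in rule:
        return f"{rule} -k {key}"
    return rule


def render_rules(pillar):
    """Render auditd:rules into the text of an auditctl rules file."""
    rules_cfg = pillar["auditd"]["rules"]
    opts = rules_cfg.get("options", {})
    lines = ["-D"]  # flush the currently loaded rules before adding ours
    if "bufsize" in opts:
        lines.append(f"-b {opts['bufsize']}")  # kernel backlog, must precede rules
    for _, group in sorted(rules_cfg.get("rules", {}).items()):
        if not group.get("enabled", True):
            continue
        for rule in group.get("rule_list", []):
            lines.append(with_key(rule, group.get("key")))
    # -e goes last: -e 2 locks the configuration, so anything after it would fail.
    if "enabled" in opts:
        lines.append(f"-e {opts['enabled']}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_rules(SAMPLE_PILLAR), end="")
```

The keyed rules are what make the audit log searchable afterwards:
``ausearch -k some_rule_key`` returns exactly the events produced by that
group, which is why a group-level key that is appended to every rule is
convenient.
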
Auditd service with syslog plugin configuration

.. code-block:: yaml

  auditd:
    service:
      enabled: true
      log_format: NOLOG
      ...
    audisp:
      enabled: true
      plugins:
        syslog:
          active: 'yes'
          direction: out
          path: builtin_syslog
          type: builtin
          args: 'LOG_INFO LOG_LOCAL6'
          format: string

References
==========

- https://github.com/linux-audit/audit-documentation/wiki
- https://linux-audit.com
- https://github.com/linux-audit/audit-userspace

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for a specific salt
formula:

    https://github.com/salt-formulas/salt-formula-auditd/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific
formula.

You should also subscribe to the mailing list (salt-formulas@freelists.org):

    https://www.freelists.org/list/salt-formulas

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net