| Ivan Suzdal | 50a360f | 2018-06-04 16:07:41 +0400 | [diff] [blame^] | 1 | |
| 2 | ================================== |
| 3 | Auditd Formula |
| 4 | ================================== |
| 5 | |
| 6 | The Linux Audit system provides a way to track security-relevant information on |
| 7 | your system. Based on pre-configured rules, Audit generates log entries to |
| 8 | record as much information about the events that are happening on your system |
| 9 | as possible. This information is crucial for mission-critical environments to |
| 10 | determine the violator of the security policy and the actions they performed. |
| 11 | Audit does not provide additional security to your system; rather, it can be |
| 12 | used to discover violations of security policies used on your system. |
| 13 | These violations can further be prevented by additional security |
| 14 | measures such as SELinux. |
| 15 | |
| 16 | |
| 17 | |
| 18 | Sample Metadata |
| 19 | =============== |
| 20 | |
| 21 | Single auditd service |
| 22 | |
| 23 | .. code-block:: yaml |
| 24 | auditd: |
| 25 | service: |
| 26 | enabled: true |
| 27 | log_file: /var/log/audit/audit.log |
| 28 | log_format: NOLOG |
| 29 | log_group: root |
| 30 | priority_boost: 4 |
| 31 | flush: INCREMENTAL |
| 32 | freq: 20 |
| 33 | num_logs: 5 |
| 34 | disp_qos: lossy |
| 35 | dispatcher: /sbin/audispd |
| 36 | name_format: HOSTNAME |
| 37 | max_log_file: 6 |
| 38 | max_log_file_action: ROTATE |
| 39 | space_left: 75 |
| 40 | space_left_action: SYSLOG |
| 41 | action_mail_acct: root |
| 42 | admin_space_left: 50 |
| 43 | admin_space_left_action: SUSPEND |
| 44 | disk_full_action: SUSPEND |
| 45 | disk_error_action: SUSPEND |
| 46 | tcp_listen_queue: 5 |
| 47 | tcp_max_per_addr: 1 |
| 48 | tcp_client_max_idle: 0 |
| 49 | enable_krb5: 'no' |
| 50 | krb5_principal: auditd |
| 51 | audisp: |
| 52 | enabled: true |
| 53 | rules: |
| 54 | options: |
| 55 | enabled: 0 |
| 56 | bufsize: 8192 |
| 57 | rules: |
| 58 | some_rule_key: |
| 59 | enabled: true |
| 60 | rule_list: |
| 61 | - '-w /etc/passwd -p wa' |
| 62 | - '-a always,exit -F arch=b64 -S mount' |
| 63 | |
| 64 | |
| 65 | References |
| 66 | ========= |
| 67 | https://github.com/linux-audit/audit-documentation/wiki |
| 68 | https://linux-audit.com |
| 69 | https://github.com/linux-audit/audit-userspace |
| 70 | |
| 71 | Documentation and Bugs |
| 72 | ====================== |
| 73 | |
| 74 | To learn how to install and update salt-formulas, consult the documentation |
| 75 | available online at: |
| 76 | |
| 77 | http://salt-formulas.readthedocs.io/ |
| 78 | |
| 79 | In the unfortunate event that bugs are discovered, they should be reported to |
| 80 | the appropriate issue tracker. Use GitHub issue tracker for specific salt |
| 81 | formula: |
| 82 | |
| 83 | https://github.com/salt-formulas/salt-formula-auditd/issues |
| 84 | |
| 85 | For feature requests, bug reports or blueprints affecting entire ecosystem, |
| 86 | use Launchpad salt-formulas project: |
| 87 | |
| 88 | https://launchpad.net/salt-formulas |
| 89 | |
| 90 | Developers wishing to work on the salt-formulas projects should always base |
| 91 | their work on master branch and submit pull request against specific formula. |
| 92 | |
| 93 | You should also subscribe to mailing list (salt-formulas@freelists.org): |
| 94 | |
| 95 | https://www.freelists.org/list/salt-formulas |
| 96 | |
| 97 | Any questions or feedback is always welcome so feel free to join our IRC |
| 98 | channel: |
| 99 | |
| 100 | #salt-formulas @ irc.freenode.net |