From dc88409f73b45ce48ebda6a43df0bc005b472f10 Mon Sep 17 00:00:00 2001
From: Dennis Lerch
Date: Thu, 13 Jul 2023 10:07:49 +0200
Subject: [PATCH 1/3] make template overrideable

by referencing the auditd.conf.j2 template, a custom template can be provided to the role.

Signed-off-by: Dennis Lerch
---
 roles/os_hardening/defaults/main.yml | 1 +
 roles/os_hardening/tasks/auditd.yml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
index 77de4bffe..859865392 100644
--- a/roles/os_hardening/defaults/main.yml
+++ b/roles/os_hardening/defaults/main.yml
@@ -332,6 +332,7 @@ os_hardening_enabled: true
 # Set to false to disable installing and configuring auditd.
 os_auditd_enabled: true
+os_auditd_template: etc/audit/auditd.conf.j2
 os_auditd_flush: INCREMENTAL
 os_auditd_max_log_file: 6
 os_auditd_max_log_file_action: keep_logs
diff --git a/roles/os_hardening/tasks/auditd.yml b/roles/os_hardening/tasks/auditd.yml
index d24a694be..b26554ff2 100644
--- a/roles/os_hardening/tasks/auditd.yml
+++ b/roles/os_hardening/tasks/auditd.yml
@@ -7,7 +7,7 @@
 - name: Configure auditd | package-08
   ansible.builtin.template:
-    src: etc/audit/auditd.conf.j2
+    src: "{{ os_auditd_template }}"
     dest: /etc/audit/auditd.conf
     owner: root
     group: root
From efa094976f830e43ae5758c6ad723fb26f85eb70 Mon Sep 17 00:00:00 2001
From: Dennis Lerch
Date: Thu, 13 Jul 2023 10:08:32 +0200
Subject: [PATCH 2/3] extend auditd config

make freq and log_file configurable
implement write_logs with it's default value in order to be able to disable log writing

Signed-off-by: Dennis Lerch
---
 roles/os_hardening/defaults/main.yml | 3 +++
 roles/os_hardening/templates/etc/audit/auditd.conf.j2 | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
index 859865392..20392185f 100644
--- a/roles/os_hardening/defaults/main.yml
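Review bot: The new `os_auditd_template` default is the only key in this stanza without a comment, while the neighbouring `os_auditd_enabled` line is documented; a one-line comment above it would state the trade-off an override makes, `# Template rendered to /etc/audit/auditd.conf; a custom template may not reference the os_auditd_* variables below, so the role can then no longer enforce them.` For a hardening role this is worth making explicit, because a playbook-level override silently takes the generated auditd.conf out of the role's control and a compliance reviewer has to look for it. The unquoted path itself is fine — it contains no YAML indicators.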
+++ b/roles/os_hardening/defaults/main.yml
@@ -334,8 +334,11 @@ os_hardening_enabled: true
 os_auditd_enabled: true
 os_auditd_template: etc/audit/auditd.conf.j2
 os_auditd_flush: INCREMENTAL
+os_auditd_freq: 20
 os_auditd_max_log_file: 6
 os_auditd_max_log_file_action: keep_logs
+os_auditd_write_logs: true
+os_auditd_log_file: /var/log/audit/audit.log
 os_auditd_log_format: RAW
 os_auditd_admin_space_left: 50
 os_auditd_space_left: 75
diff --git a/roles/os_hardening/templates/etc/audit/auditd.conf.j2 b/roles/os_hardening/templates/etc/audit/auditd.conf.j2
index d12043b38..e3440e0b2 100644
--- a/roles/os_hardening/templates/etc/audit/auditd.conf.j2
+++ b/roles/os_hardening/templates/etc/audit/auditd.conf.j2
@@ -1,12 +1,13 @@
 {{ ansible_managed | comment }}
 # Generated by Ansible role {{ ansible_role_name }}
-log_file = /var/log/audit/audit.log
+write_logs = {{ os_auditd_write_logs | bool | ternary('yes', 'no') }}
+log_file = {{ os_auditd_log_file }}
 log_format = {{ os_auditd_log_format }}
 log_group = {{ os_auditd_log_group }}
 priority_boost = 4
 flush = {{ os_auditd_flush }}
-freq = 20
+freq = {{ os_auditd_freq }}
 num_logs = {{ os_auditd_num_logs }}
 disp_qos = lossy
 dispatcher = /sbin/audispd
From 8c7ac3b6f862b07100ee5ebaefd0f8cc8e0317bf Mon Sep 17 00:00:00 2001
From: Dennis Lerch
Date: Mon, 24 Jul 2023 10:38:32 +0200
Subject: [PATCH 3/3] Extend README.md documentation by new variables

reorder `os_auditd_log_format` to keep sequence from defaults

Signed-off-by: Dennis Lerch
---
 roles/os_hardening/README.md | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
index 6844eb1db..74fc71b93 100644
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
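Review bot: `os_auditd_write_logs: true` adds a switch that turns off the on-disk audit trail, but nothing in the defaults marks it as more than another tunable; I'd put a comment above it, `# false stops auditd writing to log_file entirely; only use this when another sink (e.g. the dispatcher) is known to carry the audit trail.` The same applies to `os_auditd_log_file`: from what is visible here the role does not create or set ownership on a custom parent directory, so an override to a path outside /var/log/audit presumably leaves auditd unable to open its log — either document that the directory must exist or add a `file` task for it; I can't see the tasks file in this hunk to confirm.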
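Review bot: `log_file = {{ os_auditd_log_file }}` renders the variable verbatim, so an empty or relative override produces a config that auditd is likely to refuse at startup, and the operator then sees a daemon failure rather than a clear role error; a guard in the task that renders this template would catch it early, e.g. `- ansible.builtin.assert:` / `    that: os_auditd_log_file is match('^/')` / `    fail_msg: os_auditd_log_file must be an absolute path`. Separately, `write_logs` is now emitted unconditionally; whether every auditd release the role still supports accepts that keyword is not something I can tell from this hunk, so please confirm it against the supported distributions before merging.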
@@ -219,6 +219,9 @@ We know that this is the case on Raspberry Pi.
 - `os_auditd_enabled`
   - Default: `true`
   - Description: Set to false to disable installing and configuring auditd.
+- `os_auditd_template`
+  - Default: `etc/audit/auditd.conf.j2`
+  - Description: Template file to use for auditd.conf. By overwriting this value, a custom auditd.conf template can be provided. Put a `templates` directory next to your playbook with a custom template in it (e.q. `myauditd.conf.j2`) and set this variable to your template.
 - `os_auditd_max_log_file_action`
   - Default: `keep_logs`
   - Description: Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`.
@@ -321,12 +324,24 @@ We know that this is the case on Raspberry Pi.
 - `os_auditd_flush`
   - Default: `INCREMENTAL`
   - Description: Valid values are none, incremental, incremental_async, data, and sync.
+- `os_auditd_freq`
+  - Default: `20`
+  - Description: Specify number of records to write before issuing an explicit flush to disk command. This value is only valid when the flush keyword is set to incremental or incremental_async.
 - `os_auditd_max_log_file`
   - Default: 6
   - Description: This keyword specifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action.
 - `os_auditd_max_log_file_action`
   - Default: `keep_logs`
   - Description: This parameter tells the system what action to take when the system has detected that the max file size limit has been reached. Valid values are ignore, syslog, suspend, rotate and keep_logs.
+- `os_auditd_write_logs`
+  - Default: `true`
+  - Description: Set to false in order to disable writing logs to disk.
+- `os_auditd_log_file`
+  - Default: `/var/log/audit/audit.log`
+  - Description: Specify the full path name to the log file where audit records will be stored. It must be a regular file.
+- `os_auditd_log_format`
+  - Default: `RAW`
+  - Description: The log format describes how the information should be stored on disk. There are 2 options: raw and enriched. If set to `RAW`, the audit records will be stored in a format exactly as the kernel sends it. The `ENRICHED` option will resolve all uid, gid, syscall, architecture, and socket address information before writing the event to disk. This aids in making sense of events created on one system but reported/analyzed on another system.
 - `os_auditd_admin_space_left`
   - Default: 50
   - Description: This is a numeric value in megabytes that tells the audit daemon when to perform a configurable action because the system is running low on disk space.
@@ -339,9 +354,6 @@ We know that this is the case on Raspberry Pi.
 - `os_auditd_action_mail_acct`
   - Default: root
   - Description: If `space_left_action` or `admin_space_left_action` are set to `email`, uses the address or alias to send the email using `/usr/lib/sendmail`. If the address or alias is not local, requires email properly configured on the machine and network.
-- `os_auditd_log_format`
-  - Default: `RAW`
-  - Description: The log format describes how the information should be stored on disk. There are 2 options: raw and enriched. If set to `RAW`, the audit records will be stored in a format exactly as the kernel sends it. The `ENRICHED` option will resolve all uid, gid, syscall, architecture, and socket address information before writing the event to disk. This aids in making sense of events created on one system but reported/analyzed on another system.
 - `os_mnt_boot_dir_mode`
   - Default: `0700`
   - Description: Set default perimissions for /boot