Enable auditd and config it according to CIS DIL Benchmark #139

Closed
wants to merge 36 commits into from
36 commits
c5d16f5
WIP.
timstoop Jun 11, 2018
64045da
Hopefully fix the regex escaping.
timstoop Jun 11, 2018
2be8147
Fix service and dependencies.
timstoop Jun 11, 2018
7ad580f
Add actual command we want to use.
timstoop Jun 11, 2018
588c434
Update grub config.
timstoop Jun 11, 2018
b33440f
Add CIS DIL 4.1.4.
timstoop Jun 11, 2018
9e0f858
Fix typo.
timstoop Jun 11, 2018
d329290
Another typo.
timstoop Jun 11, 2018
7e6d2a2
Use correct files.
timstoop Jun 11, 2018
d769aec
CIS DIL Benchmark 4.1.5
timstoop Jun 11, 2018
99a8ed5
Write to the correct path.
timstoop Jun 11, 2018
8176485
Ensure the file exists.
timstoop Jun 11, 2018
c45abf5
Add CIS DIL Benchmark 4.1.6.
timstoop Jun 11, 2018
7d59769
Use a resource...
timstoop Jun 11, 2018
e8fca59
Add CIS DIL 4.1.7, optionally.
timstoop Jun 11, 2018
7afa0a8
CIS DIL Benchmark 4.1.8 added.
timstoop Jun 11, 2018
3ceb6cc
CIS DIL Benchmark 4.1.9 added.
timstoop Jun 11, 2018
695c082
Make auditd optional.
timstoop Jun 12, 2018
cdddd7f
CIS DIL Benchmark 4.1.10.
timstoop Jun 12, 2018
a6780c8
Use correct non-system-users range.
timstoop Jun 12, 2018
51081fc
Add CIS DIL Benchmark 4.1.11.
timstoop Jun 12, 2018
cdb8b26
CIS DIL Benchmark 4.1.12.
timstoop Jun 12, 2018
b65d6db
Bring rule more in line with spec.
timstoop Jun 12, 2018
3c84b59
CIS DIL Benchmark 4.1.13.
timstoop Jun 12, 2018
a6fac3f
CIS DIL Benchmark 4.1.14.
timstoop Jun 12, 2018
358e72c
CIS DIL Benchmark 4.1.15.
timstoop Jun 12, 2018
b714113
CIS DIL Benchmark 4.1.16.
timstoop Jun 12, 2018
c6c89c3
CIS DIL Benchmark 4.1.17.
timstoop Jun 12, 2018
91787f8
CIS DIL Benchmark 4.1.18.
timstoop Jun 12, 2018
aec8266
CIS DIL Benchmark 4.1.18, notify auditd.
timstoop Jun 12, 2018
6070f3f
Make sure package is installed before we do anything with it.
timstoop Jun 22, 2018
7e98d29
Merge branch 'upstream' into cis-dil-benchmark-auditd
timstoop Jun 26, 2018
298c7fe
Add documentation.
timstoop Jun 26, 2018
b1bcdc4
Merge branch 'upstream' into cis-dil-benchmark-auditd
timstoop Aug 15, 2018
9f2147f
Merge branch 'upstream' into cis-dil-benchmark-auditd
timstoop Aug 19, 2018
3bd78cd
Make our module revertable, as requested.
timstoop Aug 19, 2018
12 changes: 12 additions & 0 deletions README.md
@@ -110,6 +110,18 @@ Otherwise puppet will drop an error (duplicate resource)!
`true` if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Puppet run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
* `dry_run_on_unknown = false`
like `remove_from_unknown` above, only that SUID/SGID bits aren't removed. It will still search the filesystems to look for SUID/SGID bits but it will only print them in your log. This option is only ever recommended, when you first configure `remove_from_unknown` for SUID/SGID bits, so that you can see the files that are being changed and make adjustments to your `whitelist` and `blacklist`.
* `enable_auditd = false`
when auditd should be managed by this module, set this to true, **after deploying this, a reboot is required to affectuate it!**
* `auditd_max_log_file = 8`
when auditd handling by the module is enabled, this will make sure that at most 8MB of log files are on disk, when the action `rotate` is chosen for `auditd_max_log_files_action`
* `auditd_max_log_file_action = 'rotate'`
this option controls how auditd should handle old log files, valid options are `rotate`, `ignore`, `syslog`, `suspend` and `keep_logs`, if full CIS DIL Benchmark compliance is required, this needs to be set to `keep_logs` and another system of rotation needs to be set up (after the logs have been sent to a remote server)
* `apparmor_in_use = false`
this needs to be set to true if apparmor is in use, to make sure the profiles are monitored for changes
* `selinux_in_use = false`
this needs to be set to true if selinux is in use, to make sure the profiles are monitored for changes
* `privileged_binaries = []`
add all your privileged binaries to this array to monitor usage of them, get a list with `find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f` and replace <partition> with a partitions that can be used to execute binaries
* `unwanted_packages = []`
packages that should be removed from the system
* `wanted_packages = []`
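Review bot: the option name referenced in the `auditd_max_log_file` entry does not match the option documented two lines below: the text says "when the action `rotate` is chosen for `auditd_max_log_files_action`", but the documented parameter is `auditd_max_log_file_action`; fix the reference so a reader does not set a key the module never reads. The same entry's "at most 8MB of log files are on disk" also overstates what auditd's `max_log_file` controls: it is the size at which a single log file triggers the configured action, so under `rotate` the total kept on disk is that size multiplied by the number of rotated files; "log files are rotated once they reach 8MB" would be accurate. Minor wording: "affectuate" in the `enable_auditd` entry should be "take effect", and "replace <partition> with a partitions" in the `privileged_binaries` entry should read "replace <partition> with a partition".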