
gibbs/puppet-auditd


auditd


Overview

This module installs, configures and manages the Linux Audit daemon (auditd) and optionally the dispatcher (audisp) for older auditd versions.

No default rules are provided. See the Reference file for all options.

Usage

Including auditd and using the defaults will:

  • Install the audit daemon package
  • Configure and manage /etc/audit/auditd.conf with mostly default settings
  • Replace all suspend/halt actions with rotate/syslog to prevent unexpected availability issues
  • Manage /etc/audit/rules.d/audit.rules
  • Enable and manage the auditd service

include auditd

Configuration

The auditd::config parameter is used to configure the auditd.conf file:

  • By default actions use rotate/syslog instead of suspend/halt
  • Key names are based on documented settings in man auditd.conf

Rules

The auditd::rule define is used to create and manage auditd rules.

auditd::rule { 'insmod':
  content => '-w /sbin/insmod -p x -k modules',
  order   => 10,
}

auditd::rule { '-w /var/run/utmp -p wa -k session': }

A hash can also be passed to the main auditd class with the rules parameter:

class { 'auditd':
  rules => {
    insmod => {
      content => '-w /sbin/insmod -p x -k modules',
      order   => 10,
    },
    sudoers_changes => {
      content => '-w /etc/sudoers -p wa -k scope',
      order   => 50,
    },
  },
}

With Hiera:

auditd::rules:
  insmod:
    content: -w /sbin/insmod -p x -k modules
    order: 10
  sudoers_changes:
    content: -w /etc/sudoers -p wa -k scope
    order: 50
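The following profile class is an added example, not code from the gibbs/puppet-auditd module: it combines the auditd::config hash with an ordered rules hash. It assumes that config keys are written to auditd.conf verbatim (the key names come from man auditd.conf) and that rule fragments are concatenated into audit.rules in ascending order.

```puppet
# Added example (not part of the gibbs/puppet-auditd module): one profile class
# that wires the config and rules parameters of the auditd class together.
# Assumptions: config keys pass through to auditd.conf unchanged, and rule
# fragments are written to audit.rules sorted by ascending 'order'.
class profile::auditd {
  class { 'auditd':
    config => {
      # Keep logs on the host and rotate them; never suspend or halt the box.
      log_file                => '/var/log/audit/audit.log',
      num_logs                => 10,
      max_log_file            => 50,   # MB per file before rotation
      max_log_file_action     => 'rotate',
      space_left_action       => 'syslog',
      admin_space_left_action => 'syslog',
      disk_full_action        => 'syslog',
      disk_error_action       => 'syslog',
      flush                   => 'incremental_async',
      freq                    => 50,
    },
    rules  => {
      # Lowest order: clear old rules and size the backlog before any watch loads.
      'reset'           => { content => '-D',      order => 1 },
      'backlog'         => { content => '-b 8192', order => 2 },
      'failure_mode'    => { content => '-f 1',    order => 3 },
      # Identity and privilege boundary files.
      'passwd'          => { content => '-w /etc/passwd -p wa -k identity',   order => 20 },
      'shadow'          => { content => '-w /etc/shadow -p wa -k identity',   order => 21 },
      'sudoers'         => { content => '-w /etc/sudoers -p wa -k scope',     order => 22 },
      'sudoers_d'       => { content => '-w /etc/sudoers.d/ -p wa -k scope',  order => 23 },
      # Kernel module loading: the README's watch plus the underlying syscalls.
      'insmod'          => { content => '-w /sbin/insmod -p x -k modules',    order => 30 },
      'module_syscalls' => { content => '-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules', order => 31 },
      # Changes to the audit configuration itself.
      'audit_config'    => { content => '-w /etc/audit/ -p wa -k auditconfig', order => 40 },
      # Highest order: lock the rule set last, so nothing after it can be altered at runtime.
      'immutable'       => { content => '-e 2', order => 9999 },
    },
  }
}
```

Once `-e 2` has been loaded, the kernel refuses further rule changes until the next reboot, so a later Puppet run that alters a rule will fail to reload it; add the immutable rule only when the rule set is stable.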

Plugins

The auditd::plugin define is used to create and manage auditd plugin files.

auditd::plugin { 'clickhouse':
  active    => 'yes',
  direction => 'out',
  path      => '/usr/libexec/auditd-plugin-clickhouse',
  type      => 'always',
  args      => '/etc/audit/auditd-clickhouse.conf',
  format    => 'string',
}

A hash can also be passed to the main auditd class with the plugins parameter:

class { 'auditd':
  plugins => {
    auoms => {
      active    => 'no',
      direction => 'out',
      path      => '/opt/microsoft/auoms/bin/auomscollect',
    },
  },
}

With Hiera:

auditd::plugins:
  clickhouse:
    active: 'yes'
    direction: 'out'
    path: /usr/libexec/auditd-plugin-clickhouse
    args: /etc/audit/auditd-clickhouse.conf

Dispatcher

The auditd::audisp class can be used to manage the dispatcher for version 2. Using this class on more recent auditd versions (v3) is not necessary and is equivalent to:

package { 'audispd-plugins':
  ensure => 'installed',
}

In v3 audisp settings can be part of auditd::config. For v2 use auditd::audisp:

class { 'auditd::audisp':
  config => {
    q_depth     => 250,
    name_format => 'hostname',
  },
}

With Hiera:

auditd::audisp::config:
  q_depth: 250
  overflow_action: syslog
  priority_boost: 4
  max_restarts: 10
  name_format: hostname
  plugin_dir: /etc/audisp/plugins.d/

audisp plugins

The auditd::plugin define can be used to manage audisp plugins by setting plugin_type to audisp:

auditd::plugin { 'syslog':
  active      => 'yes',
  direction   => 'out',
  path        => '/sbin/audisp-syslog',
  type        => 'always',
  args        => 'LOG_INFO',
  format      => 'string',
  plugin_type => 'audisp',
}

Limitations

The RefuseManualStop systemd unit option has been set to no to allow for easier upgrades and management. See auditd.service and RefuseManualStop for a discussion on this subject.

Configuration files distributed via audispd-plugins are not currently managed.

This module has been tested primarily on Debian family distributions.