Merge pull request #578 from konstruktoid/auditde

add auditd_enable_flag variable
konstruktoid · Mar 15, 2024 · 8e63e18 · 8e63e18
2 parents 35dc601 + e4a45fd
commit 8e63e18
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -151,6 +151,7 @@ auditd_action_mail_acct: root
 auditd_admin_space_left_action: suspend
 auditd_disk_error_action: suspend
 auditd_disk_full_action: suspend
+auditd_enable_flag: 2
 auditd_flush: incremental_async
 auditd_max_log_file: 20
 auditd_max_log_file_action: rotate
@@ -174,6 +175,9 @@ from the included template file.
 detected that it is low on disk space. `suspend` will cause the audit daemon to
 stop writing records to the disk.
 
+`auditd_enable_flag` sets the enabled flag. If `0` is passed, temporarily disable auditing.
+`1` will enable auditing and `2` will lock the audit configuration.
+
 `auditd_flush: sync` tells the audit daemon to keep both the data and meta-data
 fully sync'd with every write to disk.
 

diff --git a/defaults/main/auditd.yml b/defaults/main/auditd.yml
@@ -6,6 +6,7 @@ auditd_action_mail_acct: root
 auditd_admin_space_left_action: suspend
 auditd_disk_error_action: suspend
 auditd_disk_full_action: suspend
+auditd_enable_flag: 2
 auditd_flush: incremental_async
 auditd_max_log_file: 20
 auditd_max_log_file_action: rotate

diff --git a/templates/etc/audit/rules.d/hardening.rules.j2 b/templates/etc/audit/rules.d/hardening.rules.j2
@@ -341,5 +341,5 @@
 -w /usr/sbin/useradd -p x -F key=user-modification
 -w /usr/sbin/usermod -p x -F key=user-modification
 
-# Put in immutable mode
--e 2
+# Set the auditd flag
+-e {{ auditd_enable_flag }}