Merge "[Docs] Audit rules"

2016-11-13 22:20:52 +00:00
parent 92fac736bb 1335d0b0df
commit 18ee49c864
31 changed files with 332 additions and 93 deletions
--- a/doc/metadata/rhel7/RHEL-07-030492.rst
+++ b/doc/metadata/rhel7/RHEL-07-030492.rst
@@ -1,7 +1,13 @@
 ---
 id: RHEL-07-030492
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time an account is accessed.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_account_access: no
--- a/doc/metadata/rhel7/RHEL-07-030510.rst
+++ b/doc/metadata/rhel7/RHEL-07-030510.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030510
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``passwd`` command is
+used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_passwd_command: no
--- a/doc/metadata/rhel7/RHEL-07-030511.rst
+++ b/doc/metadata/rhel7/RHEL-07-030511.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030511
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``unix_chkpwd`` command
+is used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_unix_chkpwd: no
--- a/doc/metadata/rhel7/RHEL-07-030512.rst
+++ b/doc/metadata/rhel7/RHEL-07-030512.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030512
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``gpasswd`` command
+is used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_gpasswd: no
--- a/doc/metadata/rhel7/RHEL-07-030513.rst
+++ b/doc/metadata/rhel7/RHEL-07-030513.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030513
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``chage`` command
+is used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_chage: no
--- a/doc/metadata/rhel7/RHEL-07-030514.rst
+++ b/doc/metadata/rhel7/RHEL-07-030514.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030514
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``userhelper`` command
+is used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_userhelper: no
--- a/doc/metadata/rhel7/RHEL-07-030521.rst
+++ b/doc/metadata/rhel7/RHEL-07-030521.rst
@@ -1,7 +1,13 @@
 ---
 id: RHEL-07-030521
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``su`` command is used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_su: no
--- a/doc/metadata/rhel7/RHEL-07-030522.rst
+++ b/doc/metadata/rhel7/RHEL-07-030522.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030522
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``sudo`` command is
+used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_sudo: no
--- a/doc/metadata/rhel7/RHEL-07-030523.rst
+++ b/doc/metadata/rhel7/RHEL-07-030523.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030523
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time a user manages the
+configuration files for ``sudo``.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_sudo_config_changes: no
--- a/doc/metadata/rhel7/RHEL-07-030524.rst
+++ b/doc/metadata/rhel7/RHEL-07-030524.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030524
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``newgrp`` command is
+used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_newgrp: no
--- a/doc/metadata/rhel7/RHEL-07-030525.rst
+++ b/doc/metadata/rhel7/RHEL-07-030525.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030525
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``chsh`` command is
+used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_chsh: no
--- a/doc/metadata/rhel7/RHEL-07-030526.rst
+++ b/doc/metadata/rhel7/RHEL-07-030526.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030526
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``sudoedit`` command is
+used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_sudoedit: no
--- a/doc/metadata/rhel7/RHEL-07-030530.rst
+++ b/doc/metadata/rhel7/RHEL-07-030530.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030530
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``mount`` command is
+used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_mount: no
--- a/doc/metadata/rhel7/RHEL-07-030531.rst
+++ b/doc/metadata/rhel7/RHEL-07-030531.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030531
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``umount`` command is
+used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_umount: no
--- a/doc/metadata/rhel7/RHEL-07-030540.rst
+++ b/doc/metadata/rhel7/RHEL-07-030540.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030540
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``postdrop`` command is
+used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_postdrop: no
--- a/doc/metadata/rhel7/RHEL-07-030541.rst
+++ b/doc/metadata/rhel7/RHEL-07-030541.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030541
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``postqueue`` command is
+used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_postqueue: no
--- a/doc/metadata/rhel7/RHEL-07-030550.rst
+++ b/doc/metadata/rhel7/RHEL-07-030550.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030550
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``ssh-keysign`` command
+is used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_ssh_keysign: no
--- a/doc/metadata/rhel7/RHEL-07-030560.rst
+++ b/doc/metadata/rhel7/RHEL-07-030560.rst
@@ -1,7 +1,18 @@
 ---
 id: RHEL-07-030560
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``pt_chown`` command
+is used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_pt_chown: no
+
+.. note::
+
+    No action is taken on Ubuntu 16.04 because ``pt_chown`` is not available.
--- a/doc/metadata/rhel7/RHEL-07-030561.rst
+++ b/doc/metadata/rhel7/RHEL-07-030561.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030561
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``crontab`` command
+is used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_crontab: no
--- a/doc/metadata/rhel7/RHEL-07-030630.rst
+++ b/doc/metadata/rhel7/RHEL-07-030630.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030630
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``pam_timestamp_check``
+command is used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_pam_timestamp_check: no
--- a/doc/metadata/rhel7/RHEL-07-030670.rst
+++ b/doc/metadata/rhel7/RHEL-07-030670.rst
@@ -1,7 +1,16 @@
 ---
 id: RHEL-07-030670
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``init_module`` command
+is used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_init_module: no
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.
--- a/doc/metadata/rhel7/RHEL-07-030671.rst
+++ b/doc/metadata/rhel7/RHEL-07-030671.rst
@@ -1,7 +1,16 @@
 ---
 id: RHEL-07-030671
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``delete_module``
+command is used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_delete_module: no
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.
--- a/doc/metadata/rhel7/RHEL-07-030672.rst
+++ b/doc/metadata/rhel7/RHEL-07-030672.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030672
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``insmod`` command is
+used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_insmod: no
--- a/doc/metadata/rhel7/RHEL-07-030673.rst
+++ b/doc/metadata/rhel7/RHEL-07-030673.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030673
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``rmmod`` command is
+used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_rmmod: no
--- a/doc/metadata/rhel7/RHEL-07-030674.rst
+++ b/doc/metadata/rhel7/RHEL-07-030674.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030674
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``modprobe`` command is
+used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_modprobe: no
--- a/doc/metadata/rhel7/RHEL-07-030710.rst
+++ b/doc/metadata/rhel7/RHEL-07-030710.rst
@@ -1,7 +1,20 @@
 ---
 id: RHEL-07-030710
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time that an account is modified.
+This includes changes to the following files:
+
+* ``/etc/group``
+* ``/etc/passwd``
+* ``/etc/gshadow``
+* ``/etc/shadow``
+* ``/etc/security/opasswd``
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_account_actions: no
--- a/doc/metadata/rhel7/RHEL-07-030750.rst
+++ b/doc/metadata/rhel7/RHEL-07-030750.rst
@@ -1,7 +1,16 @@
 ---
 id: RHEL-07-030750
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``rename`` command is
+used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_rename: no
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.
--- a/doc/metadata/rhel7/RHEL-07-030751.rst
+++ b/doc/metadata/rhel7/RHEL-07-030751.rst
@@ -1,7 +1,16 @@
 ---
 id: RHEL-07-030751
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``renameat`` command is
+used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_renameat: no
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.
--- a/doc/metadata/rhel7/RHEL-07-030752.rst
+++ b/doc/metadata/rhel7/RHEL-07-030752.rst
@@ -1,7 +1,16 @@
 ---
 id: RHEL-07-030752
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``rmdir`` command is
+used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_rmdir: no
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.
--- a/doc/metadata/rhel7/RHEL-07-030753.rst
+++ b/doc/metadata/rhel7/RHEL-07-030753.rst
@@ -1,7 +1,16 @@
 ---
 id: RHEL-07-030753
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``unlink`` command is
+used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_unlink: no
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.
--- a/doc/metadata/rhel7/RHEL-07-030754.rst
+++ b/doc/metadata/rhel7/RHEL-07-030754.rst
@@ -1,7 +1,16 @@
 ---
 id: RHEL-07-030754
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``unlinkat`` command is
+used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_unlinkat: no
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.