diff --git a/defaults/main.yml b/defaults/main.yml
index 02aaaa77..52d56ed2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -59,17 +59,17 @@ security_audit_clock_settime: yes # V-38527
 security_audit_clock_settimeofday: yes # V-38522
 security_audit_clock_stime: yes # V-38525
 security_audit_DAC_chmod: no # V-38543
-security_audit_DAC_chown: yes # V-38545
-security_audit_DAC_lchown: yes # V-38558
+security_audit_DAC_chown: no # V-38545
+security_audit_DAC_lchown: no # V-38558
 security_audit_DAC_fchmod: no # V-38547
 security_audit_DAC_fchmodat: no # V-38550
-security_audit_DAC_fchown: yes # V-38552
-security_audit_DAC_fchownat: yes # V-38554
-security_audit_DAC_fremovexattr: yes # V-38556
-security_audit_DAC_lremovexattr: yes # V-38559
-security_audit_DAC_fsetxattr: yes # V-38557
-security_audit_DAC_lsetxattr: yes # V-38561
-security_audit_DAC_setxattr: yes # V-38565
+security_audit_DAC_fchown: no # V-38552
+security_audit_DAC_fchownat: no # V-38554
+security_audit_DAC_fremovexattr: no # V-38556
+security_audit_DAC_lremovexattr: no # V-38559
+security_audit_DAC_fsetxattr: no # V-38557
+security_audit_DAC_lsetxattr: no # V-38561
+security_audit_DAC_setxattr: no # V-38565
 security_audit_deletions: no # V-38575
 security_audit_failed_access: no # V-38566
 security_audit_filesystem_mounts: yes # V-38568
diff --git a/doc/source/developer-notes/V-38545.rst b/doc/source/developer-notes/V-38545.rst
index ec742e13..e5ae1a96 100644
--- a/doc/source/developer-notes/V-38545.rst
+++ b/doc/source/developer-notes/V-38545.rst
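Review bot: The nine `yes` → `no` flips in this hunk carry no inline explanation, so a deployer reading defaults/main.yml sees STIG-numbered audit controls that are off without knowing why or what coverage is lost; a comment above the first `security_audit_DAC_*` line would close that gap, e.g. `# DAC auditing is off by default to limit auditd log volume during deployments; set a variable to yes to restore that STIG control`. The only written justification is in the developer notes added later in this diff, and the note for V-38565 tells deployers to set `security_audit_DAC_lsetxattr: yes` where `security_audit_DAC_setxattr: yes` is meant, so following it re-enables a different rule than the one V-38565 covers (the V-38561 note also misspells the syscall as ``lxsetxattr``). The release note lists `security_audit_DAC_chmod`, `security_audit_DAC_fchmod` and `security_audit_DAC_fchmodat` among variables "now set to no", but the context lines here show they were already `no` before this change, so that list overstates what the commit alters.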
@@ -1,2 +1,12 @@ -Rules are added for auditd to log discretionary access control permission -changes done with chown. +**Exception** + +The audit rules for permission changes made with ``chown`` are disabled by +default as they can generate an excessive amount of logs in a short period of +time, especially during a deployment. + +Deployers can enable auditing for ``chown`` usage by setting the following +Ansible variable: + +.. code-block:: yaml + + security_audit_DAC_chown: yes diff --git a/doc/source/developer-notes/V-38552.rst b/doc/source/developer-notes/V-38552.rst index 363ed3ab..7d722fb6 100644 --- a/doc/source/developer-notes/V-38552.rst +++ b/doc/source/developer-notes/V-38552.rst @@ -1,2 +1,12 @@ -Rules are added for auditing discretionary access control changes -made by fchown. +**Exception** + +The audit rules for permission changes made with ``fchown`` are disabled by +default as they can generate an excessive amount of logs in a short period of +time, especially during a deployment. + +Deployers can enable auditing for ``fchown`` usage by setting the following +Ansible variable: + +.. code-block:: yaml + + security_audit_DAC_fchown: yes diff --git a/doc/source/developer-notes/V-38554.rst b/doc/source/developer-notes/V-38554.rst index 14c0ac2b..e8a4a6ad 100644 --- a/doc/source/developer-notes/V-38554.rst +++ b/doc/source/developer-notes/V-38554.rst @@ -1,2 +1,12 @@ -Rules are added for auditing discretionary access control changes made by -fchownat. +**Exception** + +The audit rules for permission changes made with ``fchownat`` are disabled by +default as they can generate an excessive amount of logs in a short period of +time, especially during a deployment. + +Deployers can enable auditing for ``fchownat`` usage by setting the following +Ansible variable: + +.. code-block:: yaml + + security_audit_DAC_fchownat: yes diff --git a/doc/source/developer-notes/V-38556.rst b/doc/source/developer-notes/V-38556.rst index 0f01a145..deae7093 100644 
--- a/doc/source/developer-notes/V-38556.rst +++ b/doc/source/developer-notes/V-38556.rst @@ -1,2 +1,12 @@ -Rules are added for auditing discretionary access control changes made -by ``fremovexattr``. +**Exception** + +The audit rules for permission changes made with ``fremovexattr`` are disabled +by default as they can generate an excessive amount of logs in a short period +of time, especially during a deployment. + +Deployers can enable auditing for ``fremovexattr`` usage by setting the +following Ansible variable: + +.. code-block:: yaml + + security_audit_DAC_fremovexattr: yes diff --git a/doc/source/developer-notes/V-38557.rst b/doc/source/developer-notes/V-38557.rst index 723f4466..a264edfa 100644 --- a/doc/source/developer-notes/V-38557.rst +++ b/doc/source/developer-notes/V-38557.rst @@ -1,2 +1,12 @@ -Rules are added for auditing discretionary access control changes made via -``fsetxattr``. +**Exception** + +The audit rules for permission changes made with ``fsetxattr`` are disabled by +default as they can generate an excessive amount of logs in a short period of +time, especially during a deployment. + +Deployers can enable auditing for ``fsetxattr`` usage by setting the following +Ansible variable: + +.. code-block:: yaml + + security_audit_DAC_fsetxattr: yes diff --git a/doc/source/developer-notes/V-38558.rst b/doc/source/developer-notes/V-38558.rst index e58996c9..1143b17b 100644 --- a/doc/source/developer-notes/V-38558.rst +++ b/doc/source/developer-notes/V-38558.rst @@ -1,2 +1,12 @@ -Rules are added for auditing discretionary access control changes made via -``lchown``. +**Exception** + +The audit rules for permission changes made with ``lchown`` are disabled by +default as they can generate an excessive amount of logs in a short period of +time, especially during a deployment. + +Deployers can enable auditing for ``lchown`` usage by setting the following +Ansible variable: + +.. code-block:: yaml + + security_audit_DAC_lchown: yes 
diff --git a/doc/source/developer-notes/V-38559.rst b/doc/source/developer-notes/V-38559.rst index 540899ed..70e98861 100644 --- a/doc/source/developer-notes/V-38559.rst +++ b/doc/source/developer-notes/V-38559.rst @@ -1,2 +1,12 @@ -Rules are added for auditing discretionary access control changes made via -``lremovexattr``. +**Exception** + +The audit rules for permission changes made with ``lremovexattr`` are disabled +by default as they can generate an excessive amount of logs in a short period +of time, especially during a deployment. + +Deployers can enable auditing for ``lremovexattr`` usage by setting the +following Ansible variable: + +.. code-block:: yaml + + security_audit_DAC_lremovexattr: yes diff --git a/doc/source/developer-notes/V-38561.rst b/doc/source/developer-notes/V-38561.rst index 62d92c26..0b995aa6 100644 --- a/doc/source/developer-notes/V-38561.rst +++ b/doc/source/developer-notes/V-38561.rst @@ -1,3 +1,12 @@ -Rules are added to auditd to log all DAC modifications using `lsetxattr`_. +**Exception** -.. _lsetxattr: http://linux.die.net/man/2/lsetxattr +The audit rules for permission changes made with ``lxsetxattr`` are disabled by +default as they can generate an excessive amount of logs in a short period of +time, especially during a deployment. + +Deployers can enable auditing for ``lsetxattr`` usage by setting the following +Ansible variable: + +.. code-block:: yaml + + security_audit_DAC_lsetxattr: yes diff --git a/doc/source/developer-notes/V-38565.rst b/doc/source/developer-notes/V-38565.rst index 6e6694f5..f67ccfaf 100644 --- a/doc/source/developer-notes/V-38565.rst +++ b/doc/source/developer-notes/V-38565.rst 
@@ -1,4 +1,12 @@ -Rules are added so that all permission modifications made via `setxattr`_ are -logged. +**Exception** -.. _setxattr: http://man7.org/linux/man-pages/man2/setxattr.2.html +The audit rules for permission changes made with ``setxattr`` are disabled by +default as they can generate an excessive amount of logs in a short period of +time, especially during a deployment. + +Deployers can enable auditing for ``lsetxattr`` usage by setting the following +Ansible variable: + +.. code-block:: yaml + + security_audit_DAC_lsetxattr: yes diff --git a/releasenotes/notes/reduce-auditd-logging-633677a74aee5481.yaml b/releasenotes/notes/reduce-auditd-logging-633677a74aee5481.yaml new file mode 100644 index 00000000..eac68638 --- /dev/null +++ b/releasenotes/notes/reduce-auditd-logging-633677a74aee5481.yaml @@ -0,0 +1,25 @@ +--- +upgrade: + - | + All of the discretionary access control (DAC) auditing is now disabled by + default. This reduces the amount of logs generated during deployments and + minor upgrades. The following variables are now set to ``no``: + + .. code-block:: yaml + + security_audit_DAC_chmod: no + security_audit_DAC_chown: no + security_audit_DAC_lchown: no + security_audit_DAC_fchmod: no + security_audit_DAC_fchmodat: no + security_audit_DAC_fchown: no + security_audit_DAC_fchownat: no + security_audit_DAC_fremovexattr: no + security_audit_DAC_lremovexattr: no + security_audit_DAC_fsetxattr: no + security_audit_DAC_lsetxattr: no + security_audit_DAC_setxattr: no +fixes: + - The auditd rules for auditing V-38568 (filesystem mounts) were incorrectly + labeled in the auditd logs with the key of ``export-V-38568``. They are + now correctly logged with the key ``filesystem_mount-V-38568``. diff --git a/templates/osas-auditd.j2 b/templates/osas-auditd.j2 index 2559fe9e..9d3cd9cd 100644 --- a/templates/osas-auditd.j2 +++ b/templates/osas-auditd.j2 
@@ -177,10 +177,10 @@
 {% if security_audit_filesystem_mounts | bool %}
 # RHEL 6 STIG V-38568
 # Audits filesystem mounts
--a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export-V-38568
--a always,exit -F arch=b32 -S mount -F auid=0 -k export-V-38568
--a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export-V-38568
--a always,exit -F arch=b64 -S mount -F auid=0 -k export-V-38568
+-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568
+-a always,exit -F arch=b32 -S mount -F auid=0 -k filesystem_mount-V-38568
+-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568
+-a always,exit -F arch=b64 -S mount -F auid=0 -k filesystem_mount-V-38568
 {% endif %}
 
 {% if security_audit_deletions | bool %}
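Review bot: Any ausearch invocation, log-forwarding filter or detection rule that matches on the key `export-V-38568` will silently stop seeing mount events once these four rules carry `filesystem_mount-V-38568`, and nothing in the template tells an operator that the key changed. The release note records the rename, but a comment beside the rules is what someone grepping the deployed rules file will find, e.g. `# Key renamed from export-V-38568; update ausearch/SIEM filters that match on the old key`. The `{% if %}` block is fully contained in this hunk.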