Merge "Disable DAC change auditing"

defaults/main.yml

@@ -64,17 +64,17 @@ security_audit_clock_settime: yes                 # V-38527
 security_audit_clock_settimeofday: yes            # V-38522
 security_audit_clock_stime: yes                   # V-38525
 security_audit_DAC_chmod: no                      # V-38543
-security_audit_DAC_chown: yes                     # V-38545
-security_audit_DAC_lchown: yes                    # V-38558
+security_audit_DAC_chown: no                      # V-38545
+security_audit_DAC_lchown: no                     # V-38558
 security_audit_DAC_fchmod: no                     # V-38547
 security_audit_DAC_fchmodat: no                   # V-38550
-security_audit_DAC_fchown: yes                    # V-38552
-security_audit_DAC_fchownat: yes                  # V-38554
-security_audit_DAC_fremovexattr: yes              # V-38556
-security_audit_DAC_lremovexattr: yes              # V-38559
-security_audit_DAC_fsetxattr: yes                 # V-38557
-security_audit_DAC_lsetxattr: yes                 # V-38561
-security_audit_DAC_setxattr: yes                  # V-38565
+security_audit_DAC_fchown: no                     # V-38552
+security_audit_DAC_fchownat: no                   # V-38554
+security_audit_DAC_fremovexattr: no               # V-38556
+security_audit_DAC_lremovexattr: no               # V-38559
+security_audit_DAC_fsetxattr: no                  # V-38557
+security_audit_DAC_lsetxattr: no                  # V-38561
+security_audit_DAC_setxattr: no                   # V-38565
 security_audit_deletions: no                      # V-38575
 security_audit_failed_access: no                  # V-38566
 security_audit_filesystem_mounts: yes             # V-38568

doc/source/stig-notes/V-38545_developer.rst

@@ -1,2 +1,12 @@
-Rules are added for auditd to log discretionary access control permission
-changes done with chown.
+**Exception**
+
+The audit rules for permission changes made with ``chown`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``chown`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+   security_audit_DAC_chown: yes

doc/source/stig-notes/V-38552_developer.rst

@@ -1,2 +1,12 @@
-Rules are added for auditing discretionary access control changes
-made by fchown.
+**Exception**
+
+The audit rules for permission changes made with ``fchown`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``fchown`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+   security_audit_DAC_fchown: yes

doc/source/stig-notes/V-38554_developer.rst

@@ -1,2 +1,12 @@
-Rules are added for auditing discretionary access control changes made by
-fchownat.
+**Exception**
+
+The audit rules for permission changes made with ``fchownat`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``fchownat`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+   security_audit_DAC_fchownat: yes

doc/source/stig-notes/V-38556_developer.rst

@@ -1,2 +1,12 @@
-Rules are added for auditing discretionary access control changes made
-by ``fremovexattr``.
+**Exception**
+
+The audit rules for permission changes made with ``fremovexattr`` are disabled
+by default as they can generate an excessive amount of logs in a short period
+of time, especially during a deployment.
+
+Deployers can enable auditing for ``fremovexattr`` usage by setting the
+following Ansible variable:
+
+.. code-block:: yaml
+
+   security_audit_DAC_fremovexattr: yes

doc/source/stig-notes/V-38557_developer.rst

@@ -1,2 +1,12 @@
-Rules are added for auditing discretionary access control changes made via
-``fsetxattr``.
+**Exception**
+
+The audit rules for permission changes made with ``fsetxattr`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``fsetxattr`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+   security_audit_DAC_fsetxattr: yes

doc/source/stig-notes/V-38558_developer.rst

@@ -1,2 +1,12 @@
-Rules are added for auditing discretionary access control changes made via
-``lchown``.
+**Exception**
+
+The audit rules for permission changes made with ``lchown`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``lchown`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+   security_audit_DAC_lchown: yes

doc/source/stig-notes/V-38559_developer.rst

@@ -1,2 +1,12 @@
-Rules are added for auditing discretionary access control changes made via
-``lremovexattr``.
+**Exception**
+
+The audit rules for permission changes made with ``lremovexattr`` are disabled
+by default as they can generate an excessive amount of logs in a short period
+of time, especially during a deployment.
+
+Deployers can enable auditing for ``lremovexattr`` usage by setting the
+following Ansible variable:
+
+.. code-block:: yaml
+
+   security_audit_DAC_lremovexattr: yes

doc/source/stig-notes/V-38561_developer.rst

@@ -1,3 +1,12 @@
-Rules are added to auditd to log all DAC modifications using `lsetxattr`_.
+**Exception**
 
-.. _lsetxattr: http://linux.die.net/man/2/lsetxattr
+The audit rules for permission changes made with ``lxsetxattr`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``lsetxattr`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+   security_audit_DAC_lsetxattr: yes

doc/source/stig-notes/V-38565_developer.rst

@@ -1,4 +1,12 @@
-Rules are added so that all permission modifications made via `setxattr`_ are
-logged.
+**Exception**
 
-.. _setxattr: http://man7.org/linux/man-pages/man2/setxattr.2.html
+The audit rules for permission changes made with ``setxattr`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``lsetxattr`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+   security_audit_DAC_lsetxattr: yes

releasenotes/notes/reduce-auditd-logging-633677a74aee5481.yaml

@@ -0,0 +1,25 @@
+---
+upgrade:
+  - |
+    All of the discretionary access control (DAC) auditing is now disabled by
+    default. This reduces the amount of logs generated during deployments and
+    minor upgrades.  The following variables are now set to ``no``:
+
+    .. code-block:: yaml
+
+       security_audit_DAC_chmod: no
+       security_audit_DAC_chown: no
+       security_audit_DAC_lchown: no
+       security_audit_DAC_fchmod: no
+       security_audit_DAC_fchmodat: no
+       security_audit_DAC_fchown: no
+       security_audit_DAC_fchownat: no
+       security_audit_DAC_fremovexattr: no
+       security_audit_DAC_lremovexattr: no
+       security_audit_DAC_fsetxattr: no
+       security_audit_DAC_lsetxattr: no
+       security_audit_DAC_setxattr: no
+fixes:
+  - The auditd rules for auditing V-38568 (filesystem mounts) were incorrectly
+    labeled in the auditd logs with the key of ``export-V-38568``. They are
+    now correctly logged with the key ``filesystem_mount-V-38568``.

templates/osas-auditd.j2

@@ -193,12 +193,12 @@
 # RHEL 6 STIG V-38558
 # Audits DAC changes via lchown
 {% if ansible_architecture == 'ppc64le' %}
--a always,exit -F arch=ppc64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_modV-38558
+-a always,exit -F arch=ppc64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38558
 -a always,exit -F arch=ppc64 -S lchown -F auid=0 -k perm_mod-V-38558
 {% else %}
 -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38558
 -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod-V-38558
--a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_modV-38558
+-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38558
 -a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod-V-38558
 {% endif %}
 {% endif %}
@@ -269,13 +269,13 @@
 # RHEL 6 STIG V-38568
 # Audits filesystem mounts
 {% if ansible_architecture == 'ppc64le' %}
--a always,exit -F arch=ppc64 -S mount -F auid>=500 -F auid!=4294967295 -k export-V-38568
--a always,exit -F arch=ppc64 -S mount -F auid=0 -k export-V-38568
+-a always,exit -F arch=ppc64 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568
+-a always,exit -F arch=ppc64 -S mount -F auid=0 -k filesystem_mount-V-38568
 {% else %}
--a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export-V-38568
--a always,exit -F arch=b32 -S mount -F auid=0 -k export-V-38568
--a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export-V-38568
--a always,exit -F arch=b64 -S mount -F auid=0 -k export-V-38568
+-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568
+-a always,exit -F arch=b32 -S mount -F auid=0 -k filesystem_mount-V-38568
+-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568
+-a always,exit -F arch=b64 -S mount -F auid=0 -k filesystem_mount-V-38568
 {% endif %}
 {% endif %}