resource_registry: # FIXME(bogdando): switch it, once it is containerized OS::TripleO::Services::AuditD: ../puppet/services/auditd.yaml parameter_defaults: AuditdRules: 'Record attempts to alter time through adjtimex': content: '-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules' order : 1 'Record attempts to alter time through settimeofday': content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules' order : 2 'Record Attempts to Alter Time Through stime': content: '-a always,exit -F arch=b64 -S stime -k audit_time_rules' order : 3 'Record Attempts to Alter Time Through clock_settime': content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules' order : 4 'Record Attempts to Alter the localtime File': content: '-w /etc/localtime -p wa -k audit_time_rules' order : 5 'Record Events that Modify the Systems Discretionary Access Controls - chmod': content: '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod' order : 5 'Record Events that Modify the Systems Discretionary Access Controls - chown': content: '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod' order : 6 'Record Events that Modify the Systems Discretionary Access Controls - fchmod': content: '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod' order : 7 'Record Events that Modify the Systems Discretionary Access Controls - fchmodat': content: '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' order : 8 'Record Events that Modify the Systems Discretionary Access Controls - fchown': content: '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' order : 9 'Record Events that Modify the Systems Discretionary Access Controls - fchownat': content: '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod' order : 10 'Record Events that Modify the Systems Discretionary Access Controls - fremovexattr': content: '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' order : 11 'Record Events that Modify the Systems Discretionary Access Controls - fsetxattr': content: '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' order : 12 'Record Events that Modify the Systems Discretionary Access Controls - lchown': content: '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' order : 13 'Record Events that Modify the Systems Discretionary Access Controls - lremovexattr': content: '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' order : 14 'Record Events that Modify the Systems Discretionary Access Controls - lsetxattr': content: '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' order : 15 'Record Events that Modify the Systems Discretionary Access Controls - removexattr': content: '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' order : 16 'Record Events that Modify the Systems Discretionary Access Controls - setxattr': content: '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' order : 17 'Record Events that Modify User/Group Information - /etc/group': content: '-w /etc/group -p wa -k audit_rules_usergroup_modification' order : 18 'Record Events that Modify User/Group Information - /etc/passwd': content: '-w /etc/passwd -p wa -k audit_rules_usergroup_modification' order : 19 'Record Events that Modify User/Group Information - /etc/gshadow': content: '-w /etc/gshadow -p wa -k audit_rules_usergroup_modification' order : 20 'Record Events that Modify User/Group Information - /etc/shadow': content: '-w /etc/shadow -p wa -k audit_rules_usergroup_modification' order : 21 'Record Events that Modify User/Group Information - /etc/opasswd': content: '-w /etc/opasswd -p wa -k audit_rules_usergroup_modification' order : 22 'Record Events that Modify the Systems Network Environment - sethostname / setdomainname': content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification' order : 23 'Record Events that Modify the Systems Network Environment - /etc/issue': content: '-w /etc/issue -p wa -k audit_rules_networkconfig_modification' order : 24 'Record Events that Modify the Systems Network Environment - /etc/issue.net': content: '-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification' order : 25 'Record Events that Modify the Systems Network Environment - /etc/hosts': content: '-w /etc/hosts -p wa -k audit_rules_networkconfig_modification' order : 26 'Record Events that Modify the Systems Network Environment - /etc/sysconfig/network': content: '-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification' order : 27 'Record Events that Modify the Systems Mandatory Access Controls': content: '-w /etc/selinux/ -p wa -k MAC-policy' order : 28 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EACCES)': content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' order : 29 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EPERM)': content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' order : 30 'Ensure auditd Collects Information on the Use of Privileged Commands': content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged' order : 31 'Ensure auditd Collects Information on Exporting to Media (successful)': content: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export' order : 32 'Ensure auditd Collects File Deletion Events by User': content: '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' order : 33 'Ensure auditd Collects System Administrator Actions': content: '-w /etc/sudoers -p wa -k actions' order : 34 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (insmod)': content: '-w /usr/sbin/insmod -p x -k modules' order : 35 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (rmmod)': content: '-w /usr/sbin/rmmod -p x -k modules' order : 36 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (modprobe)': content: '-w /usr/sbin/modprobe -p x -k modules' order : 37