tripleo-heat-templates/environments/auditd.yaml

resource_registry:
  OS::TripleO::Services::AuditD: ../deployment/auditd/auditd-baremetal-puppet.yaml

parameter_defaults:
  AuditdRules:
    'Record attempts to alter time through adjtimex':
      content: '-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules'
      order  : 1
    'Record attempts to alter time through settimeofday':
      content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules'
      order  : 2
    'Record Attempts to Alter Time Through stime':
      content: '-a always,exit -F arch=b64 -S stime -k audit_time_rules'
      order  : 3
    'Record Attempts to Alter Time Through clock_settime':
      content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules'
      order  : 4
    'Record Attempts to Alter the localtime File':
      content: '-w /etc/localtime -p wa -k audit_time_rules'
      order  : 5
    'Record Events that Modify the Systems Discretionary Access Controls - chmod':
      content: '-a always,exit -F arch=b64 -S chmod  -F auid>=1000 -F auid!=4294967295 -k perm_mod'
      order  : 5
    'Record Events that Modify the Systems Discretionary Access Controls - chown':
      content: '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
      order  : 6
    'Record Events that Modify the Systems Discretionary Access Controls - fchmod':
      content: '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
      order  : 7
    'Record Events that Modify the Systems Discretionary Access Controls - fchmodat':
      content: '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
      order  : 8
    'Record Events that Modify the Systems Discretionary Access Controls - fchown':
      content: '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
      order  : 9
    'Record Events that Modify the Systems Discretionary Access Controls - fchownat':
      content: '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
      order  : 10
    'Record Events that Modify the Systems Discretionary Access Controls - fremovexattr':
      content: '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
      order  : 11
    'Record Events that Modify the Systems Discretionary Access Controls - fsetxattr':
      content: '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
      order  : 12
    'Record Events that Modify the Systems Discretionary Access Controls - lchown':
      content: '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
      order  : 13
    'Record Events that Modify the Systems Discretionary Access Controls - lremovexattr':
      content: '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
      order  : 14
    'Record Events that Modify the Systems Discretionary Access Controls - lsetxattr':
      content: '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
      order  : 15
    'Record Events that Modify the Systems Discretionary Access Controls - removexattr':
      content: '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
      order  : 16
    'Record Events that Modify the Systems Discretionary Access Controls - setxattr':
      content: '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
      order  : 17
    'Record Events that Modify User/Group Information - /etc/group':
      content: '-w /etc/group -p wa -k audit_rules_usergroup_modification'
      order  : 18
    'Record Events that Modify User/Group Information - /etc/passwd':
      content: '-w /etc/passwd -p wa -k audit_rules_usergroup_modification'
      order  : 19
    'Record Events that Modify User/Group Information - /etc/gshadow':
      content: '-w /etc/gshadow -p wa -k audit_rules_usergroup_modification'
      order  : 20
    'Record Events that Modify User/Group Information - /etc/shadow':
      content: '-w /etc/shadow -p wa -k audit_rules_usergroup_modification'
      order  : 21
    'Record Events that Modify User/Group Information - /etc/opasswd':
      content: '-w /etc/opasswd -p wa -k audit_rules_usergroup_modification'
      order  : 22
    'Record Events that Modify the Systems Network Environment - sethostname / setdomainname':
      content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification'
      order  : 23
    'Record Events that Modify the Systems Network Environment - /etc/issue':
      content: '-w /etc/issue -p wa -k audit_rules_networkconfig_modification'
      order  : 24
    'Record Events that Modify the Systems Network Environment - /etc/issue.net':
      content: '-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification'
      order  : 25
    'Record Events that Modify the Systems Network Environment - /etc/hosts':
      content: '-w /etc/hosts -p wa -k audit_rules_networkconfig_modification'
      order  : 26
    'Record Events that Modify the Systems Network Environment - /etc/sysconfig/network':
      content: '-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification'
      order  : 27
    'Record Events that Modify the Systems Mandatory Access Controls':
      content: '-w /etc/selinux/ -p wa -k MAC-policy'
      order  : 28
    'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EACCES)':
      content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
      order  : 29
    'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EPERM)':
      content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
      order  : 30
    'Ensure auditd Collects Information on the Use of Privileged Commands':
      content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged'
      order  : 31
    'Ensure auditd Collects Information on Exporting to Media (successful)':
      content: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export'
      order  : 32
    'Ensure auditd Collects File Deletion Events by User':
      content: '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
      order  : 33
    'Ensure auditd Collects System Administrator Actions':
      content: '-w /etc/sudoers -p wa -k actions'
      order  : 34
    'Ensure auditd Collects Information on Kernel Module Loading and Unloading (insmod)':
      content: '-w /usr/sbin/insmod -p x -k modules'
      order  : 35
    'Ensure auditd Collects Information on Kernel Module Loading and Unloading (rmmod)':
      content: '-w /usr/sbin/rmmod -p x -k modules'
      order  : 36
    'Ensure auditd Collects Information on Kernel Module Loading and Unloading (modprobe)':
      content: '-w /usr/sbin/modprobe -p x -k modules'
      order  : 37