Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Install and configure user mode auditd tools

branch: master

Fetching latest commit…

Octocat-spinner-32-eaf2f5

Cannot retrieve the latest commit at this time

Octocat-spinner-32 attributes
Octocat-spinner-32 providers
Octocat-spinner-32 recipes
Octocat-spinner-32 resources
Octocat-spinner-32 templates
Octocat-spinner-32 .gitignore
Octocat-spinner-32 .kitchen.yml
Octocat-spinner-32 CHANGELOG.md
Octocat-spinner-32 Cheffile
Octocat-spinner-32 Gemfile
Octocat-spinner-32 README.md
Octocat-spinner-32 Thorfile
Octocat-spinner-32 metadata.rb
README.md

Description

A simple cookbook to install auditd and provided rulesets. Rulesets included in the OS auditd/audit package as examples are based on 4 established standards:

The OS package provides the client side tools for working with the linux kernel audit framework.

Requirements

Linux : any distribution in theory, but only Ubuntu and RHEL 6 have been tested.

Attributes

  • node['auditd']['ruleset'] - ruleset to use, either "default" (the default if unset) or one of the provided examples
    • NOTE: When using this recipe on RHEL systems, you're restricted to the "default" or "cis" rulesets, as RHEL uses version-specific paths for the .rules which we can't programatically determine at this time.
  • node['auditd']['backlog'] - backlog size, default is 320 should be larger for busy systems

Usage

If you're using one of the default rulesets set the correct attribute based on the ruleset desired, one of:

  • "capp" : Controlled Access Protection Profile
  • "lspp" : Labeled Security Protection Profile
  • "nispom" : National Industrial Security Program Operating Manual (NISPOM)
  • "stig" : Security Technical Implementation Guides
  • "cis" : Center for Internet Security auditd recommendations

And include recipe[auditd::rules] in your run list. You can also set the attribute node['auditd']['ruleset'] to the name of a custom rule template to be used instead of one of the default rules.

If you are using the recipe from a wrapper cookbook, include the default recipe recipe[auditd] to setup the service and use the auditd_ruleset resource to place your custom rule template.

TODO

Ideally the auditd_ruleset resource could make use of a data bag search to build the data driven ruleset

Make builtins an array attribute to allow user updates without cookbook release.

Something went wrong with that request. Please try again.