Configure auditd rules for security compliance
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
tripleo | Fix Released | Medium | Luke Hinds | |
Bug Description
Currently no audit rules are set within the auditd system.
This results in events that modify the following system attributes not being logged by auditd:
* Events that Modify Date and Time Information
* Events that Modify the System's Discretionary Access Controls
* Record Events that Modify User/Group Information
* Record Events that Modify the System's Network Environment
* Record Events that Modify the System's Mandatory Access Controls (SELinux)
* Collection of Unauthorized Access Attempts to Files (unsuccessful)
* Collection of Information on the Use of Privileged Commands
* Collection of Information on Exporting to Media (successful)
* Collection of File Deletion Events by User
* Collection of System Administrator Actions
* Collection of Information on Kernel Module Loading and Unloading
A`/usr/
For example:
~]# cp /etc/audit/
~]# cp /usr/share/
This will then ensure each of the above audit areas will be implemented and result in a system being DISA STIG compliant.
In the /usr/share/
* nispom.rules — Audit rule configuration that meets the requirements specified in Chapter 8 of the National Industrial Security Program Operating Manual.
* capp.rules — Audit rule configuration that meets the requirements set by Controlled Access Protection Profile (CAPP), which is a part of the Common Criteria certification.
* lspp.rules — Audit rule configuration that meets the requirements set by Labeled Security Protection Profile (LSPP), which is a part of the Common Criteria certification.
* stig.rules — Audit rule configuration that meets the requirements set by Security Technical Implementation Guides (STIG).
If possible, name could be sourced / passed with a flag or key / value such as `stig` which will copy and overwrite the relevant rules file to /etc/audit/
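
A coverage check for the audit areas listed in the description, as an added example that is not part of the original bug report or the TripleO code: it reads a rules file or `auditctl -l` output on stdin and prints each area that no active rule covers. The area names and the syscall or watched path used as each area's marker are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): list the audit areas that no active
# rule covers. The marker regex chosen per area is this example's assumption.

# One line per area: name, then an extended regex that a rule line must match.
AREA_MARKERS='time-change (-S |,)(adjtimex|settimeofday|clock_settime)([, ]|$)
dac-permissions (-S |,)(chmod|fchmod|chown|fchown|setxattr)([, ]|$)
user-group -w /etc/(passwd|group|shadow|gshadow)( |$)
network-environment (-S |,)(sethostname|setdomainname)([, ]|$)
selinux-mac -w /etc/selinux
failed-file-access -F exit=-(EACCES|EPERM)( |$)
privileged-commands -F path=[^ ]+ .*-F perm=x
media-export (-S |,)mount([, ]|$)
file-deletion (-S |,)(unlink|unlinkat|rename|renameat)([, ]|$)
admin-actions -w /etc/sudoers
kernel-modules (-S |,)(init_module|finit_module|delete_module)([, ]|$)'

# Reads rules on stdin; prints the name of every area without a matching
# rule, one per line. Prints nothing when all areas are covered.
missing_audit_areas() {
    # Drop comments and blank lines so a commented-out rule does not count.
    rules=$(grep -Ev '^[[:space:]]*(#|$)' || true)
    printf '%s\n' "$AREA_MARKERS" | while read -r area re; do
        printf '%s\n' "$rules" | grep -Eq -e "$re" || printf '%s\n' "$area"
    done
}

# Constructed sample ruleset: covers time changes, user/group files and module
# loading only; the chmod rule is commented out and must count as missing.
SAMPLE_RULES='# constructed sample, not a shipped rules file
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-w /etc/passwd -p wa -k identity
#-a always,exit -F arch=b64 -S chmod -S fchmod -k perm_mod
-w /sbin/insmod -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules'

printf '%s\n' "$SAMPLE_RULES" | missing_audit_areas
```

On a host, the same function can be fed the loaded rules with `auditctl -l | missing_audit_areas`.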
Changed in tripleo:
status: New → Triaged
Changed in tripleo:
importance: High → Medium
Changed in tripleo:
assignee: nobody → Luke Hinds (lhinds)
status: Triaged → In Progress
Reviewed: https://review.openstack.org/421872
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=eb14c2a9f7acd6a7949e7aee91687756731f93db
Submitter: Jenkins
Branch: master
commit eb14c2a9f7acd6a7949e7aee91687756731f93db
Author: Steven Hardy <email address hidden>
Date: Wed Jan 18 12:25:25 2017 +0000
Add AuditD Profile
This patch allows the management of the AuditD service and its associated
files (such as `audit.rules`)
This is achieved by means of the `puppet-auditd` puppet module.
Closes-Bug: #1640302
Co-Authored-By: Luke Hinds (<email address hidden>)
Change-Id: Ie31c063b674075e35e1bfa28d1fc07f3f897407b