Parametrize more auditd.conf options (#535)

kravietz · Paweł Krawczyk · rndmh3ro · web-flow · commit 88ef3cf3af8d · 2023-01-19T13:45:24.000+01:00
* Parametrize more auditd.conf options

* Parametrize more auditd.conf options

* Add `os_auditd` options

* Add os_auditd_log_group

* Add os_auditd_log_group

Co-authored-by: Paweł Krawczyk &lt;p@krvtz.net&gt;
Co-authored-by: Sebastian Gumprich &lt;rndmh3ro@users.noreply.github.com&gt;
diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
@@ -299,6 +299,30 @@ We know that this is the case on Raspberry Pi.
 - `os_sha_crypt_max_rounds`
   - Default: `640000`
   - Description: Define the number of maximum SHA rounds. With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range.
+- `os_auditd_enabled`
+  - Default: `true`
+  - Description: Set to false to disable installing and configuring `auditd`.
+- `os_auditd_flush`
+  - Default: `INCREMENTAL`
+  - Description:  Valid  values are none, incremental, incremental_async, data,  and sync.
+- `os_auditd_max_log_file`
+  - Default: 6
+  - Description: This keyword specifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action.
+- `os_auditd_max_log_file_action`
+  - Default: `keep_logs`
+  - Description: This parameter tells the system what action to take when the system has detected that the max file size limit has been reached. Valid values are ignore, syslog, suspend, rotate and  keep_logs.
+- `os_auditd_admin_space_left`
+  - Default: 50
+  - Description: This is a numeric value in megabytes that tells the audit daemon when to perform a configurable action because the system is running low on disk space.
+- `os_auditd_space_left`
+  - Default: 75
+  - Description:  If  the free space in the filesystem containing log_file drops below this value, the audit daemon takes the action specified by space_left_action.
+- `os_auditd_space_left_action`
+  - Default: SYSLOG
+  - Description: This  parameter  tells the system what action to take when the system has detected that it is starting to get low on disk space.
+- `os_auditd_log_format`
+  - Default: `RAW`
+  - Description: The  log format describes how the information should be stored on disk. There are 2 options: raw and enriched. If set to `RAW`, the audit records will be stored in a format exactly as the kernel sends it. The `ENRICHED` option will resolve all uid, gid, syscall, architecture, and socket address information before writing the event to disk. This aids in making sense of events created  on  one system but reported/analyzed on another system. 
 - `os_mnt_boot_dir_mode`
   - Default: `0700`
   - Description: Set default perimissions for /boot
diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
@@ -328,8 +328,17 @@ os_hardening_enabled: true
 
 # Set to false to disable installing and configuring auditd.
 os_auditd_enabled: true
+os_auditd_flush: INCREMENTAL
 os_auditd_max_log_file: 6
 os_auditd_max_log_file_action: keep_logs
+os_auditd_log_format: RAW
+os_auditd_admin_space_left: 50
+os_auditd_space_left: 75
+os_auditd_space_left_action: SYSLOG
+os_auditd_admin_space_left_action: SUSPEND
+os_auditd_disk_full_action: SUSPEND
+os_auditd_disk_error_action: SUSPEND
+os_auditd_log_group: root
 os_auditd_num_logs: 5
 
 # Set the SELinux state, which can be either disabled, permissive, or enforcing.
diff --git a/roles/os_hardening/templates/etc/audit/auditd.conf.j2 b/roles/os_hardening/templates/etc/audit/auditd.conf.j2
@@ -2,30 +2,26 @@
 # Generated by Ansible role {{ ansible_role_name }}
 
 log_file = /var/log/audit/audit.log
-log_format = RAW
-log_group = root
+log_format = {{ os_auditd_log_format }}
+log_group = {{ os_auditd_log_group }}
 priority_boost = 4
-flush = INCREMENTAL
+flush = {{ os_auditd_flush }}
 freq = 20
 num_logs = {{ os_auditd_num_logs }}
 disp_qos = lossy
 dispatcher = /sbin/audispd
 name_format = NONE
-##name = mydomain
 max_log_file = {{ os_auditd_max_log_file }}
 max_log_file_action = {{ os_auditd_max_log_file_action }}
-space_left = 75
-space_left_action = SYSLOG
+space_left = {{ os_auditd_space_left }}
+space_left_action = {{ os_auditd_space_left_action }}
 action_mail_acct = root
-admin_space_left = 50
-admin_space_left_action = SUSPEND
-disk_full_action = SUSPEND
-disk_error_action = SUSPEND
-##tcp_listen_port =
+admin_space_left = {{ os_auditd_admin_space_left }}
+admin_space_left_action = {{ os_auditd_admin_space_left_action }}
+disk_full_action = {{ os_auditd_disk_full_action }}
+disk_error_action = {{ os_auditd_disk_error_action }}
 tcp_listen_queue = 5
 tcp_max_per_addr = 1
-##tcp_client_ports = 1024-65535
 tcp_client_max_idle = 0
 enable_krb5 = no
 krb5_principal = auditd
-##krb5_key_file = /etc/audit/audit.key
