Merge pull request #310 from tdekoning93/feature/allow_more_changes_a…

…uditd Allow more changes to AuditD
dev-sec · Dec 21, 2023 · b78f440 · b78f440
2 parents ca98c04 + 21a4e0a
commit b78f440
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 24 deletions.
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -253,6 +253,16 @@
 # rubocop:enable Metrics/BlockLength
 
 # auditd config
+default['os-hardening']['auditd']['log_file'] = '/var/log/audit/audit.log'
+default['os-hardening']['auditd']['log_format'] = 'RAW'
+default['os-hardening']['auditd']['max_log_file_action'] = 'keep_logs'
+default['os-hardening']['auditd']['space_left'] = 75
+default['os-hardening']['auditd']['action_mail_acct'] = 'root'
+default['os-hardening']['auditd']['space_left_action'] = 'SYSLOG'
+default['os-hardening']['auditd']['admin_space_left'] = 50
+default['os-hardening']['auditd']['admin_space_left_action'] = 'SUSPEND'
+default['os-hardening']['auditd']['disk_full_action'] = 'SUSPEND'
+default['os-hardening']['auditd']['disk_error_action'] = 'SUSPEND'
 default['os-hardening']['auditd']['flush'] = 'INCREMENTAL'
 default['os-hardening']['auditd']['log_group'] = 'root'
 default['os-hardening']['auditd']['priority_boost'] = '4'

diff --git a/recipes/auditd.rb b/recipes/auditd.rb
@@ -43,20 +43,30 @@
   owner 'root'
   group 'root'
   variables(
-    flush:               node['os-hardening']['auditd']['flush'],
-    log_group:           node['os-hardening']['auditd']['log_group'],
-    priority_boost:      node['os-hardening']['auditd']['priority_boost'],
-    freq:                node['os-hardening']['auditd']['freq'],
-    num_logs:            node['os-hardening']['auditd']['num_logs'],
-    disp_qos:            node['os-hardening']['auditd']['disp_qos'],
-    dispatcher:          node['os-hardening']['auditd']['dispatcher'],
-    name_format:         node['os-hardening']['auditd']['name_format'],
-    max_log_file:        node['os-hardening']['auditd']['max_log_file'],
-    tcp_listen_queue:    node['os-hardening']['auditd']['tcp_listen_queue'],
-    tcp_max_per_addr:    node['os-hardening']['auditd']['tcp_max_per_addr'],
-    tcp_client_max_idle: node['os-hardening']['auditd']['tcp_client_max_idle'],
-    enable_krb5:         node['os-hardening']['auditd']['enable_krb5'],
-    krb5_principal:      node['os-hardening']['auditd']['krb5_principal']
+    log_file:                node['os-hardening']['auditd']['log_file'],
+    log_format:              node['os-hardening']['auditd']['log_format'],
+    max_log_file_action:     node['os-hardening']['auditd']['max_log_file_action'],
+    space_left:              node['os-hardening']['auditd']['space_left'],
+    action_mail_acct:        node['os-hardening']['auditd']['action_mail_acct'],
+    space_left_action:       node['os-hardening']['auditd']['space_left_action'],
+    admin_space_left:        node['os-hardening']['auditd']['admin_space_left'],
+    admin_space_left_action: node['os-hardening']['auditd']['admin_space_left_action'],
+    disk_full_action:        node['os-hardening']['auditd']['disk_full_action'],
+    disk_error_action:       node['os-hardening']['auditd']['disk_error_action'],
+    flush:                   node['os-hardening']['auditd']['flush'],
+    log_group:               node['os-hardening']['auditd']['log_group'],
+    priority_boost:          node['os-hardening']['auditd']['priority_boost'],
+    freq:                    node['os-hardening']['auditd']['freq'],
+    num_logs:                node['os-hardening']['auditd']['num_logs'],
+    disp_qos:                node['os-hardening']['auditd']['disp_qos'],
+    dispatcher:              node['os-hardening']['auditd']['dispatcher'],
+    name_format:             node['os-hardening']['auditd']['name_format'],
+    max_log_file:            node['os-hardening']['auditd']['max_log_file'],
+    tcp_listen_queue:        node['os-hardening']['auditd']['tcp_listen_queue'],
+    tcp_max_per_addr:        node['os-hardening']['auditd']['tcp_max_per_addr'],
+    tcp_client_max_idle:     node['os-hardening']['auditd']['tcp_client_max_idle'],
+    enable_krb5:             node['os-hardening']['auditd']['enable_krb5'],
+    krb5_principal:          node['os-hardening']['auditd']['krb5_principal']
   )
   notifies :restart, 'service[auditd]'
   action :create

diff --git a/templates/default/auditd.conf.erb b/templates/default/auditd.conf.erb
@@ -5,17 +5,17 @@
 #--
 
 # Specified by linux-baseline
-log_file = /var/log/audit/audit.log
-log_format = RAW
+log_file = <%= @log_file %>
+log_format = <%= @log_format %>
 flush = <%= @flush %>
-max_log_file_action = keep_logs
-space_left = 75
-action_mail_acct = root
-space_left_action = SYSLOG
-admin_space_left = 50
-admin_space_left_action = SUSPEND
-disk_full_action = SUSPEND
-disk_error_action = SUSPEND
+max_log_file_action = <%= @max_log_file_action %>
+space_left = <%= @space_left %>
+action_mail_acct = <%= @action_mail_acct %>
+space_left_action = <%= @space_left_action %>
+admin_space_left = <%= @admin_space_left %>
+admin_space_left_action = <%= @admin_space_left_action %>
+disk_full_action = <%= @disk_full_action %>
+disk_error_action = <%= @disk_error_action %>
 
 # Unspecified, auditd defaults unless overwritten
 log_group = <%= @log_group %>