Configure basic parameters of Audit system

An XCCDF Rule

Description

Perform basic configuration of Audit system. Make sure that any previously defined rules are cleared, the auditing system is configured to handle sudden bursts of events, and in cases of failure, messages are configured to be directed to system log. The following rules configure audit as described above:

## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1

Load new Audit rules into kernel by running:

augenrules --load

warning alert: Performance Warning

It might happen that Audit buffer configured by this rule is not large enough for certain use cases. If that is the case, the buffer size can be overridden by placing

-b larger_buffer_size

into a file within /etc/audit/rules.d directory, replacing larger_file_size with the desired value. The file name should start with a number higher than 10 and lower than 99.

Rationale

Without basic configurations, audit may not perform as expected. It may not be able to correctly handle events under stressful conditions, or log events in case of failure.

ID: xccdf_org.ssgproject.content_rule_audit_basic_configuration
Severity: Medium
References: AU-2(a)

FAU_GEN.1

SRG-OS-000365-GPOS-00152 SRG-OS-000475-GPOS-00220
Updated: about 1 year ago

- name: Put contents into /etc/audit/rules.d/10-base-config.rules according to policy
  copy:
    dest: /etc/audit/rules.d/10-base-config.rules
    content: |+
      ## First rule - delete all
      -D
      ## Increase the buffers to survive stress events.
      ## Make this bigger for busy systems
      -b 8192

      ## This determine how long to wait in burst of events
      --backlog_wait_time 60000

      ## Set failure mode to syslog
      -f 1

    force: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AU-2(a)
  - audit_basic_configuration
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Remove any permissions from other group
  file:
    path: /etc/audit/rules.d/10-base-config.rules
    mode: o-rwx
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AU-2(a)
  - audit_basic_configuration
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/10-base-config.rules
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1

EOF

chmod o-rwx /etc/audit/rules.d/10-base-config.rules

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure basic parameters of Audit system

Description

Rationale

Remediation - Ansible

Remediation - Shell Script