Adding auditd rules to hardening machine-image - Githubissues

scylladb / scylla-machine-image

Apache License 2.0

20 stars 27 forks source link

Adding auditd rules to hardening machine-image #521

Closed syuu1228 closed 7 months ago

syuu1228 commented 7 months ago

Install auditd and add auditd rules to hardening machine-image. Also add kernel boot parameters to audit.

This will apply following CIS compliance rules:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_insmod
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_modprobe
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_rmmod
xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
xccdf_org.ssgproject.content_rule_audit_rules_session_events
xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
xccdf_org.ssgproject.content_rule_grub2_audit_argument
xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument
xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action

Fixes scylladb/scylla-enterprise-machine-image#71 Related scylladb/scylla-pkg#2953

yaronkaikov commented 7 months ago

@syuu1228 Let's move this change to scylla-enterprise-machine-image, it should be enterprise only feature

syuu1228 commented 7 months ago

Need to move this to scylla-enterprise-machine-image, closing.

tzach commented 7 months ago

https://github.com/scylladb/scylla-enterprise/issues/616