From 77eaaf2262f6d97be512821f26609ea4a1392f43 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 7 Sep 2016 07:38:11 -0500
Subject: [PATCH] Disable DAC change auditing
This patch disables all of the discretionary access control (DAC) auditing in auditd. This should reduce the volume of logs created during deployments and during OpenStack CI jobs. The patch also corrects an incorrect key in the audit logs for V-38568.
Manual backport of I193f739647cfb7d0ce395984b51867bf6bd46cd8.
Change-Id: Ie6266dacc29b9f110b8eced8c6bd184d156e91c5
Closes-Bug: 1620849
---
 defaults/main.yml | 18 ++++++-------
 doc/source/developer-notes/V-38545.rst | 14 +++++++++--
 doc/source/developer-notes/V-38552.rst | 14 +++++++++--
 doc/source/developer-notes/V-38554.rst | 14 +++++++++--
 doc/source/developer-notes/V-38556.rst | 14 +++++++++--
 doc/source/developer-notes/V-38557.rst | 14 +++++++++--
 doc/source/developer-notes/V-38558.rst | 14 +++++++++--
 doc/source/developer-notes/V-38559.rst | 14 +++++++++--
 doc/source/developer-notes/V-38561.rst | 13 ++++++++--
 doc/source/developer-notes/V-38565.rst | 14 ++++++++---
 ...educe-auditd-logging-633677a74aee5481.yaml | 25 +++++++++++++++++++
 templates/osas-auditd.j2 | 8 +++---
 12 files changed, 144 insertions(+), 32 deletions(-)
 create mode 100644 releasenotes/notes/reduce-auditd-logging-633677a74aee5481.yaml
diff --git a/defaults/main.yml b/defaults/main.yml
index 02aaaa77..52d56ed2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -59,17 +59,17 @@ security_audit_clock_settime: yes # V-38527
 security_audit_clock_settimeofday: yes # V-38522
 security_audit_clock_stime: yes # V-38525
 security_audit_DAC_chmod: no # V-38543
-security_audit_DAC_chown: yes # V-38545
-security_audit_DAC_lchown: yes # V-38558
+security_audit_DAC_chown: no # V-38545
+security_audit_DAC_lchown: no # V-38558
 security_audit_DAC_fchmod: no # V-38547
 security_audit_DAC_fchmodat: no # V-38550
-security_audit_DAC_fchown: yes # V-38552
-security_audit_DAC_fchownat: yes # V-38554
-security_audit_DAC_fremovexattr: yes # V-38556
-security_audit_DAC_lremovexattr: yes # V-38559
-security_audit_DAC_fsetxattr: yes # V-38557
-security_audit_DAC_lsetxattr: yes # V-38561
-security_audit_DAC_setxattr: yes # V-38565
+security_audit_DAC_fchown: no # V-38552
+security_audit_DAC_fchownat: no # V-38554
+security_audit_DAC_fremovexattr: no # V-38556
+security_audit_DAC_lremovexattr: no # V-38559
+security_audit_DAC_fsetxattr: no # V-38557
+security_audit_DAC_lsetxattr: no # V-38561
+security_audit_DAC_setxattr: no # V-38565
 security_audit_deletions: no # V-38575
 security_audit_failed_access: no # V-38566
 security_audit_filesystem_mounts: yes # V-38568
diff --git a/doc/source/developer-notes/V-38545.rst b/doc/source/developer-notes/V-38545.rst
index ec742e13..e5ae1a96 100644
--- a/doc/source/developer-notes/V-38545.rst
+++ b/doc/source/developer-notes/V-38545.rst
@@ -1,2 +1,12 @@
-Rules are added for auditd to log discretionary access control permission
-changes done with chown.
+**Exception**
+
+The audit rules for permission changes made with ``chown`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``chown`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+ security_audit_DAC_chown: yes
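Review bot: The nine `security_audit_DAC_*` variables flipped to `no` in this hunk carry no comment in `defaults/main.yml` explaining why, so a deployer reading the defaults cannot tell that these RHEL 6 STIG audit rules were switched off to limit log volume rather than dropped as unnecessary, and that a compliance-scanned host must opt back in. A one-line comment above `security_audit_DAC_chmod`, `# DAC (chown/chmod/xattr) auditing defaults to 'no' to limit audit log volume during deployments; set to 'yes' where the STIG controls must be enforced`, would record the trade-off where the values change. The developer notes that tell deployers how to re-enable each rule should agree with the keys here: the V-38565 note later in this patch points at `security_audit_DAC_lsetxattr` instead of `security_audit_DAC_setxattr`, so following it would leave `setxattr` unaudited, and the V-38561 note spells the syscall `lxsetxattr`.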
diff --git a/doc/source/developer-notes/V-38552.rst b/doc/source/developer-notes/V-38552.rst
index 363ed3ab..7d722fb6 100644
--- a/doc/source/developer-notes/V-38552.rst
+++ b/doc/source/developer-notes/V-38552.rst
@@ -1,2 +1,12 @@
-Rules are added for auditing discretionary access control changes
-made by fchown.
+**Exception**
+
+The audit rules for permission changes made with ``fchown`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``fchown`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+ security_audit_DAC_fchown: yes
diff --git a/doc/source/developer-notes/V-38554.rst b/doc/source/developer-notes/V-38554.rst
index 14c0ac2b..e8a4a6ad 100644
--- a/doc/source/developer-notes/V-38554.rst
+++ b/doc/source/developer-notes/V-38554.rst
@@ -1,2 +1,12 @@
-Rules are added for auditing discretionary access control changes made by
-fchownat.
+**Exception**
+
+The audit rules for permission changes made with ``fchownat`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``fchownat`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+ security_audit_DAC_fchownat: yes
diff --git a/doc/source/developer-notes/V-38556.rst b/doc/source/developer-notes/V-38556.rst
index 0f01a145..deae7093 100644
--- a/doc/source/developer-notes/V-38556.rst
+++ b/doc/source/developer-notes/V-38556.rst
@@ -1,2 +1,12 @@
-Rules are added for auditing discretionary access control changes made
-by ``fremovexattr``.
+**Exception**
+
+The audit rules for permission changes made with ``fremovexattr`` are disabled
+by default as they can generate an excessive amount of logs in a short period
+of time, especially during a deployment.
+
+Deployers can enable auditing for ``fremovexattr`` usage by setting the
+following Ansible variable:
+
+.. code-block:: yaml
+
+ security_audit_DAC_fremovexattr: yes
diff --git a/doc/source/developer-notes/V-38557.rst b/doc/source/developer-notes/V-38557.rst
index 723f4466..a264edfa 100644
--- a/doc/source/developer-notes/V-38557.rst
+++ b/doc/source/developer-notes/V-38557.rst
@@ -1,2 +1,12 @@
-Rules are added for auditing discretionary access control changes made via
-``fsetxattr``.
+**Exception**
+
+The audit rules for permission changes made with ``fsetxattr`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``fsetxattr`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+ security_audit_DAC_fsetxattr: yes
diff --git a/doc/source/developer-notes/V-38558.rst b/doc/source/developer-notes/V-38558.rst
index e58996c9..1143b17b 100644
--- a/doc/source/developer-notes/V-38558.rst
+++ b/doc/source/developer-notes/V-38558.rst
@@ -1,2 +1,12 @@
-Rules are added for auditing discretionary access control changes made via
-``lchown``.
+**Exception**
+
+The audit rules for permission changes made with ``lchown`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``lchown`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+ security_audit_DAC_lchown: yes
diff --git a/doc/source/developer-notes/V-38559.rst b/doc/source/developer-notes/V-38559.rst
index 540899ed..70e98861 100644
--- a/doc/source/developer-notes/V-38559.rst
+++ b/doc/source/developer-notes/V-38559.rst
@@ -1,2 +1,12 @@
-Rules are added for auditing discretionary access control changes made via
-``lremovexattr``.
+**Exception**
+
+The audit rules for permission changes made with ``lremovexattr`` are disabled
+by default as they can generate an excessive amount of logs in a short period
+of time, especially during a deployment.
+
+Deployers can enable auditing for ``lremovexattr`` usage by setting the
+following Ansible variable:
+
+.. code-block:: yaml
+
+ security_audit_DAC_lremovexattr: yes
diff --git a/doc/source/developer-notes/V-38561.rst b/doc/source/developer-notes/V-38561.rst
index 62d92c26..0b995aa6 100644
--- a/doc/source/developer-notes/V-38561.rst
+++ b/doc/source/developer-notes/V-38561.rst
@@ -1,3 +1,12 @@
-Rules are added to auditd to log all DAC modifications using `lsetxattr`_.
+**Exception**
 
-.. _lsetxattr: http://linux.die.net/man/2/lsetxattr
+The audit rules for permission changes made with ``lxsetxattr`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``lsetxattr`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+ security_audit_DAC_lsetxattr: yes
diff --git a/doc/source/developer-notes/V-38565.rst b/doc/source/developer-notes/V-38565.rst
index 6e6694f5..f67ccfaf 100644
--- a/doc/source/developer-notes/V-38565.rst
+++ b/doc/source/developer-notes/V-38565.rst
@@ -1,4 +1,12 @@
-Rules are added so that all permission modifications made via `setxattr`_ are
-logged.
+**Exception**
 
-.. _setxattr: http://man7.org/linux/man-pages/man2/setxattr.2.html
+The audit rules for permission changes made with ``setxattr`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``lsetxattr`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+ security_audit_DAC_lsetxattr: yes
diff --git a/releasenotes/notes/reduce-auditd-logging-633677a74aee5481.yaml b/releasenotes/notes/reduce-auditd-logging-633677a74aee5481.yaml
new file mode 100644
index 00000000..eac68638
--- /dev/null
+++ b/releasenotes/notes/reduce-auditd-logging-633677a74aee5481.yaml
@@ -0,0 +1,25 @@
+---
+upgrade:
+ - |
+ All of the discretionary access control (DAC) auditing is now disabled by
+ default. This reduces the amount of logs generated during deployments and
+ minor upgrades. The following variables are now set to ``no``:
+
+ .. code-block:: yaml
+
+ security_audit_DAC_chmod: no
+ security_audit_DAC_chown: no
+ security_audit_DAC_lchown: no
+ security_audit_DAC_fchmod: no
+ security_audit_DAC_fchmodat: no
+ security_audit_DAC_fchown: no
+ security_audit_DAC_fchownat: no
+ security_audit_DAC_fremovexattr: no
+ security_audit_DAC_lremovexattr: no
+ security_audit_DAC_fsetxattr: no
+ security_audit_DAC_lsetxattr: no
+ security_audit_DAC_setxattr: no
+fixes:
+ - The auditd rules for auditing V-38568 (filesystem mounts) were incorrectly
+ labeled in the auditd logs with the key of ``export-V-38568``. They are
+ now correctly logged with the key ``filesystem_mount-V-38568``.
diff --git a/templates/osas-auditd.j2 b/templates/osas-auditd.j2
index 2559fe9e..9d3cd9cd 100644
--- a/templates/osas-auditd.j2
+++ b/templates/osas-auditd.j2
@@ -177,10 +177,10 @@
 {% if security_audit_filesystem_mounts | bool %}
 # RHEL 6 STIG V-38568
 # Audits filesystem mounts
--a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export-V-38568
--a always,exit -F arch=b32 -S mount -F auid=0 -k export-V-38568
--a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export-V-38568
--a always,exit -F arch=b64 -S mount -F auid=0 -k export-V-38568
+-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568
+-a always,exit -F arch=b32 -S mount -F auid=0 -k filesystem_mount-V-38568
+-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568
+-a always,exit -F arch=b64 -S mount -F auid=0 -k filesystem_mount-V-38568
 {% endif %}
 
 {% if security_audit_deletions | bool %}
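Review bot: Renaming the `-k` key on the four mount rules from `export-V-38568` to `filesystem_mount-V-38568` silently breaks any `ausearch -k export-V-38568` query, report filter or log-pipeline rule that matched on the old key, and nothing in the template records that the key changed. A comment above the rules, `# Key renamed from export-V-38568; update any searches or alert filters keyed on the old value`, would flag the break at the point of change, and the release note in this patch would serve operators better listing the rename under `upgrade` alongside the DAC defaults rather than only under `fixes`. The `{% if security_audit_filesystem_mounts | bool %}` block is complete within the hunk, so no other rule shares the old key here as far as this hunk shows.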