[Docs] Refactor auditd rules

This patch adds documentation for:

  https://review.openstack.org/397334

Implements: blueprint security-rhel7-stig
Change-Id: I5dc47cae51321c35592451030c54b2875c46be45

doc/metadata/rhel7/RHEL-07-030380.rst

@@ -1,7 +1,24 @@
 ---
 id: RHEL-07-030380
-status: not implemented
-tag: misc
+status: opt-in
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+The STIG requires that all ``chown`` syscalls are audited, but this
+change creates a significant increase in logging on most systems. This increase
+can cause some systems to run out of disk space for logs.
+
+.. warning::
+
+    This rule is disabled by default to avoid high CPU usage and disk space
+    exhaustion. Deployers should only enable this rule if they have tested it
+    thoroughly in a non-production environment with system health monitoring
+    enabled.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_chown: yes
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030381.rst

@@ -1,7 +1,24 @@
 ---
 id: RHEL-07-030381
-status: not implemented
-tag: misc
+status: opt-in
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+The STIG requires that all ``fchown`` syscalls are audited, but this
+change creates a significant increase in logging on most systems. This increase
+can cause some systems to run out of disk space for logs.
+
+.. warning::
+
+    This rule is disabled by default to avoid high CPU usage and disk space
+    exhaustion. Deployers should only enable this rule if they have tested it
+    thoroughly in a non-production environment with system health monitoring
+    enabled.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_fchown: yes
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030382.rst

@@ -1,7 +1,24 @@
 ---
 id: RHEL-07-030382
-status: not implemented
-tag: misc
+status: opt-in
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+The STIG requires that all ``lchown`` syscalls are audited, but this change
+creates a significant increase in logging on most systems. This increase can
+cause some systems to run out of disk space for logs.
+
+.. warning::
+
+    This rule is disabled by default to avoid high CPU usage and disk space
+    exhaustion. Deployers should only enable this rule if they have tested it
+    thoroughly in a non-production environment with system health monitoring
+    enabled.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_lchown: yes
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030383.rst

@@ -1,7 +1,24 @@
 ---
 id: RHEL-07-030383
-status: not implemented
-tag: misc
+status: opt-in
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+The STIG requires that all ``fchownat`` syscalls are audited, but this
+change creates a significant increase in logging on most systems. This increase
+can cause some systems to run out of disk space for logs.
+
+.. warning::
+
+    This rule is disabled by default to avoid high CPU usage and disk space
+    exhaustion. Deployers should only enable this rule if they have tested it
+    thoroughly in a non-production environment with system health monitoring
+    enabled.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_fchownat: yes
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030390.rst

@@ -1,7 +1,24 @@
 ---
 id: RHEL-07-030390
-status: not implemented
-tag: misc
+status: opt-in
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+The STIG requires that all ``chmod`` syscalls are audited, but this
+change creates a significant increase in logging on most systems. This increase
+can cause some systems to run out of disk space for logs.
+
+.. warning::
+
+    This rule is disabled by default to avoid high CPU usage and disk space
+    exhaustion. Deployers should only enable this rule if they have tested it
+    thoroughly in a non-production environment with system health monitoring
+    enabled.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_chmod: yes
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030391.rst

@@ -1,7 +1,24 @@
 ---
 id: RHEL-07-030391
-status: not implemented
-tag: misc
+status: opt-in
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+The STIG requires that all ``fchmod`` syscalls are audited, but this
+change creates a significant increase in logging on most systems. This increase
+can cause some systems to run out of disk space for logs.
+
+.. warning::
+
+    This rule is disabled by default to avoid high CPU usage and disk space
+    exhaustion. Deployers should only enable this rule if they have tested it
+    thoroughly in a non-production environment with system health monitoring
+    enabled.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_fchmod: yes
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030392.rst

@@ -1,7 +1,24 @@
 ---
 id: RHEL-07-030392
-status: not implemented
-tag: misc
+status: opt-in
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+The STIG requires that all ``fchmodat`` syscalls are audited, but this
+change creates a significant increase in logging on most systems. This increase
+can cause some systems to run out of disk space for logs.
+
+.. warning::
+
+    This rule is disabled by default to avoid high CPU usage and disk space
+    exhaustion. Deployers should only enable this rule if they have tested it
+    thoroughly in a non-production environment with system health monitoring
+    enabled.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_fchmodat: yes
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030400.rst

@@ -1,7 +1,15 @@
 ---
 id: RHEL-07-030400
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+Rules are added to audit all ``setxattr`` syscalls on the system.
+
+Deployers can opt out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_setxattr: no
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030401.rst

@@ -1,7 +1,24 @@
 ---
 id: RHEL-07-030401
-status: not implemented
-tag: misc
+status: opt-in
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+The STIG requires that all ``fsetxattr`` syscalls are audited, but this
+change creates a significant increase in logging on most systems. This increase
+can cause some systems to run out of disk space for logs.
+
+.. warning::
+
+    This rule is disabled by default to avoid high CPU usage and disk space
+    exhaustion. Deployers should only enable this rule if they have tested it
+    thoroughly in a non-production environment with system health monitoring
+    enabled.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_fsetxattr: yes
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030402.rst

@@ -1,7 +1,24 @@
 ---
 id: RHEL-07-030402
-status: not implemented
-tag: misc
+status: opt-in
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+The STIG requires that all ``lsetxattr`` syscalls are audited, but this change
+creates a significant increase in logging on most systems. This increase can
+cause some systems to run out of disk space for logs.
+
+.. warning::
+
+    This rule is disabled by default to avoid high CPU usage and disk space
+    exhaustion. Deployers should only enable this rule if they have tested it
+    thoroughly in a non-production environment with system health monitoring
+    enabled.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_lsetxattr: no
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030403.rst

@@ -1,7 +1,15 @@
 ---
 id: RHEL-07-030403
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+Rules are added to audit all ``removexattr`` syscalls on the system.
+
+Deployers can opt out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_removexattr: no
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030404.rst

@@ -1,7 +1,24 @@
 ---
 id: RHEL-07-030404
-status: not implemented
-tag: misc
+status: opt-in
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+The STIG requires that all ``fremovexattr`` syscalls are audited, but this
+change creates a significant increase in logging on most systems. This increase
+can cause some systems to run out of disk space for logs.
+
+.. warning::
+
+    This rule is disabled by default to avoid high CPU usage and disk space
+    exhaustion. Deployers should only enable this rule if they have tested it
+    thoroughly in a non-production environment with system health monitoring
+    enabled.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_fremovexattr: yes
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030405.rst

@@ -1,7 +1,24 @@
 ---
 id: RHEL-07-030405
-status: not implemented
-tag: misc
+status: opt-in
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+The STIG requires that all ``lremovexattr`` syscalls are audited, but this
+change creates a significant increase in logging on most systems. This increase
+can cause some systems to run out of disk space for logs.
+
+.. warning::
+
+    This rule is disabled by default to avoid high CPU usage and disk space
+    exhaustion. Deployers should only enable this rule if they have tested it
+    thoroughly in a non-production environment with system health monitoring
+    enabled.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_lremovexattr: yes
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030420.rst

@@ -1,7 +1,15 @@
 ---
 id: RHEL-07-030420
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+Rules are added to audit all ``creat`` syscalls on the system.
+
+Deployers can opt out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_creat: no
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030421.rst

@@ -1,7 +1,15 @@
 ---
 id: RHEL-07-030421
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+Rules are added to audit all ``open`` syscalls on the system.
+
+Deployers can opt out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_open: no
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030422.rst

@@ -1,7 +1,15 @@
 ---
 id: RHEL-07-030422
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+Rules are added to audit all ``openat`` syscalls on the system.
+
+Deployers can opt out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_openat: no
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030423.rst

@@ -1,7 +1,15 @@
 ---
 id: RHEL-07-030423
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+Rules are added to audit all ``open_by_handle_at`` syscalls on the system.
+
+Deployers can opt out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_open_by_handle_at: no
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030424.rst

@@ -1,7 +1,15 @@
 ---
 id: RHEL-07-030424
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+Rules are added to audit all ``truncate`` syscalls on the system.
+
+Deployers can opt out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_truncate: no
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030425.rst

@@ -1,7 +1,15 @@
 ---
 id: RHEL-07-030425
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+Rules are added to audit all ``ftruncate`` syscalls on the system.
+
+Deployers can opt out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_ftruncate: no
+
+This rule is compatible with x86, x86_64, and ppc64 architectures.

doc/metadata/rhel7/RHEL-07-030441.rst

@@ -1,7 +1,13 @@
 ---
 id: RHEL-07-030441
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+Rules are added to audit any time the the ``semanage`` command is used.
+
+Deployers can opt out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_semanage: no

doc/metadata/rhel7/RHEL-07-030442.rst

@@ -1,7 +1,13 @@
 ---
 id: RHEL-07-030442
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+Rules are added to audit any time the the ``setsebool`` command is used.
+
+Deployers can opt out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_setsebool: no

doc/metadata/rhel7/RHEL-07-030443.rst

@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030443
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``chcon`` command
+is used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_chcon: no

doc/metadata/rhel7/RHEL-07-030444.rst

@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-030444
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---
 
-This STIG requirement is not yet implemented.
+The tasks add a rule to auditd that logs each time the ``restorecon`` command
+is used.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_restorecon: no

doc/metadata/rhel7/RHEL-07-030490.rst

@@ -4,4 +4,9 @@ status: not implemented
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+Rules are added to audit all successful and unsuccessful account access events.
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_account_access: no

doc/metadata/rhel7/RHEL-07-030670.rst

@@ -4,10 +4,9 @@ status: implemented
 tag: auditd
 ---
 
-The tasks add a rule to auditd that logs each time the ``init_module`` command
-is used.
+Rules are added to audit all ``init_module`` syscalls on the system.
 
-Deployers can opt-out of this change by setting an Ansible variable:
+Deployers can opt out of this change by setting an Ansible variable:
 
 .. code-block:: yaml
 

doc/metadata/rhel7/RHEL-07-030671.rst

@@ -4,10 +4,9 @@ status: implemented
 tag: auditd
 ---
 
-The tasks add a rule to auditd that logs each time the ``delete_module``
-command is used.
+Rules are added to audit all ``delete_module`` syscalls on the system.
 
-Deployers can opt-out of this change by setting an Ansible variable:
+Deployers can opt out of this change by setting an Ansible variable:
 
 .. code-block:: yaml
 

doc/metadata/rhel7/RHEL-07-030750.rst

@@ -4,10 +4,9 @@ status: implemented
 tag: auditd
 ---
 
-The tasks add a rule to auditd that logs each time the ``rename`` command is
-used.
+Rules are added to audit all ``rename`` syscalls on the system.
 
-Deployers can opt-out of this change by setting an Ansible variable:
+Deployers can opt out of this change by setting an Ansible variable:
 
 .. code-block:: yaml
 

doc/metadata/rhel7/RHEL-07-030751.rst

@@ -4,10 +4,9 @@ status: implemented
 tag: auditd
 ---
 
-The tasks add a rule to auditd that logs each time the ``renameat`` command is
-used.
+Rules are added to audit all ``renameat`` syscalls on the system.
 
-Deployers can opt-out of this change by setting an Ansible variable:
+Deployers can opt out of this change by setting an Ansible variable:
 
 .. code-block:: yaml
 

doc/metadata/rhel7/RHEL-07-030752.rst

@@ -4,10 +4,9 @@ status: implemented
 tag: auditd
 ---
 
-The tasks add a rule to auditd that logs each time the ``rmdir`` command is
-used.
+Rules are added to audit all ``rmdir`` syscalls on the system.
 
-Deployers can opt-out of this change by setting an Ansible variable:
+Deployers can opt out of this change by setting an Ansible variable:
 
 .. code-block:: yaml