Disable DAC change auditing

This patch disables all of the discretionary access control (DAC)
auditing in auditd. This should reduce the volume of logs created
during deployments and during OpenStack CI jobs.

The patch also corrects an incorrect key in the audit logs for
V-38568.

Closes-Bug: 1620849
Change-Id: I193f739647cfb7d0ce395984b51867bf6bd46cd8

defaults/main.yml

@@ -64,17 +64,17 @@ security_audit_clock_settime: yes                 # V-38527
 security_audit_clock_settimeofday: yes            # V-38522
 security_audit_clock_stime: yes                   # V-38525
 security_audit_DAC_chmod: no                      # V-38543
-security_audit_DAC_chown: yes                     # V-38545
-security_audit_DAC_lchown: yes                    # V-38558
+security_audit_DAC_chown: no                      # V-38545
+security_audit_DAC_lchown: no                     # V-38558
 security_audit_DAC_fchmod: no                     # V-38547
 security_audit_DAC_fchmodat: no                   # V-38550
-security_audit_DAC_fchown: yes                    # V-38552
-security_audit_DAC_fchownat: yes                  # V-38554
-security_audit_DAC_fremovexattr: yes              # V-38556
-security_audit_DAC_lremovexattr: yes              # V-38559
-security_audit_DAC_fsetxattr: yes                 # V-38557
-security_audit_DAC_lsetxattr: yes                 # V-38561
-security_audit_DAC_setxattr: yes                  # V-38565
+security_audit_DAC_fchown: no                     # V-38552
+security_audit_DAC_fchownat: no                   # V-38554
+security_audit_DAC_fremovexattr: no               # V-38556
+security_audit_DAC_lremovexattr: no               # V-38559
+security_audit_DAC_fsetxattr: no                  # V-38557
+security_audit_DAC_lsetxattr: no                  # V-38561
+security_audit_DAC_setxattr: no                   # V-38565
 security_audit_deletions: no                      # V-38575
 security_audit_failed_access: no                  # V-38566
 security_audit_filesystem_mounts: yes             # V-38568

doc/source/stig-notes/V-38545_developer.rst

@@ -1,2 +1,12 @@
-Rules are added for auditd to log discretionary access control permission
-changes done with chown.
+**Exception**
+
+The audit rules for permission changes made with ``chown`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``chown`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+   security_audit_DAC_chown: yes

doc/source/stig-notes/V-38552_developer.rst

@@ -1,2 +1,12 @@
-Rules are added for auditing discretionary access control changes
-made by fchown.
+**Exception**
+
+The audit rules for permission changes made with ``fchown`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``fchown`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+   security_audit_DAC_fchown: yes

doc/source/stig-notes/V-38554_developer.rst

@@ -1,2 +1,12 @@
-Rules are added for auditing discretionary access control changes made by
-fchownat.
+**Exception**
+
+The audit rules for permission changes made with ``fchownat`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``fchownat`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+   security_audit_DAC_fchownat: yes

doc/source/stig-notes/V-38556_developer.rst

@@ -1,2 +1,12 @@
-Rules are added for auditing discretionary access control changes made
-by ``fremovexattr``.
+**Exception**
+
+The audit rules for permission changes made with ``fremovexattr`` are disabled
+by default as they can generate an excessive amount of logs in a short period
+of time, especially during a deployment.
+
+Deployers can enable auditing for ``fremovexattr`` usage by setting the
+following Ansible variable:
+
+.. code-block:: yaml
+
+   security_audit_DAC_fremovexattr: yes

doc/source/stig-notes/V-38557_developer.rst

@@ -1,2 +1,12 @@
-Rules are added for auditing discretionary access control changes made via
-``fsetxattr``.
+**Exception**
+
+The audit rules for permission changes made with ``fsetxattr`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``fsetxattr`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+   security_audit_DAC_fsetxattr: yes

doc/source/stig-notes/V-38558_developer.rst

@@ -1,2 +1,12 @@
-Rules are added for auditing discretionary access control changes made via
-``lchown``.
+**Exception**
+
+The audit rules for permission changes made with ``lchown`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``lchown`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+   security_audit_DAC_lchown: yes

doc/source/stig-notes/V-38559_developer.rst

@@ -1,2 +1,12 @@
-Rules are added for auditing discretionary access control changes made via
-``lremovexattr``.
+**Exception**
+
+The audit rules for permission changes made with ``lremovexattr`` are disabled
+by default as they can generate an excessive amount of logs in a short period
+of time, especially during a deployment.
+
+Deployers can enable auditing for ``lremovexattr`` usage by setting the
+following Ansible variable:
+
+.. code-block:: yaml
+
+   security_audit_DAC_lremovexattr: yes

doc/source/stig-notes/V-38561_developer.rst

@@ -1,3 +1,12 @@
-Rules are added to auditd to log all DAC modifications using `lsetxattr`_.
+**Exception**
 
-.. _lsetxattr: http://linux.die.net/man/2/lsetxattr
+The audit rules for permission changes made with ``lxsetxattr`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``lsetxattr`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+   security_audit_DAC_lsetxattr: yes

doc/source/stig-notes/V-38565_developer.rst

@@ -1,4 +1,12 @@
-Rules are added so that all permission modifications made via `setxattr`_ are
-logged.
+**Exception**
 
-.. _setxattr: http://man7.org/linux/man-pages/man2/setxattr.2.html
+The audit rules for permission changes made with ``setxattr`` are disabled by
+default as they can generate an excessive amount of logs in a short period of
+time, especially during a deployment.
+
+Deployers can enable auditing for ``lsetxattr`` usage by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+   security_audit_DAC_lsetxattr: yes

releasenotes/notes/reduce-auditd-logging-633677a74aee5481.yaml

@@ -0,0 +1,25 @@
+---
+upgrade:
+  - |
+    All of the discretionary access control (DAC) auditing is now disabled by
+    default. This reduces the amount of logs generated during deployments and
+    minor upgrades.  The following variables are now set to ``no``:
+
+    .. code-block:: yaml
+
+       security_audit_DAC_chmod: no
+       security_audit_DAC_chown: no
+       security_audit_DAC_lchown: no
+       security_audit_DAC_fchmod: no
+       security_audit_DAC_fchmodat: no
+       security_audit_DAC_fchown: no
+       security_audit_DAC_fchownat: no
+       security_audit_DAC_fremovexattr: no
+       security_audit_DAC_lremovexattr: no
+       security_audit_DAC_fsetxattr: no
+       security_audit_DAC_lsetxattr: no
+       security_audit_DAC_setxattr: no
+fixes:
+  - The auditd rules for auditing V-38568 (filesystem mounts) were incorrectly
+    labeled in the auditd logs with the key of ``export-V-38568``. They are
+    now correctly logged with the key ``filesystem_mount-V-38568``.

templates/osas-auditd.j2

@@ -193,12 +193,12 @@
 # RHEL 6 STIG V-38558
 # Audits DAC changes via lchown
 {% if ansible_architecture == 'ppc64le' %}
--a always,exit -F arch=ppc64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_modV-38558
+-a always,exit -F arch=ppc64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38558
 -a always,exit -F arch=ppc64 -S lchown -F auid=0 -k perm_mod-V-38558
 {% else %}
 -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38558
 -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod-V-38558
--a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_modV-38558
+-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38558
 -a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod-V-38558
 {% endif %}
 {% endif %}
@@ -269,13 +269,13 @@
 # RHEL 6 STIG V-38568
 # Audits filesystem mounts
 {% if ansible_architecture == 'ppc64le' %}
--a always,exit -F arch=ppc64 -S mount -F auid>=500 -F auid!=4294967295 -k export-V-38568
--a always,exit -F arch=ppc64 -S mount -F auid=0 -k export-V-38568
+-a always,exit -F arch=ppc64 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568
+-a always,exit -F arch=ppc64 -S mount -F auid=0 -k filesystem_mount-V-38568
 {% else %}
--a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export-V-38568
--a always,exit -F arch=b32 -S mount -F auid=0 -k export-V-38568
--a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export-V-38568
--a always,exit -F arch=b64 -S mount -F auid=0 -k export-V-38568
+-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568
+-a always,exit -F arch=b32 -S mount -F auid=0 -k filesystem_mount-V-38568
+-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568
+-a always,exit -F arch=b64 -S mount -F auid=0 -k filesystem_mount-V-38568
 {% endif %}
 {% endif %}