Configure audit rules for privileged commands

Starting with SCE for Linux v2.0.0, a new method is introduced for auditing privileged commands. This method is designed to improve operational efficiency and prevent Puppet performance degradation. Review the changes and learn how to configure audit rules for privileged commands.

With the method introduced in v2.0.0, a custom type or provider enumerates the privileged commands on a node and generates separate resources for each audit rule. As part of the update, the cem_files_setuid fact was removed. In addition, two parameters of the cem_linux::utils::packages::linux::auditd class were deprecated: $privileged_commands_rules and $ignore_privileged_commands.

If you were using the $privileged_commands_rules parameter, you should now manage audit rules for privileged commands outside of SCE.

If you were using the $ignore_privileged_commands parameter, replace it with a regular expression pattern. For example, if you had set $ignore_privileged_commands to ['postdrop', 'postqueue'], you can instead set $privileged_commands_exclude_pattern to postdrop|postqueue.

In addition, to help optimize performance, you can configure a filter to prevent any matching paths from being included in the list of privileged commands that have rules created for them. The following example shows how to configure privileged command auditing on the Red Hat Enterprise Linux (RHEL) 8 operating system. This method filters out any privileged commands found in the /mnt directory with a regular expression pattern as a string:

sce_linux::config:
  control_configs:
    ensure_use_of_privileged_commands_are_collected:
      audit_privileged_commands: true
      privileged_commands_exclude_pattern: '^/mnt/[^/]+$'
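The following Ruby script is an added illustration of the enumerate-then-filter step described above; it is not SCE's own provider code. It assumes a constructed inventory of file modes, that the exclude pattern is matched unanchored against each full path, and a CIS-style rule format (the rules SCE emits may differ).

```ruby
# Added example, not SCE's own provider code: pick the setuid/setgid
# executables out of an inventory, drop paths matching the exclude pattern,
# and emit one auditd rule per remaining command (CIS-style rule format;
# the rules SCE actually generates may differ).

# Constructed sample inventory: path => mode bits as File.stat would report.
# 0o4000 = setuid, 0o2000 = setgid.
SAMPLE_INVENTORY = {
  '/usr/bin/passwd'      => 0o104755,
  '/usr/bin/sudo'        => 0o104111,
  '/usr/sbin/postdrop'   => 0o102555,
  '/usr/sbin/postqueue'  => 0o102555,
  '/usr/bin/vim'         => 0o100755, # no setuid/setgid bit: not privileged
  '/mnt/backup-tool'     => 0o104755, # matched by '^/mnt/[^/]+$'
  '/mnt/deep/other-tool' => 0o104755  # nested under /mnt: not matched
}.freeze

# Scan a real directory tree into the same shape (for use on a live node).
def scan_tree(root)
  Dir.glob(File.join(root, '**', '*')).select { |p| File.file?(p) }
     .to_h { |p| [p, File.stat(p).mode] }
end

# Paths whose mode has the setuid or setgid bit set.
def privileged_commands(inventory)
  inventory.select { |_path, mode| (mode & 0o6000) != 0 }.keys.sort
end

# Drop paths matching the exclude pattern. It is an unanchored regex, as with
# privileged_commands_exclude_pattern: 'postdrop|postqueue' matches anywhere in
# the path, while '^/mnt/[^/]+$' matches only direct children of /mnt.
def apply_exclude_pattern(paths, pattern)
  return paths if pattern.nil? || pattern.empty?
  re = Regexp.new(pattern)
  paths.reject { |path| re.match?(path) }
end

# One rule per command: log each execution by a real user (auid >= 1000 and
# not the unset value) under the "privileged" key.
def audit_rule_for(path)
  "-a always,exit -F path=#{path} -F perm=x -F auid>=1000 -F auid!=unset -k privileged"
end

def generate_rules(inventory, exclude_pattern = nil)
  apply_exclude_pattern(privileged_commands(inventory), exclude_pattern)
    .map { |path| audit_rule_for(path) }
end

puts generate_rules(SAMPLE_INVENTORY, '^/mnt/[^/]+$') if __FILE__ == $PROGRAM_NAME
```

Swap SAMPLE_INVENTORY for scan_tree('/usr') to see which rules a real node would get under a given pattern before committing it to Hiera.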