feat(audit): add AWS encryption provider audit rules and update encryption provider script
This commit is contained in:
@@ -10,6 +10,6 @@ auditd_mode: 1
|
||||
auditd_num_logs: 5
|
||||
auditd_space_left: 75
|
||||
auditd_space_left_action: email
|
||||
auditd_encryption_kms_socket:
|
||||
grub_audit_backlog_cmdline: audit_backlog_limit=8192
|
||||
grub_audit_cmdline: audit=1
|
||||
...
|
||||
|
||||
@@ -150,6 +150,11 @@
|
||||
-w /usr/sbin/runc -p rwxa -k docker
|
||||
-w /var/run/docker.sock -p rwxa -k docker
|
||||
|
||||
{% if auditd_encryption_kms_socket is defined %}
|
||||
# AWS encryption provider
|
||||
-w {{ auditd_encryption_kms_socket | dirname }} -p rwxa -k aws-encryption-provider
|
||||
{% endif %}
|
||||
|
||||
# Group modifications
|
||||
-w /etc/group -p wa -k group-modification
|
||||
-w /etc/gshadow -p wa -k group-modification
|
||||
|
||||
@@ -3,4 +3,6 @@
|
||||
# Managed by Ansible.
|
||||
export AWS_ACCESS_KEY_ID={{ encryption_aws_access_key_id }}
|
||||
export AWS_SECRET_ACCESS_KEY={{ encryption_aws_secret_access_key }}
|
||||
mkdir {{ encryption_kms_socket_dir | dirname }} }} 2>/dev/null || true
|
||||
chmod 700 {{ encryption_kms_socket_dir | dirname }} 2>/dev/null
|
||||
/usr/local/bin/aws-encryption-provider --key={{ encryption_kms_arn }} --region={{ encryption_kms_region }} --listen={{ encryption_kms_socket }}
|
||||
|
||||
Reference in New Issue
Block a user