feat: implement comprehensive auditing and logging for compliance

- Add CIS audit rules for system events monitoring
- Configure rsyslog for centralized security logging
- Implement logrotate for 365-day retention
- Add AIDE file integrity monitoring configuration

Audit Rules Coverage:
- System calls monitoring
- Privileged command execution
- File access and modification
- User/group information changes
- Network configuration changes
- Cron and service management
- Login and session events

Logging Features:
- Separate logs for security, admin, access, change events
- Rate limiting to prevent log flooding
- RFC 5424 format compliance
- Secure file permissions (0640)

File Integrity Monitoring:
- AIDE daily integrity checks
- Monitor critical system files and directories
- Exclude volatile filesystems (/proc, /sys, /tmp)
- Automated integrity verification

Compliance:
- CIS Benchmark 4.1: Audit and Accountability
- CMMC Level 3: AU domain (Audit and Accountability)
- FedRAMP Moderate: AU controls

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

chroot-overlay/etc/audit/rules.d/cis-audit.rules

@@ -0,0 +1,113 @@
+# CIS Benchmark - System Audit Rules
+# Implements CIS Debian Benchmark Section 4.1.2-4.1.17
+
+# Delete all existing rules
+-D
+
+# Set buffer size
+-b 8192
+
+# Set failure mode
+-f 1
+
+# ============================================================================
+# Monitor System Calls (CIS 4.1.10-4.1.17)
+# ============================================================================
+
+# Monitor for use of administration commands (CIS 4.1.10)
+-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid>=1000 -F auid!=4294967295 -k admin_cmd
+-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid>=1000 -F auid!=4294967295 -k admin_cmd
+
+# Monitor for unauthorized access attempts to files (CIS 4.1.11)
+-a always,exit -F arch=b64 -S open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+
+# Monitor for use of privileged commands (CIS 4.1.12)
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
+-a always,exit -F path=/usr/sbin/useradd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
+-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
+
+# Monitor for changes to system network configuration (CIS 4.1.13)
+-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
+-a always,exit -F arch=b64 -S /etc/issue -k system-locale
+-a always,exit -F path=/etc/hosts -F perm=wa -k system-locale
+-a always,exit -F path=/etc/network/ -F perm=wa -k system-locale
+
+# Monitor for changes to user/group information (CIS 4.1.14)
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+
+# Monitor for changes to sudoers files (CIS 4.1.15)
+-w /etc/sudoers -p wa -k identity
+-w /etc/sudoers.d/ -p wa -k identity
+
+# Monitor for changes to system scheduling (CIS 4.1.16)
+-w /etc/crontab -p wa -k cron
+-w /etc/cron.hourly/ -p wa -k cron
+-w /etc/cron.daily/ -p wa -k cron
+-w /etc/cron.weekly/ -p wa -k cron
+-w /etc/cron.monthly/ -p wa -k cron
+-w /var/spool/cron/ -p wa -k cron
+-w /etc/cron.d/ -p wa -k cron
+
+# Monitor for changes to time settings (CIS 4.1.17)
+-w /etc/localtime -p wa -k time-change
+-w /etc/timezone -p wa -k time-change
+
+# ============================================================================
+# Monitor for File Deletion by User
+# ============================================================================
+
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete
+
+# ============================================================================
+# Monitor for kernel module loading
+# ============================================================================
+
+-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=4294967295 -k modules
+-a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=4294967295 -k modules
+
+# ============================================================================
+# Monitor for changes to login configuration
+# ============================================================================
+
+-w /etc/login.defs -p wa -k logins
+-w /etc/securetty -p wa -k logins
+-w /var/log/faillog -p wa -k logins
+-w /var/log/lastlog -p wa -k logins
+-w /var/log/tallylog -p wa -k logins
+
+# ============================================================================
+# Monitor for system initialization
+# ============================================================================
+
+-w /etc/inittab -p wa -k init
+-w /etc/init.d/ -p wa -k init
+-w /etc/init/ -p wa -k init
+-w /etc/systemd/ -p wa -k init
+
+# ============================================================================
+# Monitor for mandatory access control (MAC) events
+# ============================================================================
+
+-w /etc/apparmor/ -p wa -k MAC-policy
+-w /etc/apparmor.d/ -p wa -k MAC-policy
+
+# ============================================================================
+# Audit Log Configuration
+# ============================================================================
+
+# Prevent auditd from being killed
+-a never,exit -F arch=b64 -S kill -F auid>=1000 -F auid!=4294967295 -k auditd
+-a never,exit -F arch=b32 -S kill -F auid>=1000 -F auid!=4294967295 -k auditd
+
+# Monitor for changes to audit configuration
+-w /etc/audit/ -p wa -k audit_config
+-w /etc/libaudit.conf -p wa -k audit_config
+-w /etc/audisp/ -p wa -k audit_config