Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[TACACS] Fix auditd can't load tacplus plugin issue. #9481

Merged
merged 9 commits into from
Dec 16, 2021
Merged

[TACACS] Fix auditd can't load tacplus plugin issue. #9481

merged 9 commits into from
Dec 16, 2021

Conversation

liuh-80
Copy link
Contributor

@liuh-80 liuh-80 commented Dec 9, 2021
edited
Loading

Why I did it

  1. Fix auditd log file path, because known issue: [var-log] files/sub-folder under /var/log folder missing because SONiC mount /var/log as a RAM disk/ext4 file. #9548

  2. When SONiC change to based on bullseye, auditd version upgrade from 2.8.4 to 3.0.2, and in auditd 3.0.2 the plugin file path changed to /etc/audit/plugins.d, however the upstream auditisp-tacplus project not follow-up this change, it still install plugin config file to /etc/audit/audisp.d. so the plugin can't be launch correctly, the code change in src/tacacs/audisp/patches/0001-Porting-to-sonic.patch fix this issue.

How I did it

    Fix tacacs plugin config file path.
    Create /var/log/audit folder for auditd.

How to verify it

    Pass all UT, also run per-command acccounting UT to validate plugin loaded.

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106

Description for the changelog

    Fix tacacs plugin config file path.
    Create /var/log/audit folder for auditd.

A picture of a cute animal (not mandatory but encouraged)

@liuh-80 liuh-80 changed the title Fix auditd can't load tacplus plugin issue. [TACACS] Fix auditd can't load tacplus plugin issue. Dec 9, 2021
@liuh-80
Copy link
Contributor Author

liuh-80 commented Dec 10, 2021

/azp run Azure.sonic-buildimage

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@liuh-80 liuh-80 marked this pull request as ready for review December 13, 2021 05:31
@liuh-80 liuh-80 merged commit 734b1bf into sonic-net:master Dec 16, 2021
liuh-80 added a commit to liuh-80/sonic-buildimage that referenced this pull request Dec 16, 2021
@liuh-80
[TACACS] Fix auditd can't load tacplus plugin issue. (sonic-net#9481)
43b6f98 
<!--
     Please make sure you've read and understood our contributing guidelines:
     https://github.com/Azure/SONiC/blob/gh-pages/CONTRIBUTING.md

     ** Make sure all your commits include a signature generated with `git commit -s` **

     If this is a bug fix, make sure your description includes "fixes #xxxx", or
     "closes #xxxx" or "resolves #xxxx"

     Please provide the following information:
-->

#### Why I did it
1. Fix auditd log file path, because known issue: sonic-net#9548

2. When SONiC change to based on bullseye, auditd version upgrade from 2.8.4 to 3.0.2, and in auditd 3.0.2 the plugin file path changed to /etc/audit/plugins.d, however the upstream auditisp-tacplus project not follow-up this change, it still install plugin config file to /etc/audit/audisp.d. so the plugin can't be launch correctly, the code change in src/tacacs/audisp/patches/0001-Porting-to-sonic.patch fix this issue.
#### How I did it
        Fix tacacs plugin config file path.
        Create /var/log/audit folder for auditd.

#### How to verify it
        Pass all UT, also run per-command acccounting UT to validate plugin loaded.

#### Which release branch to backport (provide reason below if selected)

<!--
- Note we only backport fixes to a release branch, *not* features!
- Please also provide a reason for the backporting below.
- e.g.
- [x] 202006
-->

- [ ] 201811
- [ ] 201911
- [ ] 202006
- [ ] 202012
- [ ] 202106

#### Description for the changelog
<!--
Write a short (one line) summary that describes the changes in this
pull request for inclusion in the changelog:
-->
        Fix tacacs plugin config file path.
        Create /var/log/audit folder for auditd.

#### A picture of a cute animal (not mandatory but encouraged)
@liuh-80 liuh-80 added the Request for 202111 Branch For PRs being requested for 202111 branch label Dec 17, 2021
judyjoseph pushed a commit that referenced this pull request Dec 27, 2021
@liuh-80 @judyjoseph
[TACACS] Fix auditd can't load tacplus plugin issue. (#9481)
4e22831 
<!--
     Please make sure you've read and understood our contributing guidelines:
     https://github.com/Azure/SONiC/blob/gh-pages/CONTRIBUTING.md

     ** Make sure all your commits include a signature generated with `git commit -s` **

     If this is a bug fix, make sure your description includes "fixes #xxxx", or
     "closes #xxxx" or "resolves #xxxx"

     Please provide the following information:
-->

#### Why I did it
1. Fix auditd log file path, because known issue: #9548

2. When SONiC change to based on bullseye, auditd version upgrade from 2.8.4 to 3.0.2, and in auditd 3.0.2 the plugin file path changed to /etc/audit/plugins.d, however the upstream auditisp-tacplus project not follow-up this change, it still install plugin config file to /etc/audit/audisp.d. so the plugin can't be launch correctly, the code change in src/tacacs/audisp/patches/0001-Porting-to-sonic.patch fix this issue.
#### How I did it
        Fix tacacs plugin config file path.
        Create /var/log/audit folder for auditd.

#### How to verify it
        Pass all UT, also run per-command acccounting UT to validate plugin loaded.

#### Which release branch to backport (provide reason below if selected)

<!--
- Note we only backport fixes to a release branch, *not* features!
- Please also provide a reason for the backporting below.
- e.g.
- [x] 202006
-->

- [ ] 201811
- [ ] 201911
- [ ] 202006
- [ ] 202012
- [ ] 202106

#### Description for the changelog
<!--
Write a short (one line) summary that describes the changes in this
pull request for inclusion in the changelog:
-->
        Fix tacacs plugin config file path.
        Create /var/log/audit folder for auditd.

#### A picture of a cute animal (not mandatory but encouraged)
saiarcot895 added a commit to saiarcot895/sonic-buildimage that referenced this pull request Feb 18, 2022
@saiarcot895
[build_debian.sh]: Fix /var/log having 0750 permissions instead of 0755
fdda83c 
PR sonic-net#9481 changed auditd's log directory to be /var/log instead of
/var/log/audit, because SONiC mounts a disk image at /var/log during
runtime, and so the /var/log/audit directory might not exist (since it
would've been created during package installation, mounting another
partition at /var/log will hide it). However, for security reasons,
auditd changes the log directory to have 0750 permissions, so that not
everyone knows about the audit logs or read them.

To fix this, revert the change to auditd's log directory, and tell
systemd to create the audit log directory at runtime if it doesn't
exist. Because the disk image gets mounted during initramfs (before
systemd starts), systemd will make sure that the /var/log/audit
directory will exist.

Fixes sonic-net#9548 and sonic-net#10015

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
@saiarcot895 saiarcot895 mentioned this pull request Feb 18, 2022
Merged
6 tasks
saiarcot895 added a commit that referenced this pull request Feb 28, 2022
@saiarcot895
[build_debian.sh]: Fix /var/log having 0750 permissions instead of 07…
afa18e2 
…55 (#10031)

PR #9481 changed auditd's log directory to be /var/log instead of
/var/log/audit, because SONiC mounts a disk image at /var/log during
runtime, and so the /var/log/audit directory might not exist (since it
would've been created during package installation, mounting another
partition at /var/log will hide it). However, for security reasons,
auditd changes the log directory to have 0750 permissions, so that not
everyone knows about the audit logs or read them.

To fix this, revert the change to auditd's log directory, and tell
systemd to create the audit log directory at runtime if it doesn't
exist. Because the disk image gets mounted during initramfs (before
systemd starts), systemd will make sure that the /var/log/audit
directory will exist.

Fixes #9548 and #10015

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
judyjoseph pushed a commit that referenced this pull request Mar 7, 2022
@saiarcot895 @judyjoseph
[build_debian.sh]: Fix /var/log having 0750 permissions instead of 07…
c437cad 
…55 (#10031)

PR #9481 changed auditd's log directory to be /var/log instead of
/var/log/audit, because SONiC mounts a disk image at /var/log during
runtime, and so the /var/log/audit directory might not exist (since it
would've been created during package installation, mounting another
partition at /var/log will hide it). However, for security reasons,
auditd changes the log directory to have 0750 permissions, so that not
everyone knows about the audit logs or read them.

To fix this, revert the change to auditd's log directory, and tell
systemd to create the audit log directory at runtime if it doesn't
exist. Because the disk image gets mounted during initramfs (before
systemd starts), systemd will make sure that the /var/log/audit
directory will exist.

Fixes #9548 and #10015

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
@liuh-80 liuh-80 deleted the dev/liuh/fix_auditd_issue branch July 6, 2023 02:47
@liuh-80 liuh-80 mentioned this pull request Jul 13, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@qiluo-msft qiluo-msft qiluo-msft approved these changes

@lguohan lguohan Awaiting requested review from lguohan lguohan is a code owner

Assignees
No one assigned
Labels
Included in 202111 Branch Request for 202111 Branch For PRs being requested for 202111 branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@liuh-80 @qiluo-msft @judyjoseph