Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use auditctl to load new rules #15

Closed
wants to merge 3 commits into from
Closed

Use auditctl to load new rules #15

wants to merge 3 commits into from

Conversation

chewi
Copy link

@chewi chewi commented Jan 23, 2015

This is essential to get this cookbook working on CentOS 7. See the commit messages for details.

On discovering that none of the built in rules work on anything but RHEL or Fedora, I realised that adding support for those other platforms may have been a bit pointless but hey-ho.

chewi added 3 commits January 23, 2015 10:40
Stopping and starting auditd is not the best way to load new rules. In
fact, the systemd unit file actually prevents you from doing
this. Debian patches this out but RHEL doesn't. auditctl can be used
instead.

We don't want this to happen on every chef-client run when handling
built in rules so use the file resource instead of the remote_file or
dumb execute resource.

Experimental support has been added for loading built in rules on
other platforms. Only Debian and CentOS has actually been tested.
/etc/sysconfig/network doesn't exist. This problem was masked until we
switched to using auditctl to load the rules. Unfortunately, none of
the other built in rules are compatible either.
attributes:
auditd:
ruleset: "stig"
excludes:
- ubuntu-12.04
- ubuntu-10.04

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If stig doesn't work on ubuntu, you should pick another ruleset otherwise the ruleset attribute won't be tested on ubuntu with these excludes. :)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you read the whole commit message, you'll see I discovered that none of
the other built in rules are compatible with Ubuntu either.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cis.rules does't work? default.rules doesn't work?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You still need to test rulesets even if the bulletins don't work :p

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It still tests Ubuntu against the "rules" recipe, which uses default.rules. I only excluded it from the built-ins.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

true, guess that is probably fine then

@chewi
Copy link
Author

chewi commented Feb 3, 2015

It's worth noting that these rulesets would probably work if they didn't reference /etc/sysconfig. It's a shame the distros haven't simply replaced these lines with something appropriate. I guess they didn't intend for you to simply use these files as-is.

source "#{new_resource.name}.erb"
notifies :restart, resources(service: 'auditd')
notifies :run, 'execute[auditctl -R]', :immediately

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI switching this will probably break the usage of the init.d script on debian systems

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

which breaks backwards compatibility for those who have customized /etc/default/auditd

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please substantiate your claims.

The init.d script is still used to start auditd and so /etc/default/auditd is still used for EXTRAOPTIONS and USE_AUGENRULES on start, though the latter isn't really compatible with the cookbook anyway.

The cookbook will never and should never attempt to stop auditd so AUDITD_CLEAN_STOP and AUDITD_STOP_DISABLE will not be used in this context. That doesn't prevent them from being used on shutdown or if auditd is stopped manually.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am working on a PR to bring this cookbook into compliance with the 2.3 changes (moving from a single file to multiple rule files) and the USE_AUGENRULES flag is needed on debian systems to turn the rules.d usage on.

Your change will just get reverted in my PR :p

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Admittedly I am not yet overly familiar with auditd and was not aware of a push towards augenrules. It is a useful feature but I figured that Chef's flexibility negated the need for it. Feel free to add support for it and I will adjust this pull request accordingly but please do not throw false accusations around when my changes were correct for the cookbook in its current state. You may be trying to be funny but it isn't coming off very well.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its easier to build it into the cookbook than have people create wrapper cookbooks :)
thanks!

@shortdudey123
Copy link

This also fix CentOS 6.5/6.6? i noticed it doesn't converge on anything higher then CentOS 6.4

@chewi
Copy link
Author

chewi commented Feb 3, 2015

I think I only tested CentOS 7 (and Debian) but I will give 6.6 a try tomorrow.

@shortdudey123
Copy link

thanks!

@chewi
Copy link
Author

chewi commented Feb 4, 2015

Turns out it's because Chef prepare their CentOS boxes with --excludedocs. This is true for CentOS 7 too but for some reason, the box I have still includes the docs anyway. It's not like they only added that directive recently either. I'm not sure what to do about this other than to exclude CentOS 6 from the built-in suite too. It would work fine on a real system.

@shortdudey123
Copy link

Figures, thanks for looking into that part!
:)

@isuftin
Copy link

isuftin commented Jan 13, 2016

Is there any movement on this update? Currently trying to load auditd for CIS ruleset on CentOS 7.1 and it breaks with...

================================================================================
           Error executing action `restart` on resource 'service[auditd]'
           ================================================================================

           Mixlib::ShellOut::ShellCommandFailed
           ------------------------------------
           Expected process to exit with [0], but received '4'
           ---- Begin output of /bin/systemctl restart auditd ----
           STDOUT:
           STDERR: Failed to issue method call: Operation refused, unit auditd.service may be requested by dependency only.
           ---- End output of /bin/systemctl restart auditd ----
           Ran /bin/systemctl restart auditd returned 4

@isuftin
Copy link

isuftin commented Jan 13, 2016

Note that at the very least, any recipes calling :restart can call :reload and that should work fine. Unfortunately, the auditd cookbook hard-codes a restart once placing CIS rules.

@chewi
Copy link
Author

chewi commented Jun 12, 2017

We found that our fixes here were no longer working while the latest cookbook release now works fine so I'll close this.

@chewi chewi closed this Jun 12, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants