Use auditctl to load new rules #15

Closed
wants to merge 3 commits into from
20 changes: 13 additions & 7 deletions .kitchen.yml
Expand Up @@ -5,29 +5,35 @@ driver:
platforms:
- name: ubuntu-12.04
run_list:
- recipe[apt]
- recipe[apt]
- name: ubuntu-10.04
run_list:
- recipe[apt]
- recipe[apt]
- name: centos-7.0
run_list:
- recipe[yum]
- name: centos-6.4
run_list:
- recipe[yum]
- recipe[yum]
- name: centos-5.10
run_list:
- recipe[yum]
- recipe[yum]

suites:
- name: default
run_list:
- recipe[auditd]
- recipe[auditd]

- name: rules
run_list:
- recipe[auditd::rules]
- recipe[auditd::rules]

- name: stig-rules
run_list:
- recipe[auditd::rules]
- recipe[auditd::rules]
attributes:
auditd:
ruleset: "stig"
excludes:
- ubuntu-12.04
- ubuntu-10.04
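Review bot: the `excludes` on the `stig-rules` suite drop both Ubuntu platforms, and `stig-rules` is the only suite that sets the `auditd.ruleset` attribute, so the attribute-driven path into `providers/builtins.rb` (including its new `debian` branch) is never exercised on a Debian-family box by this kitchen config. If the shipped rulesets genuinely cannot be applied on Ubuntu, consider a suite that asserts the builtin provider fails cleanly there, so a regression in that branch is still caught.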

If stig doesn't work on ubuntu, you should pick another ruleset otherwise the ruleset attribute won't be tested on ubuntu with these excludes. :)

Author

If you read the whole commit message, you'll see I discovered that none of
the other built in rules are compatible with Ubuntu either.


cis.rules doesn't work? default.rules doesn't work?


You still need to test rulesets even if the bulletins don't work :p

Author

It still tests Ubuntu against the "rules" recipe, which uses default.rules. I only excluded it from the built-ins.


true, guess that is probably fine then

34 changes: 24 additions & 10 deletions providers/builtins.rb
Expand Up @@ -19,19 +19,33 @@

# provider for installing audit templates provided by auditd package

include Chef::Mixin::ShellOut

action :create do
case node['platform_family']
when 'gentoo'
version = shell_out!('portageq best_version / sys-process/audit').stdout.chomp.sub('sys-process/audit-', '')
data = shell_out!('bzcat', "/usr/share/doc/audit-#{version}/contrib/#{new_resource.name}.rules.bz2").stdout
when 'rhel'
auditd_version = `/sbin/aureport -v`.split(' ').last

remote_file '/etc/audit/audit.rules' do
source "file:///usr/share/doc/audit-#{auditd_version}/#{new_resource.name}.rules"
notifies :restart, 'service[auditd]'
end
version = shell_out!('/sbin/aureport -v').stdout.split.last
data = ::File.read("/usr/share/doc/audit-#{version}/#{new_resource.name}.rules")
when 'fedora'
data = ::File.read("/usr/share/doc/audit/#{new_resource.name}.rules")
when 'suse'
data = ::File.read("/usr/share/doc/packages/audit/#{new_resource.name}.rules")
when 'debian'
require 'zlib'
data = Zlib::GzipReader.open("/usr/share/doc/auditd/examples/#{new_resource.name}.rules.gz", &:read)
when 'arch', 'slackware'
fail NotImplementedError, node['platform'] + ' does not install the built in rules'
else
execute "installing ruleset #{new_resource.name}" do
command "zcat /usr/share/doc/auditd/examples/#{new_resource.name}.rules.gz > /etc/audit/audit.rules"
notifies :restart, 'service[auditd]'
end
fail NotImplementedError, 'cannot find the built in rules on this platform'
end

f = file '/etc/audit/audit.rules' do
content data
notifies :run, 'execute[auditctl -R]', :immediately
end

new_resource.updated_by_last_action(f.updated_by_last_action?)
end
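Review bot: the new `file '/etc/audit/audit.rules'` resource sets no `owner`, `group` or `mode`, so the rules file is created with whatever the client's umask gives (the removed `remote_file` and `execute`/`zcat` branches had the same gap); add `owner 'root'`, `group 'root'` and `mode '0640'` so the rule set, which reveals exactly what the host watches, is not world-readable. The `:immediately` notification also assumes `execute[auditctl -R]` from `recipes/default.rb` is in the resource collection, so a wrapper cookbook that calls only this LWRP will fail at converge unless the provider does `include_recipe 'auditd'` or the README states the dependency.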
7 changes: 5 additions & 2 deletions providers/ruleset.rb
Expand Up @@ -18,9 +18,12 @@
#

# provider for installing audit rules from a template

action :create do
template '/etc/audit/audit.rules' do
t = template '/etc/audit/audit.rules' do
source "#{new_resource.name}.erb"
notifies :restart, resources(service: 'auditd')
notifies :run, 'execute[auditctl -R]', :immediately


FYI switching this will probably break the usage of the init.d script on debian systems


which breaks backwards compatibility for those who have customized /etc/default/auditd

Author

Please substantiate your claims.

The init.d script is still used to start auditd and so /etc/default/auditd is still used for EXTRAOPTIONS and USE_AUGENRULES on start, though the latter isn't really compatible with the cookbook anyway.

The cookbook will never and should never attempt to stop auditd so AUDITD_CLEAN_STOP and AUDITD_STOP_DISABLE will not be used in this context. That doesn't prevent them from being used on shutdown or if auditd is stopped manually.


I am working on a PR to bring this cookbook into compliance with the 2.3 changes (moving from a single file to multiple rule files) and the USE_AUGENRULES flag is needed on debian systems to turn the rules.d usage on.

Your change will just get reverted in my PR :p

Author

Admittedly I am not yet overly familiar with auditd and was not aware of a push towards augenrules. It is a useful feature but I figured that Chef's flexibility negated the need for it. Feel free to add support for it and I will adjust this pull request accordingly but please do not throw false accusations around when my changes were correct for the cookbook in its current state. You may be trying to be funny but it isn't coming off very well.


It's easier to build it into the cookbook than have people create wrapper cookbooks :)
thanks!

end

new_resource.updated_by_last_action(t.updated_by_last_action?)
end
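Review bot: with `notifies :restart, resources(service: 'auditd')` replaced by `notifies :run, 'execute[auditctl -R]', :immediately`, a changed template now takes effect only through a resource that is defined in `recipes/default.rb`, not in this provider; if the `ruleset` LWRP is used without `recipe[auditd]` the notification has no target and the run aborts, so either `include_recipe 'auditd'` at the top of the action or document the requirement. Since rules are no longer applied by a daemon restart, the ERB templates under `templates/` should each start with `-D` so that a re-converge replaces the running rule set instead of stacking duplicates on top of it.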
17 changes: 10 additions & 7 deletions recipes/default.rb
Expand Up @@ -18,15 +18,18 @@
#

case node['platform_family']
when 'rhel'
package 'audit'
when 'fedora'
package 'audit'
else
when 'debian'
package 'auditd'
else
package 'audit'
end

service 'auditd' do
supports [:restart, :reload, :status]
action :enable
supports [:reload, :status]
action [:enable, :start]
end

execute 'auditctl -R' do
command 'auditctl -R /etc/audit/audit.rules'
action :nothing
end
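Review bot: `execute 'auditctl -R'` invokes `auditctl` by bare name while `providers/builtins.rb` calls `/sbin/aureport` by absolute path; use `/sbin/auditctl` (or set the resource's `path`) so the load does not depend on sbin being on the chef-client's PATH. Two operational caveats worth a README note: `auditctl -R` applies the file on top of the live rule set, so rules files need a leading `-D` for idempotent re-runs, and any ruleset ending in `-e 2` locks the kernel audit config, after which every subsequent `auditctl -R` (and therefore every converge that changes the file) fails until reboot, which this resource does not guard against.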