
Use auditctl to load new rules #15

Closed

wants to merge 3 commits into from

Conversation

@chewi chewi commented Jan 23, 2015

This is essential to get this cookbook working on CentOS 7. See the commit messages for details.

On discovering that none of the built-in rules work on anything but RHEL or Fedora, I realised that adding support for those other platforms may have been a bit pointless but hey-ho.

Stopping and starting auditd is not the best way to load new rules. In
fact, the systemd unit file actually prevents you from doing
this. Debian patches this out but RHEL doesn't. auditctl can be used
instead.

We don't want this to happen on every chef-client run when handling
built-in rules so use the file resource instead of the remote_file or
dumb execute resource.

Experimental support has been added for loading built-in rules on
other platforms. Only Debian and CentOS have actually been tested.
/etc/sysconfig/network doesn't exist. This problem was masked until we
switched to using auditctl to load the rules. Unfortunately, none of
the other built-in rules are compatible either.
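As an added example (not code from the cookbook or from this PR), here is a plain Ruby sketch of the converge logic the commits describe: the rules file is written only when its content changes, the new content is loaded with `auditctl -R` rather than by restarting auditd, and a small check reads the systemd RefuseManualStop property that makes `systemctl restart auditd` fail on RHEL/CentOS 7. The `systemctl show` output and the rules are constructed samples, and the injected `runner` lambda is an assumption so the code runs on a host without auditctl.

```ruby
require 'digest'
require 'fileutils'
require 'tmpdir'

# Constructed sample of `systemctl show auditd.service -p RefuseManualStop -p RefuseManualStart`
# (not captured from a real host); RHEL 7 ships auditd with RefuseManualStop=yes.
SAMPLE_UNIT_PROPS = "RefuseManualStop=yes\nRefuseManualStart=no\n".freeze

# Constructed sample rules file content (assumption, not one of the cookbook's rulesets).
SAMPLE_RULES = "-D\n-b 8192\n-w /etc/passwd -p wa -k identity\n".freeze

# Parse Key=Value lines from `systemctl show` into a Hash.
def parse_unit_props(text)
  text.each_line.with_object({}) do |line, props|
    key, value = line.strip.split('=', 2)
    props[key] = value if key && value
  end
end

# True when systemd will refuse `systemctl restart auditd` (the error the PR works around),
# in which case rules must be loaded with auditctl instead of a service restart.
def restart_refused?(unit_props_text)
  parse_unit_props(unit_props_text)['RefuseManualStop'] == 'yes'
end

# Write the rules file only when its content differs, mirroring Chef's file resource so the
# reload does not fire on every chef-client run. Returns true when a reload is needed.
def write_rules_if_changed(path, content)
  if File.file?(path) && Digest::SHA256.file(path).hexdigest == Digest::SHA256.hexdigest(content)
    return false
  end
  FileUtils.mkdir_p(File.dirname(path))
  File.write(path, content)
  true
end

# The load command the PR switches to: auditctl reads the file and replaces the live ruleset.
def rules_load_command(path)
  ['auditctl', '-R', path]
end

# One converge: write if changed, then hand the command to `runner` (assumed injectable so the
# example runs offline; in production pass e.g. ->(argv) { system(*argv) or raise 'load failed' }).
# Returns the argv that was run, or nil when the file was already up to date.
def converge_audit_rules(path, content, runner)
  return nil unless write_rules_if_changed(path, content)
  argv = rules_load_command(path)
  runner.call(argv)
  argv
end
```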
attributes:
  auditd:
    ruleset: "stig"
excludes:
  - ubuntu-12.04
  - ubuntu-10.04


If stig doesn't work on ubuntu, you should pick another ruleset otherwise the ruleset attribute won't be tested on ubuntu with these excludes. :)

Author

If you read the whole commit message, you'll see I discovered that none of the other built-in rules are compatible with Ubuntu either.


cis.rules doesn't work? default.rules doesn't work?


You still need to test rulesets even if the bulletins don't work :p

Author

It still tests Ubuntu against the "rules" recipe, which uses default.rules. I only excluded it from the built-ins.


true, guess that is probably fine then


chewi commented Feb 3, 2015

It's worth noting that these rulesets would probably work if they didn't reference /etc/sysconfig. It's a shame the distros haven't simply replaced these lines with something appropriate. I guess they didn't intend for you to simply use these files as-is.

source "#{new_resource.name}.erb"
notifies :restart, resources(service: 'auditd')
notifies :run, 'execute[auditctl -R]', :immediately


FYI switching this will probably break the usage of the init.d script on debian systems


which breaks backwards compatibility for those who have customized /etc/default/auditd

Author

Please substantiate your claims.

The init.d script is still used to start auditd and so /etc/default/auditd is still used for EXTRAOPTIONS and USE_AUGENRULES on start, though the latter isn't really compatible with the cookbook anyway.

The cookbook will never and should never attempt to stop auditd so AUDITD_CLEAN_STOP and AUDITD_STOP_DISABLE will not be used in this context. That doesn't prevent them from being used on shutdown or if auditd is stopped manually.


I am working on a PR to bring this cookbook into compliance with the 2.3 changes (moving from a single file to multiple rule files) and the USE_AUGENRULES flag is needed on debian systems to turn the rules.d usage on.

Your change will just get reverted in my PR :p

Author

Admittedly I am not yet overly familiar with auditd and was not aware of a push towards augenrules. It is a useful feature but I figured that Chef's flexibility negated the need for it. Feel free to add support for it and I will adjust this pull request accordingly but please do not throw false accusations around when my changes were correct for the cookbook in its current state. You may be trying to be funny but it isn't coming off very well.


It's easier to build it into the cookbook than have people create wrapper cookbooks :)
thanks!

@shortdudey123

Does this also fix CentOS 6.5/6.6? I noticed it doesn't converge on anything higher than CentOS 6.4


chewi commented Feb 3, 2015

I think I only tested CentOS 7 (and Debian) but I will give 6.6 a try tomorrow.

@shortdudey123

thanks!


chewi commented Feb 4, 2015

Turns out it's because Chef prepares their CentOS boxes with --excludedocs. This is true for CentOS 7 too but for some reason, the box I have still includes the docs anyway. It's not like they only added that directive recently either. I'm not sure what to do about this other than to exclude CentOS 6 from the built-in suite too. It would work fine on a real system.

@shortdudey123

Figures, thanks for looking into that part!
:)


isuftin commented Jan 13, 2016

Is there any movement on this update? Currently trying to load auditd for CIS ruleset on CentOS 7.1 and it breaks with...

================================================================================
           Error executing action `restart` on resource 'service[auditd]'
           ================================================================================

           Mixlib::ShellOut::ShellCommandFailed
           ------------------------------------
           Expected process to exit with [0], but received '4'
           ---- Begin output of /bin/systemctl restart auditd ----
           STDOUT:
           STDERR: Failed to issue method call: Operation refused, unit auditd.service may be requested by dependency only.
           ---- End output of /bin/systemctl restart auditd ----
           Ran /bin/systemctl restart auditd returned 4


isuftin commented Jan 13, 2016

Note that at the very least, any recipes calling :restart can call :reload and that should work fine. Unfortunately, the auditd cookbook hard-codes a restart once placing CIS rules.


chewi commented Jun 12, 2017

We found that our fixes here were no longer working while the latest cookbook release now works fine so I'll close this.

@chewi chewi closed this Jun 12, 2017