auditd's Issues

Setting Attribute ruleset fails to produce any output

Setting node.default['auditd']['ruleset'] = 'cis' and running the auditd cookbook results in no change to the auditd rule base.

This had been working prior to the upgrade of the chefdk/chef-client.

The version of chefdk this is being tested with is:
Chef Development Kit Version: 0.15.15
chef-client version: 12.11.18
delivery version: 0.0.23 (bf89a6b776b55b89a46bbd57fcaa615c143a09a0)
berks version: 4.3.5
kitchen version: 1.10.0

Operating System targets RHEL 72 and RHEL 67

Doesn't work with RHEL/CentOS 7.x

The /etc/audit/audit.rules file is controlled by augenrules and the rules files in /etc/audit/rules.d/

However, the path is hardcoded and not overridable.

On RHEL 7 systems, we should write to /etc/audit/rules.d/audit.rules

CIS rules silently partial fail to be activated on Ubuntu

Cookbook version

2.3.4

Chef-client version

15

Platform Details

Ubuntu 18.04.3 LTS

Scenario:

Trying to apply cis.rules on Ubuntu

Steps to Reproduce:

include_recipe 'auditd::default'

auditd_ruleset 'cis.rules' do
  cookbook 'mitre-ipac-auditd'
end

Expected Result:

I expected cis.rules to work on Ubuntu

Actual Result:

The rules loaded are a partial set of cis.rules. I suspect everyone using this cookbook on Ubuntu, with the included cis.rules, is NOT auditing what they think!

m26560@ipac-ub18-tplt:~$ sudo auditctl -l
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F key=time-change
-w /etc/localtime -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
m26560@ipac-ub18-tplt:~$

My assessment is that this is because the next rule is "-w /etc/sysconfig/network -p wa -k system-locale" and this quietly fails (and short-circuits all further rule loading!) because /etc/sysconfig/network does not exist on an Ubuntu disk. There are certainly other issues further down the file.
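The failure mode described above (one bad watch rule stops loading and everything after it is silently missing) can be caught by comparing the rules file against what `auditctl -l` actually reports. This is an added example, not code from the auditd cookbook or from the reporter; the rules text, the "loaded" list and the path-existence predicate are all constructed so it runs offline.

```ruby
# Added example, not code from the auditd cookbook or from the reporter:
# compare a rules file with what `auditctl -l` reports as loaded, so a rule
# that fails (here a watch on a path the distro does not ship) is surfaced
# instead of silently truncating every rule after it.

# Daemon/control settings never appear in `auditctl -l`, so they are skipped.
CONTROL_FLAGS = %w[-D -b -e -f -r -c -i --backlog_wait_time --loginuid-immutable].freeze

# Constructed sample modelled on the issue: the rules file and the
# (shorter) list that `auditctl -l` printed after loading stopped.
RULES_FILE = <<~RULES
  # CIS system-locale and MAC-policy rules (constructed)
  -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
  -w /etc/issue -p wa -k system-locale
  -w /etc/hosts -p wa -k system-locale
  -w /etc/sysconfig/network -p wa -k system-locale
  -w /etc/selinux/ -p wa -k MAC-policy
  -e 2
RULES

LOADED_RULES = <<~LOADED
  -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
  -w /etc/issue -p wa -k system-locale
  -w /etc/hosts -p wa -k system-locale
LOADED

# auditctl echoes keys of syscall rules as "-F key=NAME" while rules files
# write "-k NAME"; fold both to one spelling and squeeze whitespace.
def normalize(rule)
  rule.gsub(/-F\s+key=/, '-k ').split.join(' ')
end

# Rule lines from a rules file or from `auditctl -l` output, normalized,
# with comments, blank lines and control settings dropped.
def parse_rules(text)
  text.each_line.map(&:strip)
      .reject { |l| l.empty? || l.start_with?('#') }
      .reject { |l| CONTROL_FLAGS.include?(l.split.first) }
      .map { |l| normalize(l) }
end

# Path watched by a "-w" rule, nil for syscall rules.
def watch_path(rule)
  m = rule.match(/(?:\A|\s)-w\s+(\S+)/)
  m && m[1]
end

# Watched paths that do not exist. `exists` is a predicate so the check can
# use the real filesystem (File.method(:exist?)) or a constructed list.
def missing_watch_paths(rules, exists)
  rules.map { |r| watch_path(r) }.compact.reject { |p| exists.call(p) }
end

# Rules present in the file but absent from `auditctl -l` output.
def unloaded_rules(file_rules, loaded_text)
  loaded = parse_rules(loaded_text)
  file_rules.reject { |r| loaded.include?(r) }
end

# Without `auditctl -c`, loading stops at the first failing rule, so this is
# the rule to look at; everything after it is missing as well.
def first_unloaded(file_rules, loaded_text)
  unloaded_rules(file_rules, loaded_text).first
end

if $PROGRAM_NAME == __FILE__
  rules = parse_rules(RULES_FILE)
  puts "first rule not loaded: #{first_unloaded(rules, LOADED_RULES)}"
  puts "watch paths missing on this host: #{missing_watch_paths(rules, File.method(:exist?))}"
end
```

On a live host, feed it `File.read('/etc/audit/audit.rules')`, the captured output of `auditctl -l`, and `File.method(:exist?)`; `auditctl -R -c` also keeps loading past a failing rule and returns non-zero at the end instead of stopping quietly.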

Ubuntu 20.04 - reload not supported for unit auditd.service

The following error occurs when updating the auditd_conf_file resource:

Recipe: auditd::default
  * service[auditd] action reload INFO: Processing service[auditd] action reload (auditd::default line 27)

    ================================================================================
    Error executing action `reload` on resource 'service[auditd]'
    ================================================================================
    
    Mixlib::ShellOut::ShellCommandFailed
    ------------------------------------
    Expected process to exit with [0], but received '3'
    ---- Begin output of ["/usr/bin/systemctl", "--system", "reload", "auditd"] ----
    STDOUT: 
    STDERR: Failed to reload auditd.service: Job type reload is not applicable for unit auditd.service.
    ---- End output of ["/usr/bin/systemctl", "--system", "reload", "auditd"] ----
    Ran ["/usr/bin/systemctl", "--system", "reload", "auditd"] returned 3
    
    Resource Declaration:
    ---------------------
    # In /opt/installers/chef/local-mode-cache/cache/cookbooks/auditd/recipes/default.rb
    
     27: service 'auditd' do
     28:   if platform_family?('rhel') && node['init_package'] == 'systemd' && node['platform_version'] < '7.5'
     29:     reload_command '/usr/libexec/initscripts/legacy-actions/auditd/reload'
     30:     restart_command '/usr/libexec/initscripts/legacy-actions/auditd/restart'
     31:   end
     32:   if platform_family?('rhel') && node['init_package'] == 'systemd' && node['platform_version'] >= '7.5'
    
    Compiled Resource:
    ------------------
    # Declared in /opt/installers/chef/local-mode-cache/cache/cookbooks/auditd/recipes/default.rb:27:in `from_file'
    
    service("auditd") do
      action [:enable]
      updated true
      default_guard_interpreter :default
      declared_type :service
      cookbook_name "auditd"
      recipe_name "default"
      supports {:start=>true, :stop=>true, :restart=>true, :reload=>true, :status=>true}
      service_name "auditd"
      running true
      enabled true
      masked false
    end
    
    System Info:
    ------------
    chef_version=16.1.0
    platform=ubuntu
    platform_version=20.04
    ruby=ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]
    program_name=/usr/bin/cinc-client
    executable=/opt/cinc/bin/cinc-client

This seems like a more generic issue of #55
The version of auditd installed on Ubuntu 20.04 is now 1:2.8.5-2ubuntu6 (whereas the version that would be installed in Ubuntu 18.04 is 1:2.8.2-1ubuntu1.1). Running reload with systemd generates the same error:

/usr/bin/systemctl reload auditd
Failed to reload auditd.service: Job type reload is not applicable for unit auditd.service.

A similar fix looks promising:

/usr/sbin/service auditd reload
 * Reloading audit daemon auditd                                                                                           [ OK ]

CIS 4.1.14 needs to be different for RHEL7 and RHEL6

The current CIS rule set in this cookbook includes:

# CIS 4.1.14
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

For RHEL6, the CIS recommendation (see here) has auid>=500

# grep delete /etc/audit/audit.rules
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

Handle immutability of config

This cookbook (at least if you set the cis rules) will include -e 2 config, making the auditd config immutable.

This means that if the cookbook is run repeatedly in Chef runs, the notified restart of the auditd service will have no effect on the current config.
When auditd is configured to be immutable, a restart of the host is needed.

This cookbook should possibly do something to address this.
Maybe a warning/failure if this happens. Maybe control over the immutability through attributes.
I think we can notify the host to reboot if needed; but this should definitely be attribute controlled and disabled by default!

auditd service incorrectly stated as up-to-date

Happened to notice we were missing audit data for a bunch of our hosts (O_O...compliance requirements). Seems some RHEL update stops auditd (or crashes it) and Chef is not addressing the situation by starting it again at any point in our hourly runs. Digging in, I found the following.

Chef 13.12.3
auditd cookbook 2.3.4
RHEL 7.6

...
Recipe: auditd::default
  * yum_package[audit] action install (up to date)
  * service[auditd] action enable (up to date)
...

Here you can see that kauditd is running, but that is not auditd

[m26560@cnide-db ~]$ pgrep --exact auditd
[m26560@cnide-db ~]$ ps -ef | grep auditd
root        96     2  0 Sep26 ?        00:00:35 [kauditd]
[m26560@cnide-db ~]$ sudo systemctl status auditd
โ— auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Wed 2018-12-05 04:45:20 EST; 2 days ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
 Main PID: 649 (code=exited, status=0/SUCCESS)

Dec 05 04:45:20 cnide-db auditd[649]: The audit daemon is exiting.
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
[m26560@cnide-db ~]$
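The two silent states from the issues above (an immutable `-e 2` config that a notified restart cannot change, and a dead daemon that an `:enable`-only service resource never restarts) both show up in `auditctl -s`. The check below is an added example, not code from the cookbook or the reporters; it assumes the usual `key value` line layout of `auditctl -s` and uses constructed sample output.

```ruby
# Added example (not from the cookbook or the reporters): read the output of
# `auditctl -s` and separate two failure modes a Chef run does not surface:
# an immutable (-e 2) configuration, which a notified service restart cannot
# change, and a dead daemon (pid 0) while the kernel's kauditd thread still
# shows up in `ps`.

# Parse "key value" lines of `auditctl -s` into a hash; numeric values become
# Integers, anything else (e.g. "0 unlocked") stays a string.
def parse_audit_status(text)
  text.each_line.each_with_object({}) do |line, status|
    key, value = line.strip.split(/\s+/, 2)
    next if key.nil? || value.nil?
    status[key] = value.match?(/\A\d+\z/) ? Integer(value, 10) : value
  end
end

# Findings as symbols so a Chef guard, monitoring check or compliance report
# can act on them without re-parsing text.
def audit_findings(status)
  findings = []
  findings << :daemon_not_running if status['pid'].to_i.zero?
  findings << :auditing_disabled if status['enabled'].to_i.zero?
  findings << :config_immutable if status['enabled'] == 2
  findings << :events_lost if status['lost'].to_i > 0
  findings
end

# What a config-management run can actually do about each finding. Only a
# reboot clears enabled=2; a stopped daemon just needs a start action.
def remediation(findings)
  return :reboot_required if findings.include?(:config_immutable)
  return :start_service if findings.include?(:daemon_not_running)
  return :enable_auditing if findings.include?(:auditing_disabled)
  :none
end

# Constructed samples of `auditctl -s` output for the two cases.
IMMUTABLE_STATUS = "enabled 2\nfailure 1\npid 812\nrate_limit 0\nbacklog_limit 8192\nlost 0\nbacklog 0\n"
DEAD_DAEMON_STATUS = "enabled 1\nfailure 1\npid 0\nrate_limit 0\nbacklog_limit 8192\nlost 37\nbacklog 0\n"

if $PROGRAM_NAME == __FILE__
  [IMMUTABLE_STATUS, DEAD_DAEMON_STATUS].each do |sample|
    f = audit_findings(parse_audit_status(sample))
    puts "#{f.inspect} -> #{remediation(f)}"
  end
end
```

For the dead-daemon case the Chef-side fix is to give the service resource `action [:enable, :start]` rather than `:enable` alone, so a run after the crash actually brings auditd back.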

CentOS 7.5, package audit >= 2.8.4, action reload does not exist in init-script

It seems like the audit package version >= 2.8.4 for CentOS 7.x no longer supports the "reload". Using this cookbook, the service may not be installed. The error is shown below.

Also see: https://bugzilla.redhat.com/show_bug.cgi?id=1647521

       Recipe: auditd::default
         * service[auditd] action reload

           ================================================================================
           Error executing action `reload` on resource 'service[auditd]'
           ================================================================================

           Mixlib::ShellOut::ShellCommandFailed
           ------------------------------------
           Expected process to exit with [0], but received '3'
           ---- Begin output of /bin/systemctl --system reload auditd ----
           STDOUT:
           STDERR: Failed to reload auditd.service: Job type reload is not applicable for unit auditd.service.
           See system logs and 'systemctl status auditd.service' for details.
           ---- End output of /bin/systemctl --system reload auditd ----
           Ran /bin/systemctl --system reload auditd returned 3

           Resource Declaration:
           ---------------------
           # In /tmp/kitchen/cache/cookbooks/auditd/recipes/default.rb

            24: service 'auditd' do
            25:   restart_command '/usr/libexec/initscripts/legacy-actions/auditd/restart' if platform_family?('rhel') && node['init_package'] == 'systemd'
            26:   supports [:start, :stop, :restart, :reload, :status]
            27:   action :enable
            28: end

           Compiled Resource:
           ------------------
           # Declared in /tmp/kitchen/cache/cookbooks/auditd/recipes/default.rb:24:in `from_file'

           service("auditd") do
             action [:enable]
             default_guard_interpreter :default
             service_name "auditd"
             enabled true
             running true
             masked false
             pattern "auditd"
             restart_command "/usr/libexec/initscripts/legacy-actions/auditd/restart"
             declared_type :service
             cookbook_name "auditd"
             recipe_name "default"
             supports {:start=>true, :stop=>true, :restart=>true, :reload=>true, :status=>true}
           end

           System Info:
           ------------
           chef_version=14.7.17
           platform=centos
           platform_version=7.5.1804
           ruby=ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux]
           program_name=/opt/chef/bin/chef-client
           executable=/opt/chef/bin/chef-client

Can't specify my own template?

In case anyone has any thoughts, I'm stuck here.

I have a wrapper cookbook around auditd called rcf-auditd. It's stupid simple. The recipe where there is trouble is shown below. It's as if the template cannot be found... but there is no error. The chef-client run converges and simply puts the default audit.rules in place as if I had not specified any ruleset.

# rcf-auditd/recipes/default.rb
#
# The following file exists in rcf-auditd/templates/default/modified-CIS.erb
# Setting this to just 'cis' does in fact put the cis ruleset in place though.
node.set['auditd']['ruleset'] = 'modified-CIS'
#
include_recipe 'auditd'
# EOF

CAPP ruleset not provided on Bionic

Ran into this while running a wrapper cookbook on bionic.
According to https://reposcope.com/package/auditd/files the CAPP rules (and other) archive(s) previously available on xenial are no longer included with the auditd package.

Compare the file list for the auditd package on xenial and bionic.

For me, auditd::rules dies with the following on bionic.

Seems like the assumption is that "/usr/share/doc/auditd/examples/capp.rules.gz" exists:
Recipe: auditd::rules
  * auditd_builtins[capp] action create[2018-11-02T19:48:21+00:00] INFO: Processing auditd_builtins[capp] action create (auditd::rules line 24)

    * execute[installing ruleset capp] action run[2018-11-02T19:48:21+00:00] INFO: Processing execute[installing ruleset capp] action run (/tmp/packer-chef-client/local-mode-cache/cache/cookbooks/auditd/resources/builtins.rb line 35)

      [execute] gzip: /usr/share/doc/auditd/examples/capp.rules.gz: No such file or directory

      ================================================================================
      Error executing action `run` on resource 'execute[installing ruleset capp]'
      ================================================================================

      Mixlib::ShellOut::ShellCommandFailed
      ------------------------------------
      Expected process to exit with [0], but received '1'
      ---- Begin output of zcat /usr/share/doc/auditd/examples/capp.rules.gz > /etc/audit/audit.rules ----
      STDOUT:
      STDERR: gzip: /usr/share/doc/auditd/examples/capp.rules.gz: No such file or directory
      ---- End output of zcat /usr/share/doc/auditd/examples/capp.rules.gz > /etc/audit/audit.rules ----
      Ran zcat /usr/share/doc/auditd/examples/capp.rules.gz > /etc/audit/audit.rules returned 1

      Resource Declaration:
      ---------------------
      # In /tmp/packer-chef-client/local-mode-cache/cache/cookbooks/auditd/resources/builtins.rb

       35:     execute "installing ruleset #{new_resource.name}" do
       36:       command "zcat /usr/share/doc/auditd/examples/#{new_resource.name}.rules.gz > /etc/audit/audit.rules"
       37:       notifies :restart, 'service[auditd]'
       38:     end
       39:   end

      Compiled Resource:
      ------------------
      # Declared in /tmp/packer-chef-client/local-mode-cache/cache/cookbooks/auditd/resources/builtins.rb:35:in `block in class_from_file'

      execute("installing ruleset capp") do
        action [:run]
        default_guard_interpreter :execute
        command "zcat /usr/share/doc/auditd/examples/capp.rules.gz > /etc/audit/audit.rules"
        backup 5
        declared_type :execute
        cookbook_name "auditd"
        domain nil
        user nil
      end

      System Info:
      ------------
      chef_version=14.6.47
      platform=ubuntu
      platform_version=18.04
      ruby=ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux]
      program_name=/usr/bin/chef-client
      executable=/opt/chefdk/bin/chef-client

[2018-11-02T19:48:21+00:00] INFO: Running queued delayed notifications before re-raising exception

    ================================================================================
    Error executing action `create` on resource 'auditd_builtins[capp]'
    ================================================================================

    Mixlib::ShellOut::ShellCommandFailed
    ------------------------------------
    execute[installing ruleset capp] (/tmp/packer-chef-client/local-mode-cache/cache/cookbooks/auditd/resources/builtins.rb line 35) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
    ---- Begin output of zcat /usr/share/doc/auditd/examples/capp.rules.gz > /etc/audit/audit.rules ----
    STDOUT:
    STDERR: gzip: /usr/share/doc/auditd/examples/capp.rules.gz: No such file or directory
    ---- End output of zcat /usr/share/doc/auditd/examples/capp.rules.gz > /etc/audit/audit.rules ----
    Ran zcat /usr/share/doc/auditd/examples/capp.rules.gz > /etc/audit/audit.rules returned 1

    Resource Declaration:
    ---------------------
    # In /tmp/packer-chef-client/local-mode-cache/cache/cookbooks/auditd/recipes/rules.rb

     24:   auditd_builtins 'capp'
     25: when 'lspp'

    Compiled Resource:
    ------------------
    # Declared in /tmp/packer-chef-client/local-mode-cache/cache/cookbooks/auditd/recipes/rules.rb:24:in `from_file'

    auditd_builtins("capp") do
      action [:create]
      default_guard_interpreter :default
      declared_type :auditd_builtins
      cookbook_name "auditd"
      recipe_name "rules"
    end

    System Info:
    ------------
    chef_version=14.6.47
    platform=ubuntu
    platform_version=18.04
    ruby=ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux]
    program_name=/usr/bin/chef-client
    executable=/opt/chefdk/bin/chef-client

CIS - Add configuration to /etc/audit/audit.conf

Issue found when investigating fails on CIS Compliance Profile Centos 7 & RHEL 7 controls 4.1.1.2 & 4.1.1.3.

Currently, checks are being performed on the audit.conf file for things such as:

space_left_action = email
action_mail_acct = root
admin_space_left_action = halt

The values in the audit.conf file are currently:

space_left_action = SYSLOG
action_mail_acct = root
admin_space_left_action = SUSPEND

At the moment the auditd cookbook does not add/change the configuration in the audit.conf file.

syntax error in 2.3.2

Introduced in #42. Fix incoming.

Chef::Mixin::Template::TemplateError
    ------------------------------------
    (erubis):73: syntax error, unexpected '~', expecting keyword_then or ';' or '\n'
    ...; if node['platform_version'] ~= /^6/
    ...                              ^
    (erubis):76: syntax error, unexpected keyword_else, expecting '}'
    '; else
       ^~~~
    (erubis):79: syntax error, unexpected keyword_end, expecting end-of-input
    '; end
       ^~~

Deprecated context -> cookbook should declare `unified_mode true` at 1 location:

Hi Team,

We have updated to the latest version, Chef-client 17.0.242-1, and we have this issue after running it.

Deprecated features used!
The auditd_builtins resource in the auditd cookbook should declare unified_mode true at 1 location:
- /opt/chef/embedded/lib/ruby/3.0.0/forwardable.rb:238:in `setup_run_context'
See https://docs.chef.io/deprecations_unified_mode/ for further details.
The auditd_conf_file resource in the auditd cookbook should declare unified_mode true at 1 location:
- /opt/chef/embedded/lib/ruby/3.0.0/forwardable.rb:238:in `setup_run_context'
See https://docs.chef.io/deprecations_unified_mode/ for further details.
The auditd_ruleset resource in the auditd cookbook should declare unified_mode true at 1 location:
- /opt/chef/embedded/lib/ruby/3.0.0/forwardable.rb:238:in `setup_run_context'
See https://docs.chef.io/deprecations_unified_mode/ for further details.

It's resources files...

Any information on how to fix this issue would be appreciated.

Thanks a lot.

HT

Version 2.3.4 on supermarket fails to configure /etc/audit/auditd.conf on redhat systems

Cookbook version

2.3.4

Chef-client version

13.6.4

Platform Details

centos 7.4.1708

Scenario:

The changes detailed at 84c30ce#diff-3145628960d821e12b5cc7c0cb6d1b39 didn't make it into version 2.3.4 released on supermarket at https://supermarket.chef.io/cookbooks/auditd so berks caches version 2.3.4 of the cookbook from supermarket which doesn't have this fix.

Steps to Reproduce:

  1. Create wrapper cookbook
  2. add default['auditd']['ruleset'] = 'cis' to attributes/default.rb
  3. add include_recipe 'auditd::conf' to recipes/default.rb
  4. Add depends 'auditd', '~> 2.3.4' to metadata.rb
  5. run berks install
  6. configure .kitchen.yml to have a centos 7 VM
  7. run kitchen converge centos-7

Expected Result:

/etc/audit/auditd.conf is updated when running the auditd::conf recipe on centos/redhat instead of /etc/audit/cis.auditd.

Actual Result:

Does not configure /etc/audit/auditd.conf instead configuring /etc/audit/cis.auditd

Snippet detailing the errant configuration file path

       Recipe: auditd::conf
         * auditd_conf_file[cis.auditd] action create
           * template[/etc/audit/cis.auditd] action create
             - create new file /etc/audit/cis.auditd
             - update content in file /etc/audit/cis.auditd from none to 64477b
             --- /etc/audit/cis.auditd	2019-02-06 20:40:55.410125292 +0000

Reviewing the berkshelf cache:

$ cat ~/.berkshelf/cookbooks/auditd-2.3.4/resources/conf_file.rb
#
# Cookbook:: auditd
# Resource:: auditd_conf_file
#
# Copyright:: 2018, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

property :cookbook, String

action :create do
  extend AuditD::Helper

  template auditd_conffile(new_resource.name) do
    source "#{new_resource.name}.conf.erb"
    cookbook new_resource.cookbook if new_resource.cookbook
    notifies :reload, 'service[auditd]'
  end
end

Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only.

Running this on a RHEL 72 system from a wrapper cookbook. The rules get put in place and the package gets added but I get the following when the service is manipulated.

Recipe: auditd::default

       ================================================================================
       Error executing action `restart` on resource 'service[auditd]'
       ================================================================================

       Mixlib::ShellOut::ShellCommandFailed
       ------------------------------------
       Expected process to exit with [0], but received '4'
       ---- Begin output of /bin/systemctl restart auditd ----
       STDOUT:
       STDERR: Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only.
       ---- End output of /bin/systemctl restart auditd ----
       Ran /bin/systemctl restart auditd returned 4

       Resource Declaration:
       ---------------------
       # In /tmp/kitchen/cache/cookbooks/auditd/recipes/default.rb

        27: service "auditd" do
        28:   supports [ :restart, :reload, :status ]
        29:   action :enable
        30: end

       Compiled Resource:
       ------------------
       # Declared in /tmp/kitchen/cache/cookbooks/auditd/recipes/default.rb:27:in `from_file'

       service("auditd") do
         action [:enable]
         supports {:restart=>true, :reload=>true, :status=>true}
         retries 0
         retry_delay 2
         default_guard_interpreter :default
         service_name "auditd"
         enabled true
         running true
         pattern "auditd"
         declared_type :service
         cookbook_name "auditd"
         recipe_name "default"
       end

Appears that perhaps this was not intended for use with RHEL 7 (upstart)?
