Closed jschripsema closed 7 years ago
Big bummer. Confirming the above: with (at least) 1.0.1, this does not work on RHEL 7.x. The following writes out /etc/audit/audit.rules with the CIS rules, and then `ExecStartPost=-/sbin/augenrules --load` in the systemd service unit file trashes them:
```ruby
include_recipe 'auditd::default'

auditd_ruleset 'cis.rules' do
  cookbook 'auditd'
end
```
The fix is to write the rules out to (as @jschripsema has said) /etc/audit/rules.d/something
Here's a quick workaround for those hitting this issue before a fix happens. Change your `source` in the template block and/or the `cookbook` appropriately.
```ruby
include_recipe 'auditd::default'

# See: https://github.com/chef-cookbooks/auditd/issues/30
#
# The community cookbook does not have proper support for
# RHEL/CentOS 7.x yet, so we can't use this:
#
#   auditd_ruleset 'cis.rules' do
#     cookbook 'auditd'
#   end
#
# Instead, we just duplicate the `auditd_ruleset` provider
# code from the cookbook and modify it for our immediate
# needs on 7.x. We can still reference the auditd cookbook's
# template for rules' template source files though.
template '/etc/audit/rules.d/audit.rules' do
  only_if { node['platform_family'] == 'rhel' && node['platform_version'].to_i >= 7 }
  source 'cis.rules.erb'
  cookbook 'auditd'
  notifies :restart, 'service[auditd]'
end
```
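As an added check, not code from the auditd cookbook or from anyone in this thread: a small shell script that tells you whether a host's audit.rules is the file augenrules generates (assumed to carry a header starting `## This file is automatically generated`) and lists any rules in it that no file under rules.d supplies, i.e. exactly the rules the next `augenrules --load` will drop. The function names and the sample rule files in `demo_orphans` are constructed for the demonstration.

```sh
#!/bin/sh
# Added check (not from the auditd cookbook or this thread): on a host where
# augenrules rebuilds /etc/audit/audit.rules from /etc/audit/rules.d/*.rules,
# any rule written straight into audit.rules disappears on the next
# "augenrules --load". These helpers spot that situation before it bites.

# Assumption: augenrules stamps the file it generates with a header that
# begins "## This file is automatically generated".
is_augenrules_managed() {
  grep -q '^## This file is automatically generated' "$1" 2>/dev/null
}

# Print the active rule lines of a file (blank lines and comments dropped).
active_rules() {
  grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

# Rules in audit.rules that no *.rules file under rules.d supplies; these are
# exactly the rules the next augenrules --load will drop. Returns 1 if any.
orphaned_rules() {
  audit_rules=$1; rules_d=$2
  expected=$(mktemp)
  for f in "$rules_d"/*.rules; do
    [ -f "$f" ] && active_rules "$f"
  done | sort -u >"$expected"
  orphans=$(active_rules "$audit_rules" | sort -u | comm -23 - "$expected")
  rm -f "$expected"
  [ -z "$orphans" ] && return 0
  printf '%s\n' "$orphans"
  return 1
}

# Constructed sample mirroring the failure in this issue: the CIS rule is
# delivered through rules.d, but a second rule was written into audit.rules
# directly. Prints the rule that augenrules will throw away.
demo_orphans() {
  d=$(mktemp -d)
  mkdir "$d/rules.d"
  printf -- '-w /etc/passwd -p wa -k identity\n' >"$d/rules.d/10-cis.rules"
  printf -- '## This file is automatically generated from /etc/audit/rules.d\n' >"$d/audit.rules"
  printf -- '-w /etc/passwd -p wa -k identity\n-w /etc/shadow -p wa -k identity\n' >>"$d/audit.rules"
  is_augenrules_managed "$d/audit.rules" && echo "audit.rules is augenrules-managed" >&2
  orphaned_rules "$d/audit.rules" "$d/rules.d" || true
  rm -rf "$d"
}
```

On a real host, `orphaned_rules /etc/audit/audit.rules /etc/audit/rules.d` exiting non-zero with rules listed means those rules exist only in the generated file and need to move into a rules.d file.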
If someone wants to dig in on getting proper cross-platform support in the updated custom resources, we'd gladly merge that in.
@tas50 -- I got you chief
Confirmed that #33 fixes this for me. Thanks!
The /etc/audit/audit.rules file is controlled by augenrules and the rules files in /etc/audit/rules.d/
However, the path is hardcoded and not overridable.
On RHEL 7 systems, we should write to /etc/audit/rules.d/audit.rules