Closed bdwyertech closed 5 years ago
Here's the source for the reload change -- https://github.com/linux-audit/audit-userspace/commit/85f9628c71865f966daef75c89ea86953d72931e
If I'm reading this right, will this still not work due to https://github.com/chef-cookbooks/auditd/issues/55 ?
No, this would resolve that issue as the reload action was moved out of systemd and into a helper script @isuftin
TLDR- the reasoning behind the helper scripts instead of systemd is to preserve the restart/reload invoking user's ID as systemd dbus apparently masks that... Read the discussion in the linked commit above for more info
I tested RHEL and CentOS 7.5+ @rmoles
That file does not exist therefore the rules do not actually load, I added a failing inspec test here please try for yourself.
https://github.com/chef-cookbooks/auditd/commit/d7f3fa58c83e6dc3ec631c0ac69bfcb75fa3cfc6
Please point me to the CIS benchmark requiring that specific rule, the logic here still uses it if it exists but that looks like a debian path not EL
FYI this is what the Inspec control looks like.
control "xccdf_org.cisecurity.benchmarks_rule_4.1.12_Ensure_use_of_privileged_commands_is_collected" do
  title "Ensure use of privileged commands is collected"
  desc "
    Monitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands.
    Rationale: Execution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system.
  "
  impact 1.0
  # One audit rule is expected per setuid/setgid binary on the local filesystem.
  bash('find / -xdev \\( -perm -4000 -o -perm -2000 \\) -type f').stdout.split("\n").each do |privileged_command|
    describe auditd do
      its('lines') { should include %r(-a always,exit -S all -F path=#{privileged_command} -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged) }
    end
  end
end
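As an added example (not the cookbook's code and not from this thread), a POSIX shell script that derives the CIS 4.1.12 rules the InSpec control above expects from the setuid/setgid files under a root and reports whether they are present in a given audit rules file, treating a missing rules file (the failure seen in this thread) as "nothing loaded". The root directory and rules file path are parameters, not the cookbook's actual paths.

```shell
#!/bin/sh
# Added example: generate and verify CIS "privileged commands" audit rules.

# Print the audit rule the InSpec control expects for one binary.
audit_rule_for() {
  printf -- '-a always,exit -S all -F path=%s -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged\n' "$1"
}

# List setuid/setgid regular files under $1 (default /), one per line,
# staying on one filesystem exactly like the CIS find command.
privileged_commands() {
  find "${1:-/}" -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | LC_ALL=C sort
}

# Emit one rule per privileged command found under $1.
privileged_rules() {
  privileged_commands "$1" | while IFS= read -r cmd; do
    audit_rule_for "$cmd"
  done
}

# Print the expected rules that are absent from rules file $2 (scanning $1).
# Returns 0 when every expected rule is present, 1 otherwise. A rules file
# that does not exist loads nothing, so every expected rule is missing.
rules_complete() {
  if [ ! -r "$2" ]; then
    privileged_rules "$1"
    return 1
  fi
  # -F: literal match (rules contain '>' and '!'), -x: whole line, -v: not found.
  ! privileged_rules "$1" | grep -F -x -v -f "$2" >/dev/null
}
```

Typical use is `rules_complete / /etc/audit/rules.d/privileged.rules` (a placeholder path), which prints any rule that should exist for a setuid/setgid binary but is not in the file.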
@rmoles the auditd_conffile helper was removed, not the resource. auditd_conf_file is still present. I don't believe any change is required to keep that working.
Merging manually as CI checks on this repo are not working.
Fixes: auditd configuration, it should never change dbus-daemon-launch-helper