chef-cookbooks / auditd

Install and configure user mode auditd tools
Apache License 2.0

Fix RHEL #53

Closed bdwyertech closed 5 years ago

bdwyertech commented 5 years ago

Fixes:

bdwyertech commented 5 years ago

Here's the source for the reload change -- https://github.com/linux-audit/audit-userspace/commit/85f9628c71865f966daef75c89ea86953d72931e

isuftin commented 5 years ago

If I'm reading this right, will this still not work due to https://github.com/chef-cookbooks/auditd/issues/55 ?

bdwyertech commented 5 years ago

No, this would resolve that issue, as the reload action was moved out of systemd and into a helper script @isuftin

TL;DR: the reasoning behind the helper scripts instead of systemd is to preserve the restart/reload invoking user's ID, as systemd dbus apparently masks that... Read the discussion in the linked commit above for more info

bdwyertech commented 5 years ago

I tested RHEL and CentOS 7.5+ @rmoles

That file does not exist, therefore the rules do not actually load. I added a failing InSpec test here; please try for yourself.

https://github.com/chef-cookbooks/auditd/commit/d7f3fa58c83e6dc3ec631c0ac69bfcb75fa3cfc6

Please point me to the CIS benchmark requiring that specific rule. The logic here still uses it if it exists, but that looks like a Debian path, not EL.

rmoles commented 5 years ago

FYI this is what the InSpec control looks like.

control "xccdf_org.cisecurity.benchmarks_rule_4.1.12_Ensure_use_of_privileged_commands_is_collected" do
  title "Ensure use of privileged commands is collected"
  desc  "
    Monitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands.

    Rationale: Execution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system.
  "
  impact 1.0
  # Enumerate every setuid/setgid binary on local filesystems and require a matching audit rule for each one.
  bash('find / -xdev \\( -perm -4000 -o -perm -2000 \\) -type f').stdout.split("\n").each do |privileged_command|
    describe auditd do
      its('lines') { should include %r(-a always,exit -S all -F path=#{privileged_command} -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged) }
    end
  end
end

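The InSpec control above only reports pass/fail per binary inside a test run. The following is an added stand-alone Ruby example, not code from the chef-cookbooks/auditd project or from InSpec, that implements the same check as a plain function so it can be run offline: it takes the list of setuid/setgid binaries (what the `find` command in the control prints) and the text of the loaded audit rules, and returns the binaries that have no matching rule. Passing `nil` for the rules covers the case discussed earlier in the thread, where the rules file does not exist on EL and nothing loads, so every privileged binary is reported. The sample paths and rule lines are constructed for the example; the rule shape is copied from the control.

```ruby
# Added example (not part of the chef-cookbooks/auditd PR or of InSpec):
# a stand-alone version of the CIS 4.1.12 "privileged commands" check.

# Build the regex the control expects for one privileged binary. The rule
# shape is copied from the InSpec control above; the path is escaped so that
# regex metacharacters in a binary name cannot change the match.
def privileged_rule_pattern(path)
  %r{-a always,exit -S all -F path=#{Regexp.escape(path)} -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged}
end

# Return the privileged binaries that have no matching audit rule.
#   privileged_paths: Array of absolute paths, i.e. the output of
#                     find / -xdev \( -perm -4000 -o -perm -2000 \) -type f
#   rules_text:       contents of the loaded auditd rules (for example the
#                     output of `auditctl -l`), or nil when no rules file
#                     exists and therefore nothing was loaded
def missing_privileged_rules(privileged_paths, rules_text)
  # nil.to_s is "", so a missing rules file yields no lines and every
  # privileged binary is reported as uncovered.
  lines = rules_text.to_s.lines.map(&:strip)
  privileged_paths.reject do |path|
    pattern = privileged_rule_pattern(path)
    lines.any? { |line| line.match?(pattern) }
  end
end

# Constructed sample input (not taken from any real host).
SAMPLE_PRIVILEGED = %w[/usr/bin/sudo /usr/bin/passwd /usr/bin/chsh].freeze
SAMPLE_RULES = <<~RULES
  -a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
  -a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
RULES

missing = missing_privileged_rules(SAMPLE_PRIVILEGED, SAMPLE_RULES)
if missing.empty?
  puts "all privileged binaries are audited"
else
  puts "privileged binaries without an audit rule:"
  missing.each { |path| puts "  #{path}" }
end
```

On a live host you would feed the function the real `find` output and `auditctl -l` output instead of the constructed samples; the function itself does not run any commands, which keeps it usable from a CI job that only has a captured rules dump.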
bdwyertech commented 5 years ago

@rmoles the auditd_conffile helper was removed, not the resource.

auditd_conf_file is still present. I don't believe any change is required to keep that working.

rmoles commented 5 years ago

Merging manually as CI checks on this repo are not working.