xcp-ng / xcp

Entry point for issues and wiki. Also contains some scripts and sources.
https://xcp-ng.org

xcp-ng 8.2 auditd #552

Open r-catania opened 2 years ago

r-catania commented 2 years ago

We recently migrated from 7.6 to 8.2. We noticed that 8.2 does not support auditd anymore. That is true also for the alternate kernel. Is there a specific reason why this was disabled?
Being able to use auditd is a must for CIS controls. What is the recommended way to have audit logging for xcp-ng servers to satisfy CIS controls?

stormi commented 2 years ago

Hi. The git history of https://github.com/xcp-ng-rpms/kernel/blame/master/SOURCES/kernel-x86_64.config shows this was changed when the kernel was updated to 4.19.19, that is in XCP-ng (and thus Citrix Hypervisor) 8.0.

I don't know the reason as the files were imported from Citrix Hypervisor 8.0's source RPMs, and all the information we have about choices that were made is the changelog in the spec file, which refers to tickets internal to Citrix. I don't see the mention of audit in the changelog. There is no public repository for the sources of the kernel RPM at Citrix, so we can't use the git commit history to get this information.

We can try to ask @rosslagerwall directly, whose name appears most frequently in the changelog around the date of the change.

Ross: do you know why CONFIG_AUDIT was removed from the kernel build configuration for Citrix Hypervisor 8.0?

rosslagerwall commented 2 years ago

I think the general policy when updating the kernel config is:

This ensures that the kernel image is not bloated with features we don't need. Since Citrix Hypervisor does not use the audit functionality and it can't be built as a module, it was disabled.

It should be fine to enable it in the config if you have users that want to use it.

stormi commented 2 years ago

Thanks Ross.

Arraylistlistlist commented 11 months ago

Are there any plans to offer a kernel with auditd enabled?

stormi commented 7 months ago

We will build the kernel with auditd in XCP-ng 8.3.

stormi commented 7 months ago

Unfortunately, we just found out that enabling auditd changes the kernel ABI in a very large way, which breaks the compatibility with all out-of-tree kernel modules that have been built against it prior to the change.

We provide such drivers in the form of RPMs and driver disks, and third party vendors also provide such drivers, so changing the ABI can only happen next time we change the kernel version, which will not happen in XCP-ng 8.3 but rather in the next one, XCP-ng 9.0.

We can enable auditd in the alternate kernel (https://docs.xcp-ng.org/installation/hardware/#-alternate-kernel), but this is not a kernel meant for production use.
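Before planning audit logging for a CIS assessment on a host like the ones discussed above, it helps to verify whether the running kernel was built with CONFIG_AUDIT at all. The script below is an added example, not code from the thread or the xcp-ng project; it parses a kernel config file for CONFIG_AUDIT and CONFIG_AUDITSYSCALL and runs against both a constructed sample and, when readable, the running kernel's config.

```shell
#!/bin/sh
# Added example: classify a kernel config's audit support so an assessor
# knows up front whether userspace auditd can work on this host.

# kconfig_value FILE SYMBOL -> prints y, n ("is not set"), or absent
kconfig_value() {
    file=$1; sym=$2
    if grep -q "^${sym}=y$" "$file"; then
        echo y
    elif grep -q "^# ${sym} is not set$" "$file"; then
        echo n
    else
        echo absent
    fi
}

# audit_support FILE -> "full" (audit + syscall auditing), "audit-only", or "none"
audit_support() {
    audit=$(kconfig_value "$1" CONFIG_AUDIT)
    syscall=$(kconfig_value "$1" CONFIG_AUDITSYSCALL)
    if [ "$audit" = y ] && [ "$syscall" = y ]; then
        echo full
    elif [ "$audit" = y ]; then
        echo audit-only
    else
        echo none
    fi
}

# running_kernel_config -> path to the running kernel's config, or nothing
running_kernel_config() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        tmp=$(mktemp); zcat /proc/config.gz > "$tmp"; echo "$tmp"
    fi
}

# Constructed sample config (not a real xcp-ng config) with audit disabled.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
CONFIG_X86_64=y
# CONFIG_AUDIT is not set
CONFIG_SECURITY=y
EOF

echo "sample config: audit support = $(audit_support "$SAMPLE")"
cfg=$(running_kernel_config)
if [ -n "$cfg" ]; then
    echo "running kernel $(uname -r): audit support = $(audit_support "$cfg")"
fi
```

A result of "none" means installing the auditd userspace package will not produce kernel audit records, whatever auditctl rules are loaded.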