chef-os-hardening
Management of auditd is missing
Tests for it are included in the linux-baseline, but we do not have any implementation within this cookbook (See #181)
Just to be sure (as this topic is totally new for me):
I'm getting these errors now
Feb 19 12:34:09 some.host.name auditctl[8645]: The audit system is disabled
Feb 19 12:34:09 some.host.name auditd[8644]: Started dispatcher: /sbin/audispd pid: 8648
Feb 19 12:34:09 some.host.name audispd[8648]: priority_boost_parser called with: 4
Feb 19 12:34:09 some.host.name audispd[8648]: max_restarts_parser called with: 10
Feb 19 12:34:09 some.host.name audispd[8648]: No plugins found, exiting
Feb 19 12:34:09 some.host.name auditd[8644]: Unable to set initial audit startup state to 'enable', exiting
Feb 19 12:34:09 some.host.name auditd[8644]: The audit daemon is exiting.
Feb 19 12:34:09 some.host.name auditctl[8711]: The audit system is disables
Is this issue here the cause of it and is #191 the solution?
@alexanderadam it looks a bit weird. Even before #191 we were just installing auditd with its default settings, which should be fine usually
@artem-sidorenko this happened on Ubuntu xenial on a VPS. In case that makes any difference.
I purged auditd manually and reinstalled it. It fails directly. So I guess it is not related to this recipe:
$ sudo apt install auditd
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
audispd-plugins
The following NEW packages will be installed:
auditd
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/192 kB of archives.
After this operation, 626 kB of additional disk space will be used.
Selecting previously unselected package auditd.
(Reading database ... 49703 files and directories currently installed.)
Preparing to unpack .../auditd_1%3a2.4.5-1ubuntu2.1_amd64.deb ...
Unpacking auditd (1:2.4.5-1ubuntu2.1) ...
Processing triggers for man-db (2.7.5-1) ...
Processing triggers for systemd (229-4ubuntu21.1) ...
Setting up auditd (1:2.4.5-1ubuntu2.1) ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Job for auditd.service failed because the control process exited with error code. See "systemctl status auditd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript auditd, action "start" failed.
● auditd.service - Security Auditing Service
Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mit 2018-02-21 13:36:26 CET; 15ms ago
Process: 14713 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
Process: 14712 ExecStart=/sbin/auditd -n (code=exited, status=1/FAILURE)
Main PID: 14712 (code=exited, status=1/FAILURE)
Feb 21 13:36:26 some.host.name auditd[14712]: Started dispatcher: /sbin/audispd pid: 14716
Feb 21 13:36:26 some.host.name audispd[14716]: priority_boost_parser called with: 4
dpkg: error processing package auditd (--configure):
subprocess installed post-installation script returned error exit status 1
Processing triggers for systemd (229-4ubuntu21.1) ...
Errors were encountered while processing:
auditd
E: Sub-process /usr/bin/dpkg returned an error code (1)
I will open another issue for making auditd optional though.
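The journal lines quoted in this report carry a recognisable failure signature (the daemon reports that it cannot set the audit startup state and exits, and auditctl reports the system as disabled). As an added example, not part of the issue or of the chef-os-hardening cookbook, the Ruby below parses syslog-style journal lines and flags those failures, so a post-converge check or a monitoring probe can tell a merely absent auditd apart from one that was installed but could not start. The line format (`Mon DD HH:MM:SS host prog[pid]: message`) and the failure patterns are assumptions based on the lines in the report; the sample text is those same lines.

```ruby
# Added example: classify auditd start failures from journal lines.
# Assumed line format: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = /\A(?<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?<host>\S+) (?<prog>[^\[]+)\[(?<pid>\d+)\]: (?<msg>.*)\z/

# Messages that mean the audit subsystem could not be brought up
# (patterns taken from the lines in the report; "disable" also matches
# the "disables" spelling that appears there).
FAILURE_PATTERNS = [
  /Unable to set initial audit startup state/,
  /The audit daemon is exiting/,
  /The audit system is disable/
].freeze

# Turn raw journal text into an array of hashes, skipping unparseable lines.
def parse_journal(text)
  text.each_line.map do |line|
    m = LINE_RE.match(line.strip)
    next unless m
    { ts: m[:ts], host: m[:host], prog: m[:prog], pid: m[:pid].to_i, msg: m[:msg] }
  end.compact
end

# Entries whose message matches one of the failure patterns.
def auditd_failures(text)
  parse_journal(text).select { |e| FAILURE_PATTERNS.any? { |re| re.match?(e[:msg]) } }
end

# Convenience predicate for a health check: true when no failure lines are present.
def auditd_healthy?(text)
  auditd_failures(text).empty?
end

# Sample input: the journal lines quoted in the report above.
SAMPLE = <<~LOG
  Feb 19 12:34:09 some.host.name auditctl[8645]: The audit system is disabled
  Feb 19 12:34:09 some.host.name auditd[8644]: Started dispatcher: /sbin/audispd pid: 8648
  Feb 19 12:34:09 some.host.name audispd[8648]: priority_boost_parser called with: 4
  Feb 19 12:34:09 some.host.name audispd[8648]: max_restarts_parser called with: 10
  Feb 19 12:34:09 some.host.name audispd[8648]: No plugins found, exiting
  Feb 19 12:34:09 some.host.name auditd[8644]: Unable to set initial audit startup state to 'enable', exiting
  Feb 19 12:34:09 some.host.name auditd[8644]: The audit daemon is exiting.
  Feb 19 12:34:09 some.host.name auditctl[8711]: The audit system is disables
LOG

if __FILE__ == $PROGRAM_NAME
  auditd_failures(SAMPLE).each do |e|
    puts "#{e[:ts]} #{e[:prog]}[#{e[:pid]}]: #{e[:msg]}"
  end
  puts "auditd healthy: #{auditd_healthy?(SAMPLE)}"
end
```

The point of keeping the parser and the patterns separate is that the same parsed entries can feed other checks later (for instance, confirming that `/sbin/auditctl -R` actually loaded rules), without re-reading the journal.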
Should we rely on https://github.com/chef-cookbooks/auditd for that?
@artem-sidorenko Do you think we should stick to the official auditd cookbook and try to use that for configuration?
@chris-rock usually yes - if it works, can be easily done and saves implementation/maintenance efforts. On the other side - if our own implementation ends up in just a simple template/service/file resource, when we should avoid the dependency from my view.
Is this stuck waiting on someone to rebase #191?
@b-dean It would definitely make life for reviewers a lot easier.
@chris-rock I'm not sure how I can update his PR, or if I should make another one, but I rebased @bablakely's auditd branch onto master
https://github.com/dev-sec/chef-os-hardening/compare/master...b-dean:auditd
@b-dean that looks great! May I ask you to open a new PR?