
xcp-ng 8.2 auditd

Open r-catania opened this issue 3 years ago • 6 comments

We recently migrated from 7.6 to 8.2. We noticed that 8.2 does not support auditd anymore. That is also true for the alternate kernel. Is there a specific reason why this was disabled?
Being able to use auditd is a must for CIS controls. What is the recommended way to have audit logging for xcp-ng servers to satisfy CIS controls?

r-catania avatar Jun 13 '22 18:06 r-catania

Hi. The git history of https://github.com/xcp-ng-rpms/kernel/blame/master/SOURCES/kernel-x86_64.config shows this was changed when the kernel was updated to 4.19.19, that is, in XCP-ng (and thus Citrix Hypervisor) 8.0.

I don't know the reason as the files were imported from Citrix Hypervisor 8.0's source RPMs, and all the information we have about choices that were made is the changelog in the spec file, which refers to tickets internal to Citrix. I don't see the mention of audit in the changelog. There is no public repository for the sources of the kernel RPM at Citrix, so we can't use the git commit history to get this information.

We can try asking @rosslagerwall directly, as his name appears most frequently in the changelog around the date of the change.

Ross: do you know why CONFIG_AUDIT was removed from the kernel build configuration for Citrix Hypervisor 8.0?

stormi avatar Jun 15 '22 13:06 stormi

I think the general policy when updating the kernel config is:

  • If it can be enabled as a module, then build it as a module.
  • Else if it is a needed feature, then enable it.
  • Else disable it.

This ensures that the kernel image is not bloated with features we don't need. Since Citrix Hypervisor does not use the audit functionality and it can't be built as a module, it was disabled.

It should be fine to enable it in the config if you have users that want to use it.

rosslagerwall avatar Jun 16 '22 09:06 rosslagerwall
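Before deploying auditd rules for CIS on a host, it is worth confirming what the running kernel was actually built with, since CONFIG_AUDIT is built-in only (it is either `=y` or `is not set`, never a module) and auditd cannot open the audit netlink socket on a kernel without it. The script below is an added example, not code from XCP-ng, Citrix or anyone in this thread. It assumes the running kernel's config is readable at `/boot/config-$(uname -r)` or via `/proc/config.gz`; the two sample config fragments it checks are constructed for illustration and are not the real XCP-ng config files. It also checks CONFIG_AUDITSYSCALL, which the `-a always,exit -S ...` syscall rules in CIS-style rule sets depend on.

```shell
#!/bin/sh
# Added example for this thread (not XCP-ng code): report whether a kernel
# config has CONFIG_AUDIT / CONFIG_AUDITSYSCALL built in. Both options are
# built-in only, so a config shows "CONFIG_X=y" or "# CONFIG_X is not set".
# When CONFIG_AUDIT is off, Kconfig omits the dependent CONFIG_AUDITSYSCALL
# line entirely, which this script reports as "unknown".

# config_option FILE OPTION -> prints y, m, n (explicitly not set) or missing
config_option() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    elif grep -q "^# $2 is not set\$" "$1"; then echo n
    else echo missing
    fi
}

# state_of FILE OPTION -> builtin | module | disabled | unknown
state_of() {
    case "$(config_option "$1" "$2")" in
        y) echo builtin ;;
        m) echo module ;;
        n) echo disabled ;;
        *) echo unknown ;;
    esac
}

# audit_state FILE -> state of CONFIG_AUDIT
audit_state() { state_of "$1" CONFIG_AUDIT; }

# syscall_audit_state FILE -> state of CONFIG_AUDITSYSCALL
syscall_audit_state() { state_of "$1" CONFIG_AUDITSYSCALL; }

# running_kernel_config -> path to the running kernel's config, or nothing.
# Assumption: the config lives in /boot or is exposed via /proc/config.gz.
running_kernel_config() {
    _cfg="/boot/config-$(uname -r)"
    if [ -r "$_cfg" ]; then
        printf '%s\n' "$_cfg"
    elif [ -r /proc/config.gz ]; then
        _tmp=$(mktemp) && zcat /proc/config.gz > "$_tmp" && printf '%s\n' "$_tmp"
    fi
}

# Constructed sample configs (not the real XCP-ng files): one with audit
# enabled, as a kernel that supports auditd would have it, one without.
CFG_WITH_AUDIT=$(mktemp)
cat > "$CFG_WITH_AUDIT" <<'EOF'
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_XEN=y
EOF

CFG_NO_AUDIT=$(mktemp)
cat > "$CFG_NO_AUDIT" <<'EOF'
# CONFIG_AUDIT is not set
CONFIG_XEN=y
EOF
trap 'rm -f "$CFG_WITH_AUDIT" "$CFG_NO_AUDIT"' EXIT

echo "sample with audit:    audit=$(audit_state "$CFG_WITH_AUDIT") syscall=$(syscall_audit_state "$CFG_WITH_AUDIT")"
echo "sample without audit: audit=$(audit_state "$CFG_NO_AUDIT") syscall=$(syscall_audit_state "$CFG_NO_AUDIT")"

# On a real host, report the running kernel's state as well.
LIVE=$(running_kernel_config)
if [ -n "$LIVE" ]; then
    echo "running kernel $(uname -r): audit=$(audit_state "$LIVE") syscall=$(syscall_audit_state "$LIVE")"
else
    echo "running kernel $(uname -r): config not readable, state unknown"
fi
```

Run it as root on the host before installing the audit package; if it reports `audit=disabled` for the running kernel, the rules under `/etc/audit/rules.d` will never be loaded because auditd exits at startup, so the control has to be met another way (for example by a kernel build with CONFIG_AUDIT=y, as discussed later in this thread) rather than by shipping rules that silently do nothing.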

Thanks Ross.

stormi avatar Jun 16 '22 09:06 stormi

Are there any plans to offer a kernel with auditd enabled?

Arraylistlistlist avatar Sep 22 '23 10:09 Arraylistlistlist

We will build the kernel with auditd in XCP-ng 8.3

stormi avatar Jan 29 '24 16:01 stormi

Unfortunately, we just found out that enabling auditd changes the kernel ABI in a very large way, which breaks the compatibility with all out-of-tree kernel modules that have been built against it prior to the change.

We provide such drivers in the form of RPMs and driver disks, and third party vendors also provide such drivers, so changing the ABI can only happen next time we change the kernel version, which will not happen in XCP-ng 8.3 but rather in the next one, XCP-ng 9.0.

We can enable auditd in the alternate kernel (https://docs.xcp-ng.org/installation/hardware/#-alternate-kernel), but this is not a kernel meant for production use.

stormi avatar Jan 31 '24 14:01 stormi