This repository has been archived by the owner on Oct 24, 2023. It is now read-only.

feat: add auditd as an ubuntu option #1143

Merged
merged 23 commits into from May 4, 2019

Conversation

@jackfrancis jackfrancis (Member) commented Apr 24, 2019

Reason for Change:

Introduces auditd package and configuration into the VHD + cloud-init implementation. Requires an explicit "auditDEnabled": true profile configuration to enable. If not enabled explicitly, we disable auditd via systemd.

Issue Fixed:

Fixes #1008

Requirements:

Notes:

@acs-bot acs-bot commented Apr 24, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jackfrancis

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@codecov codecov bot commented Apr 24, 2019

Codecov Report

Merging #1143 into master will increase coverage by 0.13%.
The diff coverage is 98.14%.

@@            Coverage Diff             @@
##           master    #1143      +/-   ##
==========================================
+ Coverage    74.7%   74.84%   +0.13%     
==========================================
  Files         128      128              
  Lines       18236    18337     +101     
==========================================
+ Hits        13623    13724     +101     
  Misses       3829     3829              
  Partials      784      784

@jackfrancis jackfrancis (Member Author)

Current implementation (via "ubuntu" distro) is failing thusly:

# systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-04-24 20:58:30 UTC; 2s ago
  Process: 13508 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
  Process: 13507 ExecStart=/sbin/auditd -n (code=exited, status=6)
 Main PID: 13507 (code=exited, status=6)

Apr 24 20:58:30 k8s-master-16990356-0 auditctl[13508]: pid 0
Apr 24 20:58:30 k8s-master-16990356-0 auditctl[13508]: rate_limit 0
Apr 24 20:58:30 k8s-master-16990356-0 auditctl[13508]: backlog_limit 320
Apr 24 20:58:30 k8s-master-16990356-0 auditctl[13508]: lost 0
Apr 24 20:58:30 k8s-master-16990356-0 auditctl[13508]: backlog 0
Apr 24 20:58:30 k8s-master-16990356-0 auditctl[13508]: backlog_wait_time 15000
Apr 24 20:58:30 k8s-master-16990356-0 systemd[1]: auditd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
Apr 24 20:58:30 k8s-master-16990356-0 systemd[1]: Failed to start Security Auditing Service.
Apr 24 20:58:30 k8s-master-16990356-0 systemd[1]: auditd.service: Unit entered failed state.
Apr 24 20:58:30 k8s-master-16990356-0 systemd[1]: auditd.service: Failed with result 'exit-code'.

@jackfrancis jackfrancis changed the title WIP feat: add auditd as an ubuntu option feat: add auditd as an ubuntu option Apr 24, 2019
@jackfrancis jackfrancis (Member Author)

Verified this disables auditd on the OS if not enabled via API model:

+ ensureAuditD
+ [[ false == true ]]
+ grep auditd
+ apt list --installed

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

auditd/xenial-updates,now 1:2.4.5-1ubuntu2.1 amd64 [installed]
+ systemctlDisableAndStop auditd
+ systemctl_stop 100 5 30 auditd
+ retries=100
+ wait_sleep=5
+ timeout=30
+ svcname=auditd
++ seq 1 100
+ for i in '$(seq 1 $retries)'
+ timeout 30 systemctl daemon-reload
+ timeout 30 systemctl stop auditd
+ '[' 0 -eq 0 ']'
+ break
+ '[' 0 -ne 0 ']'
+ retrycmd_if_failure 120 5 25 systemctl disable auditd
+ retries=120
+ wait_sleep=5
+ timeout=25
+ shift
+ shift
+ shift
++ seq 1 120
+ for i in '$(seq 1 $retries)'
+ timeout 25 systemctl disable auditd
Synchronizing state of auditd.service with SysV init with /lib/systemd/systemd-sysv-install...
Executing /lib/systemd/systemd-sysv-install disable auditd
insserv: warning: current start runlevel(s) (empty) of script `auditd' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `auditd' overrides LSB defaults (0 1 6).
+ '[' 0 -eq 0 ']'
+ break
+ echo Executed '"systemctl' disable 'auditd"' 1 times

@jackfrancis jackfrancis (Member Author)

Verified auditd is enabled via systemd when enabled via API model:

+ ensureAuditD
+ [[ true == true ]]
+ systemctlEnableAndStart auditd
+ systemctl_restart 100 5 30 auditd
+ retries=100
+ wait_sleep=5
+ timeout=30
+ svcname=auditd
++ seq 1 100
+ for i in '$(seq 1 $retries)'
+ timeout 30 systemctl daemon-reload
+ timeout 30 systemctl restart auditd
+ '[' 0 -eq 0 ']'
+ break
+ RESTART_STATUS=0
+ systemctl status auditd --no-pager -l
+ '[' 0 -ne 0 ']'
+ retrycmd_if_failure 120 5 25 systemctl enable auditd
+ retries=120
+ wait_sleep=5
+ timeout=25
+ shift
+ shift
+ shift
++ seq 1 120
+ for i in '$(seq 1 $retries)'
+ timeout 25 systemctl enable auditd
Synchronizing state of auditd.service with SysV init with /lib/systemd/systemd-sysv-install...
Executing /lib/systemd/systemd-sysv-install enable auditd
+ '[' 0 -eq 0 ']'
+ break
+ echo Executed '"systemctl' enable 'auditd"' 1 times
Executed "systemctl enable auditd" 1 times

@jackfrancis jackfrancis (Member Author)

Validated via "ubuntu" distro that an enabled auditd + config produces a cluster that passes E2E.

@jackfrancis jackfrancis (Member Author)

Validated "ubuntu-18.04" distro as well.

@jackfrancis jackfrancis added this to In progress in CIS spike - Spring 2019 Apr 25, 2019
@CecileRobertMichon CecileRobertMichon added the needs-rebase Changes in the target branch require a `git rebase` and `git push -f` label Apr 26, 2019
@jackfrancis jackfrancis (Member Author)

Status: debug why auditd is exiting 6 after apt installation via VHD. Unable to repro using "ubuntu" distro creation flow:

$ sudo systemctl status auditd
● auditd.service - Security Auditing Service
   Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-04-26 19:12:23 UTC; 15min ago
 Main PID: 10054 (auditd)
    Tasks: 2
   Memory: 1.1M
      CPU: 63ms
   CGroup: /system.slice/auditd.service
           └─10054 /sbin/auditd -n

Apr 26 19:12:23 k8s-master-15192496-0 auditctl[10055]: No rules
Apr 26 19:12:23 k8s-master-15192496-0 auditctl[10055]: enabled 1
Apr 26 19:12:23 k8s-master-15192496-0 auditctl[10055]: failure 1
Apr 26 19:12:23 k8s-master-15192496-0 auditctl[10055]: pid 10054
Apr 26 19:12:23 k8s-master-15192496-0 auditctl[10055]: rate_limit 0
Apr 26 19:12:23 k8s-master-15192496-0 auditctl[10055]: backlog_limit 320
Apr 26 19:12:23 k8s-master-15192496-0 auditctl[10055]: lost 0
Apr 26 19:12:23 k8s-master-15192496-0 auditctl[10055]: backlog 1
Apr 26 19:12:23 k8s-master-15192496-0 auditctl[10055]: backlog_wait_time 15000
Apr 26 19:12:23 k8s-master-15192496-0 systemd[1]: Started Security Auditing Service.

@mboersma mboersma removed the needs-rebase Changes in the target branch require a `git rebase` and `git push -f` label Apr 26, 2019
@mboersma mboersma added this to Under Review in backlog Apr 29, 2019
@jackfrancis jackfrancis (Member Author)

validated new E2E on ubuntu distros

else
apt list --installed | grep 'auditd'
if [ $? -eq 0 ]; then
systemctlDisableAndStop auditd || exit $ERR_SYSTEMCTL_START_FAIL
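Review bot: the installed-package test `apt list --installed | grep 'auditd'` followed by `if [ $? -eq 0 ]` is fragile in two ways. `apt` prints "WARNING: apt does not have a stable CLI interface. Use with caution in scripts." (visible in the verification trace earlier in this thread), and an unanchored `grep 'auditd'` matches any package whose name merely contains that string. Prefer `dpkg-query -W -f='${Status}' auditd 2>/dev/null | grep -q '^install ok installed$'` and use it directly as the `if` condition instead of testing `$?` afterwards. Separately, the failure exits with `$ERR_SYSTEMCTL_START_FAIL` although what failed is a stop/disable; a dedicated error code would make the exit status meaningful to whoever reads the cluster-create logs.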
Contributor

why not apt-get purge if it's not enabled?

Member Author

Just trying to avoid more apt operations at runtime for all cluster creates. Strictly speaking it's not doing anything except taking up space on the filesystem.

Contributor

this seems like it's introducing more failure potential since with the existing cleanup functions we simply attempt to purge but without returning a non-zero exit code if the cleanup is unsuccessful (cleaning up an unnecessary package is arguably not critical to cluster deployment success). This breaks that pattern by saying: "return $ERR_SYSTEMCTL_START_FAIL if we can't disable and stop the service" which could fail for reason xyz.

Member Author

It's very important that we (1) ensure that auditd isn't running and (2) that it won't start after reboot, so we definitely need this validation.
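The PR description gates auditd on an explicit "auditDEnabled": true and otherwise disables it via systemd, and the comment above spells out what the disabled path has to guarantee: auditd is not running now, and it will not start after a reboot. The following is an added example, not the PR's or aks-engine's own code: a POSIX shell check of those two conditions, with the comparison kept as a pure function of the two systemctl answers so it can be exercised without a systemd host. The function names, the use of dpkg-query, and the hypothetical caller shown in a comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not aks-engine's own script: check that the auditd state on a
# node matches the api model's "auditDEnabled" flag.
#
# The disabled path has two requirements: (1) auditd is not running now and
# (2) it will not start after a reboot. Those map onto two systemd queries:
#   systemctl is-active auditd   -> running now?
#   systemctl is-enabled auditd  -> wired to start at boot?

# auditd_state_matches FLAG IS_ENABLED IS_ACTIVE
#   FLAG        "true" or "false" (the api model value)
#   IS_ENABLED  output of `systemctl is-enabled auditd`
#   IS_ACTIVE   output of `systemctl is-active auditd`
# Returns 0 when the host satisfies the flag, 1 when it does not, 2 on bad input.
auditd_state_matches() {
    case "$1" in
        true)
            # Enabled path: running now and wired to start on boot.
            [ "$3" = active ] || return 1
            [ "$2" = enabled ] || return 1
            return 0
            ;;
        false)
            # Requirement (1): nothing running or starting. "failed" (the
            # status=6 exit seen earlier in this thread) counts as not running.
            case "$3" in
                active|activating|reloading) return 1 ;;
            esac
            # Requirement (2): nothing will start it at boot. "masked" and a
            # unit that does not exist ("not-found") both satisfy this.
            # "static"/"indirect" units can still be pulled in by another unit,
            # and "masked-runtime" evaporates at reboot, so they fail closed,
            # as does an empty or unrecognised answer.
            case "$2" in
                disabled|masked|not-found) return 0 ;;
                *) return 1 ;;
            esac
            ;;
        *)
            echo "auditd_state_matches: flag must be true or false, got '$1'" >&2
            return 2
            ;;
    esac
}

# auditd_package_installed: dpkg-query instead of `apt list`, whose CLI apt
# itself warns is not stable for scripts (see the trace earlier in this thread).
auditd_package_installed() {
    [ "$(dpkg-query -W -f='${Status}' auditd 2>/dev/null)" = "install ok installed" ]
}

# check_auditd_host FLAG: compare the local node with the api model flag.
# Exit status as for auditd_state_matches, so it can gate a provisioning step,
# e.g. (hypothetical caller):
#   check_auditd_host false || exit "$ERR_SYSTEMCTL_START_FAIL"
check_auditd_host() {
    if [ "$1" = false ] && ! auditd_package_installed; then
        return 0   # package absent: nothing can run now or start at boot
    fi
    auditd_state_matches "$1" \
        "$(systemctl is-enabled auditd 2>/dev/null || true)" \
        "$(systemctl is-active auditd 2>/dev/null || true)"
}
```

Note that `systemctl disable` only removes the [Install] symlinks; a manual `systemctl start`, or another unit that Wants/Requires auditd, can still bring it up. `systemctl mask` is what closes that gap, which is why the check accepts "masked" as well as "disabled" for the enabled-at-boot requirement, and why it fails closed on "static", "indirect" and "masked-runtime".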

Member Author

You were right all along:

#2078

:)

pkg/api/types.go: two outdated review threads, resolved
@jackfrancis jackfrancis (Member Author)

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@CecileRobertMichon CecileRobertMichon (Contributor) left a comment

lgtm

@jackfrancis jackfrancis merged commit ed80e84 into Azure:master May 4, 2019
backlog automation moved this from Under Review to Done May 4, 2019
CIS spike - Spring 2019 automation moved this from In progress to Done May 4, 2019
@jackfrancis jackfrancis deleted the cis-2019-04-29 branch May 4, 2019 22:50
Development

Successfully merging this pull request may close these issues.

CIS 4.1.2 Ensure auditd service is enabled
4 participants