add service_auditd_enabled ignition remediation #5162
@mrogers950 Do you get The OCIL macros are instructions for manual checking and verification. They are not strictly exactly what the scanner is doing. Looking at the OVAL template for service enabled, it should pass when:
and the content does the service checks by using I remember that
The probe actually does not support offline mode. It was working in offline mode in 1.3.1 due to an error. The error was fixed in 1.3.2.
The probe uses DBus to communicate with systemd about unit status. In pure offline mode this would not work because we don't have the target system running. OpenShift's offline mode is different. I'd say it's a hybrid between online and offline modes, where you have your runtime knobs where they are supposed to be (well, almost), but the root filesystem is elsewhere (not in '/'). We are planning to address this issue, but right now the probe is not usable.
Planning where? If there's an internal tracker feel free to reply via e-mail instead of here. It's almost certain that we'd need a variant of this check for other rules, so it would be nice to fix the issue...
We are planning to plan it. It is not yet even formulated. We are going to have some discussion about the whole "offline" approach and how to extend it this week. I'll make an update once we have something.
I have a vague memory of hearing / discussing that some checks would have to be done via the MachineConfig fetched from the cluster / node. Hence the need for Is it the case that services enabled / disabled fall into this category?
I don't think so, we don't need to fetch anything from the node to learn that a service is enabled or running. |
The questions about the probe were discussed separately, it is one of the offline probes that needs fixing. However, the remediation as a whole is OK and we can merge it.
Ok, thanks for the clarification.
@mrogers950 Do you plan to make changes to this PR, as it is marked WIP?
@yuumasato I've updated the PR, thanks!
I've been testing this out but it's not working yet. First I logged into a node and ran `systemctl disable auditd` to test this out. The scan runs, but there's no hit for the disabled systemd unit. I poked around for the service disable code and noticed the following in the jinja macros:
The service_disabled macro checks that the systemd unit is disabled. I was basically expecting the inverse for service_enabled, but it's a running check instead. I thought this might be why the check did not work, so I then tried killing auditd (making `systemctl is-active` return "inactive"), but no dice. I think I'm missing something else here...
/cc @JAORMX @jhrozek
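The comment above describes the mismatch a defender should care about: `systemctl disable auditd` removes the unit from boot but leaves the running daemon untouched, so a pure "is it running" check keeps passing until the next reboot. The following added example (not code from this PR or from the ComplianceAsCode project) evaluates a service-enabled style rule from the `Key=Value` lines that `systemctl show -p UnitFileState -p ActiveState <unit>` prints, and requires both an enabled unit file and an active unit before it reports pass. The sample outputs are constructed; the only assumption about systemd is that property output shape.

```shell
#!/bin/sh
# Added example, not code from the PR or from the ComplianceAsCode project.
# Evaluates "service enabled" / "service disabled" style checks from the output of
#   systemctl show -p UnitFileState -p ActiveState <unit>
# Requiring BOTH the unit file state and the active state means a unit that was
# merely `systemctl disable`d while the daemon is still running is a finding,
# instead of passing a check that only looks at whether the unit is running.

# parse_states: reads Key=Value lines on stdin, prints "<UnitFileState> <ActiveState>".
# Missing properties are reported as "unknown" so a truncated output never passes.
parse_states() {
  ufs=unknown
  as=unknown
  while IFS='=' read -r key value; do
    case "$key" in
      UnitFileState) ufs=$value ;;
      ActiveState)   as=$value ;;
    esac
  done
  echo "$ufs $as"
}

# Passes only when the unit file is enabled AND the unit is active.
evaluate_service_enabled() {
  set -- $(parse_states)
  if [ "$1" = enabled ] && [ "$2" = active ]; then echo pass; else echo fail; fi
}

# Inverse rule: passes only when the unit file is NOT enabled (disabled or masked)
# AND the unit is not active, so a stopped-but-enabled unit still fails.
evaluate_service_disabled() {
  set -- $(parse_states)
  if [ "$1" != enabled ] && [ "$2" != active ]; then echo pass; else echo fail; fi
}

# Live wrapper for a real node (not invoked here): check_unit_live auditd.service
check_unit_live() {
  systemctl show -p UnitFileState -p ActiveState "$1" | evaluate_service_enabled
}

# Constructed sample outputs standing in for `systemctl show` on a node.
SAMPLE_ENABLED_ACTIVE='UnitFileState=enabled
ActiveState=active'
# The situation from the thread: unit disabled with systemctl, daemon still running.
SAMPLE_DISABLED_ACTIVE='UnitFileState=disabled
ActiveState=active'
SAMPLE_DISABLED_INACTIVE='UnitFileState=disabled
ActiveState=inactive'

# Helpers that feed a captured sample to each evaluator.
run_enabled_check()  { printf '%s\n' "$1" | evaluate_service_enabled; }
run_disabled_check() { printf '%s\n' "$1" | evaluate_service_disabled; }

echo "service_enabled,  enabled+active:    $(run_enabled_check "$SAMPLE_ENABLED_ACTIVE")"
echo "service_enabled,  disabled+active:   $(run_enabled_check "$SAMPLE_DISABLED_ACTIVE")"
echo "service_disabled, disabled+inactive: $(run_disabled_check "$SAMPLE_DISABLED_INACTIVE")"
echo "service_disabled, disabled+active:   $(run_disabled_check "$SAMPLE_DISABLED_ACTIVE")"
```

Run on a node, `check_unit_live auditd.service` reports fail immediately after `systemctl disable auditd`, which is the result the reporter expected from the scan; a running-only check would not flag it until the unit failed to start at the next boot.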