SLE15 SP4 audit_rules_augenrules broken. #9130
Conversation
SLE 15 SP4 changed how augenrules was enabled in file /usr/lib/systemd/system/auditd.service pre-SLE15 SP4 had: ExecStartPost=-/sbin/augenrules --load This changed in SLE15 SP4 to: Requires=augenrules.service Changes: shared/checks/oval/audit_rules_augenrules.xml change to allow for Requires=augenrules.service linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/bash/shared.sh These remdiations also checked for "ExecStartPost=-/sbin/augenrules --load" and were updated to allow for "Requires=augenrules.service"
|
Hi @brett060102. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: sle12 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_enable_syscall_auditing' differs:
--- old datastream
+++ new datastream
@@ -2,9 +2,9 @@
if rpm --quiet -q audit; then
if [ -f "/usr/lib/systemd/system/auditd.service" ] ; then
- EXECSTARTPOST_SCRIPT=$(grep '^ExecStartPost=' /usr/lib/systemd/system/auditd.service | sed 's/ExecStartPost=//')
+ IS_AUGENRULES=$(grep -E "^(ExecStartPost=|Requires=augenrules\.service)" /usr/lib/systemd/system/auditd.service)
- if [[ "$EXECSTARTPOST_SCRIPT" == *"augenrules"* ]] ; then
+ if [[ "$IS_AUGENRULES" == *"augenrules"* ]] ; then
for f in /etc/audit/rules.d/*.rules ; do
sed -E -i --follow-symlinks 's/^(\s*-a\s+task,never)/#\1/' "$f"
done
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_enable_syscall_auditing' differs:
--- old datastream
+++ new datastream
@@ -25,7 +25,7 @@
- restrict_strategy
- name: Check the rules script being used
- command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service
+ command: grep -E '^(ExecStartPost|Requires)' /usr/lib/systemd/system/auditd.service
register: check_rules_scripts_result
when: '"audit" in ansible_facts.packages'
tags: |
|
Code Climate has analyzed commit 1e1d0d2 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 42.7% (0.0% change). View more on Code Climate. |
|
/ok-to-test |
openshift-ci
bot
added
ok-to-test
|
/retest |
|
@brett060102: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest |
|
@Mab879 Automatus CS8 / Run Tests (pull_request) and Automatus CS9 / Run Tests (pull_request) ci/prow/e2e-aws-ocp4-* tests, I can't really tell why these are failing, but does not look like it is related to my changes. |
Correct. This is being fixed in #9123.
Agreed.
I would agree, it seems to issue with the test itself. Thanks for double-checking on this. |
|
@Mab879 Thank you. How do new tags get created. We package from the tags. So, I was wondering when a tag with this change included might be created? |
We release the project every two months. The next stabilization period starts on Monday, July 18, 2022. With an expected release date of July 29, 2022. That release date may be subject to change, usually, at most we will slip by a week. We put the release dates on the milestone page as well. Thanks all for your contributions to the project! |
|
@Mab879 Thank you very much. |
SLE 15 SP4 changed how augenrules was enabled
in file /usr/lib/systemd/system/auditd.service
pre-SLE15 SP4 had:
ExecStartPost=-/sbin/augenrules --load
This changed in SLE15 SP4 to:
Requires=augenrules.service
Changes:
shared/checks/oval/audit_rules_augenrules.xml change to allow for Requires=augenrules.service
linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml
linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/bash/shared.sh
These remdiations also checked for "ExecStartPost=-/sbin/augenrules --load"
and were updated to allow for "Requires=augenrules.service"
Description:
ExecStartPost=-/sbin/augenrules --load
or
Requires=augenrules.service
to specify augenrules in /usr/lib/systemd/system/auditd.service
Rationale: