resource/auditd_rules: update rule list format #309

Closed
arlimus opened this issue Dec 10, 2015 · 5 comments

arlimus commented Dec 10, 2015

See: https://docs.chef.io/inspec_reference.html

describe auditd_rules do
  its('LIST_RULES') { should eq [
    'exit,always syscall=rmdir,unlink',
    'exit,always auid=1001 (0x3e9) syscall=open',
    'exit,always watch=/etc/group perm=wa',
    'exit,always watch=/etc/passwd perm=wa',
    'exit,always watch=/etc/shadow perm=wa',
    'exit,always watch=/etc/sudoers perm=wa',
    'exit,always watch=/etc/secret_directory perm=r',
  ] }
end

It should be always,exit?

@arlimus added the Type: Bug (Feature not working as expected) and Aspect: Docs (Write the Fine Manual) labels Dec 10, 2015
@chris-rock added this to the 0.9.10 milestone Jan 19, 2016
@srenatus

Actually, our mock does not at all resemble what CentOS 7.1 auditctl -l returns:

[vagrant@default-centos-71 ~]$ sudo /sbin/auditctl -l
-a always,exit -F arch=b32 -S open,openat -F exit=-EACCES -F key=access

@srenatus

[root@default-centos-67 audit-2.3.7]# auditctl -l
-w /var/log/audit/ -p rwxa -k LOG_audit
-w /etc/audit/ -p wa -k CFG_audit
-w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf
-w /etc/libaudit.conf -p wa -k CFG_libaudit.conf
-w /etc/audisp/ -p wa -k CFG_audisp
-a always,exit -F arch=i386 -S mknod,mknodat
-a always,exit -F arch=x86_64 -S mknod,mknodat

Looks like the old syntax is gone. auditd_rules needs an update.
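
Added example, not InSpec's own code and not part of the thread: a small Ruby parser for the `auditctl -l` line format quoted above, so a compliance check can match on rule fields instead of comparing whole strings. The helper names (`parse_audit_rule`, `parse_audit_rules`, `watched?`) and the sample input are constructed for illustration.

```ruby
require 'shellwords'

# Constructed sample: rule lines in the `auditctl -l` format quoted in this thread.
SAMPLE = <<~OUT
  -w /etc/audit/ -p wa -k CFG_audit
  -w /var/log/audit/ -p rwxa -k LOG_audit
  -a always,exit -F arch=x86_64 -S mknod,mknodat
  -a always,exit -F arch=b32 -S open,openat -F exit=-EACCES -F key=access
OUT
ACTIONS = %w[always never].freeze

# Parse one rule line into a hash; returns nil for non-rule lines ("No rules").
def parse_audit_rule(line)
  tokens = Shellwords.split(line)
  return nil unless %w[-w -a].include?(tokens.first)
  rule = { fields: {}, syscalls: [] }
  until tokens.empty?
    flag, value = tokens.shift(2)
    raise ArgumentError, "#{flag} has no value in #{line.inspect}" if value.nil?
    case flag
    when '-w' then rule.merge!(type: :watch, path: value)
    when '-p' then rule[:perm] = value
    when '-k' then rule[:key] = value
    when '-S' then rule[:syscalls].concat(value.split(','))
    when '-a'
      # auditctl accepts "list,action" and "action,list"; normalise both.
      parts = value.split(',')
      rule.merge!(type: :syscall, action: (parts & ACTIONS).first,
                  list: (parts - ACTIONS).first)
    when '-F'
      m = value.match(/\A(\w+)(!=|>=|<=|&=|=|>|<|&)(.*)\z/) or
        raise ArgumentError, "bad field #{value.inspect}"
      m[1] == 'key' ? (rule[:key] = m[3]) : (rule[:fields][m[1]] = [m[2], m[3]])
    else raise ArgumentError, "unexpected #{flag.inspect} in #{line.inspect}"
    end
  end
  rule
end

def parse_audit_rules(output)
  output.each_line.map { |l| parse_audit_rule(l.strip) }.compact
end

# True when a watch on `path` covers every permission letter in `perms`.
def watched?(rules, path, perms)
  rules.any? do |r|
    r[:type] == :watch && r[:path] == path && (perms.chars - r[:perm].to_s.chars).empty?
  end
end
```

Because `-a` values are normalised, `exit,always` and `always,exit` parse to the same rule, and permission letters are compared as a set rather than as an ordered string.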

@srenatus changed the title from "Auditd_conf documentation: action and exit are in reverse" to "resource/auditd_rules: update rule list format" Jan 21, 2016
@chris-rock modified the milestones: 0.9.11, 0.9.10 Jan 25, 2016
@chris-rock modified the milestones: 0.9.12, 0.9.11, 0.9.13 Jan 29, 2016
@chris-rock

@arlimus @srenatus is this done?

srenatus commented Feb 9, 2016

@chris-rock yup 😄
