Management of auditd is missing #182

Open
artem-sidorenko opened this issue Nov 23, 2017 · 6 comments · May be fixed by #191


@artem-sidorenko
Member

commented Nov 23, 2017

Tests for it are included in the linux-baseline, but we do not have any implementation within this cookbook (See #181)

@bablakely bablakely referenced a pull request that will close this issue Feb 7, 2018
@alexanderadam


commented Feb 19, 2018

Just to be sure (as this topic is totally new for me):

I'm getting these errors now

Feb 19 12:34:09 some.host.name auditctl[8645]: The audit system is disabled
Feb 19 12:34:09 some.host.name auditd[8644]: Started dispatcher: /sbin/audispd pid: 8648
Feb 19 12:34:09 some.host.name audispd[8648]: priority_boost_parser called with: 4
Feb 19 12:34:09 some.host.name audispd[8648]: max_restarts_parser called with: 10
Feb 19 12:34:09 some.host.name audispd[8648]: No plugins found, exiting
Feb 19 12:34:09 some.host.name auditd[8644]: Unable to set initial audit startup state to 'enable', exiting
Feb 19 12:34:09 some.host.name auditd[8644]: The audit daemon is exiting.
Feb 19 12:34:09 some.host.name auditctl[8711]: The audit system is disables

Is this issue here the cause of it and is #191 the solution?

@artem-sidorenko

Member Author

commented Feb 21, 2018

@alexanderadam it looks a bit weird. Even before #191 we were just installing auditd with its default settings, which should be fine usually

@alexanderadam


commented Feb 21, 2018

@artem-sidorenko this happened on Ubuntu xenial on a VPS. In case that makes any difference.

I purged auditd manually and reinstalled it. It fails directly. So I guess it is not related to this recipe:

$ sudo apt install auditd
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  audispd-plugins
The following NEW packages will be installed:
  auditd
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/192 kB of archives.
After this operation, 626 kB of additional disk space will be used.
Selecting previously unselected package auditd.
(Reading database ... 49703 files and directories currently installed.)
Preparing to unpack .../auditd_1%3a2.4.5-1ubuntu2.1_amd64.deb ...
Unpacking auditd (1:2.4.5-1ubuntu2.1) ...
Processing triggers for man-db (2.7.5-1) ...
Processing triggers for systemd (229-4ubuntu21.1) ...
Setting up auditd (1:2.4.5-1ubuntu2.1) ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Job for auditd.service failed because the control process exited with error code. See "systemctl status auditd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript auditd, action "start" failed.
● auditd.service - Security Auditing Service
   Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mit 2018-02-21 13:36:26 CET; 15ms ago
  Process: 14713 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
  Process: 14712 ExecStart=/sbin/auditd -n (code=exited, status=1/FAILURE)
 Main PID: 14712 (code=exited, status=1/FAILURE)
Feb 21 13:36:26 some.host.name auditd[14712]: Started dispatcher: /sbin/audispd pid: 14716
Feb 21 13:36:26 some.host.name audispd[14716]: priority_boost_parser called with: 4
dpkg: error processing package auditd (--configure):
 subprocess installed post-installation script returned error exit status 1
Processing triggers for systemd (229-4ubuntu21.1) ...
Errors were encountered while processing:
 auditd
E: Sub-process /usr/bin/dpkg returned an error code (1)

I will open another issue for making auditd optional though.

@chris-rock

Member

commented May 18, 2018

Should we rely on https://github.com/chef-cookbooks/auditd for that?

gsreynolds added a commit to chef-cft/emea_demo_remediation that referenced this issue Jun 20, 2018
dev-sec/chef-os-hardening#182
Signed-off-by: Gavin Reynolds <gavin@chef.io>
@chris-rock

Member

commented Jan 9, 2019

@artem-sidorenko Do you think we should stick to the official auditd cookbook and try to use that for configuration?

@artem-sidorenko

Member Author

commented Mar 6, 2019

@chris-rock usually yes - if it works, can be easily done and saves implementation/maintenance efforts. On the other side - if our own implementation ends up in just a simple template/service/file resource, then we should avoid the dependency from my view.

@chris-rock chris-rock added this to Up for grabs in Hacktoberfest 2019 via automation Oct 7, 2019