Update Fedora controls #84
artem-sidorenko merged 1 commit into dev-sec:master from shoekstra:fix_fedora_controls
chris-rock left a comment
Thank you @shoekstra. What would be a good solution for the logging feature on Fedora?
| @@ -74,13 +74,14 @@ | |||
| describe package(val_syslog_pkg) do | |||
@atomic111 @artem-sidorenko Should we accept systemd journal as a default solution here too?
| title 'Install auditd' | ||
| desc 'auditd provides extended logging capacities on recent distribution' | ||
| audit_pkg = os.redhat? || os.suse? || os.name == 'amazon' ? 'audit' : 'auditd' | ||
| audit_pkg = os.redhat? || os.suse? || os.name == 'amazon' || os.name == 'fedora' ? 'audit' : 'auditd' |
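Review bot: In the new `audit_pkg` line the ternary hangs off a four-term `||` chain with no parentheses, so the reader has to know that `?:` binds looser than `||` to see that the whole chain is the condition. Wrapping the condition in parentheses, or collapsing the two name comparisons into `%w[amazon fedora].include?(os.name)`, would make the intent explicit and keep the line from growing with every distribution added later.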
artem-sidorenko left a comment
@shoekstra many thanks!
@chris-rock any further remarks?
| @@ -74,13 +74,14 @@ | |||
| describe package(val_syslog_pkg) do | |||
|
@artem-sidorenko @chris-rock hi guys, what can I do to get this merged? Last thing outstanding until dev-sec/chef-os-hardening#179 can be merged and all its tests go green.
| describe package(val_syslog_pkg) do | ||
| it { should be_installed } | ||
| end | ||
| only_if { os.name != 'fedora' } |
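Review bot: With `only_if { os.name != 'fedora' }` the syslog package check is skipped outright on Fedora, so the profile asserts nothing about logging on those hosts. The guard needs a comment stating why Fedora is excluded, and it is worth deciding whether a check for the systemd journal should take its place there instead of leaving the platform unchecked.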
@shoekstra can we have a short comment here, explaining the reason for this only_if and Fedora exclusion? (It's not obvious for somebody who does not know the context and problem here.)
chris-rock left a comment
@shoekstra Thank you for the improvement. Approved once the comment requested by @artem-sidorenko is in.
| end | ||
| # Fedora doesn't install with a syslogger out of the box and instead uses | ||
| # systemd journal; as there is there is no affinity towards either rsyslog | ||
| # or syslog-ng, we'll skip this check on Fedora hosts. |
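Review bot: The added comment repeats a phrase in its second line, "as there is there is no affinity"; drop the duplicated "there is". "No affinity towards either" is also vague, and wording such as "no default choice between rsyslog and syslog-ng" would say more directly why the check cannot pick a package on Fedora.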
@artem-sidorenko @chris-rock here it is, all yours 👍
artem-sidorenko left a comment
@shoekstra thank you!
The audit package on Fedora is called audit and not auditd, so updated condition.

Fedora doesn't install with a syslog package so for now skipping it, maybe more of a discussion point as then a default should be decided - either rsyslog or syslog-ng - for remediation via puppet/chef/ansible.