This repository has been archived by the owner on May 30, 2023. It is now read-only.

Add auditd package and systemd unit #1636

Merged: 3 commits merged into flatcar-archive:main from enable-auditd on Feb 15, 2022

Conversation

@JAORMX (Contributor) commented Feb 10, 2022

Add auditd package and systemd unit

This includes the auditd binary and systemd unit as part of the
distro. While journald is also able to handle logs from the linux audit
subsystem, auditd provides audit-specific capabilities that are
necessary in deployments subject to regulatory compliance.

For one, an administrator is able to configure audit log writing policy
to ensure that logs land on disk and nothing is missed (flush). We
wouldn't want such policy through journald as it would sync and ensure
all logs which might be undesirable and too resource intensive. In
short, this allows us to configure different management policies for
audit logs compared to general logs.

It allows us to explicitly configure the node's reaction to errors such
as the disk being full, the disk having other issues or space constraints.

While Flatcar is not Common Criteria certified which would require the
system to shut down if audit logs present issues (not written or
collected), some FedRAMP environments do require actions such as
notifications (which could be achieved via syslog). This can be
explicitly done with auditd as well.

How to use

[ describe what reviewers need to do in order to validate this PR ]

Testing done

[Describe the testing you have done before submitting this PR. Please include both the commands you issued as well as the output you got.]

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)

@JAORMX force-pushed the enable-auditd branch 2 times, most recently from 6acc028 to 92ce41f (February 14, 2022 11:39)
@JAORMX force-pushed the enable-auditd branch 2 times, most recently from b47a210 to a62eddd (February 14, 2022 12:59)
@pothos (Contributor) commented Feb 15, 2022

The changelog entry needs a file like changelog/changes/2022-02-15-auditd.md with a single markdown list entry like that:

- Added `auditd.service` but left it disabled by default, a custom configuration can be created by removing the `/etc/audit/auditd.conf` and replacing it with an own file ([PR#1636](https://github.com/flatcar-linux/coreos-overlay/pull/1636))

@JAORMX (Contributor, Author) commented Feb 15, 2022

> The changelog entry needs a file like changelog/changes/2022-02-15-auditd.md with a single markdown list entry like that:
>
> - Added `auditd.service` but left it disabled by default, a custom configuration can be created by removing the `/etc/audit/auditd.conf` and replacing it with an own file ([PR#1636](https://github.com/flatcar-linux/coreos-overlay/pull/1636))

Done. Thanks @pothos for all your help and patience!

@pothos (Contributor) commented Feb 15, 2022

It's a bit rough because of the downstream changes… I hope we can create an automatism soon that allows us to use unmodified Gentoo ebuild files.

@pothos (Contributor) commented Feb 15, 2022

Maybe the /etc/audit/auditd.conf file still gets created from the package installation. In this case we can add something like this:

@@ -189,6 +189,7 @@ lockdown_perms() {
 	# chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
 	chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,trace} 2>/dev/null
 	chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
 	# chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
+	rm -f  "${basedir}"/etc/audit/auditd.conf 2>/dev/null
 	:
 }
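Review bot: the added `rm -f  "${basedir}"/etc/audit/auditd.conf` unconditionally deletes the configuration the package just installed, so after this change auditd has nothing to read unless another mechanism (the symlink or the tmpfiles.d copy directive discussed in this thread) places a file at /etc/audit/auditd.conf; that mechanism should land in the same change, and a short comment above the `rm` explaining why the shipped file is removed would stop a future reader from reverting it as an apparent mistake in a function named lockdown_perms(). Two smaller points: `rm -f` already ignores a missing file, so the trailing `2>/dev/null` only hides real failures (for example an unwritable `${basedir}`), and there is a double space between `-f` and the path.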

@JAORMX (Contributor, Author) commented Feb 15, 2022

> Maybe the /etc/audit/auditd.conf file still gets created from the package installation. In this case we can add something like this:

@@ -189,6 +189,7 @@ lockdown_perms() {
 	# chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
 	chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,trace} 2>/dev/null
 	chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
 	# chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
+	rm -f  "${basedir}"/etc/audit/auditd.conf 2>/dev/null
 	:
 }

Done

@pothos (Contributor) commented Feb 15, 2022

Thanks a lot, can you squash the commits?
Edit: except the changelog commit

@pothos (Contributor) commented Feb 15, 2022

Oh no… Now that I tried it again I get `Error opening config file (Too many levels of symbolic links)` :(
Seems we can't use the symbolic link approach to keep the file updated. Either we can try to use the copy tmpfile directive (`C /target/to/create - - - - /source/to/copy`, see https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html), or we do a compromise then and ship the file only for new installations.
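The two ideas in this thread, the audit log write and disk-error policy from the PR description and the tmpfiles.d `C` copy directive suggested just above, combined into one staged example. This is an added illustration, not code from this PR or from the Flatcar coreos-overlay repository: the staging root, the source path /usr/share/audit/auditd.conf, the fragment name and the policy values are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the PR or Flatcar): stage (1) an auditd.conf that
# implements a compliance-oriented flush / disk-error policy and (2) a
# tmpfiles.d fragment using the "C" directive so the file is copied into
# /etc/audit on first boot. ROOT, the source path and the fragment name are
# assumptions for this example.
set -eu

ROOT="${ROOT:-$(mktemp -d)}"
SRC_CONF="$ROOT/usr/share/audit/auditd.conf"
TMPFILES="$ROOT/usr/lib/tmpfiles.d/auditd.conf"

# Write a constructed auditd.conf to $1 (values chosen for the example).
write_auditd_conf() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
# Constructed example configuration for auditd (not the upstream default)
log_file = /var/log/audit/audit.log
log_format = ENRICHED
# Write every record to disk before returning, so nothing is lost on a crash
flush = DATA
# Keep a bounded set of log files and rotate instead of stopping logging
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
# Thresholds are megabytes of space left on the log partition
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SYSLOG
# A full disk or a write error is reported via syslog instead of ignored
disk_full_action = SYSLOG
disk_error_action = SYSLOG
EOF
}

# Write a tmpfiles.d fragment to $1 that copies $2 to /etc/audit/auditd.conf.
# "C" only copies when the target does not exist yet, so a locally edited
# /etc/audit/auditd.conf survives later image updates.
write_tmpfiles_fragment() {
    mkdir -p "$(dirname "$1")"
    printf 'C /etc/audit/auditd.conf - - - - %s\n' "$2" > "$1"
}

# Read the value of "key = value" setting $2 from auditd.conf $1, skipping
# comment lines; prints nothing if the key is absent.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Checks a CI job could run over the staged tree before building an image.
check_policy() {
    [ "$(conf_value "$SRC_CONF" flush)" = "DATA" ] &&
    [ "$(conf_value "$SRC_CONF" disk_full_action)" = "SYSLOG" ] &&
    [ "$(conf_value "$SRC_CONF" disk_error_action)" = "SYSLOG" ] &&
    grep -q '^C /etc/audit/auditd.conf ' "$TMPFILES"
}

write_auditd_conf "$SRC_CONF"
write_tmpfiles_fragment "$TMPFILES" /usr/share/audit/auditd.conf

check_policy && echo "staged auditd policy OK under $ROOT"
```

Running the script with `ROOT` unset stages everything under a temporary directory; pointing `ROOT` at an image build root would stage the same files there. The `SYSLOG` actions are the notification behaviour the PR description mentions for FedRAMP-style environments, and `flush = DATA` is the "make sure it lands on disk" policy that is not wanted for general journald logs.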

JAORMX and others added 2 commits February 15, 2022 17:43
This includes the `auditd` binary and systemd unit as part of the
distro. While journald is also able to handle logs from the linux audit
subsystem, auditd provides audit-specific capabilities that are
necessary in deployments subject to regulatory compliance.

For one, an administrator is able to configure audit log writing policy
to ensure that logs land on disk and nothing is missed (`flush`). We
wouldn't want such policy through journald as it would sync and ensure
all logs which might be undesirable and too resource intensive. In
short, this allows us to configure different management policies for
audit logs compared to general logs.

It allows us to explicitly configure the node's reaction to errors such
as the disk being full, the disk having other issues or space constraints.

While Flatcar is not Common Criteria certified which would require the
system to shut down if audit logs present issues (not written or
collected), some FedRAMP environments do require actions such as
notifications (which could be achieved via syslog). This can be
explicitly done with auditd as well.

Co-authored-by: Kai Lüke <pothos@users.noreply.github.com>
Co-authored-by: Kai Lüke <pothos@users.noreply.github.com>
@pothos (Contributor) left a review comment:

Waiting to start it once on the built image, then we are ready to merge

@pothos pothos merged commit bf93ee3 into flatcar-archive:main Feb 15, 2022