Potential error in section 4 #2

Closed
kylelundstedt opened this issue Feb 16, 2018 · 7 comments

@kylelundstedt

dest: /etc/audit/audit.rules

Are lines 164-173 an incorrect duplicate of 153-162? I'm not sure why line 166 has dest: /etc/audit/audit.rules. Thanks for checking!

@kylelundstedt
Author

kylelundstedt commented Feb 16, 2018

Hmm - hold on a sec. When I look at that folder on a running Ubuntu 16.04 instance, I see the following:

support@xxx-i04f2fe3931285439b:~$ sudo ls -la /etc/audit/rules.d
total 20
drwxr-x--- 2 root root 4096 Feb 15 13:58 .
drwxr-x--- 3 root root 4096 Feb 15 14:00 ..
-rw-r--r-- 1 root root 8454 Feb 15 13:58 osas-auditd-rhel7.rules

So, it looks like the /etc/audit/rules.d/audit.rules folder doesn't exist. Does it need to be created, or should we use the osas-auditd-rhel7.rules file?

@florianutz
Owner

Hmmm - a little bit curious. When I start a vanilla Ubuntu 16.04 and install auditd, I see the following:

root@ip:/etc/audit# ls -lR *
-rw-r----- 1 root root  701 Jan 18  2016 auditd.conf
-rw-r----- 1 root root  373 Jan 18  2016 audit.rules

rules.d:
total 4
-rw-r----- 1 root root 373 Jan 18  2016 audit.rules

There is /etc/audit/audit.rules as well as /etc/audit/rules.d/audit.rules

@florianutz florianutz self-assigned this Feb 17, 2018
@florianutz
Owner

I will check the duplicate code and fix it.

@kylelundstedt
Author

kylelundstedt commented Feb 17, 2018

Why do you need to create audit.rules in the Dockerfile?

RUN touch /etc/default/grub; touch /etc/audit/audit.rules; touch /boot/grub/grub.cfg;

florianutz pushed a commit that referenced this issue Feb 17, 2018
florianutz added a commit that referenced this issue Feb 17, 2018
fixed duplicate task 4.1.13  #2
@florianutz
Owner

Duplicate code is fixed.
The Dockerfile was for testing with Travis, but they made some changes and it does not work anymore.
I will switch to Molecule for automatic Ansible role testing with the next version.

@florianutz
Owner

All audit rules are generated correctly in /etc/audit/audit.rules by the role in my test environment.
It looks like you use a second role which creates osas-auditd-rhel7.rules.
Please let me know if there are other problems with the original topic. Otherwise I would like to close the issue.

@kylelundstedt
Author

You're right; I ran two roles to harden the OS, which created the other audit file. Thanks for all your hard work!
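
A check related to the outcome of this thread, added here as an example and not code from the role or from either commenter: it lists audit rules that occur more than once across the rule files passed to it, which is worth checking when two hardening roles have each written their own rule file. The function names and the sample rules are assumptions constructed for illustration; only the file names come from the thread.

```shell
#!/bin/sh
# Added example (not from the role): find audit rules repeated across rule files.

# normalize_rules FILE...
# Prints "rule<TAB>file" per rule line. Comment lines and blank lines are
# dropped and whitespace runs are collapsed, so spacing differences between
# two roles' templates do not hide a duplicate.
normalize_rules() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        sed -e '/^[[:space:]]*#/d' \
            -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$f" |
            awk -v file="$f" 'NF { print $0 "\t" file }'
    done
}

# duplicate_rules FILE...
# Prints "<count>x <rule> <- <files>" for every rule seen more than once.
duplicate_rules() {
    normalize_rules "$@" | awk -F '\t' '
        { count[$1]++; files[$1] = files[$1] " " $2 }
        END { for (r in count) if (count[r] > 1) print count[r] "x " r " <-" files[r] }
    ' | sort
}

# demo: constructed sample files standing in for a rules.d directory after
# two roles have run. The rule contents are made up for this example.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# role A (constructed)' \
        '-w /etc/passwd -p wa -k identity' \
        '-w /etc/group -p wa -k identity' > "$d/audit.rules"
    printf '%s\n' '# role B (constructed)' \
        '-w  /etc/passwd  -p wa -k identity' \
        '-w /etc/sudoers -p wa -k scope' > "$d/osas-auditd-rhel7.rules"
    duplicate_rules "$d"/*.rules
    rm -rf "$d"
}

# With arguments, check those files; with none, run the constructed demo.
if [ "$#" -gt 0 ]; then duplicate_rules "$@"; else demo; fi
```

On a real host, pass /etc/audit/audit.rules and /etc/audit/rules.d/*.rules as arguments and run it as root, since the listings above show those directories are readable by root only.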
