address comment

Signed-off-by: Mai Bui <maibui@microsoft.com>
sonic-net · Jun 18, 2024 · 653a199 · 653a199
1 parent fadc1c2
commit 653a199
Showing 1 changed file with 45 additions and 45 deletions.
diff --git a/doc/audit/SONiC_Audit_Enhancement.md b/doc/audit/SONiC_Audit_Enhancement.md
@@ -11,12 +11,15 @@
   - [2. Current Architecture Design](#2-current-architecture-design)
   - [3. High-level Design](#3-high-level-design)
     - [3.1 Design](#31-design)
-    - [3.2 Rules Review](#32-rules-review)
-          - [Table 2: Rules Review](#table-2-rules-review)
-    - [3.3 CLI design](#33-cli-design)
-    - [3.4 Timeline](#34-timeline)
-    - [3.4 Security Compliance](#34-security-compliance)
-    - [3.5 Backward Compatibility](#35-backward-compatibility)
+    - [3.2 Audit Rules Review](#32-audit-rules-review)
+          - [Table 2: Audit Rules Review](#table-2-audit-rules-review)
+    - [3.3 Configuration design](#33-configuration-design)
+      - [3.3.1 ConfigDB schema](#331-configdb-schema)
+      - [3.3.2 CLI design](#332-cli-design)
+    - [3.4 Warmboot and Fastboot Design Impact](#34-warmboot-and-fastboot-design-impact)
+    - [3.5 Timeline](#35-timeline)
+    - [3.6 Security Compliance](#36-security-compliance)
+    - [3.7 Backward Compatibility](#37-backward-compatibility)
   - [4. Testing Requirements/Design](#4-testing-requirementsdesign)
     - [4.1 Unit Test cases](#41-unit-test-cases)
           - [Table 3: Unit Test cases](#table-3-unit-test-cases)
@@ -36,15 +39,12 @@
 | 0.1 | 06/14/2024  | Mai Bui            | Initial version                   |
 
 ## Scope
-
 This section describes the audit enhancement high-level design in SONiC.
 
 ## 1. Overview
-
 This design aims to enhance the auditing capabilities within SONiC operating system using audit daemon (auditd). Auditing is the process of recording and analyzing the events that occur on the device. Auditing can help to detect unauthorized access, configuration changes, malicious activity, or system errors. Auditing can also provide evidence for forensic investigations, compliance audits, or incident response.
 
 ## 2. Current Architecture Design
-
 In SONiC, audit settings are centrally managed through a configuration file at `/etc/audit/auditd.conf`. Upon system startup, SONiC automatically compiles audit rules from the `/etc/audit/rules.d/` directory into a single file, `/etc/audit/audit.rules`, which auditd then loads. Here is a brief look at the relevant files:
 - `/etc/audit/auditd.conf` - Main configuration file.
 - `/etc/audit/audit.rules` - Loaded at startup, compiled from the individual rules in the rules.d directory.
@@ -53,20 +53,20 @@ In SONiC, audit settings are centrally managed through a configuration file at `
   - `audit.rules`
 
 ## 3. High-level Design
-
 ### 3.1 Design
-
 - Introduce a new file, `custom-audit.rules`, into the `/etc/audit/rules.d/` directory.
 - Additionally, the `/etc/audit/plugins.d/syslog.conf` is modified (by setting `active = yes`) to enable sending auditd logs to a syslog server.
-- CLI commands enhancement:
-  - `config audit enable <name>.rules`
-  - `config audit disable <name>.rules`
-
-### 3.2 Rules Review
-###### Table 2: Rules Review
+- ConfigDB schema design
+- CLI commands enhancement
+  - `config audit enable`
+  - `config audit disable`
+  - `show audit`
+
+### 3.2 Audit Rules Review
+###### Table 2: Audit Rules Review
 | Rule name | Details |
 |--------------------------|--------------------------|
-| Process audit            | `-a never,exit -F path=/usr/bin/runc -F perm=x`<br>`-a never,exit -F path=/usr/bin/python* -F perm=x`<br>`-a never,exit -F path=/usr/bin/docker -F perm=x` |
+| Process audit            | `sudo auditctl -d never,exit -F path=/usr/bin/docker  -F key=process_audit`<br>`sudo auditctl -d never,exit -F path=/usr/bin/dockerd  -F key=process_audit`<br>`sudo auditctl -d never,exit -F path=/usr/bin/containerd -F key=process_audit`<br>`sudo auditctl -d never,exit -F path=/usr/bin/runc -F perm=x`<br>`sudo auditctl -d never,exit -F path=/usr/bin/python* -F perm=x`<br>`sudo auditctl -d exit,always -F arch=b64 -S execve -F key=process_audit`<br>`sudo auditctl -d exit,always -F arch=b32 -S execve -F key=process_audit` |
 | File deletion            | `-a exit,always -F arch=b64 -S unlink -S unlinkat -F key=file_deletion`<br>`-a exit,always -F arch=b32 -S unlink -S unlinkat -F key=file_deletion` |
 | Critical files changes   | `-w /etc/passwd -p wa -k passwd_changes`<br>`-w /etc/shadow -p wa -k shadow_changes`<br>`-w /etc/group -p wa -k group_changes`<br>`-w /etc/sudoers -p wa -k sudoers_changes`<br>`-w /etc/hosts -p wa -k hosts_changes` |
 | auth.log changes         | `-w /var/log/auth.log -p wa -k auth_logs` |
@@ -82,28 +82,31 @@ In SONiC, audit settings are centrally managed through a configuration file at `
 | Log changes              | `-w /var/log -p wa -k log_changes` |
 | Docker related           | `-w /usr/bin/dockerd -p wa -k docker_daemon`<br>`-w /etc/docker/daemon.json -p wa -k docker_config`<br>`-w /lib/systemd/system/docker.service -p wa -k docker_service`<br>`-w /lib/systemd/system/docker.socket -p wa -k docker_socket`<br>`-a always,exit -F arch=b64 -S execve -F path=/usr/bin/docker -k docker_commands`<br>`-w /var/lib/docker/ -p wa -k docker_storage`<br>`-a always,exit -F arch=b64 -S execve -F path=/usr/bin/docker -k network_activity`<br>`-a always,exit -F arch=b64 -S setuid,setgid,bind,connect -F comm="/usr/bin/docker" -k docker_sys` |
 
-### 3.3 CLI design
-
-CLI commands enhancement:
-- `config audit enable <name>.rules` - enables all rules in the `<name>.rules` file, in specific, it copies the `<name>.rules` from `/usr/share/sonic/templates/` to `/etc/audit/rules.d/` and restart audit service.
-- `config audit disable <name>.rules` - removes the `<name>.rules` and disable all rules in <name>.rules and restart audit service.
-
+### 3.3 Configuration design
+#### 3.3.1 ConfigDB schema
 ```
-admin@sonic# config audit
-Usage: config [OPTIONS] COMMAND [ARGS]...
-  SONiC command line - 'config' command
-Options:
-  -?, -h, --help  Show this message and exit.
-Commands:
-  ...
-  enable          Enable <name>.rules rules
-  disable         Disable <name>.rules rules
-  ...
+{
+    "AUDIT": {
+      "global": {
+        "enable": "true"
+      }
+    }
+}
 ```
+| Key       | Description                 |
+| --------- | --------------------------- |
+| enable    | enable or not enable the FIPS, the default value is true  |
 
-### 3.4 Timeline
+#### 3.3.2 CLI design
+- `config audit enable` - enables all audit rules including existing `audisp-tacplus.rules` and new `custom-audit.rules`.
+- `config audit disable` - removes all audit rules.
+- `show audit` - show audit enabled or disabled, if enabled, show all audit current active rules.
 
-- Phase 1 (ETA: 06/28/2024)
+### 3.4 Warmboot and Fastboot Design Impact
+auditd will be stopped and then restarted as part of the reboot process, resulting in a gap in audit logs
+
+### 3.5 Timeline
+- Phase 1 (ETA: 06/28/2024, approved by security team)
   - Critical files changes
   - DNS changes
   - Time changes
@@ -112,7 +115,7 @@ Commands:
   - Modules
   - auth.log changes
   - Monitor binary directories
-- Phase 2 (ETA: 07/05/2024)
+- Phase 2 (ETA: 07/05/2024, under discussion with security team, this list may change)
   - Sudo usage
   - User group management
   - File deletion
@@ -122,28 +125,25 @@ Commands:
   - Network activity
   - Socket activity
 
-### 3.4 Security Compliance
-
+### 3.6 Security Compliance
 The new rules will be assessed with the security team to ensure compliance.
 
-### 3.5 Backward Compatibility
-
+### 3.7 Backward Compatibility
 Ensure compatibility with the 202311 branch.
 
 ## 4. Testing Requirements/Design
-
 ### 4.1 Unit Test cases
 ###### Table 3: Unit Test cases
 | Test case | Description                 |
 | --------- | --------------------------- |
 | 1         | UT for config audit enable  |
 | 2         | UT for config audit disable |
+| 3         | UT for show audit           |
 
 ### 4.2 System Test cases
 ###### Table 4: System Test cases
 | Test case | Description                 |
 | --------- | --------------------------- |
-| 1         | E2E for rule activation test - verify that enabling `<name>.rules` activates all contained rules |
-| 2         | E2E for rule deactivation test - verify that disabling `<name>.rules` effectively removes all contained rules from the active set. |
+| 1         | E2E for audit enable test|
+| 2         | E2E for audit disable test|
 | 3         | E2E for log test - verify that audit accurately send logs to syslog server. |
-