-
-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Some patches for review #16
base: master
Are you sure you want to change the base?
Conversation
Force push was about some string cleanup. |
from auditd.conf(5) All option names and values are case insensitive.
No need to define this per rule over and over again.
This makes install slightly faster as there is one task less.
Fixed some minor issues. Split some patches per rule. |
By default rules have 0640 permissions. Meaning not word readable.
- this allows to skip or select
Use block to group auditd_rules checking.
Also require settings and auditd_ match 1:1
…ings, optional Variables can be set using templating and if jinra2_native is false, then values are always strings no matter what you do. There is default, no need to define unconditionally.
…gs, optional Variables can be set using templating and if jinra2_native is false, then values are always strings no matter what you do. There is defaults, no need to set.
…rings, optional Variables can be set using templating and if jinra2_native is false, then values are always strings no matter what you do. There is defaults and no need to define.
…ings Variables can be set using templating and if jinra2_native is false, then values are always strings no matter what you do. There is default, no need to define.
optional Variables can be set using templating and if jinra2_native is false, then values are always strings no matter what you do.
…rings, optional Variables can be set using templating and if jinra2_native is false, then values are always strings no matter what you do.
…tings commented out
…testing If you run privileged enough container, augenrules --load should succeed, so it is wrong to test ansible_connection against containers. Problem here is not containers. Problem is lack of privileges, when testing normally with molecule container.
This was tested also with almalinux/8 and amazonlinux:2022.
Without local modifications create same file other than Ansible managed comment
Tested with Opensuse Leap 15
I needed to implement You will need to have these in molecule with podman to able to start auditd.
This now passes my simple test suite (not included) for all distros in line with supported platforms. I don't have docker to run existing test suite. Essentially it just sets all variable values to some value and adds one rule. I guess there should be another test with 200 rules. Auditd / auditctl are both missing functionality to test rule / configuration file syntax. This makes implementing ansible module harder than necessary. |
…ivileged container This enables us to test it in unprivileged container as no priority boost means no nice syscall with negative parameter and no need for CAP_SYS_NICE capability. https://github.com/linux-audit/audit-userspace/blob/a437ce5d488d8072237dce1c3e818d41758024df/src/auditd.c#L725
name: My modifications for review
about: Mixed, bugfixes, cleanups and changes
Describe the change
Collection of my patches for review.
Mostly my start target was to support all audit features Fedora 35 does support, or at least what I have used.
And then generate exactly the same file as F35 (and later F36-37) default was with comments and upcase/lowercase. This required to values to have default value, then none/empty value to generate default value.
I wanted to support audit rules from https://github.com/ComplianceAsCode/content/ and to do that I need to change rule generation some.
As my test has almost 200 audit rules, assert phase started to take about 10 minutes to run. I changed it to one multirule. It is not best solution as it usually does not provide exact error point and message is not best. I think these complex datastructures probably should be checked using python filter as It is only way I see to be speedy and possibility for exact error messages.
I tried to expand assert rules some. But not all combinations are tested and maybe there is some errors. It would be nice to generate config option assert rules from parameter description as they are mostly about the same but as it tries to support both yaml numbers and yaml strings it gets complex pretty fast.
Testing
This codebase is tested under F37 x64_64
audit-3.0.9-1.fc37.x86_64
ansible-6.4.0-1.fc37.noarch
As changes are extensive, most probably they fail on other distros, especially when they are missing configuration files.