Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Some patches for review #16

Draft
wants to merge 83 commits into
base: master
Choose a base branch
from
Draft

Some patches for review #16

wants to merge 83 commits into from

Conversation

maage
Copy link

@maage maage commented Oct 10, 2022
edited

name: My modifications for review
about: Mixed, bugfixes, cleanups and changes

Describe the change
Collection of my patches for review.

Mostly my start target was to support all audit features Fedora 35 does support, or at least what I have used.

And then generate exactly the same file as F35 (and later F36-37) default was with comments and upcase/lowercase. This required to values to have default value, then none/empty value to generate default value.
I wanted to support audit rules from https://github.com/ComplianceAsCode/content/ and to do that I need to change rule generation some.

As my test has almost 200 audit rules, assert phase started to take about 10 minutes to run. I changed it to one multirule. It is not best solution as it usually does not provide exact error point and message is not best. I think these complex datastructures probably should be checked using python filter as It is only way I see to be speedy and possibility for exact error messages.

I tried to expand assert rules some. But not all combinations are tested and maybe there is some errors. It would be nice to generate config option assert rules from parameter description as they are mostly about the same but as it tries to support both yaml numbers and yaml strings it gets complex pretty fast.

Testing
This codebase is tested under F37 x64_64

audit-3.0.9-1.fc37.x86_64
ansible-6.4.0-1.fc37.noarch

As changes are extensive, most probably they fail on other distros, especially when they are missing configuration files.

@maage
Copy link
Author

maage commented Oct 10, 2022

Force push was about some string cleanup.

@maage
fix: allow ansible.cfg: inject_facts_as_vars = false
14de117
@maage
fix: assert: handle values as case insensitive
e858ba5 
from auditd.conf(5)

	All option names and values are case insensitive.
@maage
fix: assert: use module defaults to be quiet
732cddb 
No need to define this per rule over and over again.
@maage
fix: rules filters is list of strings, not string
2755ee5
@maage
change: simplify install to install all at once
7fae5bc 
This makes install slightly faster as there is one task less.
@maage
Copy link
Author

maage commented Oct 12, 2022
edited

Fixed some minor issues. Split some patches per rule.
Some testing against Debian, Ubuntu and other distros.
Small additional features. Bugfixes. Test changes.

@maage
change: add ansible-later config
8b910b0
@maage
fix: rules file perm 0640
8e41e8c 
By default rules have 0640 permissions. Meaning not word readable.
@maage
bugfix: add directories
db9f7bb
@maage
change: add assert_parameters tag for asserts
6221e4a 
- this allows to skip or select
@maage
change: assert: auditd_rules check simplify
28981b1 
Use block to group auditd_rules checking.
@maage
change: assert: auditd_rules keyname not mandatory
19a6e09
@maage
change: add variable auditd_rules_file: configure rules file
e84f3f5
@maage
change: name assert groups
129fba3
@maage
templates/auditd.conf.j2: use macro to render values
255e40a 
Also require settings and auditd_ match 1:1
@maage
change: templates/custom.rules.j2: use macros to simplify
4163a10
@maage
fix: templates/custom.rules.j2: allow rule permissions when no file o…
2dc3ead 
…r syscall
@maage
feature: support rule field comparisons, actually -C
1352a76
@maage
change: refactor default settings handling
12b34f5
@maage
change: assert not run_once as it depends on os/version
f4d4421
@maage
style: use comment in custom.rules template in style of upstream
fc70f64
@maage
change: assert: auditd_buffer_size: allow numeric variables to be str…
8cf1957 
…ings, optional

Variables can be set using templating and if jinra2_native is false,
then values are always strings no matter what you do.

There is default, no need to define unconditionally.
@maage
change: assert: auditd_fail_mode: allow numeric variables to be strin…
14bd5d4 
…gs, optional

Variables can be set using templating and if jinra2_native is false,
then values are always strings no matter what you do.

There is defaults, no need to set.
@maage
change: assert: auditd_maximum_rate: allow numeric variables to be st…
3c7dd62 
…rings, optional

Variables can be set using templating and if jinra2_native is false,
then values are always strings no matter what you do.

There is defaults and no need to define.
@maage
change: assert: auditd_enable_flag: allow numeric variables to be str…
69ae2b9 
…ings

Variables can be set using templating and if jinra2_native is false,
then values are always strings no matter what you do.

There is default, no need to define.
@maage
change: assert: auditd_freq: allow numeric variables to be strings,
0215f9e 
optional

Variables can be set using templating and if jinra2_native is false,
then values are always strings no matter what you do.
@maage
change: assert: auditd_max_log_file: allow numeric variables to be st…
2439477 
…rings, optional

Variables can be set using templating and if jinra2_native is false,
then values are always strings no matter what you do.
@maage
change: auditd.conf: add auditd_tcp_listen_port: configure tcp_listen…
c9e7868 
…_port
@maage
change: auditd.conf: add auditd_name: configure name
0238607
@maage
change: auditd.conf: add auditd_tcp_client_ports: configure tcp_clien…
e620012 
…t_ports
@maage
change: auditd.conf: add auditd_krb5_key_file: configure krb5_key_file
01eff39
@maage
change: auditd.conf: add auditd_transport: configure transport
b3f769f
@maage
change: auditd.conf: add auditd_q_depth: configure q_depth
a7eb93e
@maage
change: auditd.conf: add auditd_overflow_action: configure overflow_a…
109a56b 
…ction
@maage
change: auditd.conf: add auditd_max_restarts: configure max_restarts
9be74ae
@maage
change: auditd.conf: add auditd_plugin_dir: configure plugin_dir
1a83b62
@maage
change: auditd.conf: add auditd_end_of_event_timeout: configure end_o…
e8dd51d 
…f_event_timeout
@maage
feature: add auditd_use_upper_values as some distros use upper values…
8483698 
… in some keys
@maage
feature: add auditd_config_commented_out_settings to allow to set set…
eba7127 
…tings commented out
@maage
feature: check auditd_krb5_key_file exists with right mode if defined
b4cb0d0
@maage
feature: add auditd_backlog_wait_time
22992f9
@maage
feature: auditd_config_deprecated_settings: to always drop deprecated…
b9642db 
… settings
@maage
change: assert: much faster on auditd_rules
03b6fad
@maage
doc: add info when config was last checked
58b2cbc
@maage
feature: add auditd_molecule_container_testing variable for molecule …
361c3bd 
…testing

If you run privileged enough container, augenrules --load should
succeed, so it is wrong to test ansible_connection against containers.
Problem here is not containers. Problem is lack of privileges, when
testing normally with molecule container.
@maage
feature: add comment and comment_style fields in auditd_rule
814ad15
@maage
support: RedHat
782285b 
This was tested also with almalinux/8 and amazonlinux:2022.
@maage
support: Fedora
cfd155b 
Without local modifications create same file other than Ansible managed comment
@maage
support: Amazon
4b63e16
@maage
support: Suse
2e56dc2 
Tested with Opensuse Leap 15
@maage
support: Debian
5a5cf37
@maage
support: Ubuntu
84ca505
@maage
Copy link
Author

maage commented Oct 13, 2022
edited

I needed to implement auditd_config_deprecated_settings to skip configs that are not implement in certain auditd versions / implemented in some distros. I fixed "Load rules" to work right with molecule testing and fail if auditd can not start with tested config. I think it is essential to test that auditd actually starts with a tested configuration. Old versions do not have certain auditd.conf options and start fails. Also if value is wrong, start fails too. Because containerized test env, auditd configuration can not be tested fully as any option requiring extra capabilities fails. Also auditd can no reload configuration via netlink because of missing capabilities, so solution was to kill auditd.service and then start it again and check if it was able to start.

You will need to have these in molecule with podman to able to start auditd.

      # This enables us to test it in unprivileged container as no priority
      # boost means no nice syscall with negative parameter and no need for
      # CAP_SYS_NICE capability.
      # https://github.com/linux-audit/audit-userspace/blob/a437ce5d488d8072237dce1c3e818d41758024df/src/auditd.c#L725
      auditd_priority_boost: 0
      # This is needed in container setups as it allows auditd to start but not
      # notify and fail and die. Needed CAP_NET_AUDIT
      auditd_local_events: "no"
      # This enables us to cheat. Needed CAP_AUDIT_CONTROL
      auditd_molecule_container_testing: true

This now passes my simple test suite (not included) for all distros in line with supported platforms. I don't have docker to run existing test suite. Essentially it just sets all variable values to some value and adds one rule. I guess there should be another test with 200 rules.

Auditd / auditctl are both missing functionality to test rule / configuration file syntax. This makes implementing ansible module harder than necessary.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@maage