From de263591ffbbb38d1699073c31cecd9a1e730b0e Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Thu, 10 Feb 2022 06:56:26 +0200
Subject: [PATCH] Add auditd package and systemd unit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This includes the `auditd` binary and systemd unit as part of the distro. While journald is also able to handle logs from the linux audit subsystem, auditd provides audit-specific capabilities that are necessary in deployments subject to regulatory compliance. For one, an administrator is able to configure audit log writing policy to ensure that logs land on disk and nothing is missed (`flush`). We wouldn't want such policy through journald as it woudl sync and ensure all logs which might be undesirable and too resource intensive. In short, this allows us to configure different management policies for audit logs compared to general logs. It allows us to explicitly configure the node's reaction to errors such as the disk beign full, the disk having other issues or space constraints. While Flatcar is not Common Criteria certified which would require the system to shut down if audit logs present issues (not written or collected), some FedRAMP environments do require actions such as notifications (which could be achieved via syslog). This can be explicitly done with auditd as well.
Co-authored-by: Kai Lüke
---
 .../sys-process/audit/audit-3.0.6.ebuild | 29 ++++++++++---------
 .../audit/files/audit-rules.tmpfiles | 11 +++----
 2 files changed, 22 insertions(+), 18 deletions(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild
index 9b96ede524..bdc585b9f2 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild
@@ -42,17 +42,13 @@ src_prepare() {
 # Disable installing sample rules so they can be installed as docs.
 echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null
- # Flatcar: Do not build daemon stuff.
- sed -e '/^SUBDIRS =/s/audisp//' \
- -i Makefile.am || die
 # Flatcar: Some legacy stuff is being installed when systemd
 # is enabled. Drop all the lines that try doing it.
 sed -e '/${DESTDIR}${initdir}/d' \
 -e '/${DESTDIR}${legacydir}/d' \
 -i init.d/Makefile.am || die
 # Flatcar: Do not build daemon stuff.
- sed -e '/^sbin_PROGRAMS =/s/auditd//' \
- -e '/^sbin_PROGRAMS =/s/aureport//' \
+ sed -e '/^sbin_PROGRAMS =/s/aureport//' \
 -e '/^sbin_PROGRAMS =/s/ausearch//' \
 -i src/Makefile.am || die
@@ -144,6 +140,11 @@ multilib_src_install_all() {
 # newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
 # newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
+ # Flatcar: install sample configuration
+ insinto /usr/share/auditd
+ doins "${S}"/init.d/auditd.conf
+
+ # Flatcar: We are not installing audisp too.
 # [ -f "${ED}"/sbin/audisp-remote ] && \
 # dodir /usr/sbin && \
@@ -151,7 +152,6 @@ multilib_src_install_all() {
 # Flatcar: Do not install gentoo rules.
 # Gentoo rules
- # insinto /etc/audit
 # newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
 # Flatcar: We are installing our own rules.
 insinto /usr/share/audit/rules.d
@@ -160,15 +160,16 @@ multilib_src_install_all() {
 # doins "${FILESDIR}"/audit.rules.stop*
 # audit logs go here
- # Flatcar: This is where auditd puts its logs. We don't have
- # the daemon, so get rid of the unnecessary directory.
- # keepdir /var/log/audit
+ keepdir /var/log/audit
 find "${ED}" -type f -name '*.la' -delete || die
 # Security
 lockdown_perms "${ED}"
+ # Flatcar: We add the systemd unit but don't enable it.
+ systemd_dounit init.d/auditd.service
+ # Flatcar: Our systemd stuff.
 newtmpfiles "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf
 systemd_dounit "${FILESDIR}"/audit-rules.service
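Review bot: The comment `# Flatcar: Do not build daemon stuff.` that still sits above the `sbin_PROGRAMS` sed is now wrong, because this hunk keeps `auditd` in sbin_PROGRAMS and only strips aureport and ausearch. Suggest `# Flatcar: Do not build aureport/ausearch; auditd itself is shipped now.` so nobody re-adds the auditd exclusion on the strength of the old comment. The body of src_prepare continues outside the hunk.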
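Review bot: The sample config is installed under `/usr/share/auditd` while the rules the same ebuild ships live under `/usr/share/audit/rules.d`, so one package now owns two near-identically named share directories; `insinto /usr/share/audit` (with the tmpfiles `C` source path changed to match) would keep the auditd files in one place, unless the separate name is deliberate. The comment `# Flatcar: We are not installing audisp too.` reads as though audisp were being added; `# Flatcar: audisp is not installed either, so the audisp-remote fixup below stays disabled.` says what the following commented block is about. multilib_src_install_all continues outside the hunk.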
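Review bot: `systemd_dounit init.d/auditd.service` ships the upstream unit as-is, but the configuration and rules under `/etc/audit` that this commit's `rm -f` and tmpfiles entries place there are only materialised at boot, so the unit's ordering relative to systemd-tmpfiles-setup.service decides whether auditd finds them on first boot; that ordering is not visible here and should be confirmed against init.d/auditd.service. I would record the dependency in the comment: `# Flatcar: We add the systemd unit but don't enable it. /etc/audit is populated by audit-rules.conf (tmpfiles), so the unit must order after tmpfiles-setup.` `keepdir /var/log/audit` is correctly placed before `lockdown_perms "${ED}"`, which tightens that directory to 0750. multilib_src_install_all continues outside the hunk.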
@@ -182,11 +183,13 @@ pkg_postinst() {
 lockdown_perms() {
 # Upstream wants these to have restrictive perms.
 # Should not || die as not all paths may exist.
- # Flatcar: No lockdown of permissions - it's probably only
- # related to auditd.
- # local basedir="${1}"
+ # Flatcar: We don't include ausearch and aureport
+ # so they're removed from the hardening list
+ local basedir="${1}"
 # chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
- # chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
+ chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,trace} 2>/dev/null
+ chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
 # chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
+ rm -f "${basedir}"/etc/audit/auditd.conf 2>/dev/null
 :
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
index 2c15b63d23..b7f9530cca 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
@@ -1,5 +1,6 @@
-d /etc/audit - - - - -
-d /etc/audit/rules.d - - - - -
-L /etc/audit/rules.d/00-clear.rules - - - - /usr/share/audit/rules.d/00-clear.rules
-L /etc/audit/rules.d/80-selinux.rules - - - - /usr/share/audit/rules.d/80-selinux.rules
-L /etc/audit/rules.d/99-default.rules - - - - /usr/share/audit/rules.d/99-default.rules
+d /etc/audit 750 - - - -
+C /etc/audit/auditd.conf 640 - - - /usr/share/auditd/auditd.conf
+d /etc/audit/rules.d 750 - - - -
+L /etc/audit/rules.d/00-clear.rules 640 - - - /usr/share/audit/rules.d/00-clear.rules
+L /etc/audit/rules.d/80-selinux.rules 640 - - - /usr/share/audit/rules.d/80-selinux.rules
+L /etc/audit/rules.d/99-default.rules 640 - - - /usr/share/audit/rules.d/99-default.rules
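Review bot: `rm -f "${basedir}"/etc/audit/auditd.conf` is a file removal inside a function whose header comment describes it as a permissions lockdown, so someone tracing why the make-installed auditd.conf is absent from the image will not look here. Move it into multilib_src_install_all next to the `doins "${S}"/init.d/auditd.conf` that ships the sample copy, with a comment such as `# Flatcar: drop the make-installed /etc/audit/auditd.conf; tmpfiles copies the sample from /usr/share/auditd at boot.` The new comment above `local basedir` should also say why the `chmod 0640 ... audit*.rules*` line is intentionally left commented out and where the rule files' mode is meant to be set instead. The hunk shows lockdown_perms in full.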
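Review bot: The `640` on the three `L` lines does nothing, since tmpfiles.d(5) ignores the mode field for symlink entries; what controls who can read the rule set is the mode of the targets under /usr/share/audit/rules.d, which the ebuild installs with doins' default 0644 while the upstream-style `chmod 0640 ... audit*.rules*` in lockdown_perms stays commented out. If the 750 directories are meant to keep the rules readable by root only, set the mode on the targets in the ebuild after the rules are installed, `fperms 0640 /usr/share/audit/rules.d/{00-clear,80-selinux,99-default}.rules`, and put `-` in the mode column of the `L` lines so the file does not promise a restriction it cannot apply. The `C` line only copies the sample when /etc/audit/auditd.conf does not already exist, which is what lets local edits survive an update; that behaviour is worth a `#` comment above it.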