From 7e72f00f26711329c9fa554bdb0f930442a6cc57 Mon Sep 17 00:00:00 2001
From: Artem Sidorenko
Date: Fri, 9 Jun 2023 11:43:13 +0200
Subject: [PATCH 1/5] Testing on Almalinux and Rockylinux 8/9

Signed-off-by: Artem Sidorenko
Signed-off-by: Tim de Koning
---
 .github/workflows/test.yml | 8 ++++++++
 .kitchen.do.yml | 12 ++++++++++++
 .kitchen.dokken.yml | 16 ++++++++++++++++
 .kitchen.yml | 4 ++++
 README.md | 2 ++
 5 files changed, 42 insertions(+)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index e43227d..9cc8c64 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -44,6 +44,10 @@ jobs:
 - centos-7
 - centos-stream-8
 - centos-stream-9
+ - almalinux-8
+ - almalinux-9
+ - rockylinux-8
+ - rockylinux-9
 - oracle-7
 - debian-10
 - debian-11
@@ -83,6 +87,10 @@ jobs:
 - default-centos-7
 - default-centos-stream-8
 - default-centos-stream-9
+ - default-almalinux-8
+ - default-almalinux-9
+ - default-rockylinux-8
+ - default-rockylinux-9
 - default-ubuntu-18-04
 - default-ubuntu-20-04
 - default-debian-10
diff --git a/.kitchen.do.yml b/.kitchen.do.yml
index d037369..7c3939f 100644
--- a/.kitchen.do.yml
+++ b/.kitchen.do.yml
@@ -17,6 +17,18 @@ platforms:
 - name: centos-stream-9
 driver_config:
 image: centos-stream-9-x64
+- name: almalinux-8
+ driver_config:
+ image: almalinux-8-x64
+- name: almalinux-9
+ driver_config:
+ image: almalinux-9-x64
+- name: rockylinux-8
+ driver_config:
+ image: rockylinux-8-x64
+- name: rockylinux-9
+ driver_config:
+ image: rockylinux-9-x64
 - name: fedora-37
 driver_config:
 image: fedora-37-x64
diff --git a/.kitchen.dokken.yml b/.kitchen.dokken.yml
index 729b688..e1b8df1 100644
--- a/.kitchen.dokken.yml
+++ b/.kitchen.dokken.yml
@@ -36,6 +36,22 @@ platforms:
 driver:
 image: dokken/centos-stream-9
 pid_one_command: /usr/lib/systemd/systemd
+- name: almalinux-8
+ driver:
+ image: dokken/almalinux-8
+ pid_one_command: /usr/lib/systemd/systemd
+- name: almalinux-9
+ driver:
+ image: dokken/almalinux-9
+ pid_one_command: /usr/lib/systemd/systemd
+- name: rockylinux-8
+ driver:
+ image: dokken/rockylinux-8
+ pid_one_command: /usr/lib/systemd/systemd
+- name: rockylinux-9
+ driver:
+ image: dokken/rockylinux-9
+ pid_one_command: /usr/lib/systemd/systemd
 - name: oracle-7
 driver:
 image: oraclelinux:7
diff --git a/.kitchen.yml b/.kitchen.yml
index 2e708a8..c5227bb 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -12,6 +12,10 @@ platforms:
 - name: centos-7
 - name: centos-stream-8
 - name: centos-stream-9
+- name: almalinux-8
+- name: almalinux-9
+- name: rockylinux-8
+- name: rockylinux-9
 - name: oracle-7
 - name: debian-10
 - name: debian-11
diff --git a/README.md b/README.md
index 96d8504..badfd99 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,8 @@ It will not:
 - RHEL 7
 - CentOS 7
 - Oracle Linux 7
+- AlmaLinux 8, 9
+- Rocky Linux 8, 9
 - CentOS Stream 8, 9
 - Fedora 37, 38
 - OpenSuse Leap 42
From c17a2fba6e0626afe8d31447218b296255e2396a Mon Sep 17 00:00:00 2001
From: Artem Sidorenko
Date: Fri, 9 Jun 2023 11:59:54 +0200
Subject: [PATCH 2/5] Testing on Oraclelinux 8 and 9

Signed-off-by: Artem Sidorenko
Signed-off-by: Tim de Koning
---
 .github/workflows/test.yml | 2 ++
 .kitchen.dokken.yml | 10 +++++++++-
 .kitchen.yml | 2 ++
 README.md | 6 +++---
 4 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9cc8c64..afa95ea 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -49,6 +49,8 @@ jobs:
 - rockylinux-8
 - rockylinux-9
 - oracle-7
+ - oracle-8
+ - oracle-9
 - debian-10
 - debian-11
 - fedora-37
diff --git a/.kitchen.dokken.yml b/.kitchen.dokken.yml
index e1b8df1..70ca854 100644
--- a/.kitchen.dokken.yml
+++ b/.kitchen.dokken.yml
@@ -54,7 +54,15 @@ platforms:
 pid_one_command: /usr/lib/systemd/systemd
 - name: oracle-7
 driver:
- image: oraclelinux:7
+ image: dokken/oraclelinux-7
+ pid_one_command: /usr/lib/systemd/systemd
+- name: oracle-8
+ driver:
+ image: dokken/oraclelinux-8
+ pid_one_command: /usr/lib/systemd/systemd
+- name: oracle-9
+ driver:
+ image: dokken/oraclelinux-9
 pid_one_command: /usr/lib/systemd/systemd
 - name: debian-10
 driver:
diff --git a/.kitchen.yml b/.kitchen.yml
index c5227bb..178ee30 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -17,6 +17,8 @@ platforms:
 - name: rockylinux-8
 - name: rockylinux-9
 - name: oracle-7
+- name: oracle-8
+- name: oracle-9
 - name: debian-10
 - name: debian-11
 - name: fedora-37
diff --git a/README.md b/README.md
index badfd99..5470dab 100644
--- a/README.md
+++ b/README.md
@@ -32,12 +32,12 @@ It will not:
 - Debian 10, 11
 - Ubuntu 18.04, 20.04
-- RHEL 7
+- RHEL 7, 8, 9
 - CentOS 7
-- Oracle Linux 7
+- CentOS Stream 8, 9
+- Oracle Linux 7, 8, 9
 - AlmaLinux 8, 9
 - Rocky Linux 8, 9
-- CentOS Stream 8, 9
 - Fedora 37, 38
 - OpenSuse Leap 42
 - Amazon Linux 1, 2
From a198d3d52aa901b76a129f2cd366a65fafe6f5c2 Mon Sep 17 00:00:00 2001
From: Emmanuel Iturbide
Date: Thu, 9 Nov 2023 19:09:31 +0100
Subject: [PATCH 3/5] Allow modification of all values in auditd template

Signed-off-by: Emmanuel Iturbide
Signed-off-by: Tim de Koning
---
 attributes/default.rb | 13 +++++++++++
 recipes/auditd.rb | 38 +++++++++++++++++++------------
 templates/default/auditd.conf.erb | 20 ++++++++--------
 3 files changed, 47 insertions(+), 24 deletions(-)

diff --git a/attributes/default.rb b/attributes/default.rb
index 68071a2..d0e8c6b 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
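Review bot: The existing oracle-7 entry is moved from the Docker Hub `oraclelinux:7` image to `dokken/oraclelinux-7` in the same hunk that adds oracle-8 and oracle-9, and neither the subject nor the body of the commit mentions that switch. Changing which registry namespace the test images come from changes what is actually exercised in CI and who publishes it, so the intent should be recorded where the next reader will look. Presumably the `pid_one_command` line added right below it is the reason (the dokken images are expected to run systemd as PID 1), but that is inferred; a comment such as `# dokken/ image so the platform boots with systemd as PID 1, like the other entries` above the oracle-7 entry, or a sentence in the commit message, would settle it.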
@@ -252,7 +252,20 @@
 end
 # rubocop:enable Metrics/BlockLength
+
+
+
 # auditd config
+default['os-hardening']['auditd']['log_file'] = '/var/log/audit/audit.log'
+default['os-hardening']['auditd']['log_format'] = 'RAW'
+default['os-hardening']['auditd']['max_log_file_action'] = 'keep_logs'
+default['os-hardening']['auditd']['space_left'] = 75
+default['os-hardening']['auditd']['action_mail_acct'] = 'root'
+default['os-hardening']['auditd']['space_left_action'] = 'EMAIL'
+default['os-hardening']['auditd']['admin_space_left'] = 50
+default['os-hardening']['auditd']['admin_space_left_action'] = 'halt'
+default['os-hardening']['auditd']['disk_full_action'] = 'SUSPEND'
+default['os-hardening']['auditd']['disk_error_action'] = 'SUSPEND'
 default['os-hardening']['auditd']['flush'] = 'INCREMENTAL'
 default['os-hardening']['auditd']['log_group'] = 'root'
 default['os-hardening']['auditd']['priority_boost'] = '4'
diff --git a/recipes/auditd.rb b/recipes/auditd.rb
index 4dc332e..5d009b9 100644
--- a/recipes/auditd.rb
+++ b/recipes/auditd.rb
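Review bot: The ten new auditd attributes carry no comment on what values are acceptable, and the keyword casing is mixed (`'keep_logs'` and `'halt'` lower-case next to `'SUSPEND'`); the same mix remains after the patch 4 hunk that resets `space_left_action` and `admin_space_left_action`. These values are now rendered verbatim into auditd.conf, and as far as I recall auditd refuses to start on an unrecognised keyword, so a typo in a wrapper cookbook's override would quietly leave the host without audit logging rather than fail the Chef run. I would add a comment above the block, e.g. `# Rendered verbatim into auditd.conf; keep the *_action values to keywords auditd accepts (see auditd.conf(5))`, and settle on one casing for the keywords (auditd appears to match them case-insensitively, so either is fine, but mixed casing invites a reader to think it matters).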
@@ -43,20 +43,30 @@
 owner 'root'
 group 'root'
 variables(
- flush: node['os-hardening']['auditd']['flush'],
- log_group: node['os-hardening']['auditd']['log_group'],
- priority_boost: node['os-hardening']['auditd']['priority_boost'],
- freq: node['os-hardening']['auditd']['freq'],
- num_logs: node['os-hardening']['auditd']['num_logs'],
- disp_qos: node['os-hardening']['auditd']['disp_qos'],
- dispatcher: node['os-hardening']['auditd']['dispatcher'],
- name_format: node['os-hardening']['auditd']['name_format'],
- max_log_file: node['os-hardening']['auditd']['max_log_file'],
- tcp_listen_queue: node['os-hardening']['auditd']['tcp_listen_queue'],
- tcp_max_per_addr: node['os-hardening']['auditd']['tcp_max_per_addr'],
- tcp_client_max_idle: node['os-hardening']['auditd']['tcp_client_max_idle'],
- enable_krb5: node['os-hardening']['auditd']['enable_krb5'],
- krb5_principal: node['os-hardening']['auditd']['krb5_principal']
+ log_file: node['os-hardening']['auditd']['log_file'],
+ log_format: node['os-hardening']['auditd']['log_format'],
+ max_log_file_action: node['os-hardening']['auditd']['max_log_file_action'],
+ space_left: node['os-hardening']['auditd']['space_left'],
+ action_mail_acct: node['os-hardening']['auditd']['action_mail_acct'],
+ space_left_action: node['os-hardening']['auditd']['space_left_action'],
+ admin_space_left: node['os-hardening']['auditd']['admin_space_left'],
+ admin_space_left_action: node['os-hardening']['auditd']['admin_space_left_action'],
+ disk_full_action: node['os-hardening']['auditd']['disk_full_action'],
+ disk_error_action: node['os-hardening']['auditd']['disk_error_action'],
+ flush: node['os-hardening']['auditd']['flush'],
+ log_group: node['os-hardening']['auditd']['log_group'],
+ priority_boost: node['os-hardening']['auditd']['priority_boost'],
+ freq: node['os-hardening']['auditd']['freq'],
+ num_logs: node['os-hardening']['auditd']['num_logs'],
+ disp_qos: node['os-hardening']['auditd']['disp_qos'],
+ dispatcher: 
node['os-hardening']['auditd']['dispatcher'],
+ name_format: node['os-hardening']['auditd']['name_format'],
+ max_log_file: node['os-hardening']['auditd']['max_log_file'],
+ tcp_listen_queue: node['os-hardening']['auditd']['tcp_listen_queue'],
+ tcp_max_per_addr: node['os-hardening']['auditd']['tcp_max_per_addr'],
+ tcp_client_max_idle: node['os-hardening']['auditd']['tcp_client_max_idle'],
+ enable_krb5: node['os-hardening']['auditd']['enable_krb5'],
+ krb5_principal: node['os-hardening']['auditd']['krb5_principal']
 )
 notifies :restart, 'service[auditd]'
 action :create
diff --git a/templates/default/auditd.conf.erb b/templates/default/auditd.conf.erb
index cbc0f16..49289f0 100644
--- a/templates/default/auditd.conf.erb
+++ b/templates/default/auditd.conf.erb
@@ -5,17 +5,17 @@
 #--
 # Specified by linux-baseline
-log_file = /var/log/audit/audit.log
-log_format = RAW
+log_file = <%= @log_file %>
+log_format = <%= @log_format %>
 flush = <%= @flush %>
-max_log_file_action = keep_logs
-space_left = 75
-action_mail_acct = root
-space_left_action = SYSLOG
-admin_space_left = 50
-admin_space_left_action = SUSPEND
-disk_full_action = SUSPEND
-disk_error_action = SUSPEND
+max_log_file_action = <%= @max_log_file_action %>
+space_left = <%= @space_left %>
+action_mail_acct = <%= @action_mail_acct %>
+space_left_action = <%= @space_left_action %>
+admin_space_left = <%= @admin_space_left %>
+admin_space_left_action = <%= @admin_space_left_action %>
+disk_full_action = <%= @disk_full_action %>
+disk_error_action = <%= @disk_error_action %>
 # Unspecified, auditd defaults unless overwritten
 log_group = <%= @log_group %>
From 5cfde01b5905c24974a9bd9135751ce402363fba Mon Sep 17 00:00:00 2001
From: Tim de Koning
Date: Thu, 14 Dec 2023 18:38:49 +0100
Subject: [PATCH 4/5] Switch defaults back to what they were

Default space_left_action was SYSLOG and admin_space_left_action was SUSPEND
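Review bot: The rewritten `variables(...)` hash re-lists all 24 keys under `node['os-hardening']['auditd']` by hand, so every future auditd setting has to be added in three places (attributes, this hash, the template), and a key forgotten here renders as an empty `<%= @x %>`, producing a `key = ` line that auditd is unlikely to accept. If everything under that attribute path is template input (the attributes hunk suggests so, but the full attribute file is not visible here), the hash can be derived from it instead: `variables(node['os-hardening']['auditd'].to_h.transform_keys(&:to_sym))`, which keeps the three places from drifting apart. The enclosing `template` resource starts above this hunk.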
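Review bot: The `# Specified by linux-baseline` heading now sits above values that are read from node attributes, so it no longer tells a reader of the rendered /etc/audit/auditd.conf where the numbers come from or that they can be overridden. I would change it to `# Defaults follow linux-baseline; override via node['os-hardening']['auditd'][...]` and add one line recording the baseline values this hunk removed from the template (`space_left_action = SYSLOG`, `admin_space_left_action = SUSPEND`, `disk_full_action = SUSPEND`, `disk_error_action = SUSPEND`), so that an override which relaxes the baseline on a host is visible next to the effective value rather than only in the cookbook history.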
Signed-off-by: Tim de Koning
---
 attributes/default.rb | 4 ++--
 templates/default/login.defs.erb | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/attributes/default.rb b/attributes/default.rb
index d0e8c6b..6313df2 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -261,9 +261,9 @@
 default['os-hardening']['auditd']['max_log_file_action'] = 'keep_logs'
 default['os-hardening']['auditd']['space_left'] = 75
 default['os-hardening']['auditd']['action_mail_acct'] = 'root'
-default['os-hardening']['auditd']['space_left_action'] = 'EMAIL'
+default['os-hardening']['auditd']['space_left_action'] = 'SYSLOG'
 default['os-hardening']['auditd']['admin_space_left'] = 50
-default['os-hardening']['auditd']['admin_space_left_action'] = 'halt'
+default['os-hardening']['auditd']['admin_space_left_action'] = 'SUSPEND'
 default['os-hardening']['auditd']['disk_full_action'] = 'SUSPEND'
 default['os-hardening']['auditd']['disk_error_action'] = 'SUSPEND'
 default['os-hardening']['auditd']['flush'] = 'INCREMENTAL'
diff --git a/templates/default/login.defs.erb b/templates/default/login.defs.erb
index e294cf5..e51dd63 100644
--- a/templates/default/login.defs.erb
+++ b/templates/default/login.defs.erb
@@ -181,7 +181,7 @@ ENCRYPT_METHOD SHA512
 # Obsoleted by PAM
 # ================
-# These options are now handled by PAM. Please edit the appropriate file in `/etc/pam.d/` to enable the equivelants of them.
+# These options are now handled by PAM. Please edit the appropriate file in `/etc/pam.d/` to enable the equivalents of them.
 #MOTD_FILE
 #DIALUPS_CHECK_ENAB
 #LASTLOG_ENAB
From a197f2ceff6640ce3f708f8150c4c4508e877136 Mon Sep 17 00:00:00 2001
From: Tim de Koning
Date: Thu, 21 Dec 2023 09:41:12 +0100
Subject: [PATCH 5/5] Remove blank lines

Signed-off-by: Tim de Koning
---
 attributes/default.rb | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/attributes/default.rb b/attributes/default.rb
index 6313df2..cc0b3b4 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -252,9 +252,6 @@
 end
 # rubocop:enable Metrics/BlockLength
-
-
-
 # auditd config
 default['os-hardening']['auditd']['log_file'] = '/var/log/audit/audit.log'
 default['os-hardening']['auditd']['log_format'] = 'RAW'