Potential error in section 4 about ubuntu1604-cis HOT 7 CLOSED

Hmm - hold on a sec. When I look at that folder on a running Ubuntu 16.04 instances, I see the following:

support@xxx-i04f2fe3931285439b:~$ sudo ls -la /etc/audit/rules.d
total 20
drwxr-x--- 2 root root 4096 Feb 15 13:58 .
drwxr-x--- 3 root root 4096 Feb 15 14:00 ..
-rw-r--r-- 1 root root 8454 Feb 15 13:58 osas-auditd-rhel7.rules

So, it looks like the /etc/audit/rules.d/audit.rules folder doesn't exist. Does it need to be created, or should we use the osas-auditd-rhel7.rules file?

from ubuntu1604-cis.

Hmmm - a little bit curious. When I start a vanilla Ubuntu 16.04 and install auditd, I see the following:

root@ip:/etc/audit# ls -lR *
-rw-r----- 1 root root  701 Jan 18  2016 auditd.conf
-rw-r----- 1 root root  373 Jan 18  2016 audit.rules

rules.d:
total 4
-rw-r----- 1 root root 373 Jan 18  2016 audit.rules

There is /etc/audit/audit.rules as well as /etc/audit/rules.d/audit.rules

from ubuntu1604-cis.

I will check the duplicate code and fix it.

from ubuntu1604-cis.

Why do you need to create audit.rules in the Dockerfile?

from ubuntu1604-cis.

duplicate code is fixed.
The Dockerfile was for testing with travis. But they did some changes and it does not work anymore.
I will switch to molecule for automatic ansible role testing with the next version.

from ubuntu1604-cis.

All audit rules are generated correctly in /etc/audit/audit.rules by the role in my test environment.
It looks like you use a second role which creates osas-auditd-rhel7.rules
Please let me know if there are other problems with the original topic. Otherwise I would like to close the issue.

from ubuntu1604-cis.

Youre right; I ran two roles to harden the OS, which created the other audit file. Thanks for all your hard work!

from ubuntu1604-cis.