ansible-auditd's Issues

Socket auditing rules fail to load with "Multiple rule insert/delete operations are not allowed"

Running auditd version audit-2.8.5-4.el7.x86_64 on oracle uek kernel 4.14.35-1902.300.11.el7uek.x86_64

When I set auditd_log_all_socket: true in defaults/main.yml, all of the rules are placed into /etc/audit/rules.d/90-extra.rules as expected, but they are all commented out.

If I uncomment the rules and manually attempt to load them I get an error.
[root@localhost rules.d]# auditctl -a exit,always -F arch=b32 -a0=2 -F a1=1 -S socket -k socket_call_ipv4_tcp
Multiple rule insert/delete operations are not allowed

I'm not an expert on audit rules, but I think the rule itself may be written wrong. I know the error is with -a0=2 because when I remove it the rule is accepted without comment. It looks like you are attempting to select some fields to go into the log? Should the entry be -F a0=2 instead? When I change the rule this way, it is accepted by auditd.
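
Why the message appears, as an added example that is not part of the issue or the role's code: auditctl's option parser takes `-a0=2` as a second `-a` with the attached argument `0=2`, so the rule carries two add operations. The function names and the sample input are constructed for illustration, and the check is a heuristic over whitespace-separated tokens.

```shell
#!/bin/sh
# Added example (not from the role): heuristic lint for audit rule lines.

# count_rule_ops RULE: print how many add/delete operations the line carries.
# Any token starting with -a, -A or -d counts, because the option parser reads
# "-a0=2" as option -a with the attached argument "0=2".
count_rule_ops() {
    n=0
    set -f                      # no globbing while word-splitting the rule
    for tok in $1; do
        case "$tok" in
            -a*|-A*|-d*) n=$((n + 1)) ;;
        esac
    done
    set +f
    echo "$n"
}

# lint_rules: read rules on stdin, print "LINE: rule" for every line with more
# than one operation, and return 1 if any such line was found.
lint_rules() {
    lineno=0
    bad=0
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;    # skip blank lines and comments
        esac
        if [ "$(count_rule_ops "$line")" -gt 1 ]; then
            echo "$lineno: $line"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: the rule from the report, then the -F a0=2 variant.
SAMPLE='-a exit,always -F arch=b32 -a0=2 -F a1=1 -S socket -k socket_call_ipv4_tcp
-a exit,always -F arch=b32 -F a0=2 -F a1=1 -S socket -k socket_call_ipv4_tcp'
printf '%s\n' "$SAMPLE" | lint_rules || echo "fix the lines listed above"
```

Run over a generated rules file before loading it, a non-zero return marks lines that would be rejected with this error.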

Bug: auditd path is incorrect for 20.04

Prerequisites

  • Ensure no duplicate issue
  • Using an up-to-date latest release or tag
  • Tested an up-to-date latest HEAD
  • Collected play logs on verbose mode aka ansible-playbook -vvv playbook.yml. Redact any sensitive information.
  • Ensuring using latest stable underlying software (ansible, operating systems...)

Your Environment

  • Version used: -
  • Server type and version: Azure VM
  • Operating System and version: Ubuntu 20.04
  • Link to your project: -
# cat /etc/os-release 
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

Expected behavior

Audit configuration should be pushed into the right directory, which is used by auditd.

Actual behavior

Because of Ubuntu 20.04 (and not 22.x) you fixed the variable of the auditd path to /etc/audisp. But on my systems it looks like auditctl 2.8.5 already uses /etc/auditd.

Steps to reproduce

Ansible task:

- name: Install Role auditd from juju4 galaxy
  ansible.builtin.include_role:
    name: juju4.auditd
  vars:
    auditd_laurel_enable: true
    install_archives: /tmp

Possible Solution (Not obligatory)

Perhaps it is better to register the variable after you have installed the package; that way you can dynamically check where the audit configuration folder is.


Loading rules fail if no LVM is active on the system

If LVM isn't installed on a machine this rule will break augenrules --load due to missing /var/lock/lvm.

Process: 26020 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
augenrules[26020]: Error sending add rule data request (No such file or directory)
augenrules[26020]: There was an error in line 12 of /etc/audit/audit.rules

- '-a exit,never -F dir=/var/lock/lvm'

AnsibleFilterError: Version comparison: LooseVersion instance has no attribute 'version'

The task [auditd : setup rsyslog to send audisp logs to a specific target] is failing with AnsibleFilterError: Version comparison: LooseVersion instance has no attribute 'version'

I have no idea what it means and I'm wondering why would it fail there as it is just a template call...

host:

python2.7.17
ansible 2.5.1

host-target:
debian 10

If you have an idea on what to look for to understand the error I would be very grateful.
ansible-playbook -vvv doesn't give interesting information, just SSH EXEC some tmp file where it uploaded the script to be run

file error rsyslog-audisp.yml

TASK [auditd : get rsyslog version] ***************************************************************************************************************************************************************************** fatal: [uhm01]: FAILED! => {"changed": false, "cmd": "rsyslogd -v | awk 'match($0, /rsyslogd\\s+([0-9.]+)/, a) { print a[1] }'", "delta": "0:00:00.002221", "end": "2020-06-05 11:02:56.666150", "msg": "non-zero return code", "rc": 2, "start": "2020-06-05 11:02:56.663929", "stderr": "awk: line 1: syntax error at or near ,", "stderr_lines": ["awk: line 1: syntax error at or near ,"], "stdout": "", "stdout_lines": []}
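
The stderr text in this log is what an awk other than gawk prints for the three-argument `match()`, which is a gawk extension (as is `\s`). An added example, not the role's code, that extracts the version with POSIX awk only; `rsyslog_version`, `version_ge`, the `8.24` threshold and the sample `rsyslogd -v` line are assumptions made for illustration, and the numeric comparison goes beyond the log to show how the extracted value can be compared safely.

```shell
#!/bin/sh
# Added example (not from the role): rsyslog version handling with POSIX awk.

# rsyslog_version: read `rsyslogd -v` output on stdin, print the version.
# POSIX match() takes two arguments and reports the hit via RSTART/RLENGTH.
rsyslog_version() {
    awk '$1 == "rsyslogd" && match($2, /^[0-9][0-9.]*/) {
        print substr($2, RSTART, RLENGTH)
        exit
    }'
}

# version_ge A B: succeed when dotted version A >= B, comparing each component
# as a number (a string compare would rank 8.2001 below 8.24).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Constructed sample of the first line of `rsyslogd -v` output.
SAMPLE_V='rsyslogd  8.2001.0 (aka 2020.01) compiled with:'
ver=$(printf '%s\n' "$SAMPLE_V" | rsyslog_version)
if version_ge "$ver" 8.24; then
    echo "rsyslog $ver is at least 8.24"
fi
```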

Role fails with Ansible 2.7.6 and Python3

ansible is throwing the following error when executed on ubuntu 18.04 targets with python3:

failed: [omitted] (item=05-exclusions) => {"changed": false, "item": "05-exclusions", "msg": "AnsibleError: Unexpected templating type error occurred on ({{ ansible_managed | comment }}\n# Exclusions\n{% for r in auditd_exclusion_rules %}\n{{ r }}\n{% endfor %}\n{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version >= 16) or (ansible_os_family == \"RedHat\" and ansible_distribution_major_version >= '7') %}\n{% for r in auditd_exclusion_rules2 %}\n{{ r }}\n{% endfor %}\n{% endif %}\n\n): '>=' not supported between instances of 'AnsibleUnsafeText' and 'int'"}

I'm assuming it's this report: ansible/ansible#50388 where the answer is to fix the code, not compare strings with ints.
