juju4 / ansible-auditd
setup and configure linux auditd
License: BSD 2-Clause "Simplified" License
TASK [auditd : get rsyslog version] *****************************************************************************************************************************************************************************
fatal: [uhm01]: FAILED! => {"changed": false, "cmd": "rsyslogd -v | awk 'match($0, /rsyslogd\\s+([0-9.]+)/, a) { print a[1] }'", "delta": "0:00:00.002221", "end": "2020-06-05 11:02:56.666150", "msg": "non-zero return code", "rc": 2, "start": "2020-06-05 11:02:56.663929", "stderr": "awk: line 1: syntax error at or near ,", "stderr_lines": ["awk: line 1: syntax error at or near ,"], "stdout": "", "stdout_lines": []}
Running auditd version audit-2.8.5-4.el7.x86_64 on oracle uek kernel 4.14.35-1902.300.11.el7uek.x86_64
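The awk failure above comes from the three-argument match() and the \s escape, both gawk extensions that mawk (the default awk on Ubuntu and Debian) rejects with exactly that "syntax error at or near ,". As an added example, not the role's own task, here are two portable ways to pull the version out of rsyslogd -v; the sample output in the test is constructed.

```shell
#!/bin/sh
# Portable replacements for the gawk-only
#   awk 'match($0, /rsyslogd\s+([0-9.]+)/, a) { print a[1] }'
# Both read "rsyslogd -v" output on stdin, print the first version
# string found (e.g. "8.2001.0") and return 1 if no version line exists,
# so a caller can tell "no rsyslog" from "parsed fine".

# sed variant: only POSIX classes and basic regex, works with GNU and BSD sed.
rsyslog_version() {
  sed -n '/^rsyslogd[[:space:]]/{s/^rsyslogd[[:space:]]*\([0-9][0-9.]*\).*/\1/p;q;}' | grep .
}

# awk variant: two-argument match() plus RSTART/RLENGTH, which every awk
# (gawk, mawk, busybox) implements; "exit" stops after the first hit.
rsyslog_version_awk() {
  awk '/^rsyslogd[ \t]/ && match($0, /[0-9]+(\.[0-9]+)+/) {
         print substr($0, RSTART, RLENGTH); exit
       }' | grep .
}

# Typical use from a task or script:
#   rsyslogd -v 2>/dev/null | rsyslog_version
```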
When I set auditd_log_all_socket: true in defaults/main.yml, all of the rules are placed into /etc/audit/rules.d/90-extra.rules as expected, but they are all commented out.
If I uncomment the rules and manually attempt to load them I get an error.
[root@localhost rules.d]# auditctl -a exit,always -F arch=b32 -a0=2 -F a1=1 -S socket -k socket_call_ipv4_tcp
Multiple rule insert/delete operations are not allowed
I'm not an expert on audit rules, but I think the rule itself may be written wrong. I know the error is with -a0=2 because when I remove it the rule is accepted without comment. It looks like you are attempting to select some fields to go into the log? Should the entry be -F a0=2 instead? When I change the rule this way, it is accepted by auditd.
ansible is throwing the following error when executed on ubuntu 18.04 targets with python3:
failed: [omitted] (item=05-exclusions) => {"changed": false, "item": "05-exclusions", "msg": "AnsibleError: Unexpected templating type error occurred on ({{ ansible_managed | comment }}\n# Exclusions\n{% for r in auditd_exclusion_rules %}\n{{ r }}\n{% endfor %}\n{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version >= 16) or (ansible_os_family == \"RedHat\" and ansible_distribution_major_version >= '7') %}\n{% for r in auditd_exclusion_rules2 %}\n{{ r }}\n{% endfor %}\n{% endif %}\n\n): '>=' not supported between instances of 'AnsibleUnsafeText' and 'int'"}
I'm assuming it's this report: ansible/ansible#50388 where the answer is to fix the code, not compare strings with ints.
# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
Audit configuration should be pushed into the right directory which is used by auditd.
Because of Ubuntu 20.04 (and not 22.x) you fixed the variable of the auditd path to /etc/audisp. But on my systems it looks like auditctl 2.8.5 already uses /etc/auditd.
Ansible task:
- name: Install Role auditd from juju4 galaxy
  ansible.builtin.include_role:
    name: juju4.auditd
  vars:
    auditd_laurel_enable: true
    install_archives: /tmp
Perhaps it is better to register the variable after you installed the package; that way you can dynamically check where the audit configuration folder is.
Hi,
I need to manage AWS EC2 machines.
So please add Amazon Linux 2 to the supported OS list.
Thanks,
The task [auditd : setup rsyslog to send audisp logs to a specific target] is failing with AnsibleFilterError: Version comparison: LooseVersion instance has no attribute 'version'
I have no idea what it means and I'm wondering why would it fail there as it is just a template call...
host:
python2.7.17
ansible 2.5.1
host-target:
debian 10
If you have an idea on what to look for to understand the error I would be very grateful.
ansible-playbook -vvv doesn't give interesting information, just SSH EXEC of some tmp file where it uploaded the script to be run.
If LVM isn't installed on a machine this rule will break augenrules --load due to missing /var/lock/lvm.
Process: 26020 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
augenrules[26020]: Error sending add rule data request (No such file or directory)
augenrules[26020]: There was an error in line 12 of /etc/audit/audit.rules
ansible-auditd/defaults/main.yml, line 51 in 377b69c
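Both this report and the -a0=2 socket rule report above fail only at load time: auditctl's getopt reads "-a0=2" as a second "-a" (hence "Multiple rule insert/delete operations are not allowed"), and a "-w" watch on a path absent from the host is refused with ENOENT, which aborts the whole rules file. As an added example, not code from the role, this POSIX shell linter catches both classes before augenrules --load; the rule lines in the test are constructed.

```shell
#!/bin/sh
# Pre-flight lint for audit rule lines, run before "augenrules --load".
# Findings this catches:
#  * "-a" whose argument is not "list,action", and any "-aXXX" token such
#    as "-a0=2" where a field test "-F a0=2" was meant (a0=2 is AF_INET,
#    a1=1 is SOCK_STREAM for the socket syscall);
#  * "-w" watch on a path that does not exist on this host (for example
#    /var/lock/lvm on a machine without LVM).
# Reads rules on stdin, prints one "LINE: problem" per finding, returns 0
# when clean and 1 otherwise. Assumes rule arguments are never quoted, so
# splitting on whitespace is safe (true for audit.rules syntax).
audit_rules_lint() {
  rc=0
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
    set -f                                       # no globbing while splitting
    set -- $line
    set +f
    while [ $# -gt 0 ]; do
      case "$1" in
        -a)
          case "${2:-}" in
            exit,*|task,*|user,*|exclude,*|filesystem,*|always,*|never,*) ;;
            *) echo "$n: -a expects list,action, got '${2:-}'"; rc=1 ;;
          esac ;;
        -a*)
          echo "$n: unknown option '$1' (a field test is written '-F ${1#-}')"
          rc=1 ;;
        -w)
          [ -e "${2:-}" ] || {
            echo "$n: watch path '${2:-}' does not exist on this host"; rc=1
          } ;;
      esac
      shift
    done
  done
  return "$rc"
}

# Typical use: audit_rules_lint < /etc/audit/rules.d/90-extra.rules
```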