Comments (6)

konstruktoid avatar konstruktoid commented on June 15, 2024

Hi @AdrianPop, this is expected behavior when auditd_apply_audit_rules: true, https://github.com/konstruktoid/ansible-role-hardening/blob/master/defaults/main/auditd.yml#L2C1-L2C31

from ansible-role-hardening.

AdrianPop avatar AdrianPop commented on June 15, 2024

@konstruktoid yes, indeed. I've read the config files and figured that out in the end.

But which rule from here https://github.com/konstruktoid/ansible-role-hardening/blob/master/templates/etc/audit/rules.d/hardening.rules.j2 produces the output from above for docker?

One of them seems this -w /tmp -p wxa -k tmp, but I cannot identify the other one for docker.

from ansible-role-hardening.

AdrianPop avatar AdrianPop commented on June 15, 2024

Also, these rules are not working as expected imho

auditd_max_log_file: 8
auditd_max_log_file_action: keep_logs
auditd_num_logs: 5

According to auditd docs, when max_log_file_action is set to keep_logs it ignores the num_logs.

I've managed to make it work by changing: max_log_file_action = rotate

from ansible-role-hardening.
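As an added example (not code from the ansible-role-hardening project and not part of this thread), the following Python checker parses an auditd.conf fragment, applies the auditd.conf(5) rule referred to above (num_logs is only honoured when max_log_file_action is rotate, and rotate with num_logs below 2 does not rotate), and puts the combination reported in the issue beside the corrected one. The config fragments are constructed from the values in the comment; the function names are my own, and only the two actions the thread discusses are modelled.

```python
"""Added example: detect the keep_logs / num_logs mismatch in an auditd.conf
fragment and compute the disk bound the settings actually provide.
Not code from ansible-role-hardening; function names are this example's own."""
import re

# Constructed auditd.conf fragment with the combination reported in the issue.
WEAK_CONF = """\
max_log_file = 8
max_log_file_action = keep_logs
num_logs = 5
"""

# The same fragment after the change that made rotation work.
FIXED_CONF = WEAK_CONF.replace("keep_logs", "rotate")

_KEY_VALUE = re.compile(r"^([A-Za-z_]+)\s*=\s*(\S+)$")


def parse_auditd_conf(text):
    """Return {key: value} for an auditd.conf body; blank and '#' lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _KEY_VALUE.match(line)
        if not m:
            raise ValueError(f"unparseable auditd.conf line: {raw!r}")
        settings[m.group(1).lower()] = m.group(2)
    return settings


def rotation_policy(settings):
    """Describe what auditd does once the active log reaches max_log_file.

    Returns (action, files_kept, warnings). files_kept is None when nothing
    bounds the number of files. Per auditd.conf(5): num_logs applies only to
    rotate, and rotate with num_logs < 2 does not rotate at all.
    """
    action = settings.get("max_log_file_action", "").lower()
    num_logs = int(settings.get("num_logs", "0"))
    warnings = []
    if action == "rotate":
        if num_logs < 2:
            warnings.append(f"num_logs={num_logs}: rotate needs num_logs >= 2, "
                            "so logs will not rotate")
            return action, 1, warnings
        return action, num_logs, warnings
    if action == "keep_logs":
        # keep_logs renames each full log and never deletes any of them,
        # so num_logs has no effect and the file count is unbounded.
        if "num_logs" in settings:
            warnings.append(f"num_logs={num_logs} is ignored with keep_logs; "
                            "only max_log_file_action = rotate uses it")
        return action, None, warnings
    raise ValueError(f"max_log_file_action={action or 'unset'!r} is not modelled here")


def max_disk_mb(settings):
    """Worst-case on-disk size of the audit logs in MB, or None if unbounded."""
    _, files_kept, _ = rotation_policy(settings)
    if files_kept is None:
        return None
    # max_log_file is expressed in megabytes.
    return int(settings.get("max_log_file", "0")) * files_kept


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        s = parse_auditd_conf(conf)
        action, kept, warns = rotation_policy(s)
        print(f"{label}: action={action} files_kept={kept} max_disk_mb={max_disk_mb(s)}")
        for w in warns:
            print(f"  warning: {w}")
```

With the values from the comment, the keep_logs variant reports an unbounded log footprint and a warning that num_logs is ignored, while the rotate variant gives a hard bound of 8 MB times 5 files. Running it against a real /etc/audit/auditd.conf is a quick way to confirm the role's rendered settings before relying on rotation.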

konstruktoid avatar konstruktoid commented on June 15, 2024

> Also, these rules are not working as expected imho
>
> auditd_max_log_file: 8
> auditd_max_log_file_action: keep_logs
> auditd_num_logs: 5
>
> According to auditd docs, when max_log_file_action is set to keep_logs it ignores the num_logs.
>
> I've managed to make it work by changing: max_log_file_action = rotate

Nice catch, I'll update these settings later today. auditd_max_log_file can most likely be increased as well.

from ansible-role-hardening.

konstruktoid avatar konstruktoid commented on June 15, 2024

> @konstruktoid yes, indeed. I've read the config files and figured that out in the end.
>
> But which rule from here https://github.com/konstruktoid/ansible-role-hardening/blob/master/templates/etc/audit/rules.d/hardening.rules.j2 produces the output from above for docker?
>
> One of them seems this -w /tmp -p wxa -k tmp, but I cannot identify the other one for docker.

I believe a couple of log entries are missing from your post, but please try aureport --key docker, aureport -t or aureport -x.

from ansible-role-hardening.

AdrianPop avatar AdrianPop commented on June 15, 2024

I've copied only a few logs, as you can see, all of them have the same logging second: :58

from ansible-role-hardening.
