Version 2.3.4 on supermarket fails to configure /etc/audit/auditd.conf on redhat systems #57

Open
foobarbam opened this issue Feb 6, 2019 · 1 comment

foobarbam commented Feb 6, 2019

Cookbook version

2.3.4

Chef-client version

13.6.4

Platform Details

centos 7.4.1708

Scenario:

The changes detailed at 84c30ce#diff-3145628960d821e12b5cc7c0cb6d1b39 didn't make it into version 2.3.4 released on supermarket at https://supermarket.chef.io/cookbooks/auditd, so berks caches version 2.3.4 of the cookbook from supermarket, which doesn't have this fix.

Steps to Reproduce:

  1. Create wrapper cookbook
  2. add default['auditd']['ruleset'] = 'cis' to attributes/default.rb
  3. add include_recipe 'auditd::conf' to recipes/default.rb
  4. Add depends 'auditd', '~> 2.3.4' to metadata.rb
  5. run berks install
  6. configure .kitchen.yml to have a centos 7 VM
  7. run kitchen converge centos-7

Expected Result:

/etc/audit/auditd.conf is updated when running the auditd::conf recipe on centos/redhat instead of /etc/audit/cis.auditd.

Actual Result:

Does not configure /etc/audit/auditd.conf, instead configuring /etc/audit/cis.auditd.

Snippet detailing the errant configuration file path

       Recipe: auditd::conf
         * auditd_conf_file[cis.auditd] action create
           * template[/etc/audit/cis.auditd] action create
             - create new file /etc/audit/cis.auditd
             - update content in file /etc/audit/cis.auditd from none to 64477b
             --- /etc/audit/cis.auditd	2019-02-06 20:40:55.410125292 +0000

Reviewing the berkshelf cache:

    [[email protected]]$ cat ~/.berkshelf/cookbooks/auditd-2.3.4/resources/conf_file.rb
    #
    # Cookbook:: auditd
    # Resource:: auditd_conf_file
    #
    # Copyright:: 2018, Chef Software, Inc.
    #
    # Licensed under the Apache License, Version 2.0 (the "License");
    # you may not use this file except in compliance with the License.
    # You may obtain a copy of the License at
    #
    #     http://www.apache.org/licenses/LICENSE-2.0
    #
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.
    #

    property :cookbook, String

    action :create do
      extend AuditD::Helper

      template auditd_conffile(new_resource.name) do
        source "#{new_resource.name}.conf.erb"
        cookbook new_resource.cookbook if new_resource.cookbook
        notifies :reload, 'service[auditd]'
      end
    end

foobarbam (Author)

Seems auditd::default has the same issue with the service reload.

Recipe: auditd::default
  * service[auditd] action reload[2019-02-06T21:42:48+00:00] INFO: Processing service[auditd] action reload (auditd::default line 24)

    
    ================================================================================
    Error executing action `reload` on resource 'service[auditd]'
    ================================================================================
    
    Mixlib::ShellOut::ShellCommandFailed
    ------------------------------------
    Expected process to exit with [0], but received '3'
    ---- Begin output of /usr/bin/systemctl --system reload auditd ----
    STDOUT: 
    STDERR: Failed to reload auditd.service: Job type reload is not applicable for unit auditd.service.
    See system logs and 'systemctl status auditd.service' for details.
    ---- End output of /usr/bin/systemctl --system reload auditd ----
    Ran /usr/bin/systemctl --system reload auditd returned 3
    
    Resource Declaration:
    ---------------------
    # In /var/chef/cache/cookbooks/auditd/recipes/default.rb
    
     24: service 'auditd' do
     25:   restart_command '/usr/libexec/initscripts/legacy-actions/auditd/restart' if platform_family?('rhel') && node['init_package'] == 'systemd'
     26:   supports [:start, :stop, :restart, :reload, :status]
     27:   action :enable
     28: end

Looking in the berks cache, the default recipe doesn't have the reload command:

    [[email protected]]$ cat ~/.berkshelf/cookbooks/auditd-2.3.4/recipes/default.rb
    #
    # Cookbook:: auditd
    # Recipe:: default
    #
    # Copyright:: 2012-2017, Heavy Water Operations, LLC.
    #
    # Licensed under the Apache License, Version 2.0 (the "License");
    # you may not use this file except in compliance with the License.
    # You may obtain a copy of the License at
    #
    #     http://www.apache.org/licenses/LICENSE-2.0
    #
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.
    #

    extend AuditD::Helper

    package auditd_package_name_for(node['platform_family'])

    service 'auditd' do
      restart_command '/usr/libexec/initscripts/legacy-actions/auditd/restart' if platform_family?('rhel') && node['init_package'] == 'systemd'
      supports [:start, :stop, :restart, :reload, :status]
      action :enable
    end
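
Added example (not part of the issue and not the auditd cookbook's code): a Ruby check that can be run over saved `kitchen converge` output in CI to flag the two symptoms reported above, an `auditd_conf_file` template written anywhere other than /etc/audit/auditd.conf and a systemd reload of auditd that is rejected. The function name, the finding format and the sample log are constructed for illustration; the sample's lines are taken from the output quoted in the issue.

```ruby
# Added example: flag the two symptoms from this issue in Chef converge output.
EXPECTED_CONF = '/etc/audit/auditd.conf'.freeze

# Constructed sample, assembled from the converge output quoted in the issue.
SAMPLE_LOG = <<~'LOG'
  Recipe: auditd::conf
    * auditd_conf_file[cis.auditd] action create
      * template[/etc/audit/cis.auditd] action create
        - create new file /etc/audit/cis.auditd
  Recipe: auditd::default
    * service[auditd] action reload
  Error executing action `reload` on resource 'service[auditd]'
  STDERR: Failed to reload auditd.service: Job type reload is not applicable for unit auditd.service.
LOG

# Returns an array of finding hashes (hypothetical format); empty means clean.
def audit_converge_findings(log, expected: EXPECTED_CONF)
  findings = []
  inside_conf_resource = false
  log.each_line do |line|
    case line
    when /^\s*Recipe: /
      # A new recipe starts, so any open auditd_conf_file context is over.
      inside_conf_resource = false
    when /^\s*\* auditd_conf_file\[.+?\] action create/
      inside_conf_resource = true
    when /^\s*\* template\[(.+?)\] action create/
      path = Regexp.last_match(1)
      # auditd reads /etc/audit/auditd.conf by default; a template written to
      # any other path leaves the daemon's real configuration unmanaged.
      if inside_conf_resource && path != expected
        findings << { type: :wrong_conf_path, path: path }
      end
      inside_conf_resource = false
    when /Job type reload is not applicable for unit (\S+)\.service/
      # systemd refused the reload, so a changed config was never picked up.
      findings << { type: :reload_unsupported, unit: Regexp.last_match(1) }
    end
  end
  findings
end
```

Calling `audit_converge_findings(File.read(path_to_log))` and failing the pipeline on a non-empty result catches a cached cookbook release that silently leaves /etc/audit/auditd.conf at its defaults.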
