CIS rules silently partially fail to be activated on Ubuntu
jblaine opened this issue
Cookbook version
2.3.4
Chef-client version
15
Platform Details
Ubuntu 18.04.3 LTS
Scenario:
Trying to apply cis.rules on Ubuntu
Steps to Reproduce:
include_recipe 'auditd::default'
auditd_ruleset 'cis.rules' do
cookbook 'mitre-ipac-auditd'
end
Expected Result:
I expected cis.rules to work on Ubuntu
Actual Result:
The rules loaded are a partial set of cis.rules. I suspect everyone using this cookbook on Ubuntu, with the included cis.rules, is NOT auditing what they think!
m26560@ipac-ub18-tplt:~$ sudo auditctl -l
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F key=time-change
-w /etc/localtime -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
m26560@ipac-ub18-tplt:~$
My assessment is that this is because the next rule is "-w /etc/sysconfig/network -p wa -k system-locale" and this quietly fails (and short-circuits all further rule loading!) because /etc/sysconfig/network does not exist on an Ubuntu disk. There are certainly other issues further down the file.
Instead of /etc/sysconfig/network, the Ubuntu rule should be -w /etc/network -p wa -k system-locale per the CIS Benchmark for Ubuntu 18. However, as mentioned in the original issue above, there are other EL-centric issues further down the file related to rules in this cookbook's wholly EL-centric templates/default/cis.rules
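A pre-flight check for the failure mode described above, added here as an example and not part of the issue or the cookbook: it parses the `-w` watch rules out of an audit rules file and reports every watched path that does not exist on the target filesystem, so an operator can spot an EL-only path such as /etc/sysconfig/network before the file is handed to auditctl and compare `auditctl -l` against the intended rule set. The sample rules and the Ubuntu-like directory tree in `demo()` are constructed for illustration; the `root` parameter is an assumption of this script that lets the same rules be checked against a staged image instead of the live host.

```python
import os
import shlex
import sys
import tempfile

# Constructed sample in the shape of the CIS system-locale watches from the
# issue, including the EL-only /etc/sysconfig/network path.
SAMPLE_RULES = """\
# system-locale watches (constructed sample, CIS-style)
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/network -p wa -k system-locale
"""


def parse_watch_rules(text):
    """Return (line_no, path, perms, key) for every '-w' file-watch rule.

    '-a' syscall rules carry no path and are skipped; both '-k KEY' and
    '-F key=KEY' spellings of the key are recognised.
    """
    watches = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        if "-w" not in argv:
            continue
        path = perms = key = None
        i = 0
        while i < len(argv) - 1:  # flags in a -w rule always come in pairs
            flag, value = argv[i], argv[i + 1]
            if flag == "-w":
                path = value
            elif flag == "-p":
                perms = value
            elif flag == "-k":
                key = value
            elif flag == "-F" and value.startswith("key="):
                key = value[len("key="):]
            i += 2
        if path is not None:
            watches.append((line_no, path, perms, key))
    return watches


def missing_watch_paths(text, root="/"):
    """Return (line_no, path) for each watch whose path is absent under root.

    root="/" checks the live host; pointing root at a mounted or staged
    image checks the rules against another platform's tree.
    """
    missing = []
    for line_no, path, _perms, _key in parse_watch_rules(text):
        real = os.path.join(root, path.lstrip("/"))
        if not os.path.lexists(real):
            missing.append((line_no, path))
    return missing


def demo():
    """Check SAMPLE_RULES against a constructed Ubuntu-like tree.

    The tree has /etc/issue, /etc/hosts and /etc/network but, like the
    Ubuntu host in the issue, no /etc/sysconfig/network.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc", "network"))
        for name in ("issue", "hosts"):
            open(os.path.join(root, "etc", name), "w").close()
        return missing_watch_paths(SAMPLE_RULES, root=root)


if __name__ == "__main__":
    # Usage: python check_watches.py /etc/audit/rules.d/cis.rules
    # With no argument the constructed demo tree is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            problems = missing_watch_paths(fh.read())
    else:
        problems = demo()
    for line_no, path in problems:
        print(f"line {line_no}: watched path {path} does not exist")
    sys.exit(1 if problems else 0)
```

Run this against the rendered rules file on each platform the cookbook targets before it is loaded, and treat a non-zero exit as a reason to stop the converge; once the rules are loaded, diff `auditctl -l` against the file's expected keys as a second check, since the report above shows that a clean-looking partial list is exactly what a silent load failure produces.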