Cookbook version

2.3.4

Chef-client version

15

Platform Details

Ubuntu 18.04.3 LTS

Scenario:

Trying to apply cis.rules on Ubuntu

Steps to Reproduce:

include_recipe 'auditd::default'

auditd_ruleset 'cis.rules' do
  cookbook 'mitre-ipac-auditd'
end

Expected Result:

I expected cis.rules to work on Ubuntu

Actual Result:

The rules loaded are a partial set of cis.rules. I suspect everyone using this cookbook on Ubuntu, with the included cis.rules, is NOT auditing what they think!

m26560@ipac-ub18-tplt:~$ sudo auditctl -l
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F key=time-change
-w /etc/localtime -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
m26560@ipac-ub18-tplt:~$

My assessment is that this is because the next rule is "-w /etc/sysconfig/network -p wa -k system-locale" and this quietly fails (and short-circuits all further rule loading!) because /etc/sysconfig/network does not exist on an Ubuntu disk. There are certainly other issues further down the file.

Instead of /etc/sysconfig/network, the Ubuntu rule should be -w /etc/network -p wa -k system-locale per the CIS Benchmark for Ubuntu 18. However, as mentioned in the original issue above, there are other EL-centric issues further down the file related to rules in this cookbook's wholly EL-centric templates/default/cis.rules