
including audit in Fedora CoreOS #461

Closed
dustymabe opened this issue Apr 15, 2020 · 12 comments
Labels: jira (for syncing to jira), status/decided, status/pending-action (Needs action)

Comments

dustymabe (Member) commented Apr 15, 2020

We have been discussing whether or not to include the audit rpm (includes the audit daemon) in Fedora CoreOS. The discussion started over in #220 and we also discussed it in the community meeting today.

There are some changes upstream that we'd like to track/discuss that include:

What others exist?

Also if you are a user and need the audit tools, please speak up so we can get a feeling for how much need there is.

egeturgay commented Apr 21, 2020

+1 for auditctl and augenrules (not full-blown auditd); we currently use them (on CoreOS) for enabling auditd's file integrity management feature by adding rules, where it's a requirement from a PCI compliance perspective.

Additional rules land in /etc/audit/rules.d on CoreOS with configs such as
-w /etc -p wa -k file_integrity
and a systemd unit, named audit-rules, is provided for restarting auditd upon config change.

lucab (Contributor) commented Apr 23, 2020

I've followed up and reported https://bugzilla.redhat.com/show_bug.cgi?id=1827263 wrt. package splitting, which should tackle @egeturgay's case above.

dustymabe (Member, Author)

We discussed this in the last weekly meeting.

  * AGREED: we work with upstream to remove initscripts and to support
    complex configuration split, we don't block on complex configuration
    split. TBD is if we will not wait on the initscripts removal and
    forcibly remove it ourselves.  (dustymabe, 17:38:46)

Next steps here would be to reach out to upstream to try to solve the specific problem related to the initscripts dependency. It is my understanding that audit providing its own utility to do the same thing service is doing should suffice.

@egeturgay

For those who need this capability until FCOS includes auditctl and augenrules, a slightly hacky solution is:

  • copy auditctl (binary; checked with ldd for lib deps and it looks fine) and augenrules (shell script) from the fedora31 docker image to remote storage (i.e. s3), and modify augenrules to call auditctl from a known path (/opt/bin)
  • download them into /opt/bin via Ignition or a systemd unit
  • create a one-shot systemd unit to generate and load the rules

wernerb commented Feb 15, 2021

For anyone visiting, I can recommend using auditbeat from elastic. It works with a single binary and ships off the audit log and is capable of loading audit rules as well.

gtema commented Nov 29, 2021

Is there any update for the native auditd?

travier (Member) commented Dec 7, 2021

See also: https://src.fedoraproject.org/rpms/setroubleshoot/pull-request/29.
Prerequisite for most of that to happen is to work on https://bugzilla.redhat.com/show_bug.cgi?id=1768815#c11

@dan1el-k

Any updates on the native auditd? What I can see is that the dependent issue (https://bugzilla.redhat.com/show_bug.cgi?id=1768815#c11) hasn't been touched for 1 1/2 years.

Are there any alternatives available meanwhile which can make use of the auditd rules?

We are relying on FCOS for our OKD clusters in our company, where we require auditd or an alternative for providing logs to a SIEM system, and with OKD, rpm-ostree install is also not an option.

So we would appreciate any implementation in this direction.

@travier travier added the meeting topics for meetings label Oct 25, 2022
travier (Member) commented Oct 25, 2022

https://bugzilla.redhat.com/show_bug.cgi?id=1768815 is done so we should revisit this one.

Maybe we should make a classic "new package" request to streamline things?

travier (Member) commented Oct 25, 2022

We might still need https://bugzilla.redhat.com/show_bug.cgi?id=1827263 but that should be easier.

dustymabe (Member, Author)

We discussed this at the community meeting today.

12:03:36   dustymabe | #info we think we're in a better position to include auditd in
                     | FCOS now, though there is still some work remaining. travier
                     | will enumerate the remaining work and look to find volunteers.

@travier travier added the jira for syncing to jira label Nov 15, 2022
@dustymabe dustymabe removed the meeting topics for meetings label Nov 16, 2022
@c4rt0 c4rt0 self-assigned this Nov 22, 2022
travier (Member) commented Jan 30, 2023

Closing this one now as the work and discussion are tracked in #1362

@travier travier closed this as completed Jan 30, 2023