Manage auditd using service instead of exec #40
Conversation
amlodzianowski
changed the title
|
sounds reasonable. also, good call on the will take a look through and get this merged in soon. |
disable auditd using the service resource instead of execs set provider on rhel7 to disable auditd added comments for auditd provider case linting fixes to pass travis ci disable auditd using the service resource instead of execs
|
oh, i remember why that exists. we're not explicitly managing |
|
@rockpapergoat If someone manages auditd in an outside module, all they need to do is declare the ::threatstack class with |
|
true, true. i need to push some changes to docs related to our last release and will get these changes in. looking at it now. |
|
@amlodzianowski i just merged in a better way to deal with this and will release 2.0.7 on the forge shortly. will close this PR for now, but let us know what you think of the changes. thanks again for sending us these edits! |
|
Looks good! And great idea with using the auditd module to control the service, no need to manage providers here. Once 2.0.7 is released we will run a test on our side to make sure all issues are gone. Thanks! |
|
cool, yeah… let us know. what i found in quick tests on centos was that the auditd systemd unit file prevents manually stopping/starting the service once it's up, so using the auditd module to wave a magic wand at the problem was easier in this case. it should be relatively safe to assume the module will know what to do on supported OSes here. if it doesn't, we'll fire up a PR for that module. |
|
I think we might see issues with Amazon Linux 201X / 2.0 according to what's here: But we'll run a test and confirm |
|
@rockpapergoat as expected, it is failing on our Amazon Linux 2 instances: Looks like this condition needs to be modified: Using the legacy-action script, everything works fine: Let me know if you'd like me to submit the PR or if you want to take care of it. The other systems we tested are looking good, progress! |
|
@amlodzianowski interesting. thanks for the update. would you mind submitting the PR? i can probably tag team the problem with you but am in the middle of something at the moment. so the issue is on amazon linux 2 but not amazon linux 1? |
|
Sure thing, I'll submit the PR a little later today. And yes, Amazon Linux works 1 works but 2 is failing. For Amazon Linux 2 they finally switched to systemd which we just need to catch in the statement |
|
I'm not sure if that module is still maintained since the last release happened in December 2016 and there are 8 different pull requests that were never reviewed. Let me know how you would like to proceed in case this is not merged in in a timely matter |
We were running into the following issue on Amazon Linux 2 systems if Puppet was being invoked via cron:
/Stage[main]/Threatstack::Package/Exec[stop_auditd] Could not evaluate: invalid byte sequence in US-ASCIILooking at the way auditd was managed was very inefficient on RedHat based systems - the execs would be executed on every single Puppet run. This seemed like a clear case to use the Puppet service provider.
There is a small caveat on RedHat 7+ systems - systemd can't be used to start/stop auditd. Details are available here:
https://access.redhat.com/solutions/2664811