Closed Bug 926466 Opened 11 years ago Closed 10 years ago

Add and enable auditd on puppetagain-hosted linux systems

Category: Infrastructure & Operations :: RelOps: Puppet
Type: task; Priority: Not set; Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: dustin; Assigned: dustin
Whiteboard: [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/377]
Attachments: 1 file

I'll need some help from opsec on how to do this without killing the hosts or changing performance characteristics.  Auditd seems to be buggy and heavyweight, so I'm worried.
Michael, do you have any particular guidance here?  I don't want to re-invent the wheel, if I don't have to.
:ulfr, is this something we need to do, or can we just use mig?
Whiteboard: [time=10:00]
MIG is for investigations. Auditd for monitoring.

MIG does not monitor security events at all. So the only way to keep track of security events on systems is through auditd and logs centralization.

:kang is our local auditd expert.
Met today with :dustin and :kang.
Notes:
* Documentation is at https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=26416895
* First target is servers. test/build machines should not be in the initial scope.
* Auditd rules can be ramped up to slowly increase the load while we test.
* Mozdef receives auditd events. CEF events route through syslog. JSON events HTTP POST directly to Mozdef's API endpoint.

action items:
* provide RPM/DEB packages for 32/64-bit (:kang)
* create custom repos and auditd module in puppetagain
* short term use auditd-cef to log to local syslog
We'd probably start with this on servers and see how it goes.  Deploying it on test machines would come later -- there are the usual concerns with memory (messages are cached to a configurable level) and CPU usage.

For the moment, this is Linux-only (Ubuntu and CentOS).  OS X can do auditd, but that's not planned yet.

It doesn't look like we'd have a lot of trouble with kernel versions - the LKM should work with all of the versions we have.

On Ubuntu, there are different versions of libaudit, so we'd need to install a different compiled version of auditd for each Ubuntu dist.

We'll eventually need 32-bit packages, although all of our servers are 64-bit, so that's a place to start.  These would be deployed in custom apt and yum repos on the puppet masters, and then installed via a puppet package.  The audisp-{cef,json} packages are easy to build with a make command (via fpm).  auditd itself is in the upstream centos/ubuntu repos.

Shipping logs to mozdef: infra does this via the syslog servers (in CEF).  We could also ship logs directly to mozdef (via https with JSON).  We'll want to figure out how much data we'd be slinging around before turning it on (and can test this in relabs).  We can start by sending to the infra syslog servers and go from there.
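The meeting notes above say CEF events reach mozdef through syslog, and this comment wants to know how much data that pipe would carry before it is turned on. The following is an added example for this thread, not code from the bug, from audisp-cef or from the puppet repo: it parses syslog lines carrying CEF (unescaping the header and the key=value extension) and totals events and bytes per signature ID. The sample lines are constructed, and the extension keys used in them (suser, dhost, dproc, msg, act, fname) are standard CEF keys chosen for illustration, not a claim about what audisp-cef actually emits.

```python
"""Parse CEF lines as audisp-cef would hand them to syslog, and size the volume.

Added example for this bug thread; not code from the bug, audisp-cef or the
puppet repo. SAMPLE_LINES are constructed, and their extension keys are
standard CEF keys picked for illustration (an assumption about the real output).
"""
import re
from collections import defaultdict

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# "Mon DD HH:MM:SS host tag: CEF:..." as rsyslog writes it to /var/log/messages
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:]+): (?P<body>CEF:.*)$")

# key=value pairs in the extension; a value runs until whitespace that is
# followed by another key=, so spaces and escaped "\=" inside a value survive
EXT_RE = re.compile(r"([A-Za-z0-9_.]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)")


def _unescape(s, extension=False):
    """Undo CEF escaping: backslash-pipe and backslash-backslash in the header;
    backslash-equals, backslash-backslash, backslash-n and backslash-r in extensions."""
    def repl(m):
        c = m.group(1)
        if extension and c == "n":
            return "\n"
        if extension and c == "r":
            return "\r"
        return c
    return re.sub(r"\\(.)", repl, s)


def _split_header(body):
    """Split on the first seven unescaped pipes; the remainder is the extension."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):      # keep escape pairs intact
            cur.append(body[i:i + 2])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs seven pipe-delimited fields: %r" % body)
    return fields, body[i:]


def parse_cef_line(line):
    """Return a dict for a syslog line carrying CEF, or None for any other line."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    header, extension = _split_header(m.group("body"))
    event = {"syslog_ts": m.group("ts"), "syslog_host": m.group("host"),
             "syslog_tag": m.group("tag")}
    for name, raw in zip(HEADER_FIELDS, header):
        event[name] = _unescape(raw)
    event["version"] = event["version"][len("CEF:"):]       # "CEF:0" -> "0"
    event["extension"] = {k: _unescape(v, extension=True)
                          for k, v in EXT_RE.findall(extension)}
    return event


def volume_by_signature(lines):
    """Count events and raw bytes per signature ID: the numbers you want
    before pointing a fleet of hosts at the syslog servers."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        event = parse_cef_line(line)
        if event is None:
            continue
        stats[event["signature_id"]][0] += 1
        stats[event["signature_id"]][1] += len(line.encode("utf-8"))
    return {sig: tuple(v) for sig, v in stats.items()}


# Constructed sample: three CEF events plus one unrelated syslog line.
SAMPLE_LINES = [
    "Oct 13 09:15:01 relabs-host1 audispd: CEF:0|Mozilla|auditd|1.0|EXECVE|Unix Exec|5|"
    "suser=root dhost=relabs-host1 dproc=/bin/ls msg=uid\\=0 cmd\\=ls -la act=allow",
    "Oct 13 09:15:02 relabs-host1 audispd: CEF:0|Mozilla|auditd|1.0|EXECVE|Unix Exec|5|"
    "suser=buildbot dhost=relabs-host1 dproc=/usr/bin/python msg=cmd\\=python run.py",
    "Oct 13 09:15:03 relabs-host1 audispd: CEF:0|Mozilla|auditd|1.0|WRITE|Config change\\|audit|7|"
    "fname=/etc/audit/audit.rules suser=root",
    "Oct 13 09:15:04 relabs-host1 puppet-agent[1234]: Finished catalog run in 12.3 seconds",
]

if __name__ == "__main__":
    for sig, (count, nbytes) in sorted(volume_by_signature(SAMPLE_LINES).items()):
        print("%-8s %4d events %6d bytes" % (sig, count, nbytes))
```

Run it against a day of /var/log/messages from a relabs host and the per-signature byte totals tell you which rules dominate the volume, which is the knob the ramp-up plan turns.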
See Also: → 1066145
We're going to consider the audisp-{cef,json} packages to be upstream from puppetagain, so we won't have a .spec in the puppet manifests -- just like for mig-agent.

So once I have those packages, I'll get started deploying this in relabs, then on production servers.
Apparently the packages are all in mrepo.  Silly me :)
Note to self: we need to enable a nagios check to make sure auditd is running, too.
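One shape such a check can take, as an added example for this thread rather than the check that was eventually deployed: a Nagios-style plugin that reads `auditctl -s` and distinguishes "auditing disabled", "no daemon registered with the kernel" (records then never reach syslog or mozdef) and "kernel had to drop records". It accepts both `auditctl -s` output layouts, one "key value" per line and the older single "AUDIT_STATUS: key=value ..." line; which layout a given CentOS or Ubuntu package prints is an assumption to verify on the host.

```python
"""Nagios-style check that auditd is actually auditing on this host.

Added example for this bug thread, not the check that was deployed. Both
`auditctl -s` layouts handled below are assumptions to verify against the
audit userspace version installed on the host.
"""
import subprocess
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def parse_auditctl_status(text):
    """Turn `auditctl -s` output into a dict of string values."""
    status = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("AUDIT_STATUS:"):          # older one-line layout
            for token in line.split()[1:]:
                key, _, value = token.partition("=")
                if key:
                    status[key] = value
        else:                                         # "key value" per line
            parts = line.split(None, 1)
            if len(parts) == 2:
                status[parts[0]] = parts[1]
    return status


def evaluate(status, max_lost=0):
    """Map a parsed status to a Nagios (exit code, message) pair.

    enabled=0 and pid=0 are both CRITICAL: in the first case nothing is
    audited, in the second the kernel has no daemon to hand records to.
    Records the kernel dropped (lost > max_lost) are WARNING: the host is
    auditing, but the log has gaps.
    """
    if "enabled" not in status:
        return UNKNOWN, "UNKNOWN - could not parse auditctl -s output"
    enabled = status["enabled"]
    pid = status.get("pid", "0")
    try:
        lost = int(status.get("lost", "0"))
    except ValueError:
        return UNKNOWN, "UNKNOWN - unparseable lost counter %r" % status.get("lost")
    if enabled == "0":
        return CRITICAL, "CRITICAL - auditing disabled (enabled=0)"
    if pid == "0":
        return CRITICAL, "CRITICAL - no auditd registered with the kernel (pid=0)"
    if lost > max_lost:
        return WARNING, "WARNING - kernel dropped %d audit records (pid %s)" % (lost, pid)
    locked = " (rules locked)" if enabled == "2" else ""
    return OK, "OK - auditd pid %s, lost=%d%s" % (pid, lost, locked)


def run_check(argv=("auditctl", "-s")):
    """Run auditctl and return the Nagios result; needs root or CAP_AUDIT_CONTROL."""
    try:
        out = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return UNKNOWN, "UNKNOWN - cannot run auditctl: %s" % exc
    if out.returncode != 0:
        return UNKNOWN, "UNKNOWN - auditctl exited %d: %s" % (
            out.returncode, out.stderr.strip())
    return evaluate(parse_auditctl_status(out.stdout))


if __name__ == "__main__":
    code, message = run_check()
    print(message)
    sys.exit(code)
```

A check on the service PID alone would miss the case where auditd is up but the kernel is not sending it anything; asking the kernel via `auditctl -s` covers both.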
If necessary, we also have centos7 packages now :)
I can make more if needed, otherwise: make rpm / make dev automagically make them with fpm.
This will need to partner with the log aggregation work for it to do anything useful (as it is, the logs just go to the local syslog).

We don't have any Ubuntu servers, so I haven't added Ubuntu support yet, but when we cover slaves we'll need to add that.
Attachment #8501329 - Flags: review?(bugspam.Callek)
Whiteboard: [time=10:00]
Blocks: 1079912
Comment on attachment 8501329 [details] [diff] [review]
bug926466-centos.patch

Review of attachment 8501329 [details] [diff] [review]:
-----------------------------------------------------------------

I may not get to this review until early next week; if it's needed sooner, please redirect or discuss with me
A Pivotal Tracker story has been created for this Bug: https://www.pivotaltracker.com/story/show/80405248
Whiteboard: [kanban:engops:https://kanbanize.com/ctrl_board/6/377]
> I may not get to this review until early next week; if it's needed sooner, please redirect
> or discuss with me

...3 weeks later...
Comment on attachment 8501329 [details] [diff] [review]
bug926466-centos.patch

Review of attachment 8501329 [details] [diff] [review]:
-----------------------------------------------------------------

ick sorry this sat for so long
Attachment #8501329 - Flags: review?(bugspam.Callek) → review+
Oops -- this typo breaks the dependencies:

diff --git a/modules/auditd/manifests/init.pp b/modules/auditd/manifests/init.pp
index c29da4b..b4a0967 100644
--- a/modules/auditd/manifests/init.pp
+++ b/modules/auditd/manifests/init.pp
@@ -1,16 +1,16 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 class auditd($host_type) {
     include packages::auditd
     include packages::audisp_cef
-    $pacakges = [
+    $packages = [
         Class['packages::auditd'],
         Class['packages::audispd_cef'],
     ]
 
     # filter legitimate host types; these are used by the
     # rules template to decide how to configure the host
     case $host_type {
         'slave': { }
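Review bot: the array on the `+    $packages = [` line still names `Class['packages::audispd_cef']`, while the class included two lines above it is `packages::audisp_cef`. With `$pacakges` misspelled the array was never consulted and the mismatch was hidden; once the spelling is fixed the reference to the never-included `packages::audispd_cef` class will not resolve. Change the element to `Class['packages::audisp_cef']` (or rename the include) so the two agree.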
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
bustage fix in comment 17: http://hg.mozilla.org/build/puppet/rev/56740aafb27b
and another bustage fix: https://hg.mozilla.org/build/puppet/rev/a0257ecc6548

(both typos, the first making the second visible)
Whiteboard: [kanban:engops:https://kanbanize.com/ctrl_board/6/377] → [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/377]
This adds a lot of lines to /var/log/messages, when perhaps it's of most use to opsec through their systems. Do we have the option of suppressing it in /var/log/messages?