New Package Request: audit

[c4rt0]

What, if any, are the additional dependencies on the package? (i.e. does it pull in Python, Perl, etc)

[root@cosa-devsh ~]# rpm-ostree install --dry-run audit
...
Installing 2 packages:
  audit-3.0.9-1.fc37.x86_64 (fedora)
  initscripts-service-10.17-1.fc37.noarch (fedora)

What is the size of the package and its dependencies?

$ rpm -qi audit

Name        : audit
Version     : 3.0.9
Release     : 1.fc37
Architecture: x86_64
Install Date: Sat 05 Nov 2022 09:00:50
Group       : Unspecified
Size        : 684113
License     : GPLv2+
Signature   : RSA/SHA256, Tue 30 Aug 2022 00:18:08, Key ID f55ad3fb5323552a
Source RPM  : audit-3.0.9-1.fc37.src.rpm
Build Date  : Mon 29 Aug 2022 23:06:47
Build Host  : buildvm-x86-26.iad2.fedoraproject.org
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://people.redhat.com/sgrubb/audit/
Bug URL     : https://bugz.fedoraproject.org/audit
Summary     : User space tools for kernel auditing

$  rpm -qi initscripts-service                                                                                                                                                                  1 err  11:39:35 
Name        : initscripts-service
Version     : 10.17
Release     : 1.fc37
Architecture: noarch
Install Date: Sat 05 Nov 2022 08:43:04
Group       : Unspecified
Size        : 5832
License     : GPLv2
Signature   : RSA/SHA256, Wed 24 Aug 2022 09:18:04, Key ID f55ad3fb5323552a
Source RPM  : initscripts-10.17-1.fc37.src.rpm
Build Date  : Wed 24 Aug 2022 09:13:16
Build Host  : buildvm-x86-14.iad2.fedoraproject.org
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://github.com/fedora-sysv/initscripts
Bug URL     : https://bugz.fedoraproject.org/initscripts
Summary     : Support for service command

What problem are you trying to solve with this package? Or what functionality does the package provide?

The audit package contains the user space utilities for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 and later kernels.

Can the software provided by the package be run from a container? Explain why or why not.

Yes, in theory, but it's likely not supported and will probably not work well with host filesystem rules.

Can the tool(s) provided by the package be helpful in debugging container runtime issues?

No

Can the tool(s) provided by the package be helpful in debugging networking issues?

No

Is it possible to layer the package onto the base OS as a day 2 operation? Explain why or why not.

Yes

In the case of packages providing services and binaries, can the packaging be adjusted to just deliver binaries?

TODO: Fill in bugs tracking that from previous issue

Can the tool(s) provided by the package be used to do things we’d rather users not be able to do in FCOS?

N/A

Does the software provided by the package have a history of CVEs?

No

?? https://www.cvedetails.com/product/13730/Linux-Audit.html?vendor_id=33

[travier]

For the first question we need the output of Paste here the output of rpm-ostree install --dry-run <package> from a fresh Fedora CoreOS node. (see issue template text).

[travier]

Same for the second question, check the issue template text

[travier]

See also #461

[c4rt0]

Updated comment regarding rpm-ostree output in the first question.

[travier]

For the second question, you should to give us the info for each package listed in the answer to the first question.

[travier]

Next steps (can be done in parallel):

• Make a PR adding audit to fedora-coreos-config
• Make a PR for https://bugzilla.redhat.com/show_bug.cgi?id=1827263 WONTFIX

[c4rt0]

Updated comment referring to size of the initscripts package

[travier]

Hum, we need the info for the initscripts-service package, not the initscripts one 🙂.

[c4rt0]

Of course - updated 😶‍🌫️

[jlebon]

IMO, I don't think we should add initscripts-service to FCOS as is. It brings back /usr/sbin/service which is a legacy API. We discussed in the meeting maybe doing something in postprocessing as a last resort, but ideally we come to an agreement at the packaging level to e.g. lower it to a weak dep maybe and shipping auditd-{condrestart,reload,restart,resume,rotate,state,stop} scripts instead (those are the supported service actions that rely on direct signaling).

[travier]

Looking at https://bugzilla.redhat.com/show_bug.cgi?id=1827263 and the auditd.service unit again (https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd.service), it's not clear to me that we should remove either auditctl or augenrules.

[travier]

Context for service binary removal:

• https://bugzilla.redhat.com/show_bug.cgi?id=1768815

[travier]

The audit package already includes the following scripts (https://github.com/linux-audit/audit-userspace/tree/master/init.d):

$ rpm -ql audit-3.0.9-1.fc37.x86_64 | grep legacy
/usr/libexec/initscripts/legacy-actions/auditd
/usr/libexec/initscripts/legacy-actions/auditd/condrestart
/usr/libexec/initscripts/legacy-actions/auditd/reload
/usr/libexec/initscripts/legacy-actions/auditd/restart
/usr/libexec/initscripts/legacy-actions/auditd/resume
/usr/libexec/initscripts/legacy-actions/auditd/rotate
/usr/libexec/initscripts/legacy-actions/auditd/state
/usr/libexec/initscripts/legacy-actions/auditd/stop

[travier]

• Option A: The short option is thus just to remove the service binary and man page in a post-script.
• Option B: The long option is to rewrite those as a proper standalone script that is not correlated to the service binary.
• Option C: Another option is to move the service binary somewhere else and include a wrapper script that only accepts auditd as an option for calls to service auditd <stop|restart|...> and rejects everything else.

[travier]

Flagging for meeting discussion but I won't be here this week so maybe next week.

[c4rt0]

Since I was on a course last week, I wonder if there were any debate related to this topic?

[travier]

Not yet. There will likely be this week.

[travier]

You can check the meeting logs (see the README in this repo) for each meeting.

[travier]

Links to existing docs about the service interface for audit:

• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-starting_the_audit_service
• https://access.redhat.com/solutions/2664811

[travier]

Past discussion: https://bugzilla.redhat.com/show_bug.cgi?id=1768815

[travier]

We'll have to reach out to the audit maintainers to see which path they would prefer to ideally implement option B.

[travier]

Note for when we enable next-devel: we'll have to confirm that initscripts-service is not pulled-in.

[jlebon]

Note for when we enable next-devel: we 'll have to confirm that initscripts-service is not pulled-in.

Opened coreos/fedora-coreos-config#2591 which will guarantee this. :)

[dustymabe]

The fix for this went into next stream release 39.20230916.1.1. Please try out the new release and report issues.

[dustymabe]

The fix for this went into testing stream release 39.20231101.2.0. Please try out the new release and report issues.

[dustymabe]

The fix for this went into stable stream release 39.20231101.3.0.