Job for auditd.service invalid #716

Open
fernando-eickhoff opened this issue Nov 16, 2023 · 4 comments

fernando-eickhoff commented Nov 16, 2023

Description

I updated my ansible collection to use the latest release 9.0.0 expecting a common issue I was having in my playbooks to have been solved, but after the upgrade the issue persists.

Reproduction steps

Use the following collection version:

- name: devsec.hardening
  version: 9.0.0

Declare the usage of the role with the following arguments:

- role: devsec.hardening.os_hardening
  vars:
    os_auditd_max_log_file_action: ignore
    os_auditd_max_log_file: 0
    os_auditd_num_logs: 2
    sysctl_overwrite:
      net.ipv4.ip_forward: 0

Current Behavior

I am receiving the following error:

amazon-ebs.vault: RUNNING HANDLER [devsec.hardening.os_hardening : Restart auditd] ***************
amazon-ebs.vault: fatal: [default]: FAILED! => {"changed": true, "cmd": ["service", "auditd", "restart"], "delta": "0:00:02.402959", "end": "2023-11-16 21:01:19.219623", "msg": "non-zero return code", "rc": 1, "start": "2023-11-16 21:01:16.816664", "stderr": "Job for auditd.service invalid.", "stderr_lines": ["Job for auditd.service invalid."], "stdout": "Stopping logging: [  OK  ]\r\nRedirecting start to /bin/systemctl start auditd.service", "stdout_lines": ["Stopping logging: [  OK  ]", "Redirecting start to /bin/systemctl start auditd.service"]}

Expected Behavior

A success in the devsec.hardening.os_hardening role execution

OS / Environment

I'm running ansible inside an aws ebs host provisioned by packer https://developer.hashicorp.com/packer/integrations/hashicorp/amazon/latest/components/builder/ebs

Ansible Version

latest from apt-get install -y ansible

Collection Version

- name: devsec.hardening
  version: 9.0.0

schurzi commented Nov 17, 2023

Thanks for reporting this, we were not aware of additional issues with audit. The only issues currently known to us are #533 and #660.

This seems like a new problem. Can you provide additional logs to gather some more infos? Output from syslog/journal would be great.

deimi commented Nov 30, 2023

I have the same issue, but with a different kind of host. The host I want to set up with ansible is Debian running in a lxc container.
It seems that auditd is not seamlessly running inside containers. So at the moment you need to run the container with special privileges or don't use auditd inside a container. https://discuss.linuxcontainers.org/t/lxd-container-auditd-fails-to-install/4320

Just writing this, in case anyone else is having the same issue and searching for a solution. Don't know if this was actually the same root cause as @fernandoeickhoff-lk had.

I guess this issue #191 is related, but there is no detailed error description, so it's harder to find.

schurzi commented Dec 1, 2023

Yes, audit is not fully compatible with container environments. This seems like a general problem and the suggestion that I am able to find is to only run auditing on the host Linux and not in the containers.

Maybe it's best if we skip all audit tasks when we detect a container environment like docker or lxc/lxd. Opinions on this @rndmh3ro?

schurzi commented Dec 1, 2023

Things seem more complicated. Additional information:
https://bugzilla.redhat.com/show_bug.cgi?id=893751
linux-audit/audit-kernel#32
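
Added example, not part of the thread and not the project's code: one way to detect the container environments named above (docker, lxc/lxd) before deciding whether auditd should be managed on a machine. The function names and the optional root-directory argument are assumptions made for this sketch; the markers it reads are the common conventions (systemd's /run/systemd/container, the container= variable of PID 1, /.dockerenv, /run/.containerenv).

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from devsec.hardening).
# container_type prints the container manager detected for the filesystem
# rooted at $1 (default "/"), or "none". The root argument only exists so
# the checks can be exercised against a constructed directory tree.
container_type() {
    root="${1:-/}"
    root="${root%/}"    # "/" becomes "", so the paths below stay absolute

    # systemd running as PID 1 in a container records the manager here.
    if [ -r "$root/run/systemd/container" ]; then
        head -n 1 "$root/run/systemd/container"
        return 0
    fi

    # LXC/LXD and systemd-nspawn export container=<type> to PID 1.
    # Reading /proc/1/environ normally requires root.
    if [ -r "$root/proc/1/environ" ]; then
        ct=$(tr '\000' '\n' < "$root/proc/1/environ" \
             | sed -n 's/^container=//p' | head -n 1)
        if [ -n "$ct" ]; then
            echo "$ct"
            return 0
        fi
    fi

    # Marker files created by Docker and Podman.
    if [ -e "$root/.dockerenv" ]; then echo docker; return 0; fi
    if [ -e "$root/run/.containerenv" ]; then echo podman; return 0; fi

    echo none
}

# Exit status 0 means a container was detected, i.e. auditing is better
# left to the host, as suggested in the thread.
should_skip_auditd() {
    [ "$(container_type "${1:-/}")" != "none" ]
}
```

Run as root on the target, `should_skip_auditd && echo "container detected, leave auditd to the host"` gives a quick answer before the role's auditd handler is reached.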
