Version information
This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x
- Puppet >= 5.0.0 < 7.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-auditd', '8.2.1'
Learn more about managing modules with a Puppetfile
Overview
This module manages the Audit daemon, kernel parameters, and related subsystems.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they can be submitted to our JIRA.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems will be disabled by default and must be explicitly opted into by administrators. Please review simp_options for details.
Module Description
You can use this module for the management of all components of auditd including configuration, service management, kernel parameters, and custom rule sets.
By default, a rule set is provided that should meet a reasonable set of operational goals for most environments.
The audit kernel parameter may optionally be managed independently of the rest of the module using the ::auditd::config::grub class.
Setup
Setup Requirements
If auditd::syslog is true, you will need to install simp/rsyslog as a dependency.
What Auditd Affects
- The audit kernel parameter
  - NOTE: This will be applied to all kernels in your standard grub configuration
- The auditd service
- The auditd configuration in /etc/auditd.conf
- The auditd rules in /etc/audit/rules.d
- The audispd configuration in /etc/audisp/audispd.conf
- The audispd syslog configuration in /etc/audisp/plugins.d/syslog.conf
Usage
Basic Usage
# Set up auditd with the default settings
# A message will be printed indicating that you need to reboot for this option
# to take full effect at each Puppet run until you reboot your system.
include '::auditd'
Disabling Auditd
To disable auditd at boot, set the following in hieradata:
auditd::at_boot: false
Changing Key Values
To override the default values included in the module, you can either include new values for the keys at the time that the classes are declared, or set the values in hieradata:
# In a manifest:
class { '::auditd':
  ignore_failures => true,
  log_group       => 'root',
  flush           => 'INCREMENTAL'
}

# In hieradata:
auditd::ignore_failures: true
auditd::log_group: 'root'
auditd::flush: 'INCREMENTAL'
Limitations
SIMP Puppet modules are generally intended to be used on a Red Hat Enterprise Linux-compatible distribution such as EL6 and EL7.
Development
Please read our Contribution Guide
Acceptance tests
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:
bundle exec rake beaker:suites
Some environment variables may be useful:
BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
BEAKER_fips=yes
- BEAKER_debug: show the commands being run on the SUT and their output.
- BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
- BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
- BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests on isolated networks.
- BEAKER_fips=yes: enable FIPS-mode on the virtual instances. This can take a very long time, because it must enable FIPS in the kernel command-line, rebuild the initramfs, then reboot.
Please refer to the SIMP Beaker Helpers documentation for more information.
- Wed Apr 10 2019 Joseph Sharkey shark.bruhaha@gmail.com - 8.2.1-0
- Ensure that space_left is always larger than admin_space_left
- Updated tests in support of puppet6, and removed puppet4 support
- Updated puppet template scope API from 3 to newer
- Sat Apr 06 2019 Jim Anderson thesemicolons@protonmail.com - 8.2.1-0
- config.pp now manages /etc/audit in addition to /etc/audit/rules.d. The permissions and ownership of the two directories should be the same. Both directories use purge and recurse.
- Tue Mar 19 2019 Liz Nemsick lnemsick.simp@gmail.com - 8.2.1-0
- Use Puppet Integer in lieu of simplib's deprecated Puppet 3 to_integer
- Expanded the upper limit of the stdlib Puppet module version
- Updated a URL in the README.md
- Tue Jan 15 2019 Trevor Vaughan tvaughan@onyxpoint.com - 8.2.0-0
- Allow users to optimize their audit processing by only collecting on specific SELinux types
- Fri Jan 11 2019 Adam Yohrling adam.yohrling@onyxpoint.com - 8.2.0-0
- Add restorecon audit for STIG profile
- Fri Nov 16 2018 Trevor Vaughan tvaughan@onyxpoint.com - 8.2.0-0
- Update to remove potentially redundant test code and use the updated simp-beaker-helpers
- Thu Nov 15 2018 Mark Leary leary.mark@gmail.com - 8.1.1-0
- Revert back to using the native service provider for the auditd service since puppet fixed the service handling.
- Wed Oct 31 2018 Trevor Vaughan tvaughan@onyxpoint.com - 8.1.0-0
- Allow users to opt-out of hooking the audit dispatchers into the SIMP rsyslog module using auditd::config::audisp::syslog::rsyslog = false or, alternatively, setting simp_options::syslog = false.
- Add a write_logs option to the auditd class and multiplex between the log_format = NOLOG setting and write_logs = false since there were breaking changes in these settings after auditd version 2.6.0.
- Add support for log_format = ENHANCED for auditd version >= 2.6.0. Older versions will simply fall back to RAW.
- Tue Oct 16 2018 Nick Markowski nicholas.markowski@onyxpoint.com - 8.1.0-0
- Removed unnecessary dependencies from metadata.json. Now, when users install auditd stand-alone i.e. puppet module install, they will not have extraneous modules clutter their environment.
  - herculesteam/augeasproviders_grub
  - simp/rsyslog
- Fri Oct 12 2018 Nick Miller nick.miller@onyxpoint.com - 8.1.0-0
- Changed the $package_ensure parameter from 'latest' to 'installed'
- It will also respect simp_options::package_ensure
- Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 8.1.0-0
- Update Hiera 4 to Hiera 5
- Fri Jul 27 2018 Brandon Ess brandon.ess@gmail.com - 8.1.0-0
- Align group ownership of the auditd log directories with the setting for auditd itself so that the designated group can access the log files.
- Fri Jul 13 2018 Trevor Vaughan tvaughan@onyxpoint.com - 8.1.0-0
- Updated to work with Puppet 5 and OEL
- Fri Jul 06 2018 Trey Dockendorf tdockendorf@osc.edu - 8.0.1-0
- Allow lowercase values for several parameters in accordance with the man pages and SCAP expectations.
- Thu Jun 21 2018 Liz Nemsick lnemsick.simp@gmail.com - 8.0.0-0
- Added ability to select one or more audit profiles. When multiple profiles are selected, their rules are effectively concatenated in the order in which the profiles are listed in auditd::default_audit_profiles.
- The following API Changes were made in support of multiple audit profiles:
  - $::auditd::$default_audit_profile has been deprecated by $::auditd::$default_audit_profiles
  - auditd::config and auditd::config::audit_profiles::simp classes are now private. In the unlikely event that you included just these classes in your manifest, you must now include auditd instead.
  - The following auditctl global configuration options that were in auditd::config::audit_profiles::simp are now in the auditd class, instead: $ignore_errors, $ignore_anonymous, $ignore_system_services, and $ignore_crond. They were moved because they are now applied to the set of audit profiles selected, not just the 'simp' audit profile.
- The following auditd::config::audit_profiles::simp class parameters have been deprecated for clarity:
  - $audit_sudoers has been deprecated by $audit_cfg_sudoers
  - $audit_sudoers_tag has been deprecated by $audit_cfg_sudoers
  - $audit_grub has been deprecated by $audit_cfg_grub
  - $audit_grub_tag has been deprecated by $audit_cfg_grub_tag
  - $audit_yum has been deprecated by $audit_cfg_yum
  - $audit_yum_tag has been deprecated by $audit_cfg_yum_tag
- Some previously hard-coded, internal configuration is now exposed as data-in-modules.
- Added 'stig' audit profile which manages rules that match DISA STIG checks, exactly.
  - For executables explicitly listed in the RHEL7 STIG, includes watches for binaries in the real paths (/usr/bin, /usr/sbin) and linked paths (/bin, /sbin). This is to address inconsistencies among the STIG and the Inspec and OSCAP scans. (All should use the real paths, but don't.)
- Fixed bugs in 'simp' audit profile
  - Fixed umask syscall rules. These rules require arch filters.
  - Fixed clock_settime syscall rules. Per the sample STIG audit rules packaged in the auditd RPM, these rules require an 'a0' filter.
  - Fixed bug in which /var/log/tallylog was grouped with session instead of logins.
  - Fixed bug in which the /etc/pam.d watch rule had the wrong tag
- Updated 'simp' audit profile settings for DISA STIG.
  - Expanded the list of successful syscall operations audited.
  - Expanded the list of module syscall operations audited
  - Added an option to monitor selinux commands, (i.e., chcon, semanage, setfiles, setsebool)
  - Added an option to audit the execution of password commands ('passwd', 'unix_chkpwd', 'gpasswd', 'chage', 'userhelper')
  - Added an option to audit the execution of privilege-related commands ('su', 'sudo', 'newgrp', 'chsh', 'sudoedit')
  - Added an option to audit the execution of postfix-related commands ('postdrop', 'postqueue')
  - Added an option to audit the execution of the 'ssh-keysign' command
  - Added an option to audit the execution of the 'crontab' command
  - Added an option to audit the execution of the 'pam_timestamp_check' command
  - Added an option to audit the execution of rename/remove operations for non-service users ('rename', 'renameat', 'rmdir', 'unlink', and 'unlinkat')
  - Added watch rules for /etc/hostname and /etc/NetworkManager (for centos7) pulled from the sample STIG audit rules packaged in the auditd RPM.
  - For executables explicitly listed in the RHEL7 STIG, includes watches for binaries in the real paths (/usr/bin, /usr/sbin) and linked paths (/bin, /sbin). This is to address inconsistencies among the STIG and the Inspec and OSCAP scans. (All should use the real paths, but don't.)
- Mon Mar 26 2018 Liz Nemsick lnemsick.simp@gmail.com - 7.1.3-0
- Work around RPM upgrade issue with nodeset link in compliance acceptance test suite.
- Tue Jan 09 2018 Nick Markowski nicholas.markowski@onyxpoint.com - 7.1.3-0
- Updated compliance suite to use new inspec profile, https://github.com/simp/inspec-profile-disa_stig-el7
- Removed the el6 nodeset from the compliance suite; there are no simp-supported el6 inspec profiles at this time.
- Ensured git installed as it's a dependency of our inspec profiles
- Mon Nov 13 2017 Nick Miller nick.miller@onyxpoint.com - 7.1.2-0
- /var/run/faillock should be tagged under 'login'
- Thu Aug 31 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.1.1-0
- Adjust audit.rules mode per inspec testing
- Mon Aug 21 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.1.0-0
- Updated to use augeasproviders_grub 3
- Added the ability to log calls to the 'rpm' and 'yum' commands
- Mon May 22 2017 Liz Nemsick lnemsick.simp@gmail.com - 7.0.2-0
- Fix bug whereby audit.rules file was not being regenerated prior to auditd service start in CentOS/RedHat 6.
- Update puppet version in metadata.json
- Mon Mar 27 2017 Nicholas Hughes nicholasmhughes@github.com - 7.0.1-0
- Audit kernel module tools from /usr/bin as well as /bin and /sbin
- Correct auditing /var/log/tallylock, it should have been /var/log/tallylog
- Thu Feb 22 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.1-0
- Changed auditd::failure_mode to '1' by default since the compliant audit rules were causing routine system restarts. The new value will default to sending printk messages when the buffer is full.
- Changed all rules that were exit,always to be always,exit
- Tue Jan 12 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.0-0
- In response to the DISA STIG Requirements
- Added 'open_by_handle_at' to the 'access' key
- Added watches on /varlog/faillock and /var/log/tallylock
- Added watches on /usr/sbin/insmod and /bin/kmod
- Added permissions modification notification for 'chmod'
- Renamed auditd::add_rules to auditd::rule
- Split the audit permissions rules into separate lines
- Disabled chmod auditing by default
- Mon Dec 26 2016 Ralph Wright rwright@onyxpoint.com - 7.0.0-0
- Mon Dec 26 2016 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.0-0
- Refactor to work in Puppet 4 Changes
- Updated acceptance tests
- Mon Dec 12 2016 Liz Nemsick lnemsick.simp@gmail.com - 7.0.0-0
- Update version to reflect SIMP6 dependencies
- Fri Dec 09 2016 Nick Markowski nmarkowski@keywcorp.com - 7.0.0-0
- Updated global catalysts
- Changed default log facility to local5.
- Added a drop rule for crond events
- Tue Nov 22 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.1.2-0
- Minor cleanup
- Mon Sep 26 2016 Jeanne Greulich, Liz Nemsick - 5.1.0-0
- Allow user to specify syslog facility and priority for audit record messages.
- Allow user to enable/disable audit record syslog messaging independent of the presence of forwarding logging servers.
- Added a file resource to detect and fix incorrect permissions on the /var/log/audit/audit.log file.
- Mon Aug 29 2016 Ralph Wright ralph.wright@onyxpoint.com - 5.0.4-0
- Added booleans to toggle sections of audit rules.
- Tue Jul 26 2016 Lucas Yamanishi lucas.yamanishi@onyxpoint.com - 5.0.3-0
- Fix for strict_variables failure
- Wed Jul 06 2016 Nick Markowski nmarkowski@keywcorp.com - 5.0.2-0
- Added a default audit rule for 'renameat', per CCE-26651-0.
- Added an auditd_version fact.
- Updated validation for *_action lists to differentiate between auditd versions.
- Updated module to use new rake helper to auto-gen .spec file.
- Thu May 19 2016 nicholasmhughes nicholasmhughes@gmail.com - 5.0.1-0
- Change btmp and wtmp locations to /var/log
- Support dynamic audit log locations
- Thu Feb 18 2016 Ralph Wright ralph.wright@onyxpoint.com - 5.0.0-4
- Added compliance function support
- Thu Dec 24 2015 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-3
- Ensure that the ::auditd::add_rules define does not run if $::auditd::enable_auditing is false.
- Thu Nov 19 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-2
- Full migration to simplib, removed common and functions.
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 5.0.0-1
- migration to simplib and simpcat (lib/ only)
- Tue Oct 20 2015 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0
- Module refactor to the new SIMP standard
- Fixes for the audit dispatcher and syslog connections
- Mon Sep 07 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.0-13
- Updated facts from $::lsbmajdistrelease to $::operatingsystemmajrelease.
- Tue Jul 21 2015 Kendall Moore kmoore@keywcorp.com - 4.1.0-12
- Updated to use the new rsyslog module.
- Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-11
- Migrated to the new 'simp' environment.
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-10
- Changed puppet-server requirement to puppet
- Wed Nov 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9
- Updated auditd::to_syslog to support multiple log servers and support for native TLS.
- Sat Sep 06 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8
- Fixed a missing rule for RHEL<7 that did not properly drop all of the useless audit data.
- Sat Aug 23 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-7
- Updated to use the new reboot_notify native type.
- Sun Jul 13 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-6
- Updated to support both grub and grub2
- Fixed a bug in the audit ruleset where the initial drop rule was set to drop everything that was not anonymous.
- Added support for /etc/audit/rules.d for RHEL7 systems.
- Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-5
- Removed MD5 file checksums for FIPS compliance.
- Fri Jun 20 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-5
- Pointed concat fragment auditd+head at the correct template!
- Updated to support RHEL7
- Wed May 21 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-4
- Added the ability to put rules before the default rule body in audit.rules.
- Added validation to add_rules.pp.
- Fri Mar 28 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3
- The template for auditing the rotated audit logs had a one-off error preventing the audit of the last rotated log.
- Spec tests were added.
- Fri Mar 14 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-2
- Added class for auditing grub.
- Thu Feb 13 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-1
- Converted all string booleans to native booleans.
- Mon Nov 04 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0
- Added support for audispd based on patches provided by Raymond Page raymond.page@icat.us.
- Removed the old rsyslog file tap on audit.log.
- Folded the auditd::conf define into the auditd main class since parameterized classes eliminate the need for the define.
- Breaking Change
- Mon Oct 28 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-11
- Updated the audit base rules to compress and reorder many of the rules to allow for greater processing efficiency.
- Added checks for kernel module manipulation in accordance with CCE-26610-6.
- Mapped all audit rules to their associated SSG rules in the file template.
- Thu Oct 03 2013 Nick Markowski nmarkowski@keywcorp.com - 4.0.0-11
- Updated templates to reference instance variables with @
- Wed Jul 17 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-10
- Removed the sgid binary check in the audit rules because it doesn't actually make any sense.
- Thu Jun 27 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-9
- Added audit rules to catch the execution of sgid and suid binaries.
- Added the ability to rate limit the auditd messages. If you use this, you probably want to change the failure mode to 1.
- Added the ability to ignore failures in the audit configuration and continue and set it to true by default. Since the rules are automatically managed, the likelihood of one being wrong is fairly high. Also, rules will fail if a file doesn't exist which isn't all that helpful.
- Removed the watch on /proc/kcore since it wasn't really helpful and was throwing SELinux AVC's on startup.
- Added default auditing to /etc/yum.conf and /etc/yum.repos.d
- Tue Apr 09 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-8
- Skip any rule that does not load properly so that we have as much of the configuration active as possible.
- Thu Dec 13 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-7
- Updated to require pupmod-common >= 2.1.1-2 so that upgrading an old system works properly.
- Fri Nov 30 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-6
- Added a cucumber test to ensure that the auditd daemon starts when including audit in the puppet server manifest.
- Tue Sep 18 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-5
- Updated all references of /etc/modprobe.conf to /etc/modprobe.d/00_simp_blacklist.conf as modprobe.conf is now deprecated.
- Thu Jun 07 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-4
- Ensure that Arrays in templates are flattened.
- Call facts as instance variables.
- Moved mit-tests to /usr/share/simp...
- Moved rsyslog module inclusion from init.pp to to_syslog.pp where it is used.
- Updated pp files to better meet Puppet's recommended style guide.
- Fri Mar 02 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-3
- Improved test stubs.
- Mon Jan 30 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-2
- Removed all references to 'entry' rules since they are deprecated.
- Removed the watch rule for /etc/firmware since it was removed in RHEL6 and pretty much useless anyway.
- Added test stubs
- Mon Dec 26 2011 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-1
- Scoped all of the top level variables.
- Fri Oct 28 2011 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-0
- Removed the base audit of /etc/ldap.conf since it was redundant.
- Mon Oct 10 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-3
- Updated to put quotes around everything that need it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.
- Thu Mar 17 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-2
- Modified several audit rules to be a bit more complete and to conform to some of the Red Hat syntax standards.
- Fri Feb 11 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-1
- Updated to use concat_build and concat_fragment types.
- Tue Jan 11 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Tue Oct 26 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1-2
- Converting all spec files to check for directories prior to copy.
- Wed Jul 28 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-1
- More code refactoring
- Made log_file configurable in to_syslog define.
- Wed May 19 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-0
- Code + doc refactor
- Wed May 12 2010 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-12
- Added the option $root_audit_level to auditd::conf
- The allowed strings are basic(default), aggressive, insane
- Basic(default): Safe, should not follow program execution outside of the base app
- Aggressive: Adds execve
- Insane: Adds fork, vfork, write, chown, creat, link, mkdir, rmdir
- Fri Feb 19 2010 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-11
- Removed watch on /etc. That was a very bad rule.
- Tue Dec 15 2009 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-10
- Audit rules now properly handle 64 and 32 bit architectures (for now). Previously, the 64 bit calls were not handled properly.
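Several changelog entries above describe properties of the generated files: space_left larger than admin_space_left, arch filters on syscall rules, an a0 filter on clock_settime rules, 'always,exit' ordering, and no deprecated 'entry' rules. The Python lint below is an added example, not part of the module, that checks rules and auditd.conf text for those properties; the function names are hypothetical and the sample inputs are constructed.

```python
import shlex

# Constructed sample inputs for illustration (not the module's generated files).
SAMPLE_RULES = """\
-a exit,always -F arch=b64 -S umask -k umask
-a always,exit -S umask -k umask
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change
-a entry,always -S chmod -k perm_mod
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /var/log/tallylog -p wa -k logins
"""
SAMPLE_CONF = """\
log_group = root
flush = INCREMENTAL
space_left = 50
admin_space_left = 75
"""


def _values(args, flag):
    """Values that follow each occurrence of `flag` (e.g. every -S or -F)."""
    return [args[i + 1] for i, a in enumerate(args[:-1]) if a == flag]


def lint_rules(text):
    """Return (line_number, message) findings for audit rules text."""
    findings = []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        args = shlex.split(line)
        lists = _values(args, "-a") + _values(args, "-A")
        if not lists:  # watches (-w) and control lines are out of scope here
            continue
        parts = lists[0].split(",")
        if "entry" in parts:
            findings.append((num, "deprecated 'entry' list"))
        elif parts == ["exit", "always"]:
            findings.append((num, "normalise to 'always,exit'"))
        syscalls = ",".join(_values(args, "-S")).split(",")
        fields = _values(args, "-F")
        if syscalls != [""] and not any(f.startswith("arch=") for f in fields):
            findings.append((num, "syscall rule without an arch filter"))
        if "clock_settime" in syscalls and not any(f.startswith("a0") for f in fields):
            findings.append((num, "clock_settime rule without an a0 filter"))
    return findings


def lint_conf(text):
    """Check the space_left / admin_space_left ordering in auditd.conf text."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    try:
        space, admin = int(conf["space_left"]), int(conf["admin_space_left"])
    except (KeyError, ValueError):  # missing, or percentage syntax: not compared
        return []
    if space <= admin:
        return [f"space_left ({space}) must be larger than admin_space_left ({admin})"]
    return []


if __name__ == "__main__":
    for num, msg in lint_rules(SAMPLE_RULES):
        print(f"rules line {num}: {msg}")
    for msg in lint_conf(SAMPLE_CONF):
        print(f"auditd.conf: {msg}")
```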
Dependencies
- puppetlabs/stdlib (>= 4.13.1 < 6.0.0)
- simp/simplib (>= 3.6.0 < 4.0.0)
auditd - A module to manage the Audit Daemon, Kernel Parameters, and related subsystems.

Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.

---

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.