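diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml
index 5784e5ad8f..a80c7dab8c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml
@@ -10,11 +10,11 @@ description: |-
 to use the <tt>augenrules</tt> program to read audit rules during daemon
 startup (the default), add the following lines to a file with suffix
 <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
+ -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
 If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
 utility to read audit rules during daemon startup, add the following lines to
 <tt>/etc/audit/audit.rules</tt> file:
- -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
+ -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
 
 rationale: |-
 Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system.
@@ -36,4 +36,4 @@ warnings:
 number of ways while still achieving the desired effect. Here the system calls
 have been placed independent of other system calls. Grouping system calls related
 to the same event is more efficient. See the following example:
- -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
+ -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify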
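Review bot: The description's example rules switch from `-F key=group-modify` to `-F key=modify` here and in the five sibling rule.yml files of this commit, yet the test scenarios touched later in the same commit (augenrules_correct_rule.pass.sh under rule_audit_rules_etc_passwd_open and rule_audit_rules_etc_passwd_openat) still append rules with `-F key=user-modify`. If the OVAL check compares the key literally, those .pass.sh scenarios no longer describe a passing state; the check is outside this diff, so confirm it accepts any key value before relying on the rename. If any key is accepted, one sentence in the `warnings:` block saying that the key name in the examples is only a suggestion would stop future edits from treating it as significant.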
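diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml
index 81841900f0..6181ad50f1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml
@@ -10,11 +10,11 @@ description: |-
 to use the <tt>augenrules</tt> program to read audit rules during daemon
 startup (the default), add the following lines to a file with suffix
 <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
+ -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
 If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
 utility to read audit rules during daemon startup, add the following lines to
 <tt>/etc/audit/audit.rules</tt> file:
- -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
+ -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
 
 rationale: |-
 Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system.
@@ -36,4 +36,4 @@ warnings:
 number of ways while still achieving the desired effect. Here the system calls
 have been placed independent of other system calls. Grouping system calls related
 to the same event is more efficient. See the following example:
- -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
+ -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify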
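diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml
index 3515398d50..9a69643a34 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml
@@ -10,11 +10,11 @@ description: |-
 to use the <tt>augenrules</tt> program to read audit rules during daemon
 startup (the default), add the following lines to a file with suffix
 <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
+ -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
 If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
 utility to read audit rules during daemon startup, add the following lines to
 <tt>/etc/audit/audit.rules</tt> file:
- -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
+ -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
 
 rationale: |-
 Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system.
@@ -36,4 +36,4 @@ warnings:
 number of ways while still achieving the desired effect. Here the system calls
 have been placed independent of other system calls. Grouping system calls related
 to the same event is more efficient. See the following example:
- -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
+ -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify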
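diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml
index deb20d24c5..630b03b1b4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml
@@ -10,11 +10,11 @@ description: |-
 to use the <tt>augenrules</tt> program to read audit rules during daemon
 startup (the default), add the following lines to a file with suffix
 <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+ -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
 If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
 utility to read audit rules during daemon startup, add the following lines to
 <tt>/etc/audit/audit.rules</tt> file:
- -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+ -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
 
 rationale: |-
 Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.
@@ -36,4 +36,4 @@ warnings:
 number of ways while still achieving the desired effect. Here the system calls
 have been placed independent of other system calls. Grouping system calls related
 to the same event is more efficient. See the following example:
- -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+ -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify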
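diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml
index d65c9171e4..f1b9fbcd17 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml
@@ -10,11 +10,11 @@ description: |-
 to use the <tt>augenrules</tt> program to read audit rules during daemon
 startup (the default), add the following lines to a file with suffix
 <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+ -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
 If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
 utility to read audit rules during daemon startup, add the following lines to
 <tt>/etc/audit/audit.rules</tt> file:
- -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+ -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
 
 rationale: |-
 Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.
@@ -36,4 +36,4 @@ warnings:
 number of ways while still achieving the desired effect. Here the system calls
 have been placed independent of other system calls. Grouping system calls related
 to the same event is more efficient. See the following example:
- -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+ -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify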
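diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml
index da910036b2..5460009264 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml
@@ -10,11 +10,11 @@ description: |-
 to use the <tt>augenrules</tt> program to read audit rules during daemon
 startup (the default), add the following lines to a file with suffix
 <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+ -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
 If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
 utility to read audit rules during daemon startup, add the following lines to
 <tt>/etc/audit/audit.rules</tt> file:
- -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+ -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
 
 rationale: |-
 Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.
@@ -36,4 +36,4 @@ warnings:
 number of ways while still achieving the desired effect. Here the system calls
 have been placed independent of other system calls. Grouping system calls related
 to the same event is more efficient. See the following example:
- -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+ -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify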
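diff --git a/shared/templates/create_audit_rules_path_syscall.py b/shared/templates/create_audit_rules_path_syscall.py
index 9ab984491e..4164f7b44f 100644
--- a/shared/templates/create_audit_rules_path_syscall.py
+++ b/shared/templates/create_audit_rules_path_syscall.py
@@ -26,6 +26,29 @@ def generate(self, target, args):
 },
 "./oval/audit_rules_{0}_{1}.xml", pathid, syscall
 )
+
+ elif target == "bash":
+ self.file_from_template(
+ "./template_BASH_audit_rules_path_syscall",
+ {
+ "PATH": path,
+ "SYSCALL": syscall,
+ "POS": pos
+ },
+ "./bash/audit_rules_{0}_{1}.sh", pathid, syscall
+ )
+
+ elif target == "ansible":
+ self.file_from_template(
+ "./template_ANSIBLE_audit_rules_path_syscall",
+ {
+ "PATH": path,
+ "SYSCALL": syscall,
+ "POS": pos
+ },
+ "./ansible/audit_rules_{0}_{1}.yml", pathid, syscall
+ )
+
 else:
 raise UnknownTargetError(target)
 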
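Review bot: The new bash and ansible branches each spell out the same `{"PATH": path, "SYSCALL": syscall, "POS": pos}` literal, and the oval branch above them apparently builds one too (only its closing brace is in the hunk), so a future template variable has to be added in three places and the targets drift apart silently. Hoisting it once before the if-chain, `context = {"PATH": path, "SYSCALL": syscall, "POS": pos}`, and passing `context` to each `self.file_from_template` call keeps the three targets in step; check the oval branch's keys first, since they are not visible here. `generate` starts outside the hunk.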
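diff --git a/shared/templates/template_ANSIBLE_audit_rules_path_syscall b/shared/templates/template_ANSIBLE_audit_rules_path_syscall
new file mode 100644
index 0000000000..4a27e0f521
--- /dev/null
+++ b/shared/templates/template_ANSIBLE_audit_rules_path_syscall
@@ -0,0 +1,76 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+#
+# What architecture are we on?
+#
+- name: Set architecture for audit {{{ SYSCALL }}} tasks
+ set_fact:
+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
+
+#
+# Inserts/replaces the rule in /etc/audit/rules.d
+#
+- name: Search /etc/audit/rules.d for other DAC audit rules
+ find:
+ paths: "/etc/audit/rules.d"
+ recurse: no
+ contains: ".*{{{ SYSCALL }}}(,[\\S]+)?[\\s]+-F[\\s]+{{{ POS }}}&03[\\s]+-F[\\s]+path={{{ PATH }}}.*"
+ patterns: "*.rules"
+ register: find_{{{ SYSCALL }}}
+
+- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as the recipient for the rule
+ set_fact:
+ all_files:
+ - /etc/audit/rules.d/modify.rules
+ when: find_{{{ SYSCALL }}}.matched == 0
+
+- name: Use matched file as the recipient for the rule
+ set_fact:
+ all_files:
+ - "{{ find_{{{ SYSCALL }}}.files | map(attribute='path') | list | first }}"
+ when: find_{{{ SYSCALL }}}.matched > 0
+
+- name: Inserts/replaces the {{{ SYSCALL }}} rule in rules.d when on x86
+ lineinfile:
+ path: "{{ all_files[0] }}"
+ line: "{{ item }}"
+ create: yes
+ regexp: "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"
+ with_items:
+ - "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
+
+- name: Inserts/replaces the {{{ SYSCALL }}} rule in rules.d when on x86_64
+ lineinfile:
+ path: "{{ all_files[0] }}"
+ line: "{{ item }}"
+ create: yes
+ regexp: "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"
+ with_items:
+ - "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
+ when: audit_arch == 'b64'
+#
+# Inserts/replaces the rule in /etc/audit/audit.rules
+#
+- name: Inserts/replaces the {{{ SYSCALL }}} rule in /etc/audit/audit.rules when on x86
+ lineinfile:
+ line: "{{ item }}"
+ state: present
+ dest: /etc/audit/audit.rules
+ regexp: "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"
+ with_items:
+ - "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
+
+- name: Inserts/replaces the {{{ SYSCALL }}} rule in audit.rules when on x86_64
+ lineinfile:
+ line: "{{ item }}"
+ state: present
+ dest: /etc/audit/audit.rules
+ create: yes
+ regexp: "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"
+ with_items:
+ - "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
+ when: audit_arch == 'b64'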
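Review bot: The task that inserts the b32 rule into /etc/audit/audit.rules has no `create: yes`, while its b64 sibling just below does, so on a host where that file is absent the b32 task fails before the b64 task ever runs; add `create: yes` next to `dest: /etc/audit/audit.rules` in the b32 task as well. Separately, the `find` task's `contains:` regex tolerates a grouped syscall list (`{{{ SYSCALL }}}(,[\\S]+)?`) but all four `lineinfile` `regexp:` values require exactly `-S {{{ SYSCALL }}} -F`, so an existing grouped rule of the form the rule descriptions' own warnings recommend is left in place and a second single-syscall rule is appended beside it. Whether that duplicate is harmless depends on the checker, which is not in this diff, but the two regexes should at least agree on what counts as an existing rule.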
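diff --git a/shared/templates/template_BASH_audit_rules_path_syscall b/shared/templates/template_BASH_audit_rules_path_syscall
new file mode 100644
index 0000000000..c3d31aade9
--- /dev/null
+++ b/shared/templates/template_BASH_audit_rules_path_syscall
@@ -0,0 +1,18 @@
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ PATTERN="-a always,exit -F arch=$ARCH -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}}.*"
+ GROUP="modify"
+ FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+done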
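Review bot: `PATTERN` is built with a literal `-S {{{ SYSCALL }}} -F`, so an existing rule that lists the syscall together with others (the grouped form the rule descriptions' warnings section recommends, e.g. `-S openat,open_by_handle_at`) will not match it; what fix_audit_syscall_rule does with a non-matching pattern is defined in the sourced remediation_functions library, which is not in this diff, so confirm it does not append a second rule beside the grouped one. The Ansible template in this commit already tolerates the grouped form in its `find` regex (`{{{ SYSCALL }}}(,[\\S]+)?`), so the two remediations should agree on what counts as an existing rule. The arch selection `[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")` is correct only because an array assignment cannot fail; an `if`/`else` says the same thing without relying on that. The platform header lists `Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8` where the Ansible template uses `multi_platform_rhel`; if both are meant to cover the same systems, one spelling should be used.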
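diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh
index a9a4207877..8db9eab037 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 # Use auditctl in RHEL7
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service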
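diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh
index 0eabbe097c..532ecedb88 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 # Use auditctl in RHEL7
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service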
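diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh
index 6e17de9c20..72254d5c5c 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 echo "-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
 echo "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules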
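diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh
index 7b7b6bc76d..d4e169dcc6 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 echo "-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
 echo "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules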
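diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh
index 472b62ee57..409e96ad73 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 # Use auditctl in RHEL7
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service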
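diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh
index 595a97ab22..9aca34dd42 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 # Use auditctl in RHEL7
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service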
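diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh
index 6ef86ff816..b8c14e63f8 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 # Use auditctl in RHEL7
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service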
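diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh
index 8c4aaaac25..a6c4c8814f 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
 echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules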
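diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh
index 28ee5ffd9d..7b7f1fd5c9 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
 echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules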
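diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh
index 9c9ac0fad4..0747c40b70 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
 echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules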