From 2f6ceca58e64ab6c362afef629ac6ac235b0abe9 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Fri, 15 May 2020 11:52:35 +0200

Subject: [PATCH 1/4] audit_rules_system_shutdown: Don't remove unrelated line

Very likey a copy-pasta error from bash remediation for

audit_rules_immutable

---

 .../audit_rules_system_shutdown/bash/shared.sh                  | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh

index 1c9748ce9b..b56513cdcd 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh

@@ -8,7 +8,7 @@

 # files to check if '-f .*' setting is present in that '*.rules' file already.

 # If found, delete such occurrence since auditctl(8) manual page instructs the

 # '-f 2' rule should be placed as the last rule in the configuration

-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'

+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'

 # Append '-f 2' requirement at the end of both:

 # * /etc/audit/audit.rules file 		(for auditctl case)

From 189aed2c79620940438fc025a3cb9919cd8ee80a Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Fri, 15 May 2020 12:12:21 +0200

Subject: [PATCH 2/4] Add Ansible for audit_rules_system_shutdown

Along with very basic test scenarios

---

 .../ansible/shared.yml                        | 28 +++++++++++++++++++

 .../tests/augen_correct.pass.sh               |  4 +++

 .../tests/augen_e_2_immutable.fail.sh         |  3 ++

 3 files changed, 35 insertions(+)

 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml

 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh

 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml

new file mode 100644

index 0000000000..b9e8fa87fa

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml

@@ -0,0 +1,28 @@

+# platform = multi_platform_all

+# reboot = true

+# strategy = restrict

+# complexity = low

+# disruption = low

+

+- name: Collect all files from /etc/audit/rules.d with .rules extension

+  find:

+    paths: "/etc/audit/rules.d/"

+    patterns: "*.rules"

+  register: find_rules_d

+

+- name: Remove the -f option from all Audit config files

+  lineinfile:

+    path: "{{ item }}"

+    regexp: '^\s*(?:-f)\s+.*$'

+    state: absent

+  loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"

+

+- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules

+  lineinfile:

+    path: "{{ item }}"

+    create: True

+    line: "-f 2"

+  loop:

+    - "/etc/audit/audit.rules"

+    - "/etc/audit/rules.d/immutable.rules"

+

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh

new file mode 100644

index 0000000000..0587b937e0

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh

@@ -0,0 +1,4 @@

+#!/bin/bash

+

+echo "-e 2" > /etc/audit/rules.d/immutable.rules

+echo "-f 2" >> /etc/audit/rules.d/immutable.rules

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh

new file mode 100644

index 0000000000..fa5b7231df

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh

@@ -0,0 +1,3 @@

+#!/bin/bash

+

+echo "-e 2" > /etc/audit/rules.d/immutable.rules

From d693af1e00521d85b5745001aa13860bdac16632 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Fri, 15 May 2020 14:06:08 +0200

Subject: [PATCH 3/4] Clarify audit_rules_immutable Ansible task name

---

 .../audit_rules_immutable/ansible/shared.yml                    | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml

index 5ac7b3dabb..1cafb744cc 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml

@@ -17,7 +17,7 @@

     state: absent

   loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"

-- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules

+- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules

   lineinfile:

     path: "{{ item }}"

     create: True

From 92d38c1968059e53e3ab20f46f5ce0885a989aee Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Tue, 19 May 2020 11:02:56 +0200

Subject: [PATCH 4/4] Remove misleading comments in system shutdown fix

---

 .../audit_rules_system_shutdown/bash/shared.sh            | 8 --------

 1 file changed, 8 deletions(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh

index b56513cdcd..a349bb1ca1 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh

@@ -4,16 +4,8 @@

 #

 # /etc/audit/audit.rules,			(for auditctl case)

 # /etc/audit/rules.d/*.rules			(for augenrules case)

-#

-# files to check if '-f .*' setting is present in that '*.rules' file already.

-# If found, delete such occurrence since auditctl(8) manual page instructs the

-# '-f 2' rule should be placed as the last rule in the configuration

 find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'

-# Append '-f 2' requirement at the end of both:

-# * /etc/audit/audit.rules file 		(for auditctl case)

-# * /etc/audit/rules.d/immutable.rules		(for augenrules case)

-

 for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"

 do

 	echo '' >> $AUDIT_FILE