skyler / rpms / scap-security-guide

Forked from rpms/scap-security-guide 3 years ago
Clone
Source Code
GIT

Blame SOURCES/scap-security-guide-0.1.41-audit_passwd_log_writes.patch

c7 c7-alt c7-beta c8 c8-beta c8s
  1.   c7-alt
  2.   SOURCES
  3.   scap-security-guide-0.1.41-audit_passwd_log_writes.patch
Blob History Raw
28bffe 
diff --git a/shared/checks/oval/audit_rules_etc_passwd_open.xml b/shared/checks/oval/audit_rules_etc_passwd_open.xml
28bffe 
new file mode 100644
28bffe 
index 0000000000..fd5c3efb28
28bffe 
--- /dev/null
28bffe 
+++ b/shared/checks/oval/audit_rules_etc_passwd_open.xml
28bffe 
@@ -0,0 +1,96 @@
28bffe 
+<def-group>
28bffe 
+  <definition class="compliance" id="audit_rules_etc_passwd_open" version="1">
28bffe 
+    <metadata>
28bffe 
+      <title>Ensure auditd Collects Write Events to /etc/passwd</title>
28bffe 
+      <affected family="unix">
28bffe 
+        <platform>Red Hat Enterprise Linux 7</platform>
28bffe 
+        <platform>multi_platform_fedora</platform>
28bffe 
+      </affected>
28bffe 
+      <description>Audit rules about the write events to /etc/passwd</description>
28bffe 
+    </metadata>
28bffe 
+
28bffe 
+    <criteria operator="OR">
28bffe 
+
28bffe 
+
28bffe 
+      <criteria operator="AND">
28bffe 
+        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
28bffe 
+        <criterion comment="audit rule to record write events to /etc/passwd" test_ref="test_audit_rules_etc_passwd_open_32bit_augenrules" />
28bffe 
+
28bffe 
+        <criteria operator="OR">
28bffe 
+
28bffe 
+          <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
28bffe 
+
28bffe 
+          <criterion comment="audit rule to record write events to /etc/passwd" test_ref="test_audit_rules_etc_passwd_open_64bit_augenrules" />
28bffe 
+        </criteria>
28bffe 
+      </criteria>
28bffe 
+
28bffe 
+
28bffe 
+      <criteria operator="AND">
28bffe 
+        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
28bffe 
+        <criterion comment="audit rule to record write events to /etc/passwd" test_ref="test_audit_rules_etc_passwd_open_32bit_auditctl" />
28bffe 
+
28bffe 
+        <criteria operator="OR">
28bffe 
+
28bffe 
+          <extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />
28bffe 
+
28bffe 
+          <criterion comment="audit rule to record write events to /etc/passwd" test_ref="test_audit_rules_etc_passwd_open_64bit_auditctl" />
28bffe 
+        </criteria>
28bffe 
+      </criteria>
28bffe 
+
28bffe 
+    </criteria>
28bffe 
+  </definition>
28bffe 
+
28bffe 
+
28bffe 
+  <constant_variable id="var_audit_rule_32bit_open_write_etc_passwd_regex" version="1" datatype="string" comment="audit rule arch and syscal">
28bffe 
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
28bffe 
+  </constant_variable>
28bffe 
+
28bffe 
+  <constant_variable id="var_audit_rule_64bit_open_write_etc_passwd_regex" version="1" datatype="string" comment="audit rule arch and syscal">
28bffe 
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
28bffe 
+  </constant_variable>
28bffe 
+
28bffe 
+
28bffe 
+
28bffe 
+ comment="defined audit rule must exist" id="test_audit_rules_etc_passwd_open_32bit_augenrules" version="1">
28bffe 
+    <ind:object object_ref="object_audit_rules_etc_passwd_open_32bit_augenrules" />
28bffe 
+  </ind:textfilecontent54_test>
28bffe 
+  <ind:textfilecontent54_object id="object_audit_rules_etc_passwd_open_32bit_augenrules" version="1">
28bffe 
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
28bffe 
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_32bit_open_write_etc_passwd_regex" />
28bffe 
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
28bffe 
+  </ind:textfilecontent54_object>
28bffe 
+
28bffe 
+
28bffe 
+ comment="defined audit rule must exist" id="test_audit_rules_etc_passwd_open_64bit_augenrules" version="1">
28bffe 
+    <ind:object object_ref="object_audit_rules_etc_passwd_open_64bit_augenrules" />
28bffe 
+  </ind:textfilecontent54_test>
28bffe 
+  <ind:textfilecontent54_object id="object_audit_rules_etc_passwd_open_64bit_augenrules" version="1">
28bffe 
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
28bffe 
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_64bit_open_write_etc_passwd_regex" />
28bffe 
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
28bffe 
+  </ind:textfilecontent54_object>
28bffe 
+
28bffe 
+
28bffe 
+
28bffe 
+
28bffe 
+
28bffe 
+ comment="defined audit rule must exist" id="test_audit_rules_etc_passwd_open_32bit_auditctl" version="1">
28bffe 
+    <ind:object object_ref="object_audit_rules_etc_passwd_open_32bit_auditctl" />
28bffe 
+  </ind:textfilecontent54_test>
28bffe 
+  <ind:textfilecontent54_object id="object_audit_rules_etc_passwd_open_32bit_auditctl" version="1">
28bffe 
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
28bffe 
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_32bit_open_write_etc_passwd_regex" />
28bffe 
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
28bffe 
+  </ind:textfilecontent54_object>
28bffe 
+
28bffe 
+
28bffe 
+ comment="defined audit rule must exist" id="test_audit_rules_etc_passwd_open_64bit_auditctl" version="1">
28bffe 
+    <ind:object object_ref="object_audit_rules_etc_passwd_open_64bit_auditctl" />
28bffe 
+  </ind:textfilecontent54_test>
28bffe 
+  <ind:textfilecontent54_object id="object_audit_rules_etc_passwd_open_64bit_auditctl" version="1">
28bffe 
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
28bffe 
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_64bit_open_write_etc_passwd_regex" />
28bffe 
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
28bffe 
+  </ind:textfilecontent54_object>
28bffe 
+
28bffe 
+</def-group>
28bffe 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open.rule
28bffe 
new file mode 100644
28bffe 
index 0000000000..6e4aabcbe8
28bffe 
--- /dev/null
28bffe 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open.rule
28bffe 
@@ -0,0 +1,36 @@
28bffe 
+documentation_complete: true
28bffe 
+
28bffe 
+prodtype: rhel7,fedora
28bffe 
+
28bffe 
+title: 'Record Events that Modify User/Group Information via open syscall - /etc/passwd'
28bffe 
+
28bffe 
+description: |-
28bffe 
+    The audit system should collect write events to /etc/passwd file for all users and root.
28bffe 
+    If the <tt>auditd</tt> daemon is configured
28bffe 
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
28bffe 
+    startup (the default), add the following lines to a file with suffix
28bffe 
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
28bffe 
+    
-a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
28bffe 
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
28bffe 
+    utility to read audit rules during daemon startup, add the following lines to
28bffe 
+    <tt>/etc/audit/audit.rules</tt> file:
28bffe 
+    
-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
28bffe 
+
28bffe 
+rationale: |-
28bffe 
+    Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.
28bffe 
+    Auditing these events could serve as evidence of potential system compromise.
28bffe 
+
28bffe 
+severity: medium
28bffe 
+
28bffe 
+references:
28bffe 
+    ospp@rhel7: FAU_GEN.1.1.c
28bffe 
+
28bffe 
+{{{ complete_ocil_entry_audit_syscall(syscall="open") }}}
28bffe 
+
28bffe 
+warnings:
28bffe 
+    - general: |-
28bffe 
+        Note that these rules can be configured in a
28bffe 
+        number of ways while still achieving the desired effect. Here the system calls
28bffe 
+        have been placed independent of other system calls. Grouping system calls related
28bffe 
+        to the same event is more efficient. See the following example:
28bffe 
+        
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
28bffe 
diff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42-draft.profile
28bffe 
index 63b7223731..86fb0ff2fb 100644
28bffe 
--- a/rhel7/profiles/ospp42-draft.profile
28bffe 
+++ b/rhel7/profiles/ospp42-draft.profile
28bffe 
@@ -161,3 +161,4 @@ selections:
28bffe 
     - audit_rules_kernel_module_loading_modprobe
28bffe 
     - audit_rules_kernel_module_loading_rmmod
28bffe 
     - security_patches_up_to_date
28bffe 
+    - audit_rules_etc_passwd_open

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation