From e0a51fa56dbdf13392b9e7730fbb8caf58f6a4cc Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 3 Apr 2020 14:29:17 +0200
Subject: [PATCH] Fix regex in remediation
dac76a
Binaries with common prefix (sudo vs sudoedit) were not handled properly
dac76a
Force ordering of account and audit group
dac76a
Rename rhel7 tests and make them applicable for rhel8 too
dac76a
Add regression tests
dac76a
Explain and make reordering pretty
dac76a
---
dac76a
 ...ctl_default.fail.sh => auditctl_default.fail.sh} |  2 +-
dac76a
 ...g_rule.fail.sh => auditctl_missing_rule.fail.sh} |  2 +-
dac76a
 ...l_one_rule.fail.sh => auditctl_one_rule.fail.sh} |  4 ++--
dac76a
 ...ed.pass.sh => auditctl_rules_configured.pass.sh} |  2 +-
dac76a
 ...s_default.fail.sh => augenrules_default.fail.sh} |  2 +-
dac76a
 ...icated.fail.sh => augenrules_duplicated.fail.sh} |  2 +-
dac76a
 ...rule.fail.sh => augenrules_missing_rule.fail.sh} |  2 +-
dac76a
 .../tests/augenrules_one_rule.fail.sh               |  7 +++++++
dac76a
 ....pass.sh => augenrules_rules_configured.pass.sh} |  2 +-
dac76a
 ... augenrules_rules_configured_mixed_keys.pass.sh} |  2 +-
dac76a
 ...l.sh => augenrules_two_rules_mixed_keys.fail.sh} |  2 +-
dac76a
 ...il.sh => augenrules_two_rules_sep_files.fail.sh} |  2 +-
dac76a
 .../tests/rhel7_augenrules_one_rule.fail.sh         |  7 -------
dac76a
 ...h_own_key.pass.sh => rules_with_own_key.pass.sh} |  2 +-
dac76a
 ...m_audit_rules_privileged_commands_remediation.sh |  2 +-
dac76a
 ssg/build_yaml.py                                   | 13 +++++++++++--
dac76a
 16 files changed, 32 insertions(+), 23 deletions(-)
dac76a
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_auditctl_default.fail.sh => auditctl_default.fail.sh} (74%)
dac76a
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_auditctl_missing_rule.fail.sh => auditctl_missing_rule.fail.sh} (82%)
dac76a
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_auditctl_one_rule.fail.sh => auditctl_one_rule.fail.sh} (50%)
dac76a
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_auditctl_rules_configured.pass.sh => auditctl_rules_configured.pass.sh} (80%)
dac76a
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_default.fail.sh => augenrules_default.fail.sh} (63%)
dac76a
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_duplicated.fail.sh => augenrules_duplicated.fail.sh} (85%)
dac76a
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_missing_rule.fail.sh => augenrules_missing_rule.fail.sh} (78%)
dac76a
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh
dac76a
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_rules_configured.pass.sh => augenrules_rules_configured.pass.sh} (74%)
dac76a
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_rules_configured_mixed_keys.pass.sh => augenrules_rules_configured_mixed_keys.pass.sh} (83%)
dac76a
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_two_rules_mixed_keys.fail.sh => augenrules_two_rules_mixed_keys.fail.sh} (84%)
dac76a
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_two_rules_sep_files.fail.sh => augenrules_two_rules_sep_files.fail.sh} (84%)
dac76a
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_one_rule.fail.sh
dac76a
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_rules_with_own_key.pass.sh => rules_with_own_key.pass.sh} (70%)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_default.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh
dac76a
similarity index 74%
dac76a
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_default.fail.sh
dac76a
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh
dac76a
index 5668e9d59..b89717805 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_default.fail.sh
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh
dac76a
@@ -1,6 +1,6 @@
dac76a
 #!/bin/bash
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_pci-dss
dac76a
 # remediation = bash
dac76a
-# platform = Red Hat Enterprise Linux 7
dac76a
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
dac76a
 
dac76a
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_missing_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh
dac76a
similarity index 82%
dac76a
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_missing_rule.fail.sh
dac76a
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh
dac76a
index 9ff90cc2b..1b8f348c4 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_missing_rule.fail.sh
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh
dac76a
@@ -1,7 +1,7 @@
dac76a
 #!/bin/bash
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_pci-dss
dac76a
 # remediation = bash
dac76a
-# platform = Red Hat Enterprise Linux 7
dac76a
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
dac76a
 
dac76a
 ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/audit.rules
dac76a
 sed -i '/newgrp/d' /etc/audit/audit.rules
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_one_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh
dac76a
similarity index 50%
dac76a
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_one_rule.fail.sh
dac76a
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh
dac76a
index c74a0cc7c..16c6fada0 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_one_rule.fail.sh
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh
dac76a
@@ -1,7 +1,7 @@
dac76a
 #!/bin/bash
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_pci-dss
dac76a
 # remediation = bash
dac76a
-# platform = Red Hat Enterprise Linux 7
dac76a
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
dac76a
 
dac76a
-echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/audit.rules
dac76a
+echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/audit.rules
dac76a
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
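Review bot: The `echo` line now writes a rule for /usr/bin/sudo instead of newgrp, but nothing in the script says why, so a reader cannot connect this test to the sudo/sudoedit prefix bug the commit message describes. Suggest a comment above the echo line: `# sudo is chosen on purpose: its path is a prefix of /usr/bin/sudoedit, so the remediation must still add the sudoedit rule (regression test for prefix matching)`. The same comment belongs in the new file augenrules_one_rule.fail.sh, whose echo line carries the same sudo rule.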
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_rules_configured.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh
dac76a
similarity index 80%
dac76a
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_rules_configured.pass.sh
dac76a
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh
dac76a
index c9f338efd..911ce1798 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_rules_configured.pass.sh
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh
dac76a
@@ -1,7 +1,7 @@
dac76a
 #!/bin/bash
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_pci-dss
dac76a
 # remediation = bash
dac76a
-# platform = Red Hat Enterprise Linux 7
dac76a
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
dac76a
 
dac76a
 ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/audit.rules
dac76a
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_default.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh
dac76a
similarity index 63%
dac76a
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_default.fail.sh
dac76a
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh
dac76a
index 4713a5360..6281f0751 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_default.fail.sh
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh
dac76a
@@ -1,6 +1,6 @@
dac76a
 #!/bin/bash
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_pci-dss
dac76a
 # remediation = bash
dac76a
-# platform = Red Hat Enterprise Linux 7,Fedora
dac76a
+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
dac76a
 
dac76a
 # augenrules is default for rhel7
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_duplicated.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh
dac76a
similarity index 85%
dac76a
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_duplicated.fail.sh
dac76a
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh
dac76a
index 19b12d090..c01b95aa9 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_duplicated.fail.sh
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh
dac76a
@@ -2,7 +2,7 @@
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_ospp,xccdf_org.ssgproject.content_profile_pci-dss
dac76a
 # Remediation for this rule cannot remove the duplicates
dac76a
 # remediation = none
dac76a
-# platform = Red Hat Enterprise Linux 7,Fedora
dac76a
+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
dac76a
 
dac76a
 mkdir -p /etc/audit/rules.d
dac76a
 ./generate_privileged_commands_rule.sh 1000 privileged /tmp/privileged.rules
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_missing_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh
dac76a
similarity index 78%
dac76a
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_missing_rule.fail.sh
dac76a
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh
dac76a
index c007f5dd2..ba3b8dd57 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_missing_rule.fail.sh
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh
dac76a
@@ -1,7 +1,7 @@
dac76a
 #!/bin/bash
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_pci-dss
dac76a
 # remediation = bash
dac76a
-# platform = Red Hat Enterprise Linux 7,Fedora
dac76a
+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
dac76a
 
dac76a
 mkdir -p /etc/audit/rules.d
dac76a
 ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh
dac76a
new file mode 100644
dac76a
index 000000000..a136bb885
dac76a
--- /dev/null
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh
dac76a
@@ -0,0 +1,7 @@
dac76a
+#!/bin/bash
dac76a
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
dac76a
+# remediation = bash
dac76a
+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
dac76a
+
dac76a
+mkdir -p /etc/audit/rules.d
dac76a
+echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh
dac76a
similarity index 74%
dac76a
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured.pass.sh
dac76a
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh
dac76a
index 913ca4402..2badda362 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured.pass.sh
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh
dac76a
@@ -1,7 +1,7 @@
dac76a
 #!/bin/bash
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_pci-dss
dac76a
 # remediation = bash
dac76a
-# platform = Red Hat Enterprise Linux 7,Fedora
dac76a
+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
dac76a
 
dac76a
 mkdir -p /etc/audit/rules.d
dac76a
 ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured_mixed_keys.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh
dac76a
similarity index 83%
dac76a
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured_mixed_keys.pass.sh
dac76a
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh
dac76a
index a0ba4fac7..2a9c64215 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured_mixed_keys.pass.sh
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh
dac76a
@@ -1,7 +1,7 @@
dac76a
 #!/bin/bash
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_pci-dss
dac76a
 # remediation = bash
dac76a
-# platform = Red Hat Enterprise Linux 7,Fedora
dac76a
+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
dac76a
 
dac76a
 mkdir -p /etc/audit/rules.d
dac76a
 ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_mixed_keys.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh
dac76a
similarity index 84%
dac76a
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_mixed_keys.fail.sh
dac76a
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh
dac76a
index bc4a7c4bf..316d836d4 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_mixed_keys.fail.sh
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh
dac76a
@@ -1,7 +1,7 @@
dac76a
 #!/bin/bash
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_pci-dss
dac76a
 # remediation = bash
dac76a
-# platform = Red Hat Enterprise Linux 7,Fedora
dac76a
+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
dac76a
 
dac76a
 mkdir -p /etc/audit/rules.d
dac76a
 echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_sep_files.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh
dac76a
similarity index 84%
dac76a
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_sep_files.fail.sh
dac76a
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh
dac76a
index 0e7091053..78db285d1 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_sep_files.fail.sh
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh
dac76a
@@ -1,7 +1,7 @@
dac76a
 #!/bin/bash
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_pci-dss
dac76a
 # remediation = bash
dac76a
-# platform = Red Hat Enterprise Linux 7,Fedora
dac76a
+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
dac76a
 
dac76a
 mkdir -p /etc/audit/rules.d
dac76a
 echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/priv.rules
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_one_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_one_rule.fail.sh
dac76a
deleted file mode 100644
dac76a
index 591109a01..000000000
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_one_rule.fail.sh
dac76a
+++ /dev/null
dac76a
@@ -1,7 +0,0 @@
dac76a
-#!/bin/bash
dac76a
-# profiles = xccdf_org.ssgproject.content_profile_pci-dss
dac76a
-# remediation = bash
dac76a
-# platform = Red Hat Enterprise Linux 7
dac76a
-
dac76a
-mkdir -p /etc/audit/rules.d
dac76a
-echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_rules_with_own_key.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh
dac76a
similarity index 70%
dac76a
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_rules_with_own_key.pass.sh
dac76a
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh
dac76a
index c40fd133d..123dd6dcd 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_rules_with_own_key.pass.sh
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh
dac76a
@@ -1,6 +1,6 @@
dac76a
 #!/bin/bash
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_pci-dss
dac76a
 # remediation = bash
dac76a
-# platform = Red Hat Enterprise Linux 7,Fedora
dac76a
+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
dac76a
 
dac76a
 ./generate_privileged_commands_rule.sh 1000 own_key /etc/audit/rules.d/privileged.rules
dac76a
diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
dac76a
index 6112f6adb..f595c71cb 100644
dac76a
--- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
dac76a
+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
dac76a
@@ -99,7 +99,7 @@ do
dac76a
 		# * existing rule contains all arguments from expected rule form (though can contain
dac76a
 		#   them in arbitrary order)
dac76a
 	
dac76a
-		base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'/!d'		\
dac76a
+		base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'[^[:graph:]]/!d'		\
dac76a
 				-e '/-F path=[^[:space:]]\+/!d'   -e '/-F perm=.*/!d'						\
dac76a
 				-e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d'	\
dac76a
 				-e '/-k \|-F key=/!d' "$afile")
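Review bot: The new `[^[:graph:]]` after `${sbinary_esc}` requires a character to follow the path, so an existing rule whose `-F path=` argument is the last token on the line no longer matches, and the remediation would append a duplicate rule; the comment just above this hunk explicitly allows the arguments in arbitrary order. Anchoring on whitespace-or-end-of-line covers both cases while keeping the intended fix, since `/usr/bin/sudo` followed by `edit` still fails to match: `base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'\([[:space:]]\|$\)/!d'		\`. The file already relies on GNU `\|` alternation elsewhere in this pipeline, so this adds no new dependency. The enclosing loop body and the remaining sed expressions continue outside the hunk.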
dac76a
diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
dac76a
index 5e681b7e0..e3e138283 100644
dac76a
--- a/ssg/build_yaml.py
dac76a
+++ b/ssg/build_yaml.py
dac76a
@@ -695,13 +695,22 @@ class Group(object):
dac76a
         # top level group, this ensures groups that further configure a package or service
dac76a
         # are after rules that install or remove it.
dac76a
         groups_in_group = list(self.groups.keys())
dac76a
+        # The account group has to precede audit group because
dac76a
+        # the rule package_screen_installed is desired to be executed before the rule
dac76a
+        # audit_rules_privileged_commands, othervise the rule
dac76a
+        # does not catch newly installed screeen binary during remediation
dac76a
+        # and report fail
dac76a
         # The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS.
dac76a
         # the firewalld_activation must come before ruleset_modifications, othervise
dac76a
         # remediations for ruleset_modifications won't work
dac76a
         # rules from group disabling_ipv6 must precede rules from configuring_ipv6,
dac76a
         # otherwise the remediation prints error although it is successful
dac76a
-        priority_order = ["fips", "crypto", "firewalld_activation",
dac76a
-        "ruleset_modifications", "disabling_ipv6", "configuring_ipv6"]
dac76a
+        priority_order = [
dac76a
+            "accounts", "auditing",
dac76a
+            "fips", "crypto",
dac76a
+            "firewalld_activation", "ruleset_modifications",
dac76a
+            "disabling_ipv6", "configuring_ipv6"
dac76a
+        ]
dac76a
         groups_in_group = reorder_according_to_ordering(groups_in_group, priority_order)
dac76a
         for group_id in groups_in_group:
dac76a
             _group = self.groups[group_id]
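Review bot: The comment added above `priority_order` has several typos (`othervise`, `screeen`, `report fail`) and calls the group "account" while the list entry it explains is `"accounts"`, which will confuse anyone grepping for the group id. Suggested replacement for the five added comment lines: `# The accounts group has to precede the auditing group: the rule package_screen_installed must run before audit_rules_privileged_commands, otherwise the latter does not see the newly installed screen binary during remediation and reports a failure.` It would also read better placed with the other ordering rationales rather than splitting them from the `groups_in_group` assignment. The enclosing method of `Group` starts and ends outside the hunk.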
dac76a
-- 
dac76a
2.21.1
dac76a