diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml
new file mode 100644
index 0000000000..31b65a0833
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml
@@ -0,0 +1,38 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Search /etc/audit/rules.d for audit rule entries
+  find:
+    paths: /etc/audit/rules.d
+    recurse: false
+    contains: ^.*dir=/var/log/audit/.*$
+    patterns: '*.rules'
+  register: find_var_log_audit
+
+- name: Use /etc/audit/rules.d/access-audit-trail.rules as the recipient for the rule
+  set_fact:
+    all_files:
+    - /etc/audit/rules.d/access-audit-trail.rules
+  when: find_var_log_audit.matched == 0
+
+- name: Use matched file as the recipient for the rule
+  set_fact:
+    all_files:
+    - '{{ find_var_log_audit.files | map(attribute=''path'') | list | first }}'
+  when: find_var_log_audit.matched > 0
+
+- name: Inserts/replaces the /var/log/audit/ rule in rules.d
+  lineinfile:
+    path: '{{ all_files[0] }}'
+    line: -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset
+      -F key=access-audit-trail
+    create: true
+
+- name: Inserts/replaces the /var/log/audit/ rule in audit.rules
+  lineinfile:
+    path: /etc/audit/audit.rules
+    line: -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset
+      -F key=access-audit-trail
+    create: true
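Review bot: The two `lineinfile` tasks (the `path: '{{ all_files[0] }}'` one and the `/etc/audit/audit.rules` one) carry only `line:` and no `regexp:`, so they append when the exact text is absent and never replace an existing rule for the same directory; a pre-existing `-F dir=/var/log/audit/ -F perm=w ...` line, as written by the `augenrules_wrong_perm.fail.sh` test in this same change, would be left in place with the new rule appended beside it, which contradicts the "Inserts/replaces" task names. Adding `regexp: '^-a always,exit -F dir=/var/log/audit/.*'` to both tasks would make Ansible replace the matched line instead, which is also the behaviour the bash remediation in this commit aims for through its replace helper. The `find` task only checks whether some file mentions `dir=/var/log/audit/`, so it cannot tell a correct rule from an incorrect one either; the comment `# lineinfile with regexp replaces a wrong rule in place rather than stacking a second one` above the tasks would record why the match pattern is there.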
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
new file mode 100644
index 0000000000..515bef7b85
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
@@ -0,0 +1,11 @@
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8, multi_platform_fedora, multi_platform_ol,multi_platform_rhv
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+PATTERN="-a always,exit -F path=/var/log/audit/\\s\\+.*"
+GROUP="access-audit-trail"
+FULL_RULE="-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset -F key=access-audit-trail"
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
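Review bot: `PATTERN` searches for `-F path=/var/log/audit/\s\+.*` while `FULL_RULE` writes `-F dir=/var/log/audit/`, so the pattern never matches the rule this script itself installs nor the `dir=` rules the new test cases write; if the helper relies on `$PATTERN` to find the rule to rewrite, a wrong existing rule will not be detected and the correct one may be appended repeatedly on re-runs. Changing it to `PATTERN="-a always,exit -F dir=/var/log/audit/\\s\\+.*"` keeps the search and the written rule in agreement. `$ARCH` is also never assigned in this file and is passed to both `fix_audit_syscall_rule` calls; if the library treats an empty value as "no architecture filter" for a directory watch, an explicit `ARCH=""` with a comment saying so would make that intent visible rather than depending on an unset variable.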
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh
index e9b1d56af3..2a8a51ff2e 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 # Use auditctl in RHEL7
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh
index 1c68a3229b..ba4086d9b7 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 # Use auditctl in RHEL7
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh
index 58ef8bc15f..891cddefb7 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh
@@ -1,6 +1,5 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 echo "-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh
index 29f0f2d38e..18ca9936fa 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh
@@ -1,6 +1,5 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 echo "-a always,exit -F dir=/var/log/auditd/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh
index 82eae1895d..617e93d121 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh
@@ -1,6 +1,5 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 echo "-a always,exit -F dir=/var/log/audit/ -F perm=w -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules