From 0e35c48ff14ed2cdcf16d79da52a276ee89ad7ce Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 19 Oct 2020 13:59:39 +0200
Subject: [PATCH 01/10] remove perm=x from ansible, oval and rule.yaml
this aligns with other audit_rules_privileged_commands_* which are handled by template
---
.../audit_rules_privileged_commands/ansible/shared.yml | 6 +++---
.../audit_rules_privileged_commands/oval/shared.xml | 4 ++--
.../audit_rules_privileged_commands/rule.yml | 4 ++--
3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
index 9a8f91020c..79edfe1771 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
@@ -28,7 +28,7 @@
- name: Overwrites the rule in rules.d
lineinfile:
path: "{{ item.1.path }}"
- line: '-a always,exit -F path={{ item.0.item }} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=special-config-changes'
+ line: '-a always,exit -F path={{ item.0.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=special-config-changes'
create: no
regexp: "^.*path={{ item.0.item }} .*$"
with_subelements:
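Review bot: The `regexp` on the preceding line interpolates `{{ item.0.item }}` into a regular expression unescaped, so a path containing `.` or another metacharacter is matched loosely rather than literally; the audit.rules task later in this file has the same construction. It is practically harmless for stock SUID paths, but `regexp: "^.*path={{ item.0.item | regex_escape }} .*$"` pins the match to the exact path. Note also that lineinfile rewrites only the last line matching `regexp`, so a file that already carries two stale rules for one binary (e.g. a `-k` and a `-F key=` variant) keeps one of them after this task runs.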
@@ -38,7 +38,7 @@
- name: Adds the rule in rules.d
lineinfile:
path: /etc/audit/rules.d/privileged.rules
- line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=special-config-changes'
+ line: '-a always,exit -F path={{ item.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=special-config-changes'
create: yes
with_items:
- "{{ files_result.results }}"
@@ -49,7 +49,7 @@
- name: Inserts/replaces the rule in audit.rules
lineinfile:
path: /etc/audit/audit.rules
- line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=special-config-changes'
+ line: '-a always,exit -F path={{ item.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=special-config-changes'
create: yes
regexp: "^.*path={{ item.item }} .*$"
with_items:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
index 798cffa42d..278bf6cb55 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
@@ -68,7 +68,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_arpc_suid_sgid_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*-a always,exit (?:-F path=([\S]+) )+-F perm=[r|w]?x -F auid>={{{ auid }}} -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*-a always,exit (?:-F path=([\S]+) )+-F auid>={{{ auid }}} -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]q|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
<filter action="exclude">state_proper_audit_rule_but_for_unprivileged_command</filter>
</ind:textfilecontent54_object>
@@ -92,7 +92,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_arpc_suid_sgid_auditctl" version="1">
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*-a always,exit (?:-F path=([\S]+) )+-F perm=[r|w]?x -F auid>={{{ auid }}} -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*-a always,exit (?:-F path=([\S]+) )+-F auid>={{{ auid }}} -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
<filter action="exclude">state_proper_audit_rule_but_for_unprivileged_command</filter>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
index b64ba71099..9bc45ba933 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
@@ -14,13 +14,13 @@ description: |-
<tt>/etc/audit/rules.d</tt> for each setuid / setgid program on the system,
replacing the <i>SETUID_PROG_PATH</i> part with the full path of that setuid /
setgid program in the list:
- <pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F auid>={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt> for each setuid / setgid program on the
system, replacing the <i>SETUID_PROG_PATH</i> part with the full path of that
setuid / setgid program in the list:
- <pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F auid>={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
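Review bot: The two example rules now carry no permission filter, and the description does not tell the reader what that changes: as I read auditctl semantics, a syscall rule keyed only on `-F path=` with no `-S` list fires for every syscall that references the inode (stat, open, attribute reads), not only for its execution, which is what `-F perm=x` used to restrict. Since this rule applies to every SUID/SGID program, a sentence after the first `<pre>` such as "Note that without a `perm=x` filter the rule records every access to the program, not only its execution, so expect more events than an execute-only watch produces." would let administrators size their audit logging accordingly. The description block continues outside this hunk.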
From 96ac5e82f8ced55f7d49711520057dccba46e218 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 19 Oct 2020 14:00:24 +0200
Subject: [PATCH 02/10] align with other rules fixing auditing of privileged
commands
remove the part checking perm= permissions
change how the rule key is handled (-k vs -F key=)
---
...t_rules_privileged_commands_remediation.sh | 29 ++-----------------
1 file changed, 2 insertions(+), 27 deletions(-)
diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
index d5df7b23b9..ff76b250f0 100644
--- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
@@ -79,7 +79,7 @@ do
local count_of_inspected_files=0
# Define expected rule form for this binary
- expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=unset -k privileged"
+ expected_rule="-a always,exit -F path=${sbinary} -F auid>=${min_auid} -F auid!=unset -F key=privileged"
# If list of audit rules files to be inspected is empty, just add new rule and move on to next binary
if [[ ${#files_to_inspect[@]} -eq 0 ]]; then
@@ -101,7 +101,7 @@ do
# them in arbitrary order)
base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'[^[:graph:]]/!d' \
- -e '/-F path=[^[:space:]]\+/!d' -e '/-F perm=.*/!d' \
+ -e '/-F path=[^[:space:]]\+/!d' \
-e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d' \
-e '/-k \|-F key=/!d' "$afile")
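Review bot: `base_search` treats a rule as present when each field occurs anywhere on the line, in any order and with any whitespace, whereas the OVAL pattern for the same files (patch 01, shared.xml: `-a always,exit (?:-F path=… )+-F auid>=… -F auid!=…` with single spaces) requires that exact order and spacing. A hand-written rule such as `-a always,exit -F auid>=1000 -F auid!=unset -F path=/usr/bin/sudo -k privileged` is therefore counted as already remediated here and left untouched, yet still fails the scan. Either tighten the sed filters to the order the OVAL expects or relax the OVAL to match fields independently. The enclosing per-file loop starts and ends outside this hunk.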
@@ -127,31 +127,6 @@ do
# Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
readarray -t sbinaries_to_skip < <(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)
- # Separate concrete_rule into three sections using hash '#'
- # sign as a delimiter around rule's permission section borders
- concrete_rule="$(echo "$concrete_rule" | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\)\+/\1#\2#/p")"
-
- # Split concrete_rule into head, perm, and tail sections using hash '#' delimiter
-
- rule_head=$(cut -d '#' -f 1 <<< "$concrete_rule")
- rule_perm=$(cut -d '#' -f 2 <<< "$concrete_rule")
- rule_tail=$(cut -d '#' -f 3 <<< "$concrete_rule")
-
- # Extract already present exact access type [r|w|x|a] from rule's permission section
- access_type=${rule_perm//-F perm=/}
-
- # Verify current permission access type(s) for rule contain 'x' (execute) permission
- if ! grep -q "$exec_access" <<< "$access_type"
- then
-
- # If not, append the 'x' (execute) permission to the existing access type bits
- access_type="$access_type$exec_access"
- # Reconstruct the permissions section for the rule
- new_rule_perm="-F perm=$access_type"
- # Update existing rule in current audit rules file with the new permission section
- sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${new_rule_perm}${rule_tail}#" "$afile"
-
- fi
# If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions:
#
From e5a65a1de7eda39e237401417196e87fbc6ea840 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 20 Oct 2020 09:25:45 +0200
Subject: [PATCH 03/10] unify rule key for ansible remediation of
audit_rules_privileged_commands
---
.../audit_rules_privileged_commands/ansible/shared.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
index 79edfe1771..2433073a05 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
@@ -28,7 +28,7 @@
- name: Overwrites the rule in rules.d
lineinfile:
path: "{{ item.1.path }}"
- line: '-a always,exit -F path={{ item.0.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=special-config-changes'
+ line: '-a always,exit -F path={{ item.0.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
create: no
regexp: "^.*path={{ item.0.item }} .*$"
with_subelements:
@@ -38,7 +38,7 @@
- name: Adds the rule in rules.d
lineinfile:
path: /etc/audit/rules.d/privileged.rules
- line: '-a always,exit -F path={{ item.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=special-config-changes'
+ line: '-a always,exit -F path={{ item.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
create: yes
with_items:
- "{{ files_result.results }}"
@@ -49,7 +49,7 @@
- name: Inserts/replaces the rule in audit.rules
lineinfile:
path: /etc/audit/audit.rules
- line: '-a always,exit -F path={{ item.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=special-config-changes'
+ line: '-a always,exit -F path={{ item.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
create: yes
regexp: "^.*path={{ item.item }} .*$"
with_items:
From 573d95dce8872e66738eae427a2ab0ec4ef84a79 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 23 Oct 2020 13:46:47 +0200
Subject: [PATCH 04/10] fix typo in oval
---
.../audit_rules_privileged_commands/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
index 278bf6cb55..a04e9df71a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
@@ -68,7 +68,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_arpc_suid_sgid_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*-a always,exit (?:-F path=([\S]+) )+-F auid>={{{ auid }}} -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]q|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*-a always,exit (?:-F path=([\S]+) )+-F auid>={{{ auid }}} -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
<filter action="exclude">state_proper_audit_rule_but_for_unprivileged_command</filter>
</ind:textfilecontent54_object>
From 463462b27143b4d6c5246d20fc5c7dbc7ac4d48b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 23 Oct 2020 14:54:16 +0200
Subject: [PATCH 05/10] modify tests
---
.../tests/auditctl_one_rule.fail.sh | 2 +-
.../tests/auditctl_rules_with_perm_x.fail.sh | 7 +++++++
.../tests/augenrules_one_rule.fail.sh | 2 +-
.../tests/augenrules_rules_with_perm_x.fail.sh | 8 ++++++++
.../tests/augenrules_two_rules_mixed_keys.fail.sh | 4 ++--
.../tests/augenrules_two_rules_sep_files.fail.sh | 4 ++--
.../tests/generate_privileged_commands_rule.sh | 2 +-
7 files changed, 22 insertions(+), 7 deletions(-)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_with_perm_x.fail.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_with_perm_x.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh
index 5d2550760a..3f534d4deb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh
@@ -2,5 +2,5 @@
# remediation = bash
# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
-echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/audit.rules
+echo "-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/audit.rules
sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_with_perm_x.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_with_perm_x.fail.sh
new file mode 100644
index 0000000000..0ba1cfb201
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_with_perm_x.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# remediation = bash
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+
+./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/audit.rules
+sed -i -E 's/^(.*path=[[:graph:]]+ )(.*$)/\1-F perm=x \2/' /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh
index 0388acc598..ff78e3de3f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh
@@ -3,4 +3,4 @@
# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
mkdir -p /etc/audit/rules.d
-echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules
+echo "-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_with_perm_x.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_with_perm_x.fail.sh
new file mode 100644
index 0000000000..473d8a0b86
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_with_perm_x.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# remediation = bash
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+
+mkdir -p /etc/audit/rules.d
+./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules
+sed -i -E 's/^(.*path=[[:graph:]]+ )(.*$)/\1-F perm=x \2/' /etc/audit/rules.d/privileged.rules
+
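Review bot: The `# platform =` header on the third line lists only Red Hat Enterprise Linux 7 and 8, while the other augenrules tests touched by this commit also run on Fedora (`# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8`); unless the perm=x case is deliberately untested there, align it so the augenrules variants share one platform set. The file also ends with an empty added line that can be dropped.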
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh
index 1119dfaf35..8c7f04794c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh
@@ -3,5 +3,5 @@
# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
mkdir -p /etc/audit/rules.d
-echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules
-echo "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules
+echo "-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules
+echo "-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh
index 992d66ed27..b7258fe027 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh
@@ -3,5 +3,5 @@
# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
mkdir -p /etc/audit/rules.d
-echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/priv.rules
-echo "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules
+echo "-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/priv.rules
+echo "-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh
index 9dc0cd1ce2..ee4b678d6c 100755
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh
@@ -4,5 +4,5 @@ AUID=$1
KEY=$2
RULEPATH=$3
for file in $(find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null); do
- echo "-a always,exit -F path=$file -F perm=x -F auid>=$AUID -F auid!=unset -k $KEY" >> $RULEPATH
+ echo "-a always,exit -F path=$file -F auid>=$AUID -F auid!=unset -k $KEY" >> $RULEPATH
done
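Review bot: The loop iterates over an unquoted `$(find …)` and appends to an unquoted `$RULEPATH`, so any path containing whitespace would be split into several bogus rules. Stock SUID/SGID binaries have no spaces, so this only matters on unusual test hosts, but `find / -xdev \( -type f -perm -4000 -o -type f -perm -2000 \) -print0 2>/dev/null | while IFS= read -r -d '' file; do … done` is the robust form and also makes the `-o` grouping explicit.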
From e64e9228aadaddf8583a8ebf324d461410ca7197 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 23 Oct 2020 14:55:41 +0200
Subject: [PATCH 06/10] fix remediation
---
.../perform_audit_rules_privileged_commands_remediation.sh | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
index ff76b250f0..4e8aa1740d 100644
--- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
@@ -103,13 +103,12 @@ do
base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'[^[:graph:]]/!d' \
-e '/-F path=[^[:space:]]\+/!d' \
-e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d' \
+ -e '/-F perm=[rwxa]\+/d' \
-e '/-k \|-F key=/!d' "$afile")
# Increase the count of inspected files for this sbinary
count_of_inspected_files=$((count_of_inspected_files + 1))
- # Require execute access type to be set for existing audit rule
- exec_access='x'
# Search current audit rules file's content for presence of rule pattern for this sbinary
if [[ $base_search ]]
From d1ddd29ad33fcdc74c6201fe67c9ca1aa7f152f6 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 23 Oct 2020 14:55:55 +0200
Subject: [PATCH 07/10] change rule description
---
.../audit_rules_privileged_commands/rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
index 9bc45ba933..e597e49527 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
@@ -3,8 +3,8 @@ documentation_complete: true
title: 'Ensure auditd Collects Information on the Use of Privileged Commands'
description: |-
- At a minimum, the audit system should collect the execution of
- privileged commands for all users and root. To find the relevant setuid /
+ The audit system should collect information about usage of privileged
+ commands for all users and root. To find the relevant setuid /
setgid programs, run the following command for each local partition
<i>PART</i>:
<pre>$ sudo find <i>PART</i> -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null</pre>
From 51db8d7b8260f7b0c89f99b6d2e6780ae08de74a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 30 Oct 2020 13:48:57 +0100
Subject: [PATCH 08/10] modify bash remediation to better handle rules with
perm flag
---
...t_rules_privileged_commands_remediation.sh | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
index 4e8aa1740d..11e2f9fdd7 100644
--- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
@@ -103,7 +103,6 @@ do
base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'[^[:graph:]]/!d' \
-e '/-F path=[^[:space:]]\+/!d' \
-e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d' \
- -e '/-F perm=[rwxa]\+/d' \
-e '/-k \|-F key=/!d' "$afile")
# Increase the count of inspected files for this sbinary
@@ -123,10 +122,26 @@ do
readarray -t handled_sbinaries < <(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")
handled_sbinaries=("${handled_sbinaries[@]//-F path=/}")
- # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
+ # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
readarray -t sbinaries_to_skip < <(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)
+ # if there is aa -F perm flag, remove it
+ if grep -q '.*-F\s\+perm=[rwxa]\+.*' <<< "$concrete_rule"; then
+ # Separate concrete_rule into three sections using hash '#'
+ # sign as a delimiter around rule's permission section borders
+ # note that the trailing space after perm flag is captured because there would be
+ # two consecutive spaces after joining remaining parts of the rule together
+ concrete_rule="$(echo "$concrete_rule" | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\ \?\)\+/\1#\2#/p")"
+
+ # Split concrete_rule into head, perm, and tail sections using hash '#' delimiter
+ rule_head=$(cut -d '#' -f 1 <<< "$concrete_rule")
+ rule_perm=$(cut -d '#' -f 2 <<< "$concrete_rule")
+ rule_tail=$(cut -d '#' -f 3 <<< "$concrete_rule")
+
+ # Remove permissions section from existing rule in the file
+ sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${rule_tail}#" "$afile"
+ fi
# If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions:
#
# * in the "auditctl" mode of operation insert particular rule each time
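Review bot: `rule_head` and `rule_tail` are spliced unescaped into the `sed -i "s#…#…#"` expression near the end of the hunk, so `.`, `*`, `[`, `$` in the audited path are interpreted as regex syntax on the pattern side and `&` or `#` as replacement syntax on the right-hand side; the script already builds `sbinary_esc` for exactly this reason in `base_search`, and the same escaping belongs here (e.g. `head_esc=$(sed 's/[][\/.*^$]/\\&/g' <<< "$rule_head")`, likewise for the tail, used on the pattern side). The `\(.*\)\+` group in the splitting sed is equivalent to `\(.*\)` and reads as if repetition mattered. The enclosing per-binary loop starts and ends outside this hunk.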
From d2abc07778453eeac47c6bbf4e125bf5d4fdda7d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 2 Nov 2020 09:08:54 +0100
Subject: [PATCH 09/10] fix typos in comments
---
.../perform_audit_rules_privileged_commands_remediation.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
index 11e2f9fdd7..3ed6f10d86 100644
--- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
@@ -122,10 +122,10 @@ do
readarray -t handled_sbinaries < <(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")
handled_sbinaries=("${handled_sbinaries[@]//-F path=/}")
- # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
+ # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
readarray -t sbinaries_to_skip < <(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)
- # if there is aa -F perm flag, remove it
+ # if there is a -F perm flag, remove it
if grep -q '.*-F\s\+perm=[rwxa]\+.*' <<< "$concrete_rule"; then
# Separate concrete_rule into three sections using hash '#'
From 520c95a89c9c530a81e452fa7b4b4b4e5344e381 Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Mon, 2 Nov 2020 09:52:53 +0100
Subject: [PATCH 10/10] Update
shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
---
.../perform_audit_rules_privileged_commands_remediation.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
index 3ed6f10d86..532faeacef 100644
--- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
@@ -122,7 +122,7 @@ do
readarray -t handled_sbinaries < <(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")
handled_sbinaries=("${handled_sbinaries[@]//-F path=/}")
- # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
+ # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
readarray -t sbinaries_to_skip < <(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)
# if there is a -F perm flag, remove it