From e0a51fa56dbdf13392b9e7730fbb8caf58f6a4cc Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 3 Apr 2020 14:29:17 +0200
Subject: [PATCH] Fix regex in remediation
Binaries with common prefix (sudo vs sudoedit) were not handled properly
Force ordering of account and audit group
Rename rhel7 tests and make them applicable for rhel8 too
Add regression tests
Explain and make reordering pretty
---
...ctl_default.fail.sh => auditctl_default.fail.sh} | 2 +-
...g_rule.fail.sh => auditctl_missing_rule.fail.sh} | 2 +-
...l_one_rule.fail.sh => auditctl_one_rule.fail.sh} | 4 ++--
...ed.pass.sh => auditctl_rules_configured.pass.sh} | 2 +-
...s_default.fail.sh => augenrules_default.fail.sh} | 2 +-
...icated.fail.sh => augenrules_duplicated.fail.sh} | 2 +-
...rule.fail.sh => augenrules_missing_rule.fail.sh} | 2 +-
.../tests/augenrules_one_rule.fail.sh | 7 +++++++
....pass.sh => augenrules_rules_configured.pass.sh} | 2 +-
... augenrules_rules_configured_mixed_keys.pass.sh} | 2 +-
...l.sh => augenrules_two_rules_mixed_keys.fail.sh} | 2 +-
...il.sh => augenrules_two_rules_sep_files.fail.sh} | 2 +-
.../tests/rhel7_augenrules_one_rule.fail.sh | 7 -------
...h_own_key.pass.sh => rules_with_own_key.pass.sh} | 2 +-
...m_audit_rules_privileged_commands_remediation.sh | 2 +-
ssg/build_yaml.py | 13 +++++++++++--
16 files changed, 32 insertions(+), 23 deletions(-)
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_auditctl_default.fail.sh => auditctl_default.fail.sh} (74%)
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_auditctl_missing_rule.fail.sh => auditctl_missing_rule.fail.sh} (82%)
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_auditctl_one_rule.fail.sh => auditctl_one_rule.fail.sh} (50%)
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_auditctl_rules_configured.pass.sh => auditctl_rules_configured.pass.sh} (80%)
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_default.fail.sh => augenrules_default.fail.sh} (63%)
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_duplicated.fail.sh => augenrules_duplicated.fail.sh} (85%)
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_missing_rule.fail.sh => augenrules_missing_rule.fail.sh} (78%)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_rules_configured.pass.sh => augenrules_rules_configured.pass.sh} (74%)
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_rules_configured_mixed_keys.pass.sh => augenrules_rules_configured_mixed_keys.pass.sh} (83%)
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_two_rules_mixed_keys.fail.sh => augenrules_two_rules_mixed_keys.fail.sh} (84%)
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_two_rules_sep_files.fail.sh => augenrules_two_rules_sep_files.fail.sh} (84%)
delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_one_rule.fail.sh
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_rules_with_own_key.pass.sh => rules_with_own_key.pass.sh} (70%)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_default.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh
similarity index 74%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_default.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh
index 5668e9d59..b89717805 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_default.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh
@@ -1,6 +1,6 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
# remediation = bash
-# platform = Red Hat Enterprise Linux 7
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_missing_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh
similarity index 82%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_missing_rule.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh
index 9ff90cc2b..1b8f348c4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_missing_rule.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh
@@ -1,7 +1,7 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
# remediation = bash
-# platform = Red Hat Enterprise Linux 7
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/audit.rules
sed -i '/newgrp/d' /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_one_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh
similarity index 50%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_one_rule.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh
index c74a0cc7c..16c6fada0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_one_rule.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh
@@ -1,7 +1,7 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
# remediation = bash
-# platform = Red Hat Enterprise Linux 7
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
-echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/audit.rules
+echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/audit.rules
sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_rules_configured.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh
similarity index 80%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_rules_configured.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh
index c9f338efd..911ce1798 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_rules_configured.pass.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh
@@ -1,7 +1,7 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
# remediation = bash
-# platform = Red Hat Enterprise Linux 7
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/audit.rules
sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_default.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh
similarity index 63%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_default.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh
index 4713a5360..6281f0751 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_default.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh
@@ -1,6 +1,6 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
# remediation = bash
-# platform = Red Hat Enterprise Linux 7,Fedora
+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
# augenrules is default for rhel7
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_duplicated.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh
similarity index 85%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_duplicated.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh
index 19b12d090..c01b95aa9 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_duplicated.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh
@@ -2,7 +2,7 @@
# profiles = xccdf_org.ssgproject.content_profile_ospp,xccdf_org.ssgproject.content_profile_pci-dss
# Remediation for this rule cannot remove the duplicates
# remediation = none
-# platform = Red Hat Enterprise Linux 7,Fedora
+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
mkdir -p /etc/audit/rules.d
./generate_privileged_commands_rule.sh 1000 privileged /tmp/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_missing_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh
similarity index 78%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_missing_rule.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh
index c007f5dd2..ba3b8dd57 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_missing_rule.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh
@@ -1,7 +1,7 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
# remediation = bash
-# platform = Red Hat Enterprise Linux 7,Fedora
+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
mkdir -p /etc/audit/rules.d
./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh
new file mode 100644
index 000000000..a136bb885
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+# remediation = bash
+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+
+mkdir -p /etc/audit/rules.d
+echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh
similarity index 74%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh
index 913ca4402..2badda362 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured.pass.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh
@@ -1,7 +1,7 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
# remediation = bash
-# platform = Red Hat Enterprise Linux 7,Fedora
+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
mkdir -p /etc/audit/rules.d
./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured_mixed_keys.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh
similarity index 83%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured_mixed_keys.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh
index a0ba4fac7..2a9c64215 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured_mixed_keys.pass.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh
@@ -1,7 +1,7 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
# remediation = bash
-# platform = Red Hat Enterprise Linux 7,Fedora
+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
mkdir -p /etc/audit/rules.d
./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_mixed_keys.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh
similarity index 84%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_mixed_keys.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh
index bc4a7c4bf..316d836d4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_mixed_keys.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh
@@ -1,7 +1,7 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
# remediation = bash
-# platform = Red Hat Enterprise Linux 7,Fedora
+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
mkdir -p /etc/audit/rules.d
echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_sep_files.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh
similarity index 84%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_sep_files.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh
index 0e7091053..78db285d1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_sep_files.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh
@@ -1,7 +1,7 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
# remediation = bash
-# platform = Red Hat Enterprise Linux 7,Fedora
+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
mkdir -p /etc/audit/rules.d
echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/priv.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_one_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_one_rule.fail.sh
deleted file mode 100644
index 591109a01..000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_one_rule.fail.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_pci-dss
-# remediation = bash
-# platform = Red Hat Enterprise Linux 7
-
-mkdir -p /etc/audit/rules.d
-echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_rules_with_own_key.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh
similarity index 70%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_rules_with_own_key.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh
index c40fd133d..123dd6dcd 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_rules_with_own_key.pass.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh
@@ -1,6 +1,6 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
# remediation = bash
-# platform = Red Hat Enterprise Linux 7,Fedora
+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
./generate_privileged_commands_rule.sh 1000 own_key /etc/audit/rules.d/privileged.rules
diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
index 6112f6adb..f595c71cb 100644
--- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
@@ -99,7 +99,7 @@ do
# * existing rule contains all arguments from expected rule form (though can contain
# them in arbitrary order)
- base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'/!d' \
+ base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'[^[:graph:]]/!d' \
-e '/-F path=[^[:space:]]\+/!d' -e '/-F perm=.*/!d' \
-e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d' \
-e '/-k \|-F key=/!d' "$afile")
diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
index 5e681b7e0..e3e138283 100644
--- a/ssg/build_yaml.py
+++ b/ssg/build_yaml.py
@@ -695,13 +695,22 @@ class Group(object):
# top level group, this ensures groups that further configure a package or service
# are after rules that install or remove it.
groups_in_group = list(self.groups.keys())
+ # The account group has to precede audit group because
+ # the rule package_screen_installed is desired to be executed before the rule
+ # audit_rules_privileged_commands, othervise the rule
+ # does not catch newly installed screeen binary during remediation
+ # and report fail
# The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS.
# the firewalld_activation must come before ruleset_modifications, othervise
# remediations for ruleset_modifications won't work
# rules from group disabling_ipv6 must precede rules from configuring_ipv6,
# otherwise the remediation prints error although it is successful
- priority_order = ["fips", "crypto", "firewalld_activation",
- "ruleset_modifications", "disabling_ipv6", "configuring_ipv6"]
+ priority_order = [
+ "accounts", "auditing",
+ "fips", "crypto",
+ "firewalld_activation", "ruleset_modifications",
+ "disabling_ipv6", "configuring_ipv6"
+ ]
groups_in_group = reorder_according_to_ordering(groups_in_group, priority_order)
for group_id in groups_in_group:
_group = self.groups[group_id]
--
2.21.1