From bb68e10170f532fed47277d76eb74f4fad498039 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <jlieskov@redhat.com>
Date: Fri, 24 Jul 2015 16:21:04 +0200
Subject: [PATCH] [Enhancement] [RHEL/7] New RHEL-7 audit time remediations for
following rules: * audit_rules_time_adjtimex, *
audit_rules_time_settimeofday, and * audit_rules_time_stime
Testing report:
--------------
Verified manually on a RHEL-7 host that the changes work correctly in both
scenarios: the expected rule entirely absent from the audit.rules configuration,
and the expected rule only partially present in the audit.rules configuration.
---
.../input/fixes/bash/audit_rules_time_adjtimex.sh | 32 ++++++++++++++++++++++
.../fixes/bash/audit_rules_time_settimeofday.sh | 32 ++++++++++++++++++++++
RHEL/7/input/fixes/bash/audit_rules_time_stime.sh | 32 ++++++++++++++++++++++
3 files changed, 96 insertions(+)
create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh
create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh
create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_stime.sh
diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh b/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh
new file mode 100644
index 0000000..43fdfbb
--- /dev/null
+++ b/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh
@@ -0,0 +1,32 @@
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+# Perform the remediation for the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+
+ PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
+
+ # Create expected audit group and audit rule form for particular system call & architecture
+ if [ ${ARCH} = "b32" ]
+ then
+ # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
+ # so append it to the list of time group system calls to be audited
+ GROUP="\(adjtimex\|settimeofday\|stime\)"
+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
+ elif [ ${ARCH} = "b64" ]
+ then
+ # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
+ # therefore don't add it to the list of time group system calls to be audited
+ GROUP="\(adjtimex\|settimeofday\)"
+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
+ fi
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+done
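Review bot: The `getconf` command substitution in the architecture check is unquoted, so if `getconf LONG_BIT` prints nothing the test degrades to `[ = "32" ]`, which fails with a syntax error, and the `||` branch then silently installs both architectures' rules; quote it as `[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")`. The same line appears in audit_rules_time_settimeofday.sh and audit_rules_time_stime.sh, and all three files are byte-identical (same blob index 43fdfbb), so a one-line header comment stating that each of the three rules intentionally installs the complete time-group rule (one audit line covers all three syscalls) would save the next maintainer from treating it as a copy-paste mistake. A why-comment on the RULE_ARCHS line would also help whoever reads the resulting audit.rules, e.g. `# On 64-bit hosts install both arch=b32 and arch=b64 rules: a 64-bit kernel still services 32-bit syscalls, so a b64-only rule would miss them`. The `-k *` tail of PATTERN is a basic-regex ` *` (zero or more spaces) rather than a shell glob; presumably that is what fix_audit_syscall_rule expects, but it is worth confirming against the sourced library, since that pattern decides what counts as a partially present rule.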
diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh b/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh
new file mode 100644
index 0000000..43fdfbb
--- /dev/null
+++ b/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh
@@ -0,0 +1,32 @@
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+# Perform the remediation for the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+
+ PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
+
+ # Create expected audit group and audit rule form for particular system call & architecture
+ if [ ${ARCH} = "b32" ]
+ then
+ # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
+ # so append it to the list of time group system calls to be audited
+ GROUP="\(adjtimex\|settimeofday\|stime\)"
+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
+ elif [ ${ARCH} = "b64" ]
+ then
+ # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
+ # therefore don't add it to the list of time group system calls to be audited
+ GROUP="\(adjtimex\|settimeofday\)"
+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
+ fi
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+done
diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh b/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh
new file mode 100644
index 0000000..43fdfbb
--- /dev/null
+++ b/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh
@@ -0,0 +1,32 @@
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+# Perform the remediation for the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+
+ PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
+
+ # Create expected audit group and audit rule form for particular system call & architecture
+ if [ ${ARCH} = "b32" ]
+ then
+ # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
+ # so append it to the list of time group system calls to be audited
+ GROUP="\(adjtimex\|settimeofday\|stime\)"
+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
+ elif [ ${ARCH} = "b64" ]
+ then
+ # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
+ # therefore don't add it to the list of time group system calls to be audited
+ GROUP="\(adjtimex\|settimeofday\)"
+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
+ fi
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+done