diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open.rule new file mode 100644 index 0000000000..c69567f1c7 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open.rule @@ -0,0 +1,36 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Record Events that Modify User/Group Information via open syscall - /etc/group' + +description: |- + The audit system should collect write events to /etc/group file for all users and root. + If the auditd daemon is configured + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
+ +rationale: |- + Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. + Auditing these events could serve as evidence of potential system compromise. + +severity: medium + +references: + ospp@rhel7: FAU_GEN.1.1.c + +{{{ complete_ocil_entry_audit_syscall(syscall="open") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
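Review bot: The `-F a2&03` filter on both rule lines in the description, and again in the warnings example, tests the wrong argument for open(2): its flags are the second argument (`a1`), while `a2` is the `mode` value that is only meaningful with O_CREAT, so a plain `open("/etc/group", O_WRONLY)` is not guaranteed to match and write events can go unrecorded. The lines should read `-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify` (and the b64 twin), and the grouped `-S open,openat,open_by_handle_at -F a2&03` example cannot cover all three calls with one filter because the flags sit in different argument positions, so `open` needs its own line. The description also shows only a b32 line for /etc/audit/rules.d and only a b64 line for audit.rules, whereas the OVAL template in this change defines `_32bit_` and `_64bit_` tests for both locations, so a reader following the text literally will presumably fail the check; both lines should be listed for each location. Finally, "for all users and root" overstates what `auid>=1000 -F auid!=unset` records, since sessions whose login UID is below 1000 (root logging in directly, system services) are excluded, and the text should say so.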
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at.rule new file mode 100644 index 0000000000..c33354b287 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at.rule @@ -0,0 +1,36 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group' + +description: |- + The audit system should collect write events to /etc/group file for all group and root. + If the auditd daemon is configured + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
+ +rationale: |- + Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. + Auditing these events could serve as evidence of potential system compromise. + +severity: medium + +references: + ospp@rhel7: FAU_GEN.1.1.c + +{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
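Review bot: The description says the rule collects write events "for all group and root", which is a copy error for "users" and, more importantly, misdescribes the `auid>=1000 -F auid!=unset` filter, which excludes root and system sessions by login UID; I'd reword it to `for all users with a login UID of 1000 or more`. For open_by_handle_at(2) the flags are the third argument, so `a2&03` is correct on the two rule lines here, but the warnings example applies the same `a2&03` to `open`, whose flags are `a1`, so that example silently misses write-opens via open(2); it should either drop `open` from the list or note that `open` needs a separate `a1&03` line. The description also presents a single b32 line for rules.d and a single b64 line for audit.rules, while the OVAL template introduced in this change carries tests for both architectures in each file, so both lines should be shown for each location.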
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat.rule new file mode 100644 index 0000000000..61bde4d6e9 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat.rule @@ -0,0 +1,36 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Record Events that Modify User/Group Information via openat syscall - /etc/group' + +description: |- + The audit system should collect write events to /etc/group file for all users and root. + If the auditd daemon is configured + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
+ +rationale: |- + Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. + Auditing these events could serve as evidence of potential system compromise. + +severity: medium + +references: + ospp@rhel7: FAU_GEN.1.1.c + +{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
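Review bot: The description instructs the reader to add only the `arch=b32` line under /etc/audit/rules.d and only the `arch=b64` line to /etc/audit/audit.rules, yet the OVAL template added in this same change has `_32bit_` and `_64bit_` tests for both the augenrules and auditctl locations, so each location should list both lines (an `arch=b32` rule matches only the 32-bit syscall ABI, so an x86_64 host with just that line would not audit native openat calls). For openat(2) the flags are `a2`, so `a2&03` is right on this rule, but the warnings example `-S open,openat,open_by_handle_at -F a2&03` folds in `open`, whose flags are `a1`; I'd change it to `-S openat,open_by_handle_at -F a2&03 ...` and say that `open` must stay on its own `a1&03` line. "for all users and root" should also be qualified, since `auid>=1000 -F auid!=unset` deliberately excludes root and system sessions by login UID.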
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at.rule new file mode 100644 index 0000000000..0f91bb7d58 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at.rule @@ -0,0 +1,36 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd' + +description: |- + The audit system should collect write events to /etc/passwd file for all users and root. + If the auditd daemon is configured + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+ +rationale: |- + Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. + Auditing these events could serve as evidence of potential system compromise. + +severity: medium + +references: + ospp@rhel7: FAU_GEN.1.1.c + +{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
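Review bot: The warnings example groups `open` with `openat` and `open_by_handle_at` under a single `-F a2&03`, but open(2) takes its flags in `a1`, so the grouped line as written would not catch write-opens of /etc/passwd through open(2); the example should either list only `openat,open_by_handle_at` or state that `open` needs a separate `a1&03` rule (the `a2&03` on this file's own open_by_handle_at lines is correct). The description's "for all users and root" does not match `auid>=1000 -F auid!=unset`, which excludes root and system sessions by login UID, and the rationale's "direct edition of /etc/passwd" should read `direct editing of /etc/passwd`. As in the sibling rules, only a b32 line is shown for rules.d and only a b64 line for audit.rules, while the accompanying OVAL template tests for both architectures in each location, so both lines belong under each heading.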
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat.rule new file mode 100644 index 0000000000..f1fab2b945 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat.rule @@ -0,0 +1,36 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Record Events that Modify User/Group Information via openat syscall - /etc/passwd' + +description: |- + The audit system should collect write events to /etc/passwd file for all users and root. + If the auditd daemon is configured + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+ +rationale: |- + Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. + Auditing these events could serve as evidence of potential system compromise. + +severity: medium + +references: + ospp@rhel7: FAU_GEN.1.1.c + +{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
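Review bot: The two rule lines in the description are split so that rules.d gets only `arch=b32` and audit.rules only `arch=b64`, but the OVAL template from this change defines 32-bit and 64-bit tests for both locations, so each location should show both lines; on its own the b32 rule never matches a native 64-bit openat call. `a2&03` is the right flags argument for openat(2), yet the grouped warnings example applies it to `open` as well, whose flags are `a1`, so that example should drop `open` or add a note that `open` requires its own `a1&03` line. Two wording points: "for all users and root" contradicts the `auid>=1000 -F auid!=unset` filter, which excludes root and system sessions by login UID, and "direct edition of /etc/passwd" in the rationale should be `direct editing of /etc/passwd`. If leaving /etc/shadow out of this rule set is intentional, a sentence in the rationale saying so would stop readers assuming password hashes are covered.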
diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile index 343ac9eb3c..68f4e38bc8 100644 --- a/rhel7/profiles/ospp42.profile +++ b/rhel7/profiles/ospp42.profile @@ -171,3 +171,8 @@ selections: - audit_rules_kernel_module_loading_rmmod - security_patches_up_to_date - audit_rules_etc_passwd_open + - audit_rules_etc_passwd_openat + - audit_rules_etc_passwd_open_by_handle_at + - audit_rules_etc_group_open + - audit_rules_etc_group_openat + - audit_rules_etc_group_open_by_handle_at diff --git a/shared/templates/create_audit_rules_path_syscall.py b/shared/templates/create_audit_rules_path_syscall.py new file mode 100644 index 0000000000..0283bf439c --- /dev/null +++ b/shared/templates/create_audit_rules_path_syscall.py @@ -0,0 +1,33 @@ +#!/usr/bin/python2 + +# +# create_audit_rules_path_syscall_detailed.py +# generate template-based checks for changes to a path via syscalls + + +from template_common import FilesGenerator, UnknownTargetError + +import re + +class AuditRulesPathSyscallGenerator(FilesGenerator): + def generate(self, target, args): + path,syscall = args[0:2] + pathid = re.sub('[-\./]', '_', path) + # remove root slash made into '_' + pathid = pathid[1:] + if target == "oval": + self.file_from_template( + "./template_OVAL_audit_rules_path_syscall", + { + "PATH": path, + "PATHID": pathid, + "SYSCALL": syscall + }, + "./oval/audit_rules_{0}_{1}.xml", pathid, syscall + ) + else: + raise UnknownTargetError(target) + + def csv_format(self): + return("CSV should contains lines of the format: " + + "PATH,SYSCALL") diff --git a/shared/templates/csv/audit_rules_path_syscall.csv b/shared/templates/csv/audit_rules_path_syscall.csv new file mode 100644 index 0000000000..015f02f58d --- /dev/null +++ b/shared/templates/csv/audit_rules_path_syscall.csv 
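Review bot: In `AuditRulesPathSyscallGenerator.generate` (create_audit_rules_path_syscall.py) the `pathid[1:]` slice assumes `path` begins with `/`, but nothing checks this, so a relative or empty CSV entry yields a silently truncated identifier and a mis-named OVAL file; a guard such as `if not path.startswith('/'): raise ValueError('path must be absolute: %r' % path)` right after the unpack makes the failure explicit. The raw `path` is also passed to the template as `PATH`, which the OVAL template embeds inside a regex (`path={{{ PATH }}}`), so a path containing `.` or other metacharacters would match more than intended; supplying an extra key such as `"PATH_REGEX": re.escape(path)` for the pattern lines, while keeping `PATH` for the title text, would avoid that (the template would then need to reference it). Smaller points: the header comment names the file `create_audit_rules_path_syscall_detailed.py`, which does not match the actual file name; the pattern `'[-\./]'` should be a raw string `r'[-./]'` so the backslash is not an invalid escape on newer interpreters; and the `csv_format` text reads `CSV should contains`, where `should contain` is meant.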
@@ -0,0 +1,11 @@ +# format: +# , +# - path is the absolute path to watch +# - syscall is the syscall to wath the path for + +/etc/passwd,open +/etc/passwd,openat +/etc/passwd,open_by_handle_at +/etc/group,open +/etc/group,openat +/etc/group,open_by_handle_at diff --git a/shared/checks/oval/audit_rules_etc_passwd_open.xml b/shared/templates/template_OVAL_audit_rules_path_syscall similarity index 52% rename from shared/checks/oval/audit_rules_etc_passwd_open.xml rename to shared/templates/template_OVAL_audit_rules_path_syscall index fd5c3efb28..dcc1d7b0a2 100644 --- a/shared/checks/oval/audit_rules_etc_passwd_open.xml +++ b/shared/templates/template_OVAL_audit_rules_path_syscall @@ -1,12 +1,12 @@ - + - Ensure auditd Collects Write Events to /etc/passwd + Ensure auditd Collects Write Events to {{{ PATH }}} Red Hat Enterprise Linux 7 multi_platform_fedora - Audit rules about the write events to /etc/passwd + Audit rules about the write events to {{{ PATH }}} @@ -14,26 +14,26 @@ - + - + - + - + 
@@ -41,55 +41,55 @@ - - ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - - ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - + - + comment="defined audit rule must exist" id="test_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_32bit_augenrules" version="1"> + - + /etc/audit/rules\.d/.*\.rules - + 1 - + comment="defined audit rule must exist" id="test_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_64bit_augenrules" version="1"> + - + /etc/audit/rules\.d/.*\.rules - + 1 - + - + comment="defined audit rule must exist" id="test_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_32bit_auditctl" version="1"> + - + /etc/audit/audit.rules - + 1 - + comment="defined audit rule must exist" id="test_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_64bit_auditctl" version="1"> + - + /etc/audit/audit.rules - + 1 diff --git a/shared/templates/template_common.py b/shared/templates/template_common.py index b0fdf5fcc9..c8930ee05c 100644 
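Review bot: Both pattern lines in this hunk hard-code `-F[\s]+a2&03` regardless of `{{{ SYSCALL }}}`, but for open(2) the access-mode flags are the second argument (`a1`); only openat(2) and open_by_handle_at(2) carry them in `a2`, so the generated `audit_rules_etc_passwd_open` and `audit_rules_etc_group_open` checks demand a filter on open's `mode` argument and would fail a correctly written `a1&03` rule. The generator should pass the argument name per syscall (for example a `FLAGS_ARG` constant, `a1` for open and `a2` otherwise) and the template should use `-F[\s]+{{{ FLAGS_ARG }}}&03`; the removed lines show the pre-rename passwd_open check already had this problem, so it is not a regression, but templating now propagates it to every syscall. `{{{ PATH }}}` is also spliced into the pattern unescaped, so a watched path containing `.` would behave as a wildcard; escaping it in the generator or the template keeps the check exact. The `_32bit_` and `_64bit_` tests for both the augenrules and auditctl locations presumably require a rule line for both architectures in each file, which the rule descriptions in this change do not reflect.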
--- a/shared/templates/template_common.py +++ b/shared/templates/template_common.py @@ -78,14 +78,15 @@ def get_template_filename(self, filename): raise TemplateNotFoundError(filename, paths) def file_from_template(self, template_filename, constants, - filename_format, filename_value): + filename_format, filename_value, *extra_filename_args): """ Load template, fill constant and create new file """ template_filepath = self.get_template_filename(template_filename) + format_args = (filename_value,) + extra_filename_args output_filepath = os.path.join( - self.output_dir, filename_format.format(filename_value) + self.output_dir, filename_format.format(*format_args) ) if self.action == ActionType.INPUT:
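Review bot: The docstring of `file_from_template` still reads only `Load template, fill constant and create new file` and says nothing about the new `*extra_filename_args`, which are further positional fields for `filename_format` after `filename_value`; I'd add a line such as `extra_filename_args: additional positional values substituted into filename_format (e.g. a syscall name)`. The intermediate `format_args` tuple can be dropped in favour of `filename_format.format(filename_value, *extra_filename_args)`, which reads the same and avoids the tuple concatenation. Because the formatted name is joined onto `self.output_dir` without normalisation, an extra argument containing `/` or `..` would write outside the output directory; the values come from repository-controlled CSV so this is low risk, but an `os.path.normpath`-based containment check, or rejecting `/` in the extra arguments, would make the generator robust. The function body continues past the end of the hunk.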