From 47cbe417900d38f1ad98d9adee4b3382cdc80311 Mon Sep 17 00:00:00 2001 From: Nathan Peters Date: Fri, 5 Jan 2018 17:39:42 -0800 Subject: [PATCH 1/2] updated kernel module loading init and delete to use b32 and b64 --- shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh | 2 +- shared/fixes/bash/audit_rules_kernel_module_loading_init.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh index 97cdfae457..76a29eedc4 100644 --- a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh +++ b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh @@ -9,7 +9,7 @@ # it's not required on a 64-bit system to check also for the presence # of 32-bit's equivalent of the corresponding rule. Therefore for # each system it's enought to check presence of system's native rule form. -[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64") +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh index 83f904bab7..ec275c91f8 100644 --- a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh +++ b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh @@ -9,7 +9,7 @@ # it's not required on a 64-bit system to check also for the presence # of 32-bit's equivalent of the corresponding rule. Therefore for # each system it's enought to check presence of system's native rule form. -[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64") +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do From 23d66767a7f6100481f985d4282ffe19ab5bc26c Mon Sep 17 00:00:00 2001 
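Review bot: `getconf LONG_BIT` reports the word size of the userland libc, not of the running kernel, so a 64-bit kernel with a 32-bit userspace still takes the `"32"` branch of the changed line and installs only the `b32` delete_module rule, leaving the native 64-bit syscall unaudited. Keying the decision on the kernel's machine type is closer to what the rule is about, e.g. `case "$(uname -m)" in x86_64|aarch64|ppc64*|s390x) RULE_ARCHS=("b32" "b64") ;; *) RULE_ARCHS=("b32") ;; esac`, though which of those architectures actually accept b32 rules should be confirmed against the audit documentation. The `A && B || C` form also relies on the array assignment never failing, which happens to hold here but reads as a conditional. The loop body that consumes RULE_ARCHS continues outside the hunk.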
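Review bot: The same `getconf LONG_BIT` decision is duplicated byte-for-byte in the init_module script, so a future correction (for instance switching to `uname -m` so the kernel rather than libc decides) has to be made in two places and can drift. Since both remediations already source the shared `remediation_functions` library elsewhere in this tree, a single helper such as `audit_rule_archs` returning the array would keep init and delete in step. The loop that applies the rules runs past the end of the hunk.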
From: Nathan Peters Date: Fri, 12 Jan 2018 10:31:51 -0800 Subject: [PATCH 2/2] updated comments to not contradict the remediation code --- shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh | 8 ++++---- shared/fixes/bash/audit_rules_kernel_module_loading_init.sh | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh index 76a29eedc4..59aadeeef8 100644 --- a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh +++ b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh @@ -5,10 +5,10 @@ # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system -# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel => -# it's not required on a 64-bit system to check also for the presence -# of 32-bit's equivalent of the corresponding rule. Therefore for -# each system it's enought to check presence of system's native rule form. +# If the system has a 32-bit processor, only the 32-bit rule is needed. +# If the system has a 64-bit processor, both arch 32 and 64 need to be included in +# the audit file because it is not possible to know if the computer will be booted +# in 64 or 32 bit mode or for which architecture a binary is compiled. [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh index ec275c91f8..04b06f9dee 100644 --- a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh +++ b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh 
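Review bot: The replacement comment gives the wrong reason for needing both arches: at remediation time the script is already running on whichever kernel was booted, and `getconf LONG_BIT` settles that case, so "it is not possible to know if the computer will be booted in 64 or 32 bit mode" does not explain anything. The reason a 64-bit system needs the `b32` rule as well is that a 64-bit kernel still accepts syscalls through the 32-bit compat ABI, and an `arch=b64` rule does not match those, so a 32-bit process could call delete_module without being audited. I would replace the last three comment lines with `# On a 64-bit kernel 32-bit (compat) processes issue syscalls through the`, `# 32-bit ABI, which an arch=b64 rule does not match, so both b32 and b64`, `# rules are needed or the audit can be bypassed.`.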
@@ -5,10 +5,10 @@ # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system -# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel => -# it's not required on a 64-bit system to check also for the presence -# of 32-bit's equivalent of the corresponding rule. Therefore for -# each system it's enought to check presence of system's native rule form. +# If the system has a 32-bit processor, only the 32-bit rule is needed. +# If the system has a 64-bit processor, both arch 32 and 64 need to be included in +# the audit file because it is not possible to know if the computer will be booted +# in 64 or 32 bit mode or for which architecture a binary is compiled. [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" From 27363bc92905f8b7a5271480c64051869f2565d8 Mon Sep 17 00:00:00 2001 From: Nathan Peters Date: Thu, 18 Jan 2018 17:18:07 -0800 Subject: [PATCH] fixed syntax issue with sed expression in auditd_data_retention_space_left.sh --- shared/fixes/bash/auditd_data_retention_space_left.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/fixes/bash/auditd_data_retention_space_left.sh b/shared/fixes/bash/auditd_data_retention_space_left.sh index 1c13cd4e34..f4ae92b044 100644 --- a/shared/fixes/bash/auditd_data_retention_space_left.sh +++ b/shared/fixes/bash/auditd_data_retention_space_left.sh @@ -3,7 +3,7 @@ populate var_auditd_space_left grep -q ^space_left /etc/audit/auditd.conf && \ - sed -i "s/space_left.*/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf + sed -i "s/^space_left[[:space:]]*=.*/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf if ! [ $? -eq 0 ]; then echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf fi From 0aca8aa12b070625f138e4e1f90622e89e8b6f21 Mon Sep 17 00:00:00 2001 
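Review bot: As in the delete_module script, the new comment justifies the `b32`+`b64` pair with the boot mode and the compile target of "a binary", which misstates the actual mechanism; the script runs on the booted kernel, and what matters is that an `arch=b64` rule does not see init_module calls made through the 32-bit compat syscall ABI. A comment stating that directly, e.g. `# Both arches are required on 64-bit kernels: compat (32-bit) callers use the b32 syscall ABI, which arch=b64 rules do not match.`, would also stop the two scripts from disagreeing with the audit documentation. The `for ARCH` loop that follows continues outside the hunk.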
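Review bot: The new sed expression interpolates `$var_auditd_space_left` into the replacement unescaped, so a value containing `/`, `&` or a backslash would corrupt the expression or the written line; the value comes from `populate`, so this is presumably a well-formed number in practice, but a defensive comment or a sanity check such as `[[ "$var_auditd_space_left" =~ ^[0-9]+$ ]] || exit 1` before the edit would make that explicit. The `g` flag is also redundant because the pattern is anchored at `^` and can match at most once per line. Note that the guarding `grep -q ^space_left` on the context line above still matches `space_left_action` lines, so the append branch below `fi` can be skipped when only that key is present.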
From: OnceUponALoop Date: Mon, 26 Feb 2018 20:58:06 -0600 Subject: [PATCH] Fixes #2607 - audit_rules_login_events --- shared/templates/create_audit_rules_login_events.py | 2 +- shared/templates/csv/audit_rules_login_events.csv | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/templates/create_audit_rules_login_events.py b/shared/templates/create_audit_rules_login_events.py index 111a27a130..3dc1f5cb0d 100644 --- a/shared/templates/create_audit_rules_login_events.py +++ b/shared/templates/create_audit_rules_login_events.py @@ -14,7 +14,7 @@ class AuditRulesLoginEventsGenerator(FilesGenerator): def generate(self, target, args): path = args[0] - name = re.sub('[-\./]', '_', os.path.basename(path)) + name = re.sub('[-\./]', '_', os.path.basename(os.path.normpath(path))) if target == "oval": self.file_from_template( "./template_OVAL_audit_rules_login_events", diff --git a/shared/templates/csv/audit_rules_login_events.csv b/shared/templates/csv/audit_rules_login_events.csv index cdec8d6b8e..5c9793afbe 100644 --- a/shared/templates/csv/audit_rules_login_events.csv +++ b/shared/templates/csv/audit_rules_login_events.csv @@ -1,3 +1,3 @@ -/var/run/faillock +/var/run/faillock/ /var/log/lastlog /var/log/tallylog From 318cc38b11f8b7fc6d4a30dd7db20f5bc57a4c8d Mon Sep 17 00:00:00 2001 
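Review bot: The regex on the changed line is a plain string containing `\.`, which Python 3 treats as an invalid escape sequence (a DeprecationWarning from 3.6 on); inside a character class the dot needs no escaping at all, so `name = re.sub(r'[-./]', '_', os.path.basename(os.path.normpath(path)))` is both cleaner and future-proof. It is also worth a comment that `normpath` is what strips the trailing slash that the CSV now carries for `/var/run/faillock/`, since `basename` of a path ending in `/` would otherwise be empty and yield an empty template name. The rest of `generate` is outside the hunk.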
From: Watson Sato Date: Mon, 12 Mar 2018 18:37:34 +0100 Subject: [PATCH 1/4] Add tests for ensure_logrotate_activated --- .../rule_ensure_logrotate_activated/cron_daily_configured.pass.sh | 7 +++++++ .../logrotate_conf_configured.pass.sh | 8 ++++++++ .../rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh | 6 ++++++ .../rule_ensure_logrotate_activated/logrotate_no_config.fail.sh | 6 ++++++ 4 files changed, 27 insertions(+) create mode 100644 tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh create mode 100644 tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh create mode 100644 tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh create mode 100644 tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh new file mode 100644 index 0000000000..2debba3186 --- /dev/null +++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_pci-dss + +# make sure config in logrotate conf is misconfigured +sed -i "s/daily/weekly/" /etc/logrotate.conf + +# default for cron.daily for RHEL7 is already correct diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh new file mode 100644 index 0000000000..0521eac274 
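Review bot: `sed -i "s/daily/weekly/" /etc/logrotate.conf` is unanchored, so it rewrites the first `daily` on every line, including comments and any directive that merely contains the substring, rather than the single global rotation keyword the scenario means to flip. Anchoring it to a whole line, `sed -i "s/^daily$/weekly/" /etc/logrotate.conf`, keeps the scenario from depending on what else the stock file happens to say. A one-line comment stating that the scenario expects the rule to pass on the strength of `/etc/cron.daily/logrotate` alone would also help, because the file name and the sed line otherwise look contradictory.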
--- /dev/null +++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_pci-dss + +# fix logrotate config +sed -i "s/weekly/daily/" /etc/logrotate.conf + +# remove default for cron.daily +rm /etc/cron.daily/logrotate diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh new file mode 100644 index 0000000000..671da30c0b --- /dev/null +++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_pci-dss +# remediation = none + +sed -i "s/daily/weekly/" /etc/logrotate.conf +rm /etc/cron.daily/logrotate diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh new file mode 100644 index 0000000000..69c0ca7ee5 --- /dev/null +++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_pci-dss +# remediation = none + +sed -i "/^daily/d" /etc/logrotate.conf +rm /etc/cron.daily/logrotate From 4301c45fffa27dfc03eee6b8b88301d888fb011b Mon Sep 17 00:00:00 2001 
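Review bot: `rm /etc/cron.daily/logrotate` in the new scenarios has no `-f`, so if the file is already absent (for example when a scenario is re-run on the same image) the command exits non-zero; whether that aborts the scenario depends on how the test runner treats setup failures, which is not visible here, but `rm -f /etc/cron.daily/logrotate` makes the setup idempotent either way. The same unanchored `s/daily/weekly/` substitution as in the sibling scenario appears in `logrotate_conf_weekly.fail.sh` and would be safer as `s/^daily$/weekly/`.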
From: Watson Sato Date: Mon, 12 Mar 2018 19:00:03 +0100 Subject: [PATCH 2/4] Update OVAL check for ensure_logrotate_activated Other parameters can be passed to logrotate besides the config file. And according to logrotate man page, there can be multiple configuration files, and the later ones override configuration done on earlier files. So we allow other parameters between logrotate command and config file, and ensure that /etc/logrotate.conf is the last file. --- shared/checks/oval/ensure_logrotate_activated.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/checks/oval/ensure_logrotate_activated.xml b/shared/checks/oval/ensure_logrotate_activated.xml index 641e4516ae..9feb9b7fdc 100644 --- a/shared/checks/oval/ensure_logrotate_activated.xml +++ b/shared/checks/oval/ensure_logrotate_activated.xml @@ -65,7 +65,7 @@ /etc/cron.daily/logrotate - ^[\s]*/usr/sbin/logrotate[\s]*/etc/logrotate.conf(?:.*)$ + ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$ 1 From ef15dd31ede1b96aa9b04feece43cc8d6c609ab8 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 12 Mar 2018 19:51:54 +0100 Subject: [PATCH 3/4] Add remediation for ensure_logrotate_activate --- shared/fixes/bash/ensure_logrotate_activated.sh | 7 +++++++ .../rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh | 1 - .../rule_ensure_logrotate_activated/logrotate_no_config.fail.sh | 1 - 3 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 shared/fixes/bash/ensure_logrotate_activated.sh diff --git a/shared/fixes/bash/ensure_logrotate_activated.sh b/shared/fixes/bash/ensure_logrotate_activated.sh new file mode 100644 index 0000000000..2d22e0df8b --- /dev/null +++ b/shared/fixes/bash/ensure_logrotate_activated.sh 
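Review bot: The dot in `/etc/logrotate.conf$` is left unescaped in the new pattern, so it matches any character there; combined with the very permissive `[\s\S]*` in the middle, a line that names a different file with a similar path would satisfy the check. Escaping it, `^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate\.conf$`, costs nothing and pins the intended file. A brief comment in the definition noting that the `$` anchor is what enforces "last configuration file wins" would save the next reader from re-deriving the reasoning in the commit message.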
@@ -0,0 +1,7 @@ +# platform = multi_platform_rhel + +# daily rotation is configured +grep -q "^daily$" /etc/logrotate.conf || echo "daily" >> /etc/logrotate.conf + +# remove any line configuring weekly, monthly or yearly rotation +sed -i -r "/^(weekly|monthly|yearly)$/d" /etc/logrotate.conf diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh index 671da30c0b..8c93377e76 100644 --- a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh +++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh @@ -1,6 +1,5 @@ #!/bin/bash # profiles = xccdf_org.ssgproject.content_profile_pci-dss -# remediation = none sed -i "s/daily/weekly/" /etc/logrotate.conf rm /etc/cron.daily/logrotate diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh index 69c0ca7ee5..88679f329f 100644 --- a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh +++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh @@ -1,6 +1,5 @@ #!/bin/bash # profiles = xccdf_org.ssgproject.content_profile_pci-dss -# remediation = none sed -i "/^daily/d" /etc/logrotate.conf rm /etc/cron.daily/logrotate From 44dc057232f17467597ed03416cd7417fde5430f Mon Sep 17 00:00:00 2001 
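Review bot: Appending `daily` to the end of `/etc/logrotate.conf` places it after whatever `include` directive and per-log stanzas the file already has; if logrotate applies global directives only to the definitions that follow them, as its configuration model suggests, a trailing `daily` may not reach the logs that matter, so inserting it near the top (for example before the first `include` or stanza line) would be more robust, and that assumption deserves a comment either way. The `sed -i -r "/^(weekly|monthly|yearly)$/d"` line also silently deletes any unindented global frequency the administrator chose, which is the intended effect but is worth stating in the comment above it. The `# platform = multi_platform_rhel` header commits this to every RHEL release, so the file path should probably be a variable as the later commit in this series does.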
From: Watson Sato Date: Tue, 13 Mar 2018 16:45:01 +0100 Subject: [PATCH 4/4] logrotate needs conf and crontab configured - Update OVAL definition to check for both logrotate.conf and cron.daily - Update remediation to add logrotate to cron.daily - Update test scenrios accordingly --- shared/checks/oval/ensure_logrotate_activated.xml | 2 +- shared/fixes/bash/ensure_logrotate_activated.sh | 13 +++++++++++-- .../logrotate_conf_weekly.fail.sh | 1 - ...aily_configured.pass.sh => logrotate_configured.pass.sh} | 4 ++-- ...f_configured.pass.sh => logrotate_no_cron_daily.fail.sh} | 0 5 files changed, 14 insertions(+), 6 deletions(-) rename tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/{cron_daily_configured.pass.sh => logrotate_configured.pass.sh} (56%) rename tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/{logrotate_conf_configured.pass.sh => logrotate_no_cron_daily.fail.sh} (100%) diff --git a/shared/checks/oval/ensure_logrotate_activated.xml b/shared/checks/oval/ensure_logrotate_activated.xml index 9feb9b7fdc..a34caaab5c 100644 --- a/shared/checks/oval/ensure_logrotate_activated.xml +++ b/shared/checks/oval/ensure_logrotate_activated.xml @@ -11,7 +11,7 @@ The frequency of automatic log files rotation performed by the logrotate utility should be configured to run daily - + > /etc/logrotate.conf +grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE # remove any line configuring weekly, monthly or yearly rotation -sed -i -r "/^(weekly|monthly|yearly)$/d" /etc/logrotate.conf +sed -i -r "/^(weekly|monthly|yearly)$/d" $LOGROTATE_CONF_FILE + +# configure cron.daily if not already +if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then + echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE + echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE +fi 
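Review bot: When `$CRON_DAILY_LOGROTATE_FILE` does not exist, `echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE` creates it with the default umask permissions and no execute bit, and run-parts skips non-executable entries in `/etc/cron.daily`, so the remediation can leave the check passing while logrotate never actually runs. Adding `chmod 0755 "$CRON_DAILY_LOGROTATE_FILE"` after the two echo lines closes that gap. The same branch also truncates an existing custom script that happened not to match the grep pattern, which is worth a comment so operators know their local wrapper will be replaced, and both variables should be double-quoted. The file and hunk headers for this script are garbled in the listing, so the variable definitions at the top of the new file are not visible here.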
diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh index 8c93377e76..30d1e29008 100644 --- a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh +++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh @@ -2,4 +2,3 @@ # profiles = xccdf_org.ssgproject.content_profile_pci-dss sed -i "s/daily/weekly/" /etc/logrotate.conf -rm /etc/cron.daily/logrotate diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_configured.pass.sh similarity index 56% rename from tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh rename to tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_configured.pass.sh index 2debba3186..170b8e9ed8 100644 --- a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh +++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_configured.pass.sh @@ -1,7 +1,7 @@ #!/bin/bash # profiles = xccdf_org.ssgproject.content_profile_pci-dss -# make sure config in logrotate conf is misconfigured -sed -i "s/daily/weekly/" /etc/logrotate.conf +# fix logrotate config +sed -i "s/weekly/daily/" /etc/logrotate.conf # default for cron.daily for RHEL7 is already correct 
diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_cron_daily.fail.sh similarity index 100% rename from tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh rename to tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_cron_daily.fail.sh From 9b32280bb07c28281f7bd97663e783e1846d4dc9 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 13 Mar 2018 19:54:13 +0100 Subject: [PATCH 1/8] Add test scenarios for audit_rules_login_events - default fail - no rules at all - default pass - default watch rules for tallylog, faillock and lastlog --- .../rule_audit_rules_login_events/default.fail.sh | 7 +++++++ .../rule_audit_rules_login_events/default.pass.sh | 9 +++++++++ 2 files changed, 16 insertions(+) create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh new file mode 100644 index 0000000000..ab4dc70c93 --- /dev/null +++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh 
@@ -0,0 +1,7 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_pci-dss +# remediation = bash + +rm -f /etc/audit/rules.d/* +> /etc/audit/audit.rules +true diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh new file mode 100644 index 0000000000..4f81075d4b --- /dev/null +++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh @@ -0,0 +1,9 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_pci-dss +# remediation = bash + +echo "-w /var/log/tallylog -p wa -k logins" >> /etc/audit/rules.d/logins.rules +echo "-w /var/run/faillock/ -p wa -k logins" >> /etc/audit/rules.d/logins.rules +echo "-w /var/log/lastlog -p wa -k logins" >> /etc/audit/rules.d/logins.rules + +cat /etc/audit/rules.d/logins.rules From 3743d6b1fdc6cfd7b2cdb2d4d934e47d9c456441 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 13 Mar 2018 20:16:20 +0100 Subject: [PATCH 2/8] Add test scenarios for auditd_data_retention_space_left_action - action_email - configures action to email - action_not_there - removes any configuration of space_left_action --- .../action_email.pass.sh | 5 +++++ .../action_not_there.fail.sh | 5 +++++ 2 files changed, 10 insertions(+) create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_email.pass.sh create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_not_there.fail.sh 
diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_email.pass.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_email.pass.sh new file mode 100644 index 0000000000..e340fef316 --- /dev/null +++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_email.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa +# remediation = bash + +sed -i "s/^space_left_action = .*$/space_left_action = email/" /etc/audit/auditd.conf diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_not_there.fail.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_not_there.fail.sh new file mode 100644 index 0000000000..13707b20da --- /dev/null +++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_not_there.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa +# remediation = bash + +sed -i "/^space_left_action = /d" /etc/audit/auditd.conf From 580f2d489741e293ceeb4e3863298351d0ac5c29 Mon Sep 17 00:00:00 2001 
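Review bot: The pass scenario only rewrites an existing `space_left_action = ` line and silently does nothing if the key is absent or written without spaces, so on such an image the scenario would test whatever the default says rather than `email`. Mirroring the grep-then-append form used by the sibling `space_left.pass.sh` scenario, `grep -q "^space_left_action[[:space:]]*=" /etc/audit/auditd.conf && sed -i "s/^space_left_action[[:space:]]*=.*$/space_left_action = email/" /etc/audit/auditd.conf || echo "space_left_action = email" >> /etc/audit/auditd.conf`, makes the scenario self-contained. A comment noting that `email` is one of the values the STIG profile accepts would explain why it is the chosen pass value.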
From: Watson Sato Date: Wed, 14 Mar 2018 15:47:28 +0100 Subject: [PATCH 3/8] Add test scenarios for audit_data_retention_space_left - space_left pass - auditd.conf configured with enough space - space_left_not_enough fail - auditd.conf configured with low space - space_left_not_there fail - auditd.conf without space_left parameter --- .../rule_auditd_data_retention_space_left/space_left.pass.sh | 9 +++++++++ .../space_left_not_enough.fail.sh | 5 +++++ .../space_left_not_there.fail.sh | 5 +++++ 3 files changed, 19 insertions(+) create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_there.fail.sh diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh new file mode 100644 index 0000000000..2e24c0ab86 --- /dev/null +++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh @@ -0,0 +1,9 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa +# remediation = bash + +if grep -q "^space_left[[:space:]]*= " /etc/audit/auditd.conf; then + sed -i "s/^space_left = .*$/space_left = 100/" /etc/audit/auditd.conf +else + echo "space_left = 100" >> /etc/audit/auditd.conf +fi 
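Review bot: The grep and the sed in `space_left.pass.sh` disagree on what a configured line looks like: the grep requires a space after `=`, while the sed requires exactly `space_left = `, so a line such as `space_left=50` passes neither, falls into the `else` branch and leaves two `space_left` entries in auditd.conf. Using one tolerant pattern in both places, `grep -q "^space_left[[:space:]]*=" ...` and `sed -i "s/^space_left[[:space:]]*=.*$/space_left = 100/" ...`, keeps the scenario deterministic. The choice of `100` presumably exceeds the profile's `var_auditd_space_left`; a comment saying so would tie the value to the rule being tested.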
diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh new file mode 100644 index 0000000000..637d9a0b3f --- /dev/null +++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa +# remediation = bash + +sed -i "s/^space_left = .*$/space_left = 15/" /etc/audit/auditd.conf diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_there.fail.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_there.fail.sh new file mode 100644 index 0000000000..71d459fdec --- /dev/null +++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_there.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa +# remediation = bash + +sed -i "/^space_left = /d" /etc/audit/auditd.conf From 269ab3e0422b97e6c3593850e4fe93020436047b Mon Sep 17 00:00:00 2001 
From: Watson Sato Date: Wed, 14 Mar 2018 16:30:20 +0100 Subject: [PATCH 4/8] Fix append scenario in remediation for audit_data_retention_space_left Remediation for auditd_data_retention_space_left could not add configuration line when it was missing. grep command would return 0, sed command would not find the configuration line to replace and return 0. Subsequent if would consume $? equal 0 and not append config. Use of function replace_or_append is not easy here, [[:space:]] is not handled correctly. --- shared/fixes/bash/auditd_data_retention_space_left.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/fixes/bash/auditd_data_retention_space_left.sh b/shared/fixes/bash/auditd_data_retention_space_left.sh index f4ae92b044..2ed771b2d2 100644 --- a/shared/fixes/bash/auditd_data_retention_space_left.sh +++ b/shared/fixes/bash/auditd_data_retention_space_left.sh @@ -2,7 +2,7 @@ . /usr/share/scap-security-guide/remediation_functions populate var_auditd_space_left -grep -q ^space_left /etc/audit/auditd.conf && \ +grep -q "^space_left[[:space:]]*=" /etc/audit/auditd.conf && \ sed -i "s/^space_left[[:space:]]*=.*/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf if ! [ $? -eq 0 ]; then echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf From 3afa2f4dad4de2c3d98bf9f1bdf554778f6bc33a Mon Sep 17 00:00:00 2001 
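Review bot: The corrected grep fixes the `space_left_action` false positive, but the append logic still depends on `$?` carrying the status of the whole `grep && sed` list into the following `if`, which is fragile and was the root cause of the bug this commit describes. Expressing it as an explicit if/else removes the dependency on a prior status and makes the two outcomes visible; the redundant `g` flag can go at the same time.

```shell
populate var_auditd_space_left
# Replace an existing space_left line, otherwise append one.
if grep -q "^space_left[[:space:]]*=" /etc/audit/auditd.conf; then
  sed -i "s/^space_left[[:space:]]*=.*/space_left = $var_auditd_space_left/" /etc/audit/auditd.conf
else
  echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf
fi
```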
From: Watson Sato Date: Wed, 14 Mar 2018 18:49:36 +0100 Subject: [PATCH 5/8] Add test scenarios for audit_rules_privileged_commands - rules_configure pass - tests audit rules for default installation - own_key pass - tests audit rules with custom key - default fail - tests default installation without any configuration - removes all rules.d fail - tests remediation when rules.d is empty --- .../default.fail.sh | 5 ++++ .../own_key.rules | 30 ++++++++++++++++++++++ .../privileged.rules | 30 ++++++++++++++++++++++ .../remove_all_rules.d.fail.sh | 7 +++++ .../rules_configured.pass.sh | 5 ++++ .../rules_with_own_key.pass.sh | 5 ++++ 6 files changed, 82 insertions(+) create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/default.fail.sh create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/own_key.rules create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/privileged.rules create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/remove_all_rules.d.fail.sh create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_configured.pass.sh create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_with_own_key.pass.sh 
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/default.fail.sh new file mode 100644 index 0000000000..96e9f70a89 --- /dev/null +++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/default.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_pci-dss +# remediation = bash + +true diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/own_key.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/own_key.rules new file mode 100644 index 0000000000..4df6d4ec8b --- /dev/null +++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/own_key.rules 
@@ -0,0 +1,30 @@
+-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/privileged.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/privileged.rules
new file mode 100644
index 0000000000..4eb644acbc
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/privileged.rules
@@ -0,0 +1,30 @@
+-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/remove_all_rules.d.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/remove_all_rules.d.fail.sh
new file mode 100644
index 0000000000..ab4dc70c93
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/remove_all_rules.d.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true
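Review bot: privileged.rules (and own_key.rules above it) pin the audited set to a fixed list of 30 binaries, so the two pass scenarios are only valid on an image whose SUID/SGID inventory matches that list exactly; if the check enumerates privileged binaries on the scanned host, one extra setuid program on the test image (a `mount.nfs` or an sssd helper, say) makes rules_configured.pass.sh fail for a reason unrelated to the rule. That dependency should be written down in the fixture itself, e.g. a first line `# mirrors the SUID/SGID inventory of the reference pci-dss test image; regenerate with find / -xdev -perm /6000 -type f when the image changes` (auditd's rules parser accepts `#` comments). In remove_all_rules.d.fail.sh the truncation of /etc/audit/audit.rules is presumably there for the non-augenrules case; a one-line comment saying so would save the next reader from wondering why both are needed.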
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_configured.pass.sh
new file mode 100644
index 0000000000..1aca5a0c00
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_configured.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+# remediation = bash
+
+cp privileged.rules /etc/audit/rules.d/
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_with_own_key.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_with_own_key.pass.sh
new file mode 100644
index 0000000000..4fecb12817
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_with_own_key.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+# remediation = bash
+
+cp own_key.rules /etc/audit/rules.d/privileged.rules
From b00609abc38092461e9ab034ed74476772c71761 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 14 Mar 2018 18:55:56 +0100 Subject: [PATCH 6/8] Enable function perform_audit_rules to handle empty rules directory When /etc/audit/rules.d was empty, the remediation function would not add any rule into output rules file. --- .../perform_audit_rules_privileged_commands_remediation.sh | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-)
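Review bot: `cp privileged.rules /etc/audit/rules.d/` (and `cp own_key.rules ...` in the sibling scenario) resolves the fixture against the current working directory, so these pass scenarios depend on the harness having chdir'd into the scenario directory before running the script, which nothing visible here guarantees. Resolving the file next to the script, `cp "$(dirname "$0")/privileged.rules" /etc/audit/rules.d/`, keeps the scenario correct however it is launched, provided the harness ships the .rules files alongside the .sh files. A `# requires privileged.rules from the same directory` comment would at least make the dependency explicit.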
diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
index 5fac50ef07..3f48afabe3 100644
--- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
@@ -78,6 +78,15 @@ do
 # presence of existing audit rule for new sbinary
 local count_of_inspected_files=0
+ # Define expected rule form for this binary
+ expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=4294967295 -k privileged"
+
+ # If list of audit rules files to be inspected is empty, just add new rule and move on to next binary
+ if [[ ${#files_to_inspect[@]} -eq 0 ]]; then
+ echo "$expected_rule" >> "$output_audit_file"
+ continue
+ fi
+
 # For each audit rules file from the list of files to be inspected
 for afile in "${files_to_inspect[@]}"
 do
@@ -96,9 +105,6 @@ do
 # Increase the count of inspected files for this sbinary
 count_of_inspected_files=$((count_of_inspected_files + 1))
- # Define expected rule form for this binary
- expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=4294967295 -k privileged"
-
 # Require execute access type to be set for existing audit rule
 exec_access='x'
@@ -155,6 +161,7 @@ do
 # Current audit rules file's content doesn't contain expected rule for this
 # SUID/SGID binary yet => append it
 echo $expected_rule >> $output_audit_file
+ continue
 fi
 done
From bbdbd508e3c2d60100abe533f50929748f375a2d Mon Sep 17 00:00:00 2001
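Review bot: The `continue` added in the third hunk is a no-op: it is the last statement of the `for afile` body (the `fi` is followed directly by `done`), so control moves to the next file with or without it. If the intent was to stop scanning once the rule has been appended to `$output_audit_file`, that needs `break`; otherwise the line should be dropped so the next reader does not go looking for what it skips. The append on that same path is still unquoted, `echo $expected_rule >> $output_audit_file`, while the copy added in the first hunk is written `echo "$expected_rule" >> "$output_audit_file"`; the two should match, since the unquoted form only survives because the rule text happens to contain no glob characters. `expected_rule` is also assigned without `local` next to a `local count_of_inspected_files`, so it leaks out of the function. The enclosing `for sbinary` loop starts and ends outside these hunks.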
From: Watson Sato Date: Mon, 19 Mar 2018 18:20:05 +0100 Subject: [PATCH 7/8] Make regexes for space_left tests consistent --- shared/fixes/bash/auditd_data_retention_space_left.sh | 4 ++-- .../rule_auditd_data_retention_space_left/space_left.pass.sh | 5 +++-- .../space_left_not_enough.fail.sh | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/shared/fixes/bash/auditd_data_retention_space_left.sh b/shared/fixes/bash/auditd_data_retention_space_left.sh
index 2ed771b2d2..3cd4306aa8 100644
--- a/shared/fixes/bash/auditd_data_retention_space_left.sh
+++ b/shared/fixes/bash/auditd_data_retention_space_left.sh
@@ -2,8 +2,8 @@
 . /usr/share/scap-security-guide/remediation_functions
 populate var_auditd_space_left
-grep -q "^space_left[[:space:]]*=" /etc/audit/auditd.conf && \
- sed -i "s/^space_left[[:space:]]*=.*/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf
+grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
+ sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf
 if ! [ $? -eq 0 ]; then
 echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf
 fi
diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh
index 2e24c0ab86..dde1f2be94 100644
--- a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh
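Review bot: `$var_auditd_space_left` is spliced unescaped into both the sed replacement and the appended line, and nothing checks that `populate` actually produced a value; an empty or non-numeric result writes `space_left = ` into auditd.conf, which auditd's config parser is likely to reject at the next restart, taking audit logging down with it. A guard before the grep, `[[ "$var_auditd_space_left" =~ ^[0-9]+$ ]] || exit 1`, fails fast instead of corrupting the file (if this snippet is concatenated into a larger remediation script, use the project's error helper rather than a bare `exit`). The trailing `.*$` added to the grep pattern matches nothing the shorter pattern did not; only the sed needs the `.*` to consume the old value.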
@@ -2,8 +2,9 @@
 # profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
 # remediation = bash
-if grep -q "^space_left[[:space:]]*= " /etc/audit/auditd.conf; then
- sed -i "s/^space_left = .*$/space_left = 100/" /etc/audit/auditd.conf
+SPACE_LEFT_REGEX="^space_left[[:space:]]*=.*$"
+if grep -q "$SPACE_LEFT_REGEX" /etc/audit/auditd.conf; then
+ sed -i "s/$SPACE_LEFT_REGEX/space_left = 100/" /etc/audit/auditd.conf
 else
 echo "space_left = 100" >> /etc/audit/auditd.conf
 fi
diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh
index 637d9a0b3f..0d1b1a3911 100644
--- a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh
@@ -2,4 +2,4 @@
 # profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
 # remediation = bash
-sed -i "s/^space_left = .*$/space_left = 15/" /etc/audit/auditd.conf
+sed -i "s/^space_left[[:space:]]*=.*$/space_left = 15/" /etc/audit/auditd.conf
From 9f1569a0a572ae4ac2fa002c622cebbc23ff5a45 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 19 Mar 2018 18:22:24 +0100 Subject: [PATCH 8/8] Chain echo command with OR The remediation will sed or echo the config file. --- shared/fixes/bash/auditd_data_retention_space_left.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/shared/fixes/bash/auditd_data_retention_space_left.sh b/shared/fixes/bash/auditd_data_retention_space_left.sh
index 3cd4306aa8..67ab813d48 100644
--- a/shared/fixes/bash/auditd_data_retention_space_left.sh
+++ b/shared/fixes/bash/auditd_data_retention_space_left.sh
@@ -3,7 +3,5 @@
 populate var_auditd_space_left
 grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
- sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf
-if ! [ $? -eq 0 ]; then
- echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf
-fi
+ sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf || \
+ echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf
From 155b606d318d0995d094183e7278707c310172de Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 15 Mar 2018 17:23:00 +0100 Subject: [PATCH 1/7] Add tests for network_ipv6_disable_rpc - rpc_disabled pass - correct configuration in /etc/netconfig - default fail - default installation configuration --- .../rule_network_ipv6_disable_rpc/default.fail.sh | 7 +++++++ .../rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh | 7 +++++++ 2 files changed, 14 insertions(+) create mode 100644 tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh create mode 100644 tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh
new file mode 100644
index 0000000000..ff0a92e368
--- /dev/null
+++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7
+# remediation = bash
+
+# default config has rpc enabled
+true
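Review bot: `grep && sed || echo` is not an if/else: when the key is present but `sed -i` fails (read-only or immutable auditd.conf, a full /etc, SELinux denial on the temp file), the `||` branch still runs and appends a second `space_left` line after the one sed could not rewrite, so the failure is hidden and the file now carries two settings. The old `$?` test had the same blind spot, but the rewrite is the moment to make the branch explicit; an `if` costs the same number of lines and only appends when the key is genuinely absent:

```shell
# … unchanged: populate var_auditd_space_left …
if grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf; then
    sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf
else
    echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf
fi
```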
diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
new file mode 100644
index 0000000000..0349191dfb
--- /dev/null
+++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7
+# remediation = bash
+
+sed -i "/^tcp6[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig
+sed -i "/^udp6[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig
From ab07272905bfb111c7c10dae630e04019d1135b2 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 15 Mar 2018 17:24:50 +0100 Subject: [PATCH 2/7] Add remediation for network_ipv6_disable_rpc This fix script was sourced from RHEL6 product. --- shared/fixes/bash/network_ipv6_disable_rpc.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 shared/fixes/bash/network_ipv6_disable_rpc.sh
diff --git a/shared/fixes/bash/network_ipv6_disable_rpc.sh b/shared/fixes/bash/network_ipv6_disable_rpc.sh
new file mode 100644
index 0000000000..e4f738780d
--- /dev/null
+++ b/shared/fixes/bash/network_ipv6_disable_rpc.sh
@@ -0,0 +1,10 @@
+# platform = multi_platform_rhel
+
+# Drop 'tcp6' and 'udp6' entries from /etc/netconfig to prevent RPC
+# services for NFSv4 from attempting to start IPv6 network listeners
+declare -a IPV6_RPC_ENTRIES=("tcp6" "udp6")
+
+for rpc_entry in ${IPV6_RPC_ENTRIES[@]}
+do
+ sed -i "/^$rpc_entry[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig
+done
From f9677408a17154278b65ec9d0b4271b8399aa12a Mon Sep 17 00:00:00 2001
From: Watson Sato Date: Thu, 15 Mar 2018 19:17:15 +0100 Subject: [PATCH 3/7] Add tests for network_ipv6_privacy_extensions - default fail - remove IPV6_PRIVACY from any ifcfg file - ipv6_privacy_enabled pass - add IPV6_PRIVACY to all ifcfg files --- .../rule_network_ipv6_privacy_extensions/default.fail.sh | 5 +++++ .../ipv6_privacy_enabled.pass.sh | 8 ++++++++ 2 files changed, 13 insertions(+) create mode 100644 tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/default.fail.sh create mode 100644 tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh
diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/default.fail.sh b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/default.fail.sh
new file mode 100644
index 0000000000..4f6cbaca7f
--- /dev/null
+++ b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/default.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+
+sed -i "/^IPV6_PRIVACY=rfc3041$/d" /etc/sysconfig/network-scripts/ifcfg-*
diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh
new file mode 100644
index 0000000000..90eb082745
--- /dev/null
+++ b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh
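Review bot: This fail scenario, unlike the audit and disable_rpc scenarios earlier in the series, carries no `# remediation = bash` header; if the harness reads that line to decide whether to run and re-check the fix, the bash remediation added in the next patch is never exercised by this test. The delete pattern `^IPV6_PRIVACY=rfc3041$` also only strips the exact unquoted spelling, so a pre-seeded `IPV6_PRIVACY="rfc3041"` would survive and, depending on how the check parses ifcfg files, could leave the scenario passing; `sed -i '/^IPV6_PRIVACY=/d' /etc/sysconfig/network-scripts/ifcfg-*` resets the files regardless of spelling. Note that with no ifcfg-* file present the unquoted glob is passed through literally and sed fails on the nonexistent path.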
@@ -0,0 +1,8 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+
+for file in $(ls /etc/sysconfig/network-scripts/ifcfg-*)
+do
+ echo "IPV6_PRIVACY=rfc3041" >> $file
+done
From cfccf1711de2ffa9b94019ee96ff63740967ee18 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 15 Mar 2018 19:18:53 +0100 Subject: [PATCH 4/7] Add remediation for network_ipv6_privacy_extensions - adding only bash remediation --- shared/fixes/bash/network_ipv6_privacy_extensions.sh | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 shared/fixes/bash/network_ipv6_privacy_extensions.sh
diff --git a/shared/fixes/bash/network_ipv6_privacy_extensions.sh b/shared/fixes/bash/network_ipv6_privacy_extensions.sh
new file mode 100644
index 0000000000..b719fb471f
--- /dev/null
+++ b/shared/fixes/bash/network_ipv6_privacy_extensions.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_rhel
+
+# enable randomness in ipv6 address generation
+for interface in $(ls /etc/sysconfig/network-scripts/ifcfg-*)
+do
+ echo "IPV6_PRIVACY=rfc3041" >> $interface
+done
From c09b5a38d62c733260c1c29227ec3032ea26e9b1 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 20 Mar 2018 16:52:12 +0100 Subject: [PATCH 5/7] Bash improvements for remdiation and tests --- shared/fixes/bash/network_ipv6_disable_rpc.sh | 3 +-- shared/fixes/bash/network_ipv6_privacy_extensions.sh | 2 +- .../rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh | 4 ++-- 3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/shared/fixes/bash/network_ipv6_disable_rpc.sh b/shared/fixes/bash/network_ipv6_disable_rpc.sh
index e4f738780d..5246e14109 100644
--- a/shared/fixes/bash/network_ipv6_disable_rpc.sh
+++ b/shared/fixes/bash/network_ipv6_disable_rpc.sh
@@ -2,9 +2,8 @@
 # Drop 'tcp6' and 'udp6' entries from /etc/netconfig to prevent RPC
 # services for NFSv4 from attempting to start IPv6 network listeners
-declare -a IPV6_RPC_ENTRIES=("tcp6" "udp6")
-for rpc_entry in ${IPV6_RPC_ENTRIES[@]}
+for rpc_entry in "tcp6" "udp6"
 do
 sed -i "/^$rpc_entry[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig
 done
diff --git a/shared/fixes/bash/network_ipv6_privacy_extensions.sh b/shared/fixes/bash/network_ipv6_privacy_extensions.sh
index b719fb471f..134bb3f1f9 100644
--- a/shared/fixes/bash/network_ipv6_privacy_extensions.sh
+++ b/shared/fixes/bash/network_ipv6_privacy_extensions.sh
@@ -1,7 +1,7 @@
 # platform = multi_platform_rhel
 # enable randomness in ipv6 address generation
-for interface in $(ls /etc/sysconfig/network-scripts/ifcfg-*)
+for interface in /etc/sysconfig/network-scripts/ifcfg-*
 do
 echo "IPV6_PRIVACY=rfc3041" >> $interface
 done
diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh
index 90eb082745..0982f003c8 100644
--- a/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh
+++ b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh
@@ -2,7 +2,7 @@
 #
 # profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
-for file in $(ls /etc/sysconfig/network-scripts/ifcfg-*)
+for interface in /etc/sysconfig/network-scripts/ifcfg-*
 do
- echo "IPV6_PRIVACY=rfc3041" >> $file
+ echo "IPV6_PRIVACY=rfc3041" >> $interface
 done
From 77890cd398db61a30f6e20add1067f77f5c0c283 Mon Sep 17 00:00:00 2001
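Review bot: The privacy_extensions loop still appends `IPV6_PRIVACY=rfc3041` unconditionally, so every run of the remediation adds another copy of the line to each ifcfg file and a pre-existing `IPV6_PRIVACY=no` is left standing above it (presumably the last assignment wins when the network scripts source the file, but the file becomes misleading and grows on each compliance run). Dropping the `$(ls …)` fixed word-splitting but not the no-match case: without `nullglob` a host with no ifcfg-* files gets the literal pattern, and `>> $interface` then creates a file named `ifcfg-*` in network-scripts; `$interface` is also still unquoted on that line. Replace an existing assignment in place, append only when absent, and skip anything that is not a regular file:

```shell
for interface in /etc/sysconfig/network-scripts/ifcfg-*
do
    # unmatched glob expands to the literal pattern; never write to it
    [ -f "$interface" ] || continue
    if grep -q '^IPV6_PRIVACY=' "$interface"; then
        sed -i 's/^IPV6_PRIVACY=.*/IPV6_PRIVACY=rfc3041/' "$interface"
    else
        echo "IPV6_PRIVACY=rfc3041" >> "$interface"
    fi
done
```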
From: Watson Sato Date: Tue, 20 Mar 2018 16:58:03 +0100 Subject: [PATCH 6/7] Remove escaped underscore No flavor of regular expression needs to escape underscores. --- shared/fixes/bash/network_ipv6_disable_rpc.sh | 2 +- .../rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/shared/fixes/bash/network_ipv6_disable_rpc.sh b/shared/fixes/bash/network_ipv6_disable_rpc.sh
index 5246e14109..decd74e0cc 100644
--- a/shared/fixes/bash/network_ipv6_disable_rpc.sh
+++ b/shared/fixes/bash/network_ipv6_disable_rpc.sh
@@ -5,5 +5,5 @@
 for rpc_entry in "tcp6" "udp6"
 do
- sed -i "/^$rpc_entry[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig
+ sed -i "/^$rpc_entry[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig
 done
diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
index 0349191dfb..5ba5a77784 100644
--- a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
+++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
@@ -3,5 +3,5 @@
 # profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7
 # remediation = bash
-sed -i "/^tcp6[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig
-sed -i "/^udp6[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig
+sed -i "/^tcp6[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig
+sed -i "/^udp6[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig
From 09eeaa1bff9c6203a5dbab18ccec89cc3458c22f Mon Sep 17 00:00:00 2001
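Review bot: `sed -i … /etc/netconfig` runs unconditionally, so on a host where the file is absent (no libtirpc installed) sed exits non-zero and, depending on how the harness and the generated remediation treat a failing command, the fix is reported as failed for a system that has nothing to fix. Guarding the edit, `[ -f /etc/netconfig ] && sed -i "/^$rpc_entry[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig`, keeps the script a no-op there. Separately, deleting the lines is a one-way change; if the rule text documents the manual fix as commenting the entries out, `sed -i "s/^$rpc_entry[[:space:]]/#&/"`-style edits would match that guidance and leave the entries recoverable, but I cannot see the rule description from here. The `[[:space:]]\+` form is a GNU sed extension, which is fine for the multi_platform_rhel platform declared at the top of the file.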
From: Watson Sato Date: Tue, 20 Mar 2018 17:27:19 +0100 Subject: [PATCH 7/7] Remove redundant profiles in tests for ipv6_disable_rpc --- .../group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh | 2 +- .../rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh
index ff0a92e368..f834e3f726 100644
--- a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh
+++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
 # remediation = bash
 # default config has rpc enabled
diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
index 5ba5a77784..c4bdf0a7c6 100644
--- a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
+++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
 # remediation = bash
 sed -i "/^tcp6[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig
From 5f3ceba27b33c3f8c39ff15d894bb9c58fb1b9fa Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 16 Mar 2018 17:38:07 +0100 Subject: [PATCH] Change id of rule that checks for IPV6 disabled The Rule is not following expected pattern. The sysctl in question is net.ipv6.conf.all.disable_ipv6, so exptected Rule id is syctl_net_ipv6_conf_all_disable_ipv6. This is causing template generated remediation to not be picked up by build system. The used pattern would be for sysctl with name kernel_ipv6_disabled, witch doesn't exist. --- rhel7/profiles/C2S.xml | 2 +- rhel7/profiles/ospp-rhel7.xml | 2 +- rhel7/profiles/rht-ccp.xml | 2 +- shared/xccdf/system/network/ipv6.xml | 6 +++--- 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/rhel7/profiles/C2S.xml b/rhel7/profiles/C2S.xml
index f1798271f9..39dcf9b192 100644
--- a/rhel7/profiles/C2S.xml
+++ b/rhel7/profiles/C2S.xml
@@ -341,7 +341,7 @@ baseline. + -