From bb68e10170f532fed47277d76eb74f4fad498039 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky
Date: Fri, 24 Jul 2015 16:21:04 +0200
Subject: [PATCH] [Enhancement] [RHEL/7] New RHEL-7 audit time remediations for following rules: * audit_rules_time_adjtimex, * audit_rules_time_settimeofday, and * audit_rules_time_stime Testing report: -------------- Verified manually on RHEL-7 host the changes are working fine (in both scenarios, expected rule not at all present in audit.rules configuration, or expected rule partially present in audit.rules configuration)
---
 .../input/fixes/bash/audit_rules_time_adjtimex.sh | 32 ++++++++++++++++++++++
 .../fixes/bash/audit_rules_time_settimeofday.sh | 32 ++++++++++++++++++++++
 RHEL/7/input/fixes/bash/audit_rules_time_stime.sh | 32 ++++++++++++++++++++++
 3 files changed, 96 insertions(+)
 create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh
 create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh
 create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_stime.sh
diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh b/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh
new file mode 100644
index 0000000..43fdfbb
--- /dev/null
+++ b/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh
@@ -0,0 +1,32 @@
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+# Perform the remediation for the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+
+ PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
+
+ # Create expected audit group and audit rule form for particular system call & architecture
+ if [ ${ARCH} = "b32" ]
+ then
+ # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
+ # so append it to the list of time group system calls to be audited
+ GROUP="\(adjtimex\|settimeofday\|stime\)"
+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
+ elif [ ${ARCH} = "b64" ]
+ then
+ # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
+ # therefore don't add it to the list of time group system calls to be audited
+ GROUP="\(adjtimex\|settimeofday\)"
+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
+ fi
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+done
diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh b/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh
new file mode 100644
index 0000000..43fdfbb
--- /dev/null
+++ b/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh
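Review bot: The architecture probe on the new file's line 7, `[ $(getconf LONG_BIT) = "32" ]`, leaves the command substitution unquoted, so if `getconf` is absent or prints nothing the test collapses to `[ = "32" ]`, errors out, and the `||` arm quietly selects `RULE_ARCHS=("b32" "b64")`, after which the loop also attempts a `b64` rule on a host that may be 32-bit. Quote the substitution and make the selection an explicit branch instead of the `&& … ||` chain: `if [ "$(getconf LONG_BIT)" = "32" ]; then RULE_ARCHS=("b32"); else RULE_ARCHS=("b32" "b64"); fi`. The same applies to the hunks for audit_rules_time_settimeofday.sh and audit_rules_time_stime.sh, which are byte-identical to this file (all three carry blob 43fdfbb); a single shared remediation sourced by each would keep the three copies from drifting apart. Whether the trailing `-k *` in `PATTERN` and the `GROUP` regex match as intended depends on `fix_audit_syscall_rule` in the sourced remediation_functions library, which is outside this diff.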
@@ -0,0 +1,32 @@
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+# Perform the remediation for the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+
+ PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
+
+ # Create expected audit group and audit rule form for particular system call & architecture
+ if [ ${ARCH} = "b32" ]
+ then
+ # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
+ # so append it to the list of time group system calls to be audited
+ GROUP="\(adjtimex\|settimeofday\|stime\)"
+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
+ elif [ ${ARCH} = "b64" ]
+ then
+ # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
+ # therefore don't add it to the list of time group system calls to be audited
+ GROUP="\(adjtimex\|settimeofday\)"
+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
+ fi
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+done
diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh b/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh
new file mode 100644
index 0000000..43fdfbb
--- /dev/null
+++ b/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh
@@ -0,0 +1,32 @@
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+# Perform the remediation for the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+
+ PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
+
+ # Create expected audit group and audit rule form for particular system call & architecture
+ if [ ${ARCH} = "b32" ]
+ then
+ # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
+ # so append it to the list of time group system calls to be audited
+ GROUP="\(adjtimex\|settimeofday\|stime\)"
+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
+ elif [ ${ARCH} = "b64" ]
+ then
+ # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
+ # therefore don't add it to the list of time group system calls to be audited
+ GROUP="\(adjtimex\|settimeofday\)"
+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
+ fi
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+done