From bb68e10170f532fed47277d76eb74f4fad498039 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <jlieskov@redhat.com>
Date: Fri, 24 Jul 2015 16:21:04 +0200
Subject: [PATCH] [Enhancement] [RHEL/7] New RHEL-7 audit time remediations for
following rules: * audit_rules_time_adjtimex, *
audit_rules_time_settimeofday, and * audit_rules_time_stime
|
Testing report:
--------------
Verified manually on RHEL-7 host the changes are working fine (in both
scenarios, expected rule not at all present in audit.rules configuration,
or expected rule partially present in audit.rules configuration)
---
.../input/fixes/bash/audit_rules_time_adjtimex.sh | 32 ++++++++++++++++++++++
.../fixes/bash/audit_rules_time_settimeofday.sh | 32 ++++++++++++++++++++++
RHEL/7/input/fixes/bash/audit_rules_time_stime.sh | 32 ++++++++++++++++++++++
3 files changed, 96 insertions(+)
create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh
create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh
create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_stime.sh
|
diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh b/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh
new file mode 100644
index 0000000..43fdfbb
--- /dev/null
+++ b/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh
@@ -0,0 +1,32 @@
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+# Perform the remediation for the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+
+ PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
+
+ # Create expected audit group and audit rule form for particular system call & architecture
+ if [ ${ARCH} = "b32" ]
+ then
+ # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
+ # so append it to the list of time group system calls to be audited
+ GROUP="\(adjtimex\|settimeofday\|stime\)"
+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
+ elif [ ${ARCH} = "b64" ]
+ then
+ # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
+ # therefore don't add it to the list of time group system calls to be audited
+ GROUP="\(adjtimex\|settimeofday\)"
+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
+ fi
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+done
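Review bot: The architecture probe `[ $(getconf LONG_BIT) = "32" ]` leaves the command substitution unquoted, so an empty getconf result collapses the test to `[ = "32" ]`, which fails with a usage error and silently selects the two-architecture branch; quote it as `[ "$(getconf LONG_BIT)" = "32" ]` (and `[ "${ARCH}" = "b32" ]` / `[ "${ARCH}" = "b64" ]` below for consistency). The `PATTERN` value ends in `-k *`, which as a regex matches `-k` followed by any number of spaces rather than a key name, so if the intent is to match a rule with any existing key it should read `PATTERN="-a always,exit -F arch=${ARCH} -S .* -k .*"` — presumably fix_audit_syscall_rule applies it as a grep pattern, but its definition lives in remediation_functions outside this patch. As a point of style, the loop body is indented by a single space, which makes the if/elif structure hard to scan; a consistent four-space indent would help. This script body is byte-identical (same blob 43fdfbb) in audit_rules_time_settimeofday.sh and audit_rules_time_stime.sh, so all three points apply to those files as well.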
diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh b/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh
new file mode 100644
index 0000000..43fdfbb
--- /dev/null
+++ b/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh
@@ -0,0 +1,32 @@
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+# Perform the remediation for the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+
+ PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
+
+ # Create expected audit group and audit rule form for particular system call & architecture
+ if [ ${ARCH} = "b32" ]
+ then
+ # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
+ # so append it to the list of time group system calls to be audited
+ GROUP="\(adjtimex\|settimeofday\|stime\)"
+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
+ elif [ ${ARCH} = "b64" ]
+ then
+ # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
+ # therefore don't add it to the list of time group system calls to be audited
+ GROUP="\(adjtimex\|settimeofday\)"
+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
+ fi
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+done
diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh b/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh
new file mode 100644
index 0000000..43fdfbb
--- /dev/null
+++ b/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh
@@ -0,0 +1,32 @@
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+# Perform the remediation for the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+
+ PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
+
+ # Create expected audit group and audit rule form for particular system call & architecture
+ if [ ${ARCH} = "b32" ]
+ then
+ # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
+ # so append it to the list of time group system calls to be audited
+ GROUP="\(adjtimex\|settimeofday\|stime\)"
+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
+ elif [ ${ARCH} = "b64" ]
+ then
+ # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
+ # therefore don't add it to the list of time group system calls to be audited
+ GROUP="\(adjtimex\|settimeofday\)"
+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
+ fi
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+done