From dd25ef669719bffe40f3024dbc949e421779f106 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Mon, 9 Dec 2019 16:25:50 +0100

Subject: [PATCH] Split audit rules for OSPP

---

 docs/manual/developer_guide.adoc              |   7 +

 .../policy_rules/audit_access_failed/rule.yml |  53 +++++++

 .../tests/correct_rules.pass.sh               |   1 +

 .../audit_access_success/rule.yml             |  58 ++++++++

 .../tests/correct_rules.pass.sh               |   1 +

 .../audit_basic_configuration/rule.yml        |  66 +++++++++

 .../tests/correct_rules.pass.sh               |   3 +

 .../tests/file_missing.fail.sh                |   3 +

 .../tests/file_not_identical.fail.sh          |   4 +

 .../policy_rules/audit_create_failed/rule.yml |  66 +++++++++

 .../tests/correct_rules.pass.sh               |   1 +

 .../audit_create_success/rule.yml             |  59 ++++++++

 .../tests/correct_rules.pass.sh               |   1 +

 .../policy_rules/audit_delete_failed/rule.yml |  58 ++++++++

 .../tests/correct_rules.pass.sh               |   1 +

 .../audit_delete_success/rule.yml             |  57 ++++++++

 .../tests/correct_rules.pass.sh               |   1 +

 .../tests/failed_delete_rules.fail.sh         |   1 +

 .../tests/no_rule.fail.sh                     |   1 +

 .../audit_immutable_login_uids/rule.yml       |  54 +++++++

 .../tests/correct_rules.pass.sh               |   1 +

 .../policy_rules/audit_modify_failed/rule.yml |  66 +++++++++

 .../tests/correct_rules.pass.sh               |   1 +

 .../audit_modify_success/rule.yml             |  61 ++++++++

 .../tests/correct_rules.pass.sh               |   1 +

 .../policy_rules/audit_module_load/rule.yml   |  58 ++++++++

 .../tests/correct_rules.pass.sh               |   1 +

 .../policy_rules/audit_ospp_general/rule.yml  | 138 ++++++++++++++++++

 .../tests/correct_rules.pass.sh               |   1 +

 .../audit_owner_change_failed/rule.yml        |  59 ++++++++

 .../tests/correct_rules.pass.sh               |   1 +

 .../audit_owner_change_success/rule.yml       |  60 ++++++++

 .../tests/correct_rules.pass.sh               |   1 +

 .../audit_perm_change_failed/rule.yml         |  58 ++++++++

 .../tests/correct_rules.pass.sh               |   1 +

 .../audit_perm_change_success/rule.yml        |  57 ++++++++

 .../tests/correct_rules.pass.sh               |   1 +

 .../audit_rules_for_ospp/oval/shared.xml      |   8 +-

 rhel8/profiles/ospp.profile                   |  17 ++-

 shared/macros-ansible.jinja                   |  15 ++

 shared/macros-bash.jinja                      |  11 ++

 shared/macros-oval.jinja                      |  41 ++++++

 shared/references/cce-redhat-avail.txt        |  11 --

 .../template_ANSIBLE_audit_file_contents      |  11 ++

 .../template_BASH_audit_file_contents         |  14 ++

 .../template_OVAL_audit_file_contents         |   7 +

 ssg/templates.py                              |  20 +++

 tests/shared/audit/10-base-config.rules       |  13 ++

 tests/shared/audit/11-loginuid.rules          |   3 +

 .../audit/30-ospp-v42-1-create-failed.rules   |  13 ++

 .../audit/30-ospp-v42-1-create-success.rules  |   7 +

 .../audit/30-ospp-v42-2-modify-failed.rules   |  13 ++

 .../audit/30-ospp-v42-2-modify-success.rules  |   7 +

 .../audit/30-ospp-v42-3-access-failed.rules   |   5 +

 .../audit/30-ospp-v42-3-access-success.rules  |   4 +

 .../audit/30-ospp-v42-4-delete-failed.rules   |   5 +

 .../audit/30-ospp-v42-4-delete-success.rules  |   3 +

 .../30-ospp-v42-5-perm-change-failed.rules    |   5 +

 .../30-ospp-v42-5-perm-change-success.rules   |   3 +

 .../30-ospp-v42-6-owner-change-failed.rules   |   5 +

 .../30-ospp-v42-6-owner-change-success.rules  |   3 +

 tests/shared/audit/30-ospp-v42.rules          |  80 ++++++++++

 tests/shared/audit/43-module-load.rules       |   6 +

 63 files changed, 1376 insertions(+), 16 deletions(-)

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/tests/correct_rules.pass.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_failed/tests/correct_rules.pass.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_success/tests/correct_rules.pass.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_module_load/tests/correct_rules.pass.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/tests/correct_rules.pass.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/tests/correct_rules.pass.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/tests/correct_rules.pass.sh

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml

 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/tests/correct_rules.pass.sh

 create mode 100644 shared/templates/template_ANSIBLE_audit_file_contents

 create mode 100644 shared/templates/template_BASH_audit_file_contents

 create mode 100644 shared/templates/template_OVAL_audit_file_contents

 create mode 100644 tests/shared/audit/10-base-config.rules

 create mode 100644 tests/shared/audit/11-loginuid.rules

 create mode 100644 tests/shared/audit/30-ospp-v42-1-create-failed.rules

 create mode 100644 tests/shared/audit/30-ospp-v42-1-create-success.rules

 create mode 100644 tests/shared/audit/30-ospp-v42-2-modify-failed.rules

 create mode 100644 tests/shared/audit/30-ospp-v42-2-modify-success.rules

 create mode 100644 tests/shared/audit/30-ospp-v42-3-access-failed.rules

 create mode 100644 tests/shared/audit/30-ospp-v42-3-access-success.rules

 create mode 100644 tests/shared/audit/30-ospp-v42-4-delete-failed.rules

 create mode 100644 tests/shared/audit/30-ospp-v42-4-delete-success.rules

 create mode 100644 tests/shared/audit/30-ospp-v42-5-perm-change-failed.rules

 create mode 100644 tests/shared/audit/30-ospp-v42-5-perm-change-success.rules

 create mode 100644 tests/shared/audit/30-ospp-v42-6-owner-change-failed.rules

 create mode 100644 tests/shared/audit/30-ospp-v42-6-owner-change-success.rules

 create mode 100644 tests/shared/audit/30-ospp-v42.rules

 create mode 100644 tests/shared/audit/43-module-load.rules

diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc

index 4cccea23d..76c1c1021 100644

--- a/docs/manual/developer_guide.adoc

+++ b/docs/manual/developer_guide.adoc

@@ -1449,6 +1449,13 @@ audit_rules_privileged_commands::

 ** *path* - the path of the privileged command - eg. `/usr/bin/mount`

 * Languages: Ansible, Bash, OVAL

+audit_file_contents::

+* Ensure that audit `.rules` file specified by parameter `filepath` contains the contents specified in parameter `contents`.

+* Parameters:

+** *filepath* - path to audit rules file, e.g.: `/etc/audit/rules.d/10-base-config.rules`

+** *contents* - expected contents of the file

+* Languages: Ansible, Bash, OVAL

+

 audit_rules_unsuccessful_file_modification::

 * Ensure there is an Audit rule to record unsuccessful attempts to access files

 * Parameters:

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml

new file mode 100644

index 000000000..6172751f1

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml

@@ -0,0 +1,53 @@

+documentation_complete: true

+

+prodtype: rhel8

+

+title: 'Configure auditing of unsuccessful file accesses'

+

+{{% set file_contents_audit_access_failed =

+"## Unsuccessful file access (any other opens) This has to go last.

+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access

+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access

+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access

+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access

+" %}}

+

+description: |-

+    Ensure that unsuccessful attempts to access a file are audited.

+

+    The following rules configure audit as described above:

+    
{{{ file_contents_audit_access_failed|indent }}}    
    

+    

+    Load new Audit rules into kernel by running:

+    
augenrules --load

+    

+    Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.

+

+

+rationale: |-

+    Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. Auditing of such activities helps in their monitoring and investigation.

+

+severity: medium

+

+identifiers:

+    cce@rhel8: 82833-5

+

+references:

+    ospp: FAU_GEN.1.1.c

+    nist: AU-2(a)

+    srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205

+

+ocil_clause: 'the file does not exist or the content differs'

+

+ocil: |-

+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:

+    
cat /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules

+    The output has to be exactly as follows:

+    
{{{ file_contents_audit_access_failed|indent }}}    

+

+template:

+    name: audit_file_contents

+    vars:

+        filepath: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules

+        contents: |+

+            {{{ file_contents_audit_access_failed|indent(12) }}}

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh

new file mode 100644

index 000000000..ce7c7a0dd

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh

@@ -0,0 +1 @@

+cp $SHARED/audit/30-ospp-v42-3-access-failed.rules /etc/audit/rules.d/

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml

new file mode 100644

index 000000000..8d0625a1d

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml

@@ -0,0 +1,58 @@

+documentation_complete: true

+

+prodtype: rhel8

+

+title: 'Configure auditing of successful file accesses'

+

+{{% set file_contents_audit_access_success =

+"## Successful file access (any other opens) This has to go last.

+## These next two are likely to result in a whole lot of events

+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access

+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access

+" %}}

+

+description: |-

+    Ensure that successful attempts to access a file are audited.

+

+    The following rules configure audit as described above:

+    
{{{ file_contents_audit_access_success|indent }}}    

+

+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules</tt>.

+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:

+    

+    cp /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules /etc/audit/rules.d/

+    

+    

+    Load new Audit rules into kernel by running:

+    
augenrules --load

+    

+    Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.

+    

+

+rationale: |-

+    Auditing of successful attempts to access a file helps in investigation of activities performed on the system. 

+

+severity: medium

+

+identifiers:

+    cce@rhel8: 82834-3

+

+references:

+    ospp: FAU_GEN.1.1.c

+    nist: AU-2(a)

+    srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205

+

+ocil_clause: 'the file does not exist or the content differs'

+

+ocil: |-

+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:

+    
cat /etc/audit/rules.d/30-ospp-v42-3-access-success.rules

+    The output has to be exactly as follows:

+    
{{{ file_contents_audit_access_success|indent }}}    

+

+template:

+    name: audit_file_contents

+    vars:

+        filepath: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules

+        contents: |+

+            {{{ file_contents_audit_access_success|indent(12) }}}

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh

new file mode 100644

index 000000000..7092f2c47

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh

@@ -0,0 +1 @@

+cp $SHARED/audit/30-ospp-v42-3-access-success.rules /etc/audit/rules.d/

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml

new file mode 100644

index 000000000..24cac20a2

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml

@@ -0,0 +1,66 @@

+documentation_complete: true

+

+prodtype: rhel8

+

+title: 'Configure basic parameters of Audit system'

+

+{{% set file_contents_audit_base_config =

+"## First rule - delete all

+-D

+

+## Increase the buffers to survive stress events.

+## Make this bigger for busy systems

+-b 8192

+

+## This determine how long to wait in burst of events

+--backlog_wait_time 60000

+

+## Set failure mode to syslog

+-f 1

+

+" %}}

+

+description: |-

+    Perform basic configuration of Audit system.

+    Make sure that any previously defined rules are cleared, the auditing system is configured to handle sudden bursts of events, and in cases of failure, messages are configured to be directed to system log.

+

+    The following rules configure audit as described above:

+    
{{{ file_contents_audit_base_config|indent }}}    

+

+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/10-base-config.rules</tt>.

+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:

+    

+    cp /usr/share/audit/sample-rules/10-base-config.rules /etc/audit/rules.d/

+    

+    

+    Load new Audit rules into kernel by running:

+    
augenrules --load

+    

+

+rationale: |-

+    Without basic configurations, audit may not perform as expected. It may not be able to correctly handle events under stressful conditions, or log events in case of failure.

+

+severity: medium

+

+identifiers:

+    cce@rhel8: 82827-7

+

+references:

+    ospp: FAU_GEN.1.1.c

+    nist: AU-2(a)

+    srg: SRG-OS-000365-GPOS-00152,SRG-OS-000475-GPOS-00220

+

+ocil_clause: 'the file does not exist or the content differs'

+

+ocil: |-

+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:

+    
cat /etc/audit/rules.d/10-base-config.rules

+    The output has to be exactly as follows:

+    
{{{ file_contents_audit_base_config|indent }}}    

+

+template:

+    name: audit_file_contents

+    vars:

+        filepath: /etc/audit/rules.d/10-base-config.rules

+        contents: |+

+            {{{ file_contents_audit_base_config|indent(12) }}}

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh

new file mode 100644

index 000000000..2335ce458

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh

@@ -0,0 +1,3 @@

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+cp $SHARED/audit/10-base-config.rules /etc/audit/rules.d/

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh

new file mode 100644

index 000000000..aa506a736

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh

@@ -0,0 +1,3 @@

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+rm -f /etc/audit/rules.d/10-base-config.rules

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh

new file mode 100644

index 000000000..4e7ce04c5

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh

@@ -0,0 +1,4 @@

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+cp /usr/share/audit/sample-rules/10-base-config.rules /etc/audit/rules.d/

+echo "some additional text" >> /etc/audit/rules.d/10-base-config.rules

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml

new file mode 100644

index 000000000..7cd677661

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml

@@ -0,0 +1,66 @@

+documentation_complete: true

+

+prodtype: rhel8

+

+title: 'Configure auditing of unsuccessful file creations'

+

+{{% set file_contents_audit_create_failed =

+"## Unsuccessful file creation (open with O_CREAT)

+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create

+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create

+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create

+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create

+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create

+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create

+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create

+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create

+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create

+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create

+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create

+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create

+" %}}

+

+description: |-

+    Ensure that unsuccessful attempts to create a file are audited.

+

+    The following rules configure audit as described above:

+    
{{{ file_contents_audit_create_failed|indent }}}    

+

+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules</tt>.

+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:

+    

+    cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules /etc/audit/rules.d/

+    

+    

+    Load new Audit rules into kernel by running:

+    
augenrules --load

+    

+    Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.

+

+rationale: |-

+    Unsuccessful file creations might be a sign of a malicious action being performed on the system. Keeping log of such events helps in monitoring and investigation of such actions.

+

+severity: medium

+

+identifiers:

+    cce@rhel8: 82374-0

+

+references:

+    ospp: FAU_GEN.1.1.c

+    nist: AU-2(a)

+    srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205

+

+ocil_clause: 'the file does not exist or the content differs'

+

+ocil: |-

+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:

+    
cat /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules

+    The output has to be exactly as follows:

+    
{{{ file_contents_audit_create_failed|indent }}}    

+

+template:

+    name: audit_file_contents

+    vars:

+        filepath: /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules

+        contents: |+

+            {{{ file_contents_audit_create_failed|indent(12) }}}

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh

new file mode 100644

index 000000000..9a7fe431a

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh

@@ -0,0 +1 @@

+cp $SHARED/audit/30-ospp-v42-1-create-failed.rules /etc/audit/rules.d/

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml

new file mode 100644

index 000000000..4c933ec50

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml

@@ -0,0 +1,59 @@

+documentation_complete: true

+

+prodtype: rhel8

+

+title: 'Configure auditing of successful file creations'

+

+{{% set file_contents_audit_create_success =

+"## Successful file creation (open with O_CREAT)

+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create

+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create

+-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create

+-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create

+-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create

+-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create

+" %}}

+

+description: |-

+    Ensure that successful attempts to create a file are audited.

+

+    The following rules configure audit as described above:

+    
{{{ file_contents_audit_create_success |indent }}}    

+

+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules</tt>.

+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:

+    

+    cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules /etc/audit/rules.d/

+    

+    

+    Load new Audit rules into kernel by running:

+    
augenrules --load

+    

+

+rationale: |-

+    Auditing of successful attempts to create a file helps in investigation of actions which happened on the system.

+

+severity: medium

+

+identifiers:

+    cce@rhel8: 82829-3

+

+references:

+    ospp: FAU_GEN.1.1.c

+    nist: AU-2(a)

+    srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205

+

+ocil_clause: 'the file does not exist or the content differs'

+

+ocil: |-

+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:

+    
cat /etc/audit/rules.d/30-ospp-v42-1-create-success.rules

+    The output has to be exactly as follows:

+    
{{{ file_contents_audit_create_success|indent }}}    

+

+template:

+    name: audit_file_contents

+    vars:

+        filepath: /etc/audit/rules.d/30-ospp-v42-1-create-success.rules

+        contents: |+

+            {{{ file_contents_audit_create_success|indent(12) }}}

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh

new file mode 100644

index 000000000..dcc4afe73

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh

@@ -0,0 +1 @@

+cp $SHARED/audit/30-ospp-v42-1-create-success.rules /etc/audit/rules.d/

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml

new file mode 100644

index 000000000..b9084f217

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml

@@ -0,0 +1,58 @@

+documentation_complete: true

+

+prodtype: rhel8

+

+title: 'Configure auditing of unsuccessful file deletions'

+

+{{% set file_contents_audit_delete_failed =

+"## Unsuccessful file delete

+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

+" %}}

+

+description: |-

+    Ensure that unsuccessful attempts to delete a file are audited.

+

+    The following rules configure audit as described above:

+    
{{{ file_contents_audit_delete_failed|indent }}}    

+

+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules</tt>.

+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:

+    

+    cp /usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/

+    

+    

+    Load new Audit rules into kernel by running:

+    
augenrules --load

+    

+    Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.

+

+rationale: |-

+    Unsuccessful attempts to delete a file might be signs of malicious activities. Auditing of such events help in monitoring and investigating of such activities. 

+

+severity: medium

+

+identifiers:

+    cce@rhel8: 82835-0

+

+references:

+    ospp: FAU_GEN.1.1.c

+    nist: AU-2(a)

+    srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-OS-000467-GPOS-00211

+

+ocil_clause: 'the file does not exist or the content differs'

+

+ocil: |-

+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:

+    
cat /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules

+    The output has to be exactly as follows:

+    
{{{ file_contents_audit_delete_failed|indent }}}    

+

+template:

+    name: audit_file_contents

+    vars:

+        filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules

+        contents: |+

+            {{{ file_contents_audit_delete_failed|indent(12) }}}

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh

new file mode 100644

index 000000000..9ae890203

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh

@@ -0,0 +1 @@

+cp $SHARED/audit/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml

new file mode 100644

index 000000000..7d445d751

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml

@@ -0,0 +1,57 @@

+documentation_complete: true

+

+prodtype: rhel8

+

+title: 'Configure auditing of successful file deletions'

+

+{{% set file_contents_audit_delete_success =

+"## Successful file delete

+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete

+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete

+" %}}

+

+description: |-

+    Ensure that successful attempts to delete a file are audited.

+

+    The following rules configure audit as described above:

+    
{{{ file_contents_audit_delete_success|indent }}}    

+

+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules</tt>.

+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:

+    

+    cp /usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules /etc/audit/rules.d/

+    

+    

+    Load new Audit rules into kernel by running:

+    
augenrules --load

+    

+    Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.

+    

+

+rationale: |-

+    Auditing of successful attempts to delete a file may help in monitoring and investigation of activities performed on the system.

+

+severity: medium

+

+identifiers:

+    cce@rhel8: 82836-8

+

+references:

+    ospp: FAU_GEN.1.1.c

+    nist: AU-2(a)

+    srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-OS-000467-GPOS-00211

+

+ocil_clause: 'the file does not exist or the content differs'

+

+ocil: |-

+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:

+    
cat /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules

+    The output has to be exactly as follows:

+    
{{{ file_contents_audit_delete_success|indent }}}    

+

+template:

+    name: audit_file_contents

+    vars:

+        filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules

+        contents: |+

+            {{{ file_contents_audit_delete_success|indent(12) }}}

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh

new file mode 100644

index 000000000..0a348baf6

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh

@@ -0,0 +1 @@

+cp $SHARED/audit/30-ospp-v42-4-delete-success.rules /etc/audit/rules.d/

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh

new file mode 100644

index 000000000..9ae890203

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh

@@ -0,0 +1 @@

+cp $SHARED/audit/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh

new file mode 100644

index 000000000..3acb94ab6

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh

@@ -0,0 +1 @@

+rm -f /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules.

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml

new file mode 100644

index 000000000..eb87848e8

--- /dev/null

+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml

@@ -0,0 +1,54 @@

+documentation_complete: true

+

+prodtype: rhel8

+

+title: 'Configure immutable Audit login UIDs'

+

+{{% set file_contents_audit_immutable_login =

+"## Make the loginuid immutable. This prevents tampering with the auid.

+--loginuid-immutable

+

+" %}}

+

+description: |-

+    Configure kernel to prevent modification of login UIDs once they are set. Changing login UUIDs while this configuration is enforced requires special capabilities which are not available to unprivileged users.   

+

+    The following rules configure audit as described above:

+    
{{{ file_contents_audit_immutable_login|indent }}}    

+

+    The <tt>Audit</tt> provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/11-loginuid.rules</tt>.

+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:

+    

+    cp /usr/share/audit/sample-rules/11-loginuid.rules /etc/audit/rules.d/

+