From d5533786f8d34442754cf60234877f4f9768fdae Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Thu, 16 Apr 2020 11:35:14 +0200

Subject: [PATCH 1/4] add ansible remediation

---

 .../audit_rules_immutable/ansible/shared.yml  | 45 +++++++++++++++++++

 1 file changed, 45 insertions(+)

 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml

new file mode 100644

index 0000000000..20266d394f

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml

@@ -0,0 +1,45 @@

+# platform = multi_platform_all

+# reboot = false

+# strategy = restrict

+# complexity = low

+# disruption = low

+

+- name: add /etc/audit/audit.rules to the list of files to be searched

+  set_fact:

+    files_to_search:

+      - /etc/audit/audit.rules

+

+- name: Search /etc/audit/rules.d  for files containing the -e option

+  find:

+    paths: "/etc/audit/rules.d"

+    recurse: true

+    contains: "-e[\\s]+.*"

+    patterns: "*.rules"

+  register: find_immutable

+

+- name: add found files to the list of files to be searched

+  set_fact:

+    files_to_search: "{{ files_to_search + [item.path] }}"

+  with_items: "{{ find_immutable.files }}"

+  when: find_immutable.matched is defined and find_immutable.matched >= 1

+

+- name: remove the config line from /etc/audit/audit.rules and any file in /etc/audit/rules.d directory

+  lineinfile:

+    path: "{{ item }}"

+    regexp: "-e[\\s]+.*"

+    state: absent

+  with_items: "{{ files_to_search }}"

+

+- name: insert lines at the end of /etc/audit/audit.rules and /etc/audit/rules.d/immutable.rules

+  blockinfile:

+    path: "{{ item }}"

+    create: True

+    marker: ""

+    block: |+

+      # Set the audit.rules configuration immutable per security requirements

+      # Reboot is required to change audit rules once this setting is applied

+      

+      -e 2

+  with_items:

+    - /etc/audit/audit.rules

+    - /etc/audit/rules.d/immutable.rules

From 8f1c60ba4efd625c2df20a109710e0dbf423e44a Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Thu, 16 Apr 2020 11:35:37 +0200

Subject: [PATCH 2/4] add tests

---

 .../audit_rules_immutable/tests/auditctl_correct.pass.sh   | 6 ++++++

 .../audit_rules_immutable/tests/auditctl_missing.fail.sh   | 6 ++++++

 .../tests/auditctl_wrong_value.fail.sh                     | 7 +++++++

 .../audit_rules_immutable/tests/augen_correct.pass.sh      | 3 +++

 .../audit_rules_immutable/tests/augen_missing.fail.sh      | 3 +++

 .../audit_rules_immutable/tests/augen_wrong_value.fail.sh  | 4 ++++

 6 files changed, 29 insertions(+)

 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_correct.pass.sh

 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_missing.fail.sh

 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_wrong_value.fail.sh

 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_correct.pass.sh

 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_missing.fail.sh

 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_wrong_value.fail.sh

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_correct.pass.sh

new file mode 100644

index 0000000000..36478840c1

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_correct.pass.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+# use auditctl

+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

+

+echo "-e 2" > /etc/audit/audit.rules

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_missing.fail.sh

new file mode 100644

index 0000000000..733436ecaf

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_missing.fail.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+# use auditctl

+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

+

+echo "some value" > /etc/audit/audit.rules

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_wrong_value.fail.sh

new file mode 100644

index 0000000000..e3369107dd

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_wrong_value.fail.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+

+# use auditctl

+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

+

+echo "-e 1" > /etc/audit/audit.rules

+

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_correct.pass.sh

new file mode 100644

index 0000000000..fa5b7231df

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_correct.pass.sh

@@ -0,0 +1,3 @@

+#!/bin/bash

+

+echo "-e 2" > /etc/audit/rules.d/immutable.rules

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_missing.fail.sh

new file mode 100644

index 0000000000..0997495e4b

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_missing.fail.sh

@@ -0,0 +1,3 @@

+#!/bin/bash

+

+rm -rf /etc/audit/rules.d/*

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_wrong_value.fail.sh

new file mode 100644

index 0000000000..a8c2d53830

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_wrong_value.fail.sh

@@ -0,0 +1,4 @@

+#!/bin/bash

+

+rm -rf /etc/audit/rules.d/*

+echo "-e 1" > /etc/audit/rules.d/immutable.rules

From 2bba06ada88cb359a19288725232e79387931aee Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Mon, 4 May 2020 15:29:10 +0200

Subject: [PATCH 3/4] do not use explaining comment in ansible remediation

---

 .../audit_rules_immutable/ansible/shared.yml  | 58 ++++++++++---------

 1 file changed, 32 insertions(+), 26 deletions(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml

index 20266d394f..4e1b2f9569 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml

@@ -1,45 +1,51 @@

 # platform = multi_platform_all

-# reboot = false

+# reboot = true

 # strategy = restrict

 # complexity = low

 # disruption = low

-- name: add /etc/audit/audit.rules to the list of files to be searched

-  set_fact:

-    files_to_search:

-      - /etc/audit/audit.rules

+- name: Check if the file /etc/audit/audit.rules contains the -e option

+  find:

+    paths: "/etc/audit"

+    contains: '^\s*-e\s+.*$'

+    patterns: "audit.rules"

+  register: find_immutable_audit_rules

 - name: Search /etc/audit/rules.d  for files containing the -e option

   find:

     paths: "/etc/audit/rules.d"

-    recurse: true

-    contains: "-e[\\s]+.*"

+    contains: '^\s*-e\s+.*$'

     patterns: "*.rules"

-  register: find_immutable

+  register: find_immutable_rules_d

-- name: add found files to the list of files to be searched

-  set_fact:

-    files_to_search: "{{ files_to_search + [item.path] }}"

-  with_items: "{{ find_immutable.files }}"

-  when: find_immutable.matched is defined and find_immutable.matched >= 1

+- name: Construct list of Audit config files containing the -e option

+  block:

+    - name: Initialize empty list for files to be edited

+      set_fact:

+        files_to_edit: []

+    - name: Add matched files from /etc/audit/rules.d

+      set_fact:

+        files_to_edit: "{{ files_to_edit + [item.path] }}"

+      loop: "{{ find_immutable_rules_d.files }}"

+    - name: Add /etc/audit/audit.rules to the list of files

+      set_fact:

+        files_to_edit: "{{ files_to_edit + ['/etc/audit/audit.rules'] }}"

+      when: find_immutable_audit_rules is defined and find_immutable_audit_rules.matched >= 1

+  when: (find_immutable_rules_d.matched is defined and find_immutable_rules_d.matched >= 1) or (find_immutable_audit_rules.matched is defined and find_immutable_audit_rules.matched >= 1)

-- name: remove the config line from /etc/audit/audit.rules and any file in /etc/audit/rules.d directory

+- name: Remove the -e option from all Audit config files

   lineinfile:

     path: "{{ item }}"

     regexp: "-e[\\s]+.*"

     state: absent

-  with_items: "{{ files_to_search }}"

+  loop: "{{ files_to_edit }}"

+  when: (find_immutable_rules_d.matched is defined and find_immutable_rules_d.matched >= 1) or (find_immutable_audit_rules.matched is defined and find_immutable_audit_rules.matched >= 1)

-- name: insert lines at the end of /etc/audit/audit.rules and /etc/audit/rules.d/immutable.rules

-  blockinfile:

+- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules

+  lineinfile:

     path: "{{ item }}"

     create: True

-    marker: ""

-    block: |+

-      # Set the audit.rules configuration immutable per security requirements

-      # Reboot is required to change audit rules once this setting is applied

-      

-      -e 2

-  with_items:

-    - /etc/audit/audit.rules

-    - /etc/audit/rules.d/immutable.rules

+    line: "-e 2"

+  loop:

+    - "/etc/audit/audit.rules"

+    - "/etc/audit/rules.d/immutable.rules"

From dbf87484436e142a771ebd22a1bada61a429cceb Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Tue, 5 May 2020 14:44:24 +0200

Subject: [PATCH 4/4] simplify remediation

---

 .../audit_rules_immutable/ansible/shared.yml  | 34 +++----------------

 1 file changed, 5 insertions(+), 29 deletions(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml

index 4e1b2f9569..5ac7b3dabb 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml

@@ -4,42 +4,18 @@

 # complexity = low

 # disruption = low

-- name: Check if the file /etc/audit/audit.rules contains the -e option

+- name: Collect all files from /etc/audit/rules.d with .rules extension

   find:

-    paths: "/etc/audit"

-    contains: '^\s*-e\s+.*$'

-    patterns: "audit.rules"

-  register: find_immutable_audit_rules

-

-- name: Search /etc/audit/rules.d  for files containing the -e option

-  find:

-    paths: "/etc/audit/rules.d"

-    contains: '^\s*-e\s+.*$'

+    paths: "/etc/audit/rules.d/"

     patterns: "*.rules"

-  register: find_immutable_rules_d

-

-- name: Construct list of Audit config files containing the -e option

-  block:

-    - name: Initialize empty list for files to be edited

-      set_fact:

-        files_to_edit: []

-    - name: Add matched files from /etc/audit/rules.d

-      set_fact:

-        files_to_edit: "{{ files_to_edit + [item.path] }}"

-      loop: "{{ find_immutable_rules_d.files }}"

-    - name: Add /etc/audit/audit.rules to the list of files

-      set_fact:

-        files_to_edit: "{{ files_to_edit + ['/etc/audit/audit.rules'] }}"

-      when: find_immutable_audit_rules is defined and find_immutable_audit_rules.matched >= 1

-  when: (find_immutable_rules_d.matched is defined and find_immutable_rules_d.matched >= 1) or (find_immutable_audit_rules.matched is defined and find_immutable_audit_rules.matched >= 1)

+  register: find_rules_d

 - name: Remove the -e option from all Audit config files

   lineinfile:

     path: "{{ item }}"

-    regexp: "-e[\\s]+.*"

+    regexp: '^\s*(?:-e)\s+.*$'

     state: absent

-  loop: "{{ files_to_edit }}"

-  when: (find_immutable_rules_d.matched is defined and find_immutable_rules_d.matched >= 1) or (find_immutable_audit_rules.matched is defined and find_immutable_audit_rules.matched >= 1)

+  loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"

 - name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules

   lineinfile: