From 2f4ddb4297f2a14e2bde3b32f76347e2bbe2cb2d Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Thu, 19 Aug 2021 09:47:42 -0500

Subject: [PATCH] Add new rule for RHEL-07-030330 and RHEL-08-030730

This new rule is copy of auditd_data_retention_space_left, but

setup to allow for percentages.

---

 .../auditd_data_retention_space_left/rule.yml |  2 -

 .../ansible/shared.yml                        | 15 ++++++

 .../bash/shared.sh                            |  7 +++

 .../oval/shared.xml                           | 32 +++++++++++++

 .../rule.yml                                  | 47 +++++++++++++++++++

 .../tests/no_percent_sign.fail.sh             |  6 +++

 .../space_left_greater_than_minimum.pass.sh   |  6 +++

 .../tests/space_left_minimum_value.pass.sh    |  6 +++

 .../tests/space_left_not_enough.fail.sh       |  6 +++

 .../tests/space_left_not_there.fail.sh        |  6 +++

 .../var_auditd_space_left_percentage.var      | 15 ++++++

 products/rhel7/profiles/stig.profile          |  3 +-

 products/rhel8/profiles/stig.profile          |  7 +--

 shared/references/cce-redhat-avail.txt        |  2 -

 .../data/profile_stability/rhel8/stig.profile |  3 +-

 .../profile_stability/rhel8/stig_gui.profile  |  3 +-

 16 files changed, 156 insertions(+), 10 deletions(-)

 create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/ansible/shared.yml

 create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/bash/shared.sh

 create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/oval/shared.xml

 create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml

 create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/no_percent_sign.fail.sh

 create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_greater_than_minimum.pass.sh

 create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_minimum_value.pass.sh

 create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_enough.fail.sh

 create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_there.fail.sh

 create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left_percentage.var

diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml

index 7fd0470df8..a652d15d0d 100644

--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml

+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml

@@ -39,8 +39,6 @@ references:

     pcidss: Req-10.7

     srg: SRG-OS-000343-GPOS-00134

     stigid@ol7: OL07-00-030330

-    stigid@rhel7: RHEL-07-030330

-    stigid@rhel8: RHEL-08-030730

     stigid@sle12: SLES-12-020030

     stigid@sle15: SLES-15-030700

     stigid@ubuntu2004: UBTU-20-010217

diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/ansible/shared.yml

new file mode 100644

index 0000000000..ea52773bd3

--- /dev/null

+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/ansible/shared.yml

@@ -0,0 +1,15 @@

+# platform = multi_platform_all

+# reboot = false

+# strategy = restrict

+# complexity = low

+# disruption = low

+{{{ ansible_instantiate_variables("var_auditd_space_left_percentage") }}}

+

+- name: Configure auditd space_left on Low Disk Space

+  lineinfile:

+    dest: /etc/audit/auditd.conf

+    line: "space_left = {{ var_auditd_space_left_percentage }}%"

+    regexp: '^\s*space_left\s*=\s*.*$'

+    state: present

+    create: yes

+  #notify: reload auditd

diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/bash/shared.sh

new file mode 100644

index 0000000000..6cc3e9ecbe

--- /dev/null

+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/bash/shared.sh

@@ -0,0 +1,7 @@

+# platform = multi_platform_all

+. /usr/share/scap-security-guide/remediation_functions

+{{{ bash_instantiate_variables("var_auditd_space_left_percentage") }}}

+

+grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \

+  sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left_percentage%/g" /etc/audit/auditd.conf || \

+  echo "space_left = $var_auditd_space_left_percentage%" >> /etc/audit/auditd.conf

diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/oval/shared.xml

new file mode 100644

index 0000000000..2fcd222d29

--- /dev/null

+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/oval/shared.xml

@@ -0,0 +1,32 @@

+<def-group>

+  <definition class="compliance" id="{{{ rule_id }}}" version="2">

+    {{{ oval_metadata("space_left setting in /etc/audit/auditd.conf is set to at least a certain value") }}}

+

+    <criteria>

+        <criterion comment="space_left setting in auditd.conf" test_ref="test_auditd_data_retention_space_left_percentage" />

+    </criteria>

+

+  </definition>

+

+  <ind:textfilecontent54_test check="all" comment="admin space left action " id="test_auditd_data_retention_space_left_percentage" version="1">

+    <ind:object object_ref="object_auditd_data_retention_space_left_percentage" />

+    <ind:state state_ref="state_auditd_data_retention_space_left_percentage" />

+  </ind:textfilecontent54_test>

+

+  <ind:textfilecontent54_object id="object_auditd_data_retention_space_left_percentage" version="2">

+    <ind:filepath>/etc/audit/auditd.conf</ind:filepath>

+    

+    

+    <ind:pattern operation="pattern match">^[\s]*space_left[\s]+=[\s]+(\d+)%[\s]*$</ind:pattern>

+    <ind:instance datatype="int">1</ind:instance>

+  </ind:textfilecontent54_object>

+

+

+  <ind:textfilecontent54_state id="state_auditd_data_retention_space_left_percentage" version="1">

+    <ind:subexpression operation="greater than or equal" var_ref="var_auditd_space_left_percentage" datatype="int" />

+  </ind:textfilecontent54_state>

+

+  <external_variable comment="audit space_left setting" datatype="int" id="var_auditd_space_left_percentage" version="1" />

+

+

+</def-group>

diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml

new file mode 100644

index 0000000000..ea9d9fcc6b

--- /dev/null

+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml

@@ -0,0 +1,47 @@

+documentation_complete: true

+

+prodtype:  fedora,rhel7,rhel8,rhel9

+

+title: 'Configure auditd space_left on Low Disk Space'

+

+description: |-

+    The <tt>auditd</tt> service can be configured to take an action

+    when disk space is running low but prior to running out of space completely.

+    Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following line,

+    substituting PERCENTAGE appropriately:

+    
space_left = PERCENTAGE%

+    Set this value to at least 25 to cause the system to

+    notify the user of an issue.

+

+rationale: |-

+    Notifying administrators of an impending disk space problem may allow them to

+    take corrective action prior to any disruption.

+

+severity: medium

+

+identifiers:

+    cce@rhel7: CCE-86056-9

+    cce@rhel8: CCE-86055-1

+

+references:

+    cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8

+    cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01

+    disa: CCI-001855

+    isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4

+    isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 7.1,SR 7.2'

+    iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1

+    nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a)

+    nist-csf: DE.AE-3,DE.AE-5,PR.DS-4,PR.PT-1,RS.AN-1,RS.AN-4

+    pcidss: Req-10.7

+    srg: SRG-OS-000343-GPOS-00134

+    stigid@rhel7: RHEL-07-030330

+    stigid@rhel8: RHEL-08-030730

+    vmmsrg: SRG-OS-000343-VMM-001240

+

+ocil_clause: 'the system is not configured with a specific percentage to notify administrators of an issue'

+

+ocil: |-

+    Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to

+    determine if the system is configured correctly:

+    
space_left PERCENTAGE%

+

diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/no_percent_sign.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/no_percent_sign.fail.sh

new file mode 100644

index 0000000000..2e90ce1d7b

--- /dev/null

+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/no_percent_sign.fail.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+# variables = var_auditd_space_left_percentage=25

+

+. $SHARED/auditd_utils.sh

+prepare_auditd_test_enviroment

+set_parameters_value /etc/audit/auditd.conf "space_left" "25"

diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_greater_than_minimum.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_greater_than_minimum.pass.sh

new file mode 100644

index 0000000000..135d6e4258

--- /dev/null

+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_greater_than_minimum.pass.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+# variables = var_auditd_space_left_percentage=25

+

+. $SHARED/auditd_utils.sh

+prepare_auditd_test_enviroment

+set_parameters_value /etc/audit/auditd.conf "space_left" "35%"

diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_minimum_value.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_minimum_value.pass.sh

new file mode 100644

index 0000000000..10d652e80e

--- /dev/null

+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_minimum_value.pass.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+# variables = var_auditd_space_left_percentage=25

+

+. $SHARED/auditd_utils.sh

+prepare_auditd_test_enviroment

+set_parameters_value /etc/audit/auditd.conf "space_left" "25%"

diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_enough.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_enough.fail.sh

new file mode 100644

index 0000000000..0bf7694b15

--- /dev/null

+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_enough.fail.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+# variables = var_auditd_space_left_percentage=25

+

+. $SHARED/auditd_utils.sh

+prepare_auditd_test_enviroment

+set_parameters_value /etc/audit/auditd.conf "space_left" "15%"

diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_there.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_there.fail.sh

new file mode 100644

index 0000000000..34ac5595c6

--- /dev/null

+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_there.fail.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+# variables = var_auditd_space_left_percentage=25

+

+. $SHARED/auditd_utils.sh

+prepare_auditd_test_enviroment

+delete_parameter /etc/audit/auditd.conf "space_left"

diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left_percentage.var b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left_percentage.var

new file mode 100644

index 0000000000..427a1d4bfa

--- /dev/null

+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left_percentage.var

@@ -0,0 +1,15 @@

+documentation_complete: true

+

+title: 'The percentage remaining in disk space before prompting space_left_action'

+

+description: 'The setting for space_left as a percentage in /etc/audit/auditd.conf'

+

+type: number

+

+interactive: true

+

+options:

+    25pc: 25

+    50pc: 50

+    75pc: 75

+    default: 25

diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile

index 9ca1360005..67e22982cd 100644

--- a/products/rhel7/profiles/stig.profile

+++ b/products/rhel7/profiles/stig.profile

@@ -50,6 +50,7 @@ selections:

     - var_removable_partition=dev_cdrom

     - var_auditd_action_mail_acct=root

     - var_auditd_space_left_action=email

+    - var_auditd_space_left_percentage=25pc

     - var_accounts_user_umask=077

     - var_password_pam_retry=3

     - var_accounts_max_concurrent_login_sessions=10

@@ -178,8 +179,8 @@ selections:

     - auditd_audispd_configure_remote_server

     - auditd_audispd_encrypt_sent_records

     - auditd_audispd_disk_full_action

-    - auditd_data_retention_space_left

     - auditd_data_retention_space_left_action

+    - auditd_data_retention_space_left_percentage

     - auditd_data_retention_action_mail_acct

     - audit_rules_suid_privilege_function

     - audit_rules_dac_modification_chown

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 36f384621a..10dbc1501b 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -65,7 +65,7 @@ selections:

     - var_auditd_action_mail_acct=root

     - var_time_service_set_maxpoll=18_hours

     - var_accounts_maximum_age_login_defs=60

-    - var_auditd_space_left=250MB

+    - var_auditd_space_left_percentage=25pc

     - var_auditd_space_left_action=email

     - var_auditd_disk_error_action=halt

     - var_auditd_max_log_file_action=syslog

@@ -922,8 +922,9 @@ selections:

     - rsyslog_encrypt_offload_actionsendstreamdriverauthmode

     # RHEL-08-030730

-    # this rule expects configuration in MB instead percentage as how STIG demands

-    # - auditd_data_retention_space_left

+    - auditd_data_retention_space_left_percentage

+

+    # RHEL-08-030731

     - auditd_data_retention_space_left_action

     # RHEL-08-030740

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index 6c33c2e85f..fcb8125ca4 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -170,8 +170,6 @@ CCE-86051-0

 CCE-86052-8

 CCE-86053-6

 CCE-86054-4

-CCE-86055-1

-CCE-86056-9

 CCE-86057-7

 CCE-86058-5

 CCE-86059-3

diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile

index f3e6c4fa1a..09a5bc3174 100644

--- a/tests/data/profile_stability/rhel8/stig.profile

+++ b/tests/data/profile_stability/rhel8/stig.profile

@@ -140,6 +140,7 @@ selections:

 - auditd_data_retention_action_mail_acct

 - auditd_data_retention_max_log_file_action

 - auditd_data_retention_space_left_action

+- auditd_data_retention_space_left_percentage

 - auditd_local_events

 - auditd_log_format

 - auditd_name_format

@@ -422,7 +423,7 @@ selections:

 - var_auditd_action_mail_acct=root

 - var_time_service_set_maxpoll=18_hours

 - var_accounts_maximum_age_login_defs=60

-- var_auditd_space_left=250MB

+- var_auditd_space_left_percentage=25pc

 - var_auditd_space_left_action=email

 - var_auditd_disk_error_action=halt

 - var_auditd_max_log_file_action=syslog

diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile

index b5b60349a8..5b631a3fe0 100644

--- a/tests/data/profile_stability/rhel8/stig_gui.profile

+++ b/tests/data/profile_stability/rhel8/stig_gui.profile

@@ -151,6 +151,7 @@ selections:

 - auditd_data_retention_action_mail_acct

 - auditd_data_retention_max_log_file_action

 - auditd_data_retention_space_left_action

+- auditd_data_retention_space_left_percentage

 - auditd_local_events

 - auditd_log_format

 - auditd_name_format

@@ -432,7 +433,7 @@ selections:

 - var_auditd_action_mail_acct=root

 - var_time_service_set_maxpoll=18_hours

 - var_accounts_maximum_age_login_defs=60

-- var_auditd_space_left=250MB

+- var_auditd_space_left_percentage=25pc

 - var_auditd_space_left_action=email

 - var_auditd_disk_error_action=halt

 - var_auditd_max_log_file_action=syslog