From 54a0e7e0c0d00eacf21f68492517db8968d4e0b2 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 4 Aug 2021 15:01:45 +0200

Subject: [PATCH 01/31] Change fix_audit_syscall_rule to group syscalls

The function actually separated the syscalls into individual lines.

* Improve and extend rule skeleton matching with more explicit rule

  options for action, arch, auid and other filters.

* Make explicit the syscalls that can be grouped through the

  'syscall_groupings' parameter.

* Make they key to use more explicit, instead of implicit through

  'group'.

---

 .../fix_audit_syscall_rule.sh                 | 218 ++++++++----------

 .../bash.template                             |  26 ++-

 .../audit_rules_dac_modification/template.py  |   4 +

 .../bash.template                             |  13 +-

 .../template.py                               |  14 ++

 .../audit_rules_path_syscall/bash.template    |  13 +-

 .../audit_rules_path_syscall/template.py      |   4 +

 .../bash.template                             |  17 +-

 .../template.py                               |   4 +

 .../bash.template                             |  25 +-

 .../template.py                               |  14 ++

 11 files changed, 195 insertions(+), 157 deletions(-)

 create mode 100644 shared/templates/audit_rules_file_deletion_events/template.py

 create mode 100644 shared/templates/audit_rules_unsuccessful_file_modification/template.py

diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh

index 4e16af2fb71..6bf5ac15436 100644

--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh

+++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh

@@ -10,40 +10,48 @@

 #

 # for further details.

 #

-# Expects five arguments (each of them is required) in the form of:

+# Expects seven arguments (each of them is required) in the form of:

 # * audit tool				tool used to load audit rules,

 # 					either 'auditctl', or 'augenrules

-# * audit rules' pattern		audit rule skeleton for same syscall

-# * syscall group			greatest common string this rule shares

-# 					with other rules from the same group

-# * architecture			architecture this rule is intended for

-# * full form of new rule to add	expected full form of audit rule as to be

-# 					added into audit.rules file

+# * action_arch_filters		The action and arch filters of the rule

+#					For example, "-a always,exit -F arch=b64"

+# * other_filters			Other filters that may characterize the rule:

+#					For example, "-F a2&03 -F path=/etc/passwd"

+# * auid_filters			The auid filters of the rule

+#					For example, "-F auid>=1000 -F auid!=unset"

+# * syscall					The syscall to ensure presense among audit rules

+#					For example, "chown"

+# * syscall_groupings		Other syscalls that can be grouped with 'syscall'

+#					as a space separated list.

+#					For example, "fchown lchown fchownat"

+# * key						The key to use when appending a new rule

 #

-# Note: The 2-th up to 4-th arguments are used to determine how many existing

+# Notes:

+# - The 2-nd up to 4-th arguments are used to determine how many existing

 # audit rules will be inspected for resemblance with the new audit rule

-# (5-th argument) the function is going to add. The rule's similarity check

-# is performed to optimize audit.rules definition (merge syscalls of the same

-# group into one rule) to avoid the "single-syscall-per-audit-rule" performance

-# penalty.

-#

-# Example call:

-#

-#	See e.g. 'audit_rules_file_deletion_events.sh' remediation script

-#

+# the function is going to add.

+# - The function's similarity check uses the 5-th argument to optimize audit

+# rules definitions (merge syscalls of the same group into one rule) to avoid

+# the "single-syscall-per-audit-rule" performance penalty.

+# - The key argument (7-th argument) is not used when the syscall is grouped to an

+# existing audit rule. The audit rule will retain the key it already had.

+

 function fix_audit_syscall_rule {

 # Load function arguments into local variables

 local tool="$1"

-local pattern="$2"

-local group="$3"

-local arch="$4"

-local full_rule="$5"

+local action_arch_filters="$2"

+local other_filters="$3"

+local auid_filters="$4"

+local syscall="$5"

+local syscall_grouping

+read -a syscall_grouping <<< "$6"

+local key="$7"

 # Check sanity of the input

-if [ $# -ne "5" ]

+if [ $# -ne "7" ]

 then

-	echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'"

+	echo "Usage: fix_audit_syscall_rule 'tool' 'action_arch_filters' 'other_filters' 'auid_filters' 'syscall' 'syscall_grouping' 'key'"

 	echo "Aborting."

 	exit 1

 fi

@@ -74,16 +82,17 @@ then

 # file to the list of files to be inspected

 elif [ "$tool" == 'auditctl' ]

 then

+	default_file="/etc/audit/audit.rules"

 	files_to_inspect+=('/etc/audit/audit.rules' )

 # If audit tool is 'augenrules', then check if the audit rule is defined

 # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection

 # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection

 elif [ "$tool" == 'augenrules' ]

 then

-	# Extract audit $key from audit rule so we can use it later

 	matches=()

-	key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)')

-	readarray -t matches < <(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules)

+	default_file="/etc/audit/rules.d/${key}.rules"

+	# As other_filters may include paths, lets use a different delimiter for it

+	readarray -t matches < <(sed -s -n -e "/${action_arch_filters}/!d" -e "\#${other_filters}#!d" -e "/${auid_filters}/!d" /etc/audit/rules.d/*.rules)

 	if [ $? -ne 0 ]

 	then

 		retval=1

@@ -106,115 +115,88 @@ then

 fi

 #

-# Indicator that we want to append $full_rule into $audit_file by default

+# Indicator that we want to append $full_rule into $audit_file or edit a rule in it

 local append_expected_rule=0

 for audit_file in "${files_to_inspect[@]}"

 do

-	# Filter existing $audit_file rules' definitions to select those that:

-	# * follow the rule pattern, and

-	# * meet the hardware architecture requirement, and

-	# * are current syscall group specific

-	readarray -t existing_rules < <(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d"  "$audit_file")

+	# Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,

+	# i.e, collect rules that match:

+	# * the action, list and arch, (2-nd argument)

+	# * the other filters, (3-rd argument)

+	# * the auid filters, (4-rd argument)

+	readarray -t similar_rules < <(sed -e "/${action_arch_filters}/!d"  -e "\#${other_filters}#!d" -e "/${auid_filters}/!d" "$audit_file")

 	if [ $? -ne 0 ]

 	then

 		retval=1

 	fi

-	# Process rules found case-by-case

-	for rule in "${existing_rules[@]}"

+	local candidate_rules=()

+	# Filter out rules that have more fields then required. This will remove rules more specific than the required scope

+	for s_rule in "${similar_rules[@]}"

+	do

+		# Strip all the options and fields we know of,

+		# than check if there was any field left over

+		extra_fields=$(sed -E -e "s/${action_arch_filters}//"  -e "s#${other_filters}##" -e "s/${auid_filters}//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")

+		grep -q -- "-F" <<< "$extra_fields"

+		if [ $? -ne 0 ]

+		then

+			candidate_rules+=("$s_rule")

+		fi

+	done

+

+	# Check if the syscall we want is present in any of the similar existing rules

+	for rule in "${candidate_rules[@]}"

 	do

-		# Found rule is for same arch & key, but differs (e.g. in count of -S arguments)

-		if [ "${rule}" != "${full_rule}" ]

+		rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)

+		grep -q -- "\b${syscall}\b" <<< "$rule_syscalls"

+		if [ $? -eq 0 ]

 		then

-			# If so, isolate just '(-S \w)+' substring of that rule

-			rule_syscalls=$(echo "$rule" | grep -o -P '(-S \w+ )+')

-			# Check if list of '-S syscall' arguments of that rule is subset

-			# of '-S syscall' list of expected $full_rule

-			if grep -q -- "$rule_syscalls" <<< "$full_rule"

+			# We found a rule with the syscall we want

+			return $retval

+		fi

+

+		# Check if this rule can be grouped with our target syscall and keep track of it

+		for syscall_g in "${syscall_grouping[@]}"

+		do

+			if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"

 			then

-				# Rule is covered (i.e. the list of -S syscalls for this rule is

-				# subset of -S syscalls of $full_rule => existing rule can be deleted

-				# Thus delete the rule from audit.rules & our array

-				sed -i -e "\;${rule};d" "$audit_file"

-				if [ $? -ne 0 ]

-				then

-					retval=1

-				fi

-				existing_rules=("${existing_rules[@]//$rule/}")

-			else

-				# Rule isn't covered by $full_rule - it besides -S syscall arguments

-				# for this group contains also -S syscall arguments for other syscall

-				# group. Example: '-S lchown -S fchmod -S fchownat' => group='chown'

-				# since 'lchown' & 'fchownat' share 'chown' substring

-				# Therefore:

-				# * 1) delete the original rule from audit.rules

-				# (original '-S lchown -S fchmod -S fchownat' rule would be deleted)

-				# * 2) delete the -S syscall arguments for this syscall group, but

-				# keep those not belonging to this syscall group

-				# (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod'

-				# * 3) append the modified (filtered) rule again into audit.rules

-				# if the same rule not already present

-				#

-				# 1) Delete the original rule

-				sed -i -e "\;${rule};d" "$audit_file"

-				if [ $? -ne 0 ]

-				then

-					retval=1

-				fi

-

-				# 2) Delete syscalls for this group, but keep those from other groups

-				# Convert current rule syscall's string into array splitting by '-S' delimiter

-				IFS_BKP="$IFS"

-				IFS=$'-S'

-				read -a rule_syscalls_as_array <<< "$rule_syscalls"

-				# Reset IFS back to default

-				IFS="$IFS_BKP"

-				# Splitting by "-S" can't be replaced by the readarray functionality easily

-

-				# Declare new empty string to hold '-S syscall' arguments from other groups

-				new_syscalls_for_rule=''

-				# Walk through existing '-S syscall' arguments

-				for syscall_arg in "${rule_syscalls_as_array[@]}"

-				do

-					# Skip empty $syscall_arg values

-					if [ "$syscall_arg" == '' ]

-					then

-						continue

-					fi

-					# If the '-S syscall' doesn't belong to current group add it to the new list

-					# (together with adding '-S' delimiter back for each of such item found)

-					if grep -q -v -- "$group" <<< "$syscall_arg"

-					then

-						new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg"

-					fi

-				done

-				# Replace original '-S syscall' list with the new one for this rule

-				updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule}

-				# Squeeze repeated whitespace characters in rule definition (if any) into one

-				updated_rule=$(echo "$updated_rule" | tr -s '[:space:]')

-				# 3) Append the modified / filtered rule again into audit.rules

-				#    (but only in case it's not present yet to prevent duplicate definitions)

-				if ! grep -q -- "$updated_rule" "$audit_file"

-				then

-					echo "$updated_rule" >> "$audit_file"

-				fi

+				local file_to_edit=${audit_file}

+				local rule_to_edit=${rule}

+				local rule_syscalls_to_edit=${rule_syscalls}

 			fi

-		else

-			# $audit_file already contains the expected rule form for this

-			# architecture & key => don't insert it second time

-			append_expected_rule=1

-		fi

+		done

 	done

+done

+

+

+# We checked all rules that matched the expected resemblance patter (action, arch & auid)

+# At this point we know if we need to either append the $full_rule or group

+# the syscall together with an exsiting rule

-	# We deleted all rules that were subset of the expected one for this arch & key.

-	# Also isolated rules containing system calls not from this system calls group.

-	# Now append the expected rule if it's not present in $audit_file yet

-	if [[ ${append_expected_rule} -eq "0" ]]

+# Append the full_rule if it cannot be grouped to any other rule

+if [ -z ${rule_to_edit+x} ]

+then

+	# Build full_rule while avoid adding double spaces when other_filters is empty

+	local full_rule="$action_arch_filters -S $syscall $([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key"

+	echo "$full_rule" >> "$default_file"

+else

+	# Check if the syscalls are declared as a comma separated list or

+	# as multiple -S parameters

+	if grep -q -- "," <<< "${rule_syscalls_to_edit}"

 	then

-		echo "$full_rule" >> "$audit_file"

+		new_grouped_syscalls="${rule_syscalls_to_edit},${syscall}"

+	else

+		new_grouped_syscalls="${rule_syscalls_to_edit} -S ${syscall}"

 	fi

-done

+

+	# Group the syscall in the rule

+	sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"

+	if [ $? -ne 0 ]

+	then

+		retval=1

+	fi

+fi

 return $retval

diff --git a/shared/templates/audit_rules_dac_modification/bash.template b/shared/templates/audit_rules_dac_modification/bash.template

index d64d264635c..b2de8d355e1 100644

--- a/shared/templates/audit_rules_dac_modification/bash.template

+++ b/shared/templates/audit_rules_dac_modification/bash.template

@@ -9,25 +9,31 @@

 for ARCH in "${RULE_ARCHS[@]}"

 do

-	PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>=.*"

-	GROUP="perm_mod"

-	FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"

+	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"

+	OTHER_FILTERS=""

+	AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"

+	SYSCALL="{{{ ATTR }}}"

+	KEY="perm_mod"

+	SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"

 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

-	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

-	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

+	fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"

+	fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"

 done

 {{% if CHECK_ROOT_USER %}}

 for ARCH in "${RULE_ARCHS[@]}"

 do

-	PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0.*"

-	GROUP="perm_mod"

-	FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"

+	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"

+	OTHER_FILTERS=""

+	AUID_FILTERS="-F auid=0"

+	SYSCALL="{{{ ATTR }}}"

+	KEY="perm_mod"

+	SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"

 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

-	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

-	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

+	fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"

+	fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"

 done

 {{% endif %}}

diff --git a/shared/templates/audit_rules_dac_modification/template.py b/shared/templates/audit_rules_dac_modification/template.py

index e12e9c27e56..7dc53e81f7d 100644

--- a/shared/templates/audit_rules_dac_modification/template.py

+++ b/shared/templates/audit_rules_dac_modification/template.py

@@ -3,5 +3,9 @@

 def preprocess(data, lang):

     data["check_root_user"] = parse_template_boolean_value(data, parameter="check_root_user", default_value=False)

+    if lang == "bash":

+        if "syscall_grouping" in data:

+            # Make it easier to tranform the syscall_grouping into a Bash array

+            data["syscall_grouping"] = " ".join(data["syscall_grouping"])

     return data

diff --git a/shared/templates/audit_rules_file_deletion_events/bash.template b/shared/templates/audit_rules_file_deletion_events/bash.template

index 851b0fd43e3..b5b4c46a7cd 100644

--- a/shared/templates/audit_rules_file_deletion_events/bash.template

+++ b/shared/templates/audit_rules_file_deletion_events/bash.template

@@ -9,10 +9,13 @@

 for ARCH in "${RULE_ARCHS[@]}"

 do

-	PATTERN="-a always,exit -F arch=$ARCH -S {{{ NAME }}}.*"

-	GROUP="delete"

-	FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F auid>={{{ auid }}} -F auid!=unset -F key=delete"

+	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"

+	OTHER_FILTERS=""

+	AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"

+	SYSCALL="{{{ NAME }}}"

+	KEY="delete"

+	SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"

 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

-	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

-	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

+	fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"

+	fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"

 done

diff --git a/shared/templates/audit_rules_file_deletion_events/template.py b/shared/templates/audit_rules_file_deletion_events/template.py

new file mode 100644

index 00000000000..7be137c1eb9

--- /dev/null

+++ b/shared/templates/audit_rules_file_deletion_events/template.py

@@ -0,0 +1,14 @@

+import ssg.utils

+

+

+def _audit_rules_file_deletion_events(data, lang):

+    if lang == "bash":

+        if "syscall_grouping" in data:

+            # Make it easier to tranform the syscall_grouping into a Bash array

+            data["syscall_grouping"] = " ".join(data["syscall_grouping"])

+    return data

+

+

+def preprocess(data, lang):

+    return _audit_rules_file_deletion_events(data, lang)

+

diff --git a/shared/templates/audit_rules_path_syscall/bash.template b/shared/templates/audit_rules_path_syscall/bash.template

index 656d168ddd2..676f6c37deb 100644

--- a/shared/templates/audit_rules_path_syscall/bash.template

+++ b/shared/templates/audit_rules_path_syscall/bash.template

@@ -9,10 +9,13 @@

 for ARCH in "${RULE_ARCHS[@]}"

 do

-	PATTERN="-a always,exit -F arch=$ARCH -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}}.*"

-	GROUP="modify"

-	FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"

+	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"

+	OTHER_FILTERS="-F {{{ POS }}}&03 -F path={{{ PATH }}}"

+	AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"

+	SYSCALL="{{{ SYSCALL }}}"

+	KEY="user-modify"

+	SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"

 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

-	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

-	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

+	fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"

+	fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"

 done

diff --git a/shared/templates/audit_rules_path_syscall/template.py b/shared/templates/audit_rules_path_syscall/template.py

index beb25a6e69d..7e0877a02b9 100644

--- a/shared/templates/audit_rules_path_syscall/template.py

+++ b/shared/templates/audit_rules_path_syscall/template.py

@@ -7,4 +7,8 @@ def preprocess(data, lang):

         # remove root slash made into '_'

         pathid = pathid[1:]

         data["pathid"] = pathid

+    elif lang == "bash":

+        if "syscall_grouping" in data:

+            # Make it easier to tranform the syscall_grouping into a Bash array

+            data["syscall_grouping"] = " ".join(data["syscall_grouping"])

     return data

diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template

index d03a92061cb..bd9d4d12484 100644

--- a/shared/templates/audit_rules_privileged_commands/bash.template

+++ b/shared/templates/audit_rules_privileged_commands/bash.template

@@ -1,16 +1,17 @@

 {{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}

-  {{%- set perm_x="-F perm=x " %}}

+  {{%- set perm_x=" -F perm=x " %}}

 {{%- endif %}}

 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv

 # Include source function library.

 . /usr/share/scap-security-guide/remediation_functions

-PATTERN="-a always,exit -F path={{{ PATH }}}\\s\\+.*"

-GROUP="privileged"

-# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation

-ARCH=""

-FULL_RULE="-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged"

+ACTION_ARCH_FILTERS="-a always,exit"

+OTHER_FILTERS="-F path={{{ PATH }}}{{{ perm_x }}}"

+AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"

+SYSCALL="{{{ ATTR }}}"

+KEY="privileged"

+SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"

 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

-fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

-fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

+fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"

+fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"

diff --git a/shared/templates/audit_rules_privileged_commands/template.py b/shared/templates/audit_rules_privileged_commands/template.py

index 444b2aab083..43302a6690a 100644

--- a/shared/templates/audit_rules_privileged_commands/template.py

+++ b/shared/templates/audit_rules_privileged_commands/template.py

@@ -15,4 +15,8 @@ def preprocess(data, lang):

         if npath[0] == '_':

             npath = npath[1:]

         data["normalized_path"] = npath

+    elif lang == "bash":

+        if "syscall_grouping" in data:

+            # Make it easier to tranform the syscall_grouping into a Bash array

+            data["syscall_grouping"] = " ".join(data["syscall_grouping"])

     return data

diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template

index daf146f7eb5..4adaa86fd58 100644

--- a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template

+++ b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template

@@ -7,22 +7,25 @@

 # Retrieve hardware architecture of the underlying system

 [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

+AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"

+SYSCALL="{{{ NAME }}}"

+KEY="access"

+SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"

+

 for ARCH in "${RULE_ARCHS[@]}"

 do

-	PATTERN="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F exit=-EACCES.*"

-	GROUP="access"

-	FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=access"

+	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"

+	OTHER_FILTERS="-F exit=-EACCES"

 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

-	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

-	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

+	fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"

+	fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"

 done

 for ARCH in "${RULE_ARCHS[@]}"

 do

-        PATTERN="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F exit=-EPERM.*"

-        GROUP="access"

-        FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=access"

-        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

-        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

-        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

+	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"

+	OTHER_FILTERS="-F exit=-EPERM"

+	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

+	fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"

+	fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"

 done

diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/template.py b/shared/templates/audit_rules_unsuccessful_file_modification/template.py

new file mode 100644

index 00000000000..a4e58609f66

--- /dev/null

+++ b/shared/templates/audit_rules_unsuccessful_file_modification/template.py

@@ -0,0 +1,14 @@

+import ssg.utils

+

+

+def _audit_rules_unsuccessful_file_modification(data, lang):

+    if lang == "bash":

+        if "syscall_grouping" in data:

+            # Make it easier to tranform the syscall_grouping into a Bash array

+            data["syscall_grouping"] = " ".join(data["syscall_grouping"])

+    return data

+

+

+def preprocess(data, lang):

+    return _audit_rules_unsuccessful_file_modification(data, lang)

+

From 4c682eadba5ec03ed1204ba9d1b190634bd855d8 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 4 Aug 2021 15:32:18 +0200

Subject: [PATCH 02/31] Set syscall grouping for chmod rules

---

 .../audit_rules_dac_modification_chmod/rule.yml               | 4 ++++

 .../audit_rules_dac_modification_fchmod/rule.yml              | 4 ++++

 .../audit_rules_dac_modification_fchmodat/rule.yml            | 4 ++++

 3 files changed, 12 insertions(+)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml

index bc3e47523f5..07d37b18aa3 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml

@@ -76,3 +76,7 @@ template:

     name: audit_rules_dac_modification

     vars:

         attr: chmod

+        syscall_grouping:

+          - chmod

+          - fchmod

+          - fchmodat

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml

index ed4d88cb0c6..6c3cc5592ac 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml

@@ -74,3 +74,7 @@ template:

     name: audit_rules_dac_modification

     vars:

         attr: fchmod

+        syscall_grouping:

+          - chmod

+          - fchmod

+          - fchmodat

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml

index 2db3878939a..3e51d482a9c 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml

@@ -74,3 +74,7 @@ template:

     name: audit_rules_dac_modification

     vars:

         attr: fchmodat

+        syscall_grouping:

+          - chmod

+          - fchmod

+          - fchmodat

From eaaaa86b8a07082cdc92d967af09e0908ef22905 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 4 Aug 2021 15:32:52 +0200

Subject: [PATCH 03/31] Set syscall grouping for chown rules

---

 .../audit_rules_dac_modification_chown/rule.yml              | 5 +++++

 .../audit_rules_dac_modification_fchown/rule.yml             | 5 +++++

 .../audit_rules_dac_modification_fchownat/rule.yml           | 5 +++++

 .../audit_rules_dac_modification_lchown/rule.yml             | 5 +++++

 4 files changed, 20 insertions(+)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml

index 6b3236cf953..e2d9944a3bb 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml

@@ -74,3 +74,8 @@ template:

     name: audit_rules_dac_modification

     vars:

         attr: chown

+        syscall_grouping:

+          - chown

+          - fchown

+          - fchownat

+          - lchown

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml

index 37dfb89ef29..d89875fcaab 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml

@@ -77,3 +77,8 @@ template:

     name: audit_rules_dac_modification

     vars:

         attr: fchown

+        syscall_grouping:

+          - chown

+          - fchown

+          - fchownat

+          - lchown

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml

index f75ac769d8d..e6caaeb5c9f 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml

@@ -74,3 +74,8 @@ template:

     name: audit_rules_dac_modification

     vars:

         attr: fchownat

+        syscall_grouping:

+          - chown

+          - fchown

+          - fchownat

+          - lchown

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml

index edc053bfb30..190509c0c8d 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml

@@ -74,3 +74,8 @@ template:

     name: audit_rules_dac_modification

     vars:

         attr: lchown

+        syscall_grouping:

+          - chown

+          - fchown

+          - fchownat

+          - lchown

From b1d747cb65e6e869be2b3c99d295cb6f75c98b61 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 4 Aug 2021 15:33:21 +0200

Subject: [PATCH 04/31] Set syscall groupings for set/remove xattr rules

---

 .../audit_rules_dac_modification_fremovexattr/rule.yml     | 7 +++++++

 .../audit_rules_dac_modification_fsetxattr/rule.yml        | 7 +++++++

 .../audit_rules_dac_modification_lremovexattr/rule.yml     | 7 +++++++

 .../audit_rules_dac_modification_lsetxattr/rule.yml        | 7 +++++++

 .../audit_rules_dac_modification_removexattr/rule.yml      | 7 +++++++

 .../audit_rules_dac_modification_setxattr/rule.yml         | 7 +++++++

 6 files changed, 42 insertions(+)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml

index 5bd1b25eafb..b9ad3c7942e 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml

@@ -93,3 +93,10 @@ template:

         attr: fremovexattr

         check_root_user@rhel8: "true"

         check_root_user@rhel9: "true"

+        syscall_grouping:

+          - fremovexattr

+          - lremovexattr

+          - removexattr

+          - fsetxattr

+          - lsetxattr

+          - setxattr

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml

index 410dd8a5efa..cedf05f9765 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml

@@ -88,3 +88,10 @@ template:

         attr: fsetxattr

         check_root_user@rhel8: "true"

         check_root_user@rhel9: "true"

+        syscall_grouping:

+          - fremovexattr

+          - lremovexattr

+          - removexattr

+          - fsetxattr

+          - lsetxattr

+          - setxattr

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml

index 947c768efd8..ffdacdf09e7 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml

@@ -93,3 +93,10 @@ template:

         attr: lremovexattr

         check_root_user@rhel8: "true"

         check_root_user@rhel9: "true"

+        syscall_grouping:

+          - fremovexattr

+          - lremovexattr

+          - removexattr