From 8455c8556a6d828b15ebc62cf511e484dd626a36 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Fri, 16 Jul 2021 13:16:12 -0500
Subject: [PATCH] Add rules for RHEL-08-030610

Added two rules, one for each of the paths mentioned in the STIG.
---
 .../rule.yml                                  | 35 ++++++++++++++++++
 .../tests/correct_permissions.pass.sh         |  6 ++++
 .../tests/incorrect_permissions.fail.sh       |  6 ++++
 .../rule.yml                                  | 36 +++++++++++++++++++
 .../tests/correct_permissions.pass.sh         |  6 ++++
 .../tests/incorrect_permissions.fail.sh       |  6 ++++
 products/rhel8/profiles/stig.profile          |  2 ++
 shared/references/cce-redhat-avail.txt        |  2 --
 .../data/profile_stability/rhel8/stig.profile |  2 ++
 .../profile_stability/rhel8/stig_gui.profile  |  2 ++
 10 files changed, 101 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/rule.yml
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/correct_permissions.pass.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/incorrect_permissions.fail.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/rule.yml
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/correct_permissions.pass.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/incorrect_permissions.fail.sh

diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/rule.yml
new file mode 100644
index 0000000000..1cde3ded5f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Verify Permissions on /etc/audit/auditd.conf'
+
+description: |-
+    {{{ describe_file_permissions(file="/etc/audit/auditd.conf", perms="0640") }}}
+
+
+rationale: |-
+    Without the capability to restrict the roles and individuals that can select which events
+    are audited, unauthorized personnel may be able to prevent the auditing of critical
+    events. Misconfigured audits may degrade the system's performance by overwhelming
+    the audit log. Misconfigured audits may also make it more difficult to establish,
+    correlate, and investigate the events relating to an incident or identify
+    those responsible for one.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-85871-2
+
+references:
+    disa: CCI-000171
+    nist: AU-12(b)
+    srg: SRG-OS-000063-GPOS-00032
+    stigid@rhel8: RHEL-08-030610
+
+template:
+    name: file_permissions
+    vars:
+      filepath: /etc/audit/auditd.conf
+      allow_stricter_permissions: "true"
+      filemode: '0640'
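Review bot: The rule scopes the check to the single path `/etc/audit/auditd.conf` (L37, L65), while the commit message describes the STIG item as covering "paths" in `/etc/audit/`; if RHEL-08-030610's check text applies to every file in that directory rather than only auditd.conf, other files that commonly live there (for example a compiled `audit.rules`, if present on the host) would fall outside this rule and the sibling `rules.d` rule, and a second file_permissions rule or a directory-scoped `file_regex` would be needed — worth confirming against the STIG check text. Quoting `filemode: '0640'` is correct here (an unquoted `0640` would be read as an octal integer by YAML 1.1 loaders), so keep the quotes if the value is ever edited.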
diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/correct_permissions.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/correct_permissions.pass.sh
new file mode 100644
index 0000000000..8c9b782920
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/correct_permissions.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+export TESTFILE=/etc/audit/auditd.conf
+mkdir -p /etc/audit/
+touch $TESTFILE
+chmod 0640 $TESTFILE
diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/incorrect_permissions.fail.sh
new file mode 100644
index 0000000000..a460e0dddd
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/incorrect_permissions.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+export TESTFILLE=/etc/audit/auditd.conf
+mkdir -p /etc/audit/
+touch $TESTFILLE
+chmod 0644 $TESTFILLE
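Review bot: The variable is misspelled `TESTFILLE` on all three lines of this script; it is self-consistent so the test still works, but it diverges from the `TESTFILE` name used in the sibling pass script and reads as an unfinished edit. Rename it to `export TESTFILE=/etc/audit/auditd.conf`, `touch "$TESTFILE"`, `chmod 0644 "$TESTFILE"` so the two scripts are parallel (quoting the expansion is harmless here and matches shell best practice).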
diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/rule.yml
new file mode 100644
index 0000000000..34e1f30367
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Verify Permissions on /etc/audit/rules.d/*.rules'
+
+description: |-
+    {{{ describe_file_permissions(file="/etc/audit/rules.d/*.rules", perms="0640") }}}
+
+
+rationale: |-
+    Without the capability to restrict the roles and individuals that can select which events
+    are audited, unauthorized personnel may be able to prevent the auditing of critical
+    events. Misconfigured audits may degrade the system's performance by overwhelming
+    the audit log. Misconfigured audits may also make it more difficult to establish,
+    correlate, and investigate the events relating to an incident or identify
+    those responsible for one.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-85875-3
+
+references:
+    disa: CCI-000171
+    nist: AU-12(b)
+    srg: SRG-OS-000063-GPOS-00032
+    stigid@rhel8: RHEL-08-030610
+
+template:
+    name: file_permissions
+    vars:
+      filepath: /etc/audit/rules.d/
+      file_regex: ^.*rules$
+      allow_stricter_permissions: "true"
+      filemode: '0640'
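Review bot: `file_regex: ^.*rules$` (L131) is looser than the title `/etc/audit/rules.d/*.rules` (L102) suggests — the dot is not escaped or required, so it also matches names such as `myrules` or `oldrules`, and it will not match files in `rules.d/` with other suffixes at all. If the intent is exactly the `*.rules` glob, use `file_regex: ^.*\.rules$`; if the STIG check text covers every file in `/etc/audit/rules.d/` regardless of extension (which the commit message's "paths mentioned in the STIG" hints at but the hunk does not establish), drop the suffix constraint instead, e.g. `file_regex: ^.*$`, so stray backups like `*.rules.bak` with lax modes are caught. Either way, a one-line comment above `file_regex` stating which of the two the rule intends would save the next reader the same question.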
diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/correct_permissions.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/correct_permissions.pass.sh
new file mode 100644
index 0000000000..b0a20248c3
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/correct_permissions.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+export TESTFILE=/etc/audit/rules.d/test_rule.rules
+mkdir -p /etc/audit/rules.d/
+touch $TESTFILE
+chmod 0640 $TESTFILE
diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/incorrect_permissions.fail.sh
new file mode 100644
index 0000000000..c7fd3a95e9
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/incorrect_permissions.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+export TESTFILLE=/etc/audit/rules.d/test_rule.rules
+mkdir -p /etc/audit/rules.d/
+touch $TESTFILLE
+chmod 0644 $TESTFILLE
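Review bot: Same misspelling as in the auditd fail test — `TESTFILLE` is used consistently on all three lines, so the script runs, but the pass script next to it uses `TESTFILE`. Rename to `export TESTFILE=/etc/audit/rules.d/test_rule.rules`, `touch "$TESTFILE"`, `chmod 0644 "$TESTFILE"` for consistency. A second fail scenario with a group-writable mode such as `0660` would also exercise the `allow_stricter_permissions` path more meaningfully than the single 0644 case, since 0644 differs from 0640 only in the world-read bit.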
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 26d0aa9922..5a0a520ee0 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -801,6 +801,8 @@ selections:
     - configure_usbguard_auditbackend
 
     # RHEL-08-030610
+    - file_permissions_etc_audit_auditd
+    - file_permissions_etc_audit_rulesd
 
     # RHEL-08-030620
 
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ae3375fd4d..24e8149168 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -11,11 +11,9 @@ CCE-85867-0
 CCE-85868-8
 CCE-85869-6
 CCE-85870-4
-CCE-85871-2
 CCE-85872-0
 CCE-85873-8
 CCE-85874-6
-CCE-85875-3
 CCE-85876-1
 CCE-85877-9
 CCE-85878-7
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index a1de1f5561..4be3cf93c2 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -123,6 +123,8 @@ selections:
 - file_ownership_var_log_audit
 - file_permission_user_init_files
 - file_permissions_binary_dirs
+- file_permissions_etc_audit_auditd
+- file_permissions_etc_audit_rulesd
 - file_permissions_home_directories
 - file_permissions_library_dirs
 - file_permissions_sshd_private_key
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index b7d2be3af3..20b8a54861 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -134,6 +134,8 @@ selections:
 - file_ownership_var_log_audit
 - file_permission_user_init_files
 - file_permissions_binary_dirs
+- file_permissions_etc_audit_auditd
+- file_permissions_etc_audit_rulesd
 - file_permissions_home_directories
 - file_permissions_library_dirs
 - file_permissions_sshd_private_key