From 54a0e7e0c0d00eacf21f68492517db8968d4e0b2 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 Aug 2021 15:01:45 +0200
Subject: [PATCH 01/31] Change fix_audit_syscall_rule to group syscalls
The function actually separated the syscalls into individual lines.
* Improve and extend rule skeleton matching with more explicit rule
options for action, arch, auid and other filters.
* Make explicit the syscalls that can be grouped through the
'syscall_groupings' parameter.
* Make the key to use more explicit, instead of implicit through
'group'.
---
.../fix_audit_syscall_rule.sh | 218 ++++++++----------
.../bash.template | 26 ++-
.../audit_rules_dac_modification/template.py | 4 +
.../bash.template | 13 +-
.../template.py | 14 ++
.../audit_rules_path_syscall/bash.template | 13 +-
.../audit_rules_path_syscall/template.py | 4 +
.../bash.template | 17 +-
.../template.py | 4 +
.../bash.template | 25 +-
.../template.py | 14 ++
11 files changed, 195 insertions(+), 157 deletions(-)
create mode 100644 shared/templates/audit_rules_file_deletion_events/template.py
create mode 100644 shared/templates/audit_rules_unsuccessful_file_modification/template.py
diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
index 4e16af2fb71..6bf5ac15436 100644
--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
@@ -10,40 +10,48 @@
#
# for further details.
#
-# Expects five arguments (each of them is required) in the form of:
+# Expects seven arguments (each of them is required) in the form of:
# * audit tool tool used to load audit rules,
# either 'auditctl', or 'augenrules
-# * audit rules' pattern audit rule skeleton for same syscall
-# * syscall group greatest common string this rule shares
-# with other rules from the same group
-# * architecture architecture this rule is intended for
-# * full form of new rule to add expected full form of audit rule as to be
-# added into audit.rules file
+# * action_arch_filters The action and arch filters of the rule
+# For example, "-a always,exit -F arch=b64"
+# * other_filters Other filters that may characterize the rule:
+# For example, "-F a2&03 -F path=/etc/passwd"
+# * auid_filters The auid filters of the rule
+# For example, "-F auid>=1000 -F auid!=unset"
+# * syscall The syscall to ensure presense among audit rules
+# For example, "chown"
+# * syscall_groupings Other syscalls that can be grouped with 'syscall'
+# as a space separated list.
+# For example, "fchown lchown fchownat"
+# * key The key to use when appending a new rule
#
-# Note: The 2-th up to 4-th arguments are used to determine how many existing
+# Notes:
+# - The 2-nd up to 4-th arguments are used to determine how many existing
# audit rules will be inspected for resemblance with the new audit rule
-# (5-th argument) the function is going to add. The rule's similarity check
-# is performed to optimize audit.rules definition (merge syscalls of the same
-# group into one rule) to avoid the "single-syscall-per-audit-rule" performance
-# penalty.
-#
-# Example call:
-#
-# See e.g. 'audit_rules_file_deletion_events.sh' remediation script
-#
+# the function is going to add.
+# - The function's similarity check uses the 5-th argument to optimize audit
+# rules definitions (merge syscalls of the same group into one rule) to avoid
+# the "single-syscall-per-audit-rule" performance penalty.
+# - The key argument (7-th argument) is not used when the syscall is grouped to an
+# existing audit rule. The audit rule will retain the key it already had.
+
function fix_audit_syscall_rule {
# Load function arguments into local variables
local tool="$1"
-local pattern="$2"
-local group="$3"
-local arch="$4"
-local full_rule="$5"
+local action_arch_filters="$2"
+local other_filters="$3"
+local auid_filters="$4"
+local syscall="$5"
+local syscall_grouping
+read -a syscall_grouping <<< "$6"
+local key="$7"
# Check sanity of the input
-if [ $# -ne "5" ]
+if [ $# -ne "7" ]
then
- echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'"
+ echo "Usage: fix_audit_syscall_rule 'tool' 'action_arch_filters' 'other_filters' 'auid_filters' 'syscall' 'syscall_grouping' 'key'"
echo "Aborting."
exit 1
fi
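Review bot: `read -a syscall_grouping <<< "$6"` in the new argument handling should be `read -r -a syscall_grouping <<< "$6"`, otherwise a backslash in the grouping list is interpreted as an escape instead of kept literally (ShellCheck SC2162). The header line `# * syscall The syscall to ensure presense among audit rules` has a typo, `presense` → `presence`. The header could also state the constraint the later sed/grep calls put on arguments 2–4, since they are interpolated verbatim: `# Note: action_arch_filters, other_filters and auid_filters are used unescaped as sed regular expressions; they must not contain '/' (arguments 2 and 4), '#' (argument 3) or regex metacharacters.` The function body continues past this hunk.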
@@ -74,16 +82,17 @@ then
# file to the list of files to be inspected
elif [ "$tool" == 'auditctl' ]
then
+ default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
elif [ "$tool" == 'augenrules' ]
then
- # Extract audit $key from audit rule so we can use it later
matches=()
- key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)')
- readarray -t matches < <(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules)
+ default_file="/etc/audit/rules.d/${key}.rules"
+ # As other_filters may include paths, lets use a different delimiter for it
+ readarray -t matches < <(sed -s -n -e "/${action_arch_filters}/!d" -e "\#${other_filters}#!d" -e "/${auid_filters}/!d" /etc/audit/rules.d/*.rules)
if [ $? -ne 0 ]
then
retval=1
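Review bot: The rebuilt `sed -s -n ...` that fills `matches` no longer prints anything: the removed expression ended with `;F` (print the current file name), while the new one only has `!d` commands under `-n`, so the command substitution is always empty and `matches` stays `()` on every run. Whatever consumes `matches` below this hunk (presumably the choice between the existing `/etc/audit/rules.d/*.rules` files and the new `${key}.rules` default) will therefore always take the "no existing rule" path, and a syscall already covered in another `.rules` file would be appended again under `/etc/audit/rules.d/${key}.rules`. Restore the file-name command, e.g. `-e "F"` before the file glob. The `$?` test on the following line reports the status of `readarray`, not of the sed inside the process substitution, so a sed failure here would also go unnoticed; the rest of this branch is outside the hunk.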
@@ -106,115 +115,88 @@ then
fi
#
-# Indicator that we want to append $full_rule into $audit_file by default
+# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
local append_expected_rule=0
for audit_file in "${files_to_inspect[@]}"
do
- # Filter existing $audit_file rules' definitions to select those that:
- # * follow the rule pattern, and
- # * meet the hardware architecture requirement, and
- # * are current syscall group specific
- readarray -t existing_rules < <(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file")
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/${action_arch_filters}/!d" -e "\#${other_filters}#!d" -e "/${auid_filters}/!d" "$audit_file")
if [ $? -ne 0 ]
then
retval=1
fi
- # Process rules found case-by-case
- for rule in "${existing_rules[@]}"
+ local candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/${action_arch_filters}//" -e "s#${other_filters}##" -e "s/${auid_filters}//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields"
+ if [ $? -ne 0 ]
+ then
+ candidate_rules+=("$s_rule")
+ fi
+ done
+
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
do
- # Found rule is for same arch & key, but differs (e.g. in count of -S arguments)
- if [ "${rule}" != "${full_rule}" ]
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls"
+ if [ $? -eq 0 ]
then
- # If so, isolate just '(-S \w)+' substring of that rule
- rule_syscalls=$(echo "$rule" | grep -o -P '(-S \w+ )+')
- # Check if list of '-S syscall' arguments of that rule is subset
- # of '-S syscall' list of expected $full_rule
- if grep -q -- "$rule_syscalls" <<< "$full_rule"
+ # We found a rule with the syscall we want
+ return $retval
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
then
- # Rule is covered (i.e. the list of -S syscalls for this rule is
- # subset of -S syscalls of $full_rule => existing rule can be deleted
- # Thus delete the rule from audit.rules & our array
- sed -i -e "\;${rule};d" "$audit_file"
- if [ $? -ne 0 ]
- then
- retval=1
- fi
- existing_rules=("${existing_rules[@]//$rule/}")
- else
- # Rule isn't covered by $full_rule - it besides -S syscall arguments
- # for this group contains also -S syscall arguments for other syscall
- # group. Example: '-S lchown -S fchmod -S fchownat' => group='chown'
- # since 'lchown' & 'fchownat' share 'chown' substring
- # Therefore:
- # * 1) delete the original rule from audit.rules
- # (original '-S lchown -S fchmod -S fchownat' rule would be deleted)
- # * 2) delete the -S syscall arguments for this syscall group, but
- # keep those not belonging to this syscall group
- # (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod'
- # * 3) append the modified (filtered) rule again into audit.rules
- # if the same rule not already present
- #
- # 1) Delete the original rule
- sed -i -e "\;${rule};d" "$audit_file"
- if [ $? -ne 0 ]
- then
- retval=1
- fi
-
- # 2) Delete syscalls for this group, but keep those from other groups
- # Convert current rule syscall's string into array splitting by '-S' delimiter
- IFS_BKP="$IFS"
- IFS=$'-S'
- read -a rule_syscalls_as_array <<< "$rule_syscalls"
- # Reset IFS back to default
- IFS="$IFS_BKP"
- # Splitting by "-S" can't be replaced by the readarray functionality easily
-
- # Declare new empty string to hold '-S syscall' arguments from other groups
- new_syscalls_for_rule=''
- # Walk through existing '-S syscall' arguments
- for syscall_arg in "${rule_syscalls_as_array[@]}"
- do
- # Skip empty $syscall_arg values
- if [ "$syscall_arg" == '' ]
- then
- continue
- fi
- # If the '-S syscall' doesn't belong to current group add it to the new list
- # (together with adding '-S' delimiter back for each of such item found)
- if grep -q -v -- "$group" <<< "$syscall_arg"
- then
- new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg"
- fi
- done
- # Replace original '-S syscall' list with the new one for this rule
- updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule}
- # Squeeze repeated whitespace characters in rule definition (if any) into one
- updated_rule=$(echo "$updated_rule" | tr -s '[:space:]')
- # 3) Append the modified / filtered rule again into audit.rules
- # (but only in case it's not present yet to prevent duplicate definitions)
- if ! grep -q -- "$updated_rule" "$audit_file"
- then
- echo "$updated_rule" >> "$audit_file"
- fi
+ local file_to_edit=${audit_file}
+ local rule_to_edit=${rule}
+ local rule_syscalls_to_edit=${rule_syscalls}
fi
- else
- # $audit_file already contains the expected rule form for this
- # architecture & key => don't insert it second time
- append_expected_rule=1
- fi
+ done
done
+done
+
+
+# We checked all rules that matched the expected resemblance patter (action, arch & auid)
+# At this point we know if we need to either append the $full_rule or group
+# the syscall together with an exsiting rule
- # We deleted all rules that were subset of the expected one for this arch & key.
- # Also isolated rules containing system calls not from this system calls group.
- # Now append the expected rule if it's not present in $audit_file yet
- if [[ ${append_expected_rule} -eq "0" ]]
+# Append the full_rule if it cannot be grouped to any other rule
+if [ -z ${rule_to_edit+x} ]
+then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ local full_rule="$action_arch_filters -S $syscall $([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key"
+ echo "$full_rule" >> "$default_file"
+else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
then
- echo "$full_rule" >> "$audit_file"
+ new_grouped_syscalls="${rule_syscalls_to_edit},${syscall}"
+ else
+ new_grouped_syscalls="${rule_syscalls_to_edit} -S ${syscall}"
fi
-done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ if [ $? -ne 0 ]
+ then
+ retval=1
+ fi
+fi
return $retval
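Review bot: The grouping edit `sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"` exits 0 whether or not the `s` command matched, so when `rule_syscalls_to_edit` (rebuilt via `grep -o ... | xargs`, which collapses whitespace) does not appear verbatim in the file, nothing is written and `retval` still reports success. Verify the edit afterwards, e.g. `grep -q -F -- "$new_grouped_syscalls" "$file_to_edit" || retval=1`. In the `extra_fields` expression the group `((:?-S [[:alnum:],]+)+)` contains `:?`, a literal optional colon (sed -E has no `(?:` syntax), which reads as a typo for what `((-S [[:alnum:],]+)+)` already expresses; and `grep -q -- "-F" <<< "$extra_fields"` followed by `if [ $? -ne 0 ]` is more plainly `if ! grep -q -- "-F" <<< "$extra_fields"`. When several candidate rules contain a groupable syscall, the inner loop keeps overwriting `rule_to_edit`, so the syscall is added to the last matching rule of the last inspected file; if that is intended, a one-line comment above `local file_to_edit=${audit_file}` saying so would help.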
diff --git a/shared/templates/audit_rules_dac_modification/bash.template b/shared/templates/audit_rules_dac_modification/bash.template
index d64d264635c..b2de8d355e1 100644
--- a/shared/templates/audit_rules_dac_modification/bash.template
+++ b/shared/templates/audit_rules_dac_modification/bash.template
@@ -9,25 +9,31 @@
for ARCH in "${RULE_ARCHS[@]}"
do
- PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>=.*"
- GROUP="perm_mod"
- FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
+ SYSCALL="{{{ ATTR }}}"
+ KEY="perm_mod"
+ SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
done
{{% if CHECK_ROOT_USER %}}
for ARCH in "${RULE_ARCHS[@]}"
do
- PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0.*"
- GROUP="perm_mod"
- FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid=0"
+ SYSCALL="{{{ ATTR }}}"
+ KEY="perm_mod"
+ SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
done
{{% endif %}}
diff --git a/shared/templates/audit_rules_dac_modification/template.py b/shared/templates/audit_rules_dac_modification/template.py
index e12e9c27e56..7dc53e81f7d 100644
--- a/shared/templates/audit_rules_dac_modification/template.py
+++ b/shared/templates/audit_rules_dac_modification/template.py
@@ -3,5 +3,9 @@
def preprocess(data, lang):
data["check_root_user"] = parse_template_boolean_value(data, parameter="check_root_user", default_value=False)
+ if lang == "bash":
+ if "syscall_grouping" in data:
+ # Make it easier to tranform the syscall_grouping into a Bash array
+ data["syscall_grouping"] = " ".join(data["syscall_grouping"])
return data
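Review bot: The comment `# Make it easier to tranform the syscall_grouping into a Bash array` has a typo (`transform`), and the same four lines are copy-pasted into the audit_rules_file_deletion_events, audit_rules_path_syscall, audit_rules_privileged_commands and audit_rules_unsuccessful_file_modification template.py files in this commit. A single shared helper called from each `preprocess` would keep the bash conversion in one place, so a later change to how the Bash side reads the list does not have to be repeated five times. The comment could also say what the conversion produces and why: `# The Bash template reads syscall_grouping with 'read -a', so join the list into one space-separated string`.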
diff --git a/shared/templates/audit_rules_file_deletion_events/bash.template b/shared/templates/audit_rules_file_deletion_events/bash.template
index 851b0fd43e3..b5b4c46a7cd 100644
--- a/shared/templates/audit_rules_file_deletion_events/bash.template
+++ b/shared/templates/audit_rules_file_deletion_events/bash.template
@@ -9,10 +9,13 @@
for ARCH in "${RULE_ARCHS[@]}"
do
- PATTERN="-a always,exit -F arch=$ARCH -S {{{ NAME }}}.*"
- GROUP="delete"
- FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F auid>={{{ auid }}} -F auid!=unset -F key=delete"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
+ SYSCALL="{{{ NAME }}}"
+ KEY="delete"
+ SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
done
diff --git a/shared/templates/audit_rules_file_deletion_events/template.py b/shared/templates/audit_rules_file_deletion_events/template.py
new file mode 100644
index 00000000000..7be137c1eb9
--- /dev/null
+++ b/shared/templates/audit_rules_file_deletion_events/template.py
@@ -0,0 +1,14 @@
+import ssg.utils
+
+
+def _audit_rules_file_deletion_events(data, lang):
+ if lang == "bash":
+ if "syscall_grouping" in data:
+ # Make it easier to tranform the syscall_grouping into a Bash array
+ data["syscall_grouping"] = " ".join(data["syscall_grouping"])
+ return data
+
+
+def preprocess(data, lang):
+ return _audit_rules_file_deletion_events(data, lang)
+
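Review bot: `import ssg.utils` is unused in this new module (nothing below references `ssg`), and the same unused import is added in the new audit_rules_unsuccessful_file_modification/template.py; drop it or make it carry the shared grouping conversion. The `_audit_rules_file_deletion_events` helper is a level of indirection with a single caller; `preprocess` could hold the body directly, as the other template.py files changed in this commit do.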
diff --git a/shared/templates/audit_rules_path_syscall/bash.template b/shared/templates/audit_rules_path_syscall/bash.template
index 656d168ddd2..676f6c37deb 100644
--- a/shared/templates/audit_rules_path_syscall/bash.template
+++ b/shared/templates/audit_rules_path_syscall/bash.template
@@ -9,10 +9,13 @@
for ARCH in "${RULE_ARCHS[@]}"
do
- PATTERN="-a always,exit -F arch=$ARCH -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}}.*"
- GROUP="modify"
- FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS="-F {{{ POS }}}&03 -F path={{{ PATH }}}"
+ AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
+ SYSCALL="{{{ SYSCALL }}}"
+ KEY="user-modify"
+ SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
done
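Review bot: `KEY="user-modify"` changes the key this template writes: the removed FULL_RULE used `-F key=modify`, and neither the commit message nor a comment mentions the rename. If it is intentional, say so in the commit message, and note that because fix_audit_syscall_rule keeps the existing key when it groups a syscall into an existing rule, systems that already carry `modify`-keyed rules will end up with a mix of both keys.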
diff --git a/shared/templates/audit_rules_path_syscall/template.py b/shared/templates/audit_rules_path_syscall/template.py
index beb25a6e69d..7e0877a02b9 100644
--- a/shared/templates/audit_rules_path_syscall/template.py
+++ b/shared/templates/audit_rules_path_syscall/template.py
@@ -7,4 +7,8 @@ def preprocess(data, lang):
# remove root slash made into '_'
pathid = pathid[1:]
data["pathid"] = pathid
+ elif lang == "bash":
+ if "syscall_grouping" in data:
+ # Make it easier to tranform the syscall_grouping into a Bash array
+ data["syscall_grouping"] = " ".join(data["syscall_grouping"])
return data
diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
index d03a92061cb..bd9d4d12484 100644
--- a/shared/templates/audit_rules_privileged_commands/bash.template
+++ b/shared/templates/audit_rules_privileged_commands/bash.template
@@ -1,16 +1,17 @@
{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
- {{%- set perm_x="-F perm=x " %}}
+ {{%- set perm_x=" -F perm=x " %}}
{{%- endif %}}
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-PATTERN="-a always,exit -F path={{{ PATH }}}\\s\\+.*"
-GROUP="privileged"
-# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
-ARCH=""
-FULL_RULE="-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged"
+ACTION_ARCH_FILTERS="-a always,exit"
+OTHER_FILTERS="-F path={{{ PATH }}}{{{ perm_x }}}"
+AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
+SYSCALL="{{{ ATTR }}}"
+KEY="privileged"
+SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
-fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
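Review bot: `SYSCALL="{{{ ATTR }}}"` is new for this template and the removed FULL_RULE had no `-S` at all: privileged-command rules are path based (`-F path=...`), so unless ATTR is defined in this template's context the appended rule becomes `-a always,exit -S  -F path=...` with an empty syscall, which auditctl would presumably reject. Either this template needs a real syscall variable or fix_audit_syscall_rule should omit `-S` when the syscall argument is empty. Separately, `perm_x` now has both a leading and a trailing space and OTHER_FILTERS ends with that trailing space; the function appends another space after a non-empty other_filters, so the written rule contains a double space after `-F perm=x`.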
diff --git a/shared/templates/audit_rules_privileged_commands/template.py b/shared/templates/audit_rules_privileged_commands/template.py
index 444b2aab083..43302a6690a 100644
--- a/shared/templates/audit_rules_privileged_commands/template.py
+++ b/shared/templates/audit_rules_privileged_commands/template.py
@@ -15,4 +15,8 @@ def preprocess(data, lang):
if npath[0] == '_':
npath = npath[1:]
data["normalized_path"] = npath
+ elif lang == "bash":
+ if "syscall_grouping" in data:
+ # Make it easier to tranform the syscall_grouping into a Bash array
+ data["syscall_grouping"] = " ".join(data["syscall_grouping"])
return data
diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template
index daf146f7eb5..4adaa86fd58 100644
--- a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template
+++ b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template
@@ -7,22 +7,25 @@
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
+SYSCALL="{{{ NAME }}}"
+KEY="access"
+SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"
+
for ARCH in "${RULE_ARCHS[@]}"
do
- PATTERN="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F exit=-EACCES.*"
- GROUP="access"
- FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=access"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS="-F exit=-EACCES"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
done
for ARCH in "${RULE_ARCHS[@]}"
do
- PATTERN="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F exit=-EPERM.*"
- GROUP="access"
- FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=access"
- # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS="-F exit=-EPERM"
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
done
diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/template.py b/shared/templates/audit_rules_unsuccessful_file_modification/template.py
new file mode 100644
index 00000000000..a4e58609f66
--- /dev/null
+++ b/shared/templates/audit_rules_unsuccessful_file_modification/template.py
@@ -0,0 +1,14 @@
+import ssg.utils
+
+
+def _audit_rules_unsuccessful_file_modification(data, lang):
+ if lang == "bash":
+ if "syscall_grouping" in data:
+ # Make it easier to tranform the syscall_grouping into a Bash array
+ data["syscall_grouping"] = " ".join(data["syscall_grouping"])
+ return data
+
+
+def preprocess(data, lang):
+ return _audit_rules_unsuccessful_file_modification(data, lang)
+
From 4c682eadba5ec03ed1204ba9d1b190634bd855d8 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 Aug 2021 15:32:18 +0200
Subject: [PATCH 02/31] Set syscall grouping for chmod rules
---
.../audit_rules_dac_modification_chmod/rule.yml | 4 ++++
.../audit_rules_dac_modification_fchmod/rule.yml | 4 ++++
.../audit_rules_dac_modification_fchmodat/rule.yml | 4 ++++
3 files changed, 12 insertions(+)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
index bc3e47523f5..07d37b18aa3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
@@ -76,3 +76,7 @@ template:
name: audit_rules_dac_modification
vars:
attr: chmod
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
index ed4d88cb0c6..6c3cc5592ac 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
@@ -74,3 +74,7 @@ template:
name: audit_rules_dac_modification
vars:
attr: fchmod
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
index 2db3878939a..3e51d482a9c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
@@ -74,3 +74,7 @@ template:
name: audit_rules_dac_modification
vars:
attr: fchmodat
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
From eaaaa86b8a07082cdc92d967af09e0908ef22905 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 Aug 2021 15:32:52 +0200
Subject: [PATCH 03/31] Set syscall grouping for chown rules
---
.../audit_rules_dac_modification_chown/rule.yml | 5 +++++
.../audit_rules_dac_modification_fchown/rule.yml | 5 +++++
.../audit_rules_dac_modification_fchownat/rule.yml | 5 +++++
.../audit_rules_dac_modification_lchown/rule.yml | 5 +++++
4 files changed, 20 insertions(+)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
index 6b3236cf953..e2d9944a3bb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
@@ -74,3 +74,8 @@ template:
name: audit_rules_dac_modification
vars:
attr: chown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
index 37dfb89ef29..d89875fcaab 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
@@ -77,3 +77,8 @@ template:
name: audit_rules_dac_modification
vars:
attr: fchown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
index f75ac769d8d..e6caaeb5c9f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
@@ -74,3 +74,8 @@ template:
name: audit_rules_dac_modification
vars:
attr: fchownat
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
index edc053bfb30..190509c0c8d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
@@ -74,3 +74,8 @@ template:
name: audit_rules_dac_modification
vars:
attr: lchown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
From b1d747cb65e6e869be2b3c99d295cb6f75c98b61 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 Aug 2021 15:33:21 +0200
Subject: [PATCH 04/31] Set syscall groupings for set/remove xattr rules
---
.../audit_rules_dac_modification_fremovexattr/rule.yml | 7 +++++++
.../audit_rules_dac_modification_fsetxattr/rule.yml | 7 +++++++
.../audit_rules_dac_modification_lremovexattr/rule.yml | 7 +++++++
.../audit_rules_dac_modification_lsetxattr/rule.yml | 7 +++++++
.../audit_rules_dac_modification_removexattr/rule.yml | 7 +++++++
.../audit_rules_dac_modification_setxattr/rule.yml | 7 +++++++
6 files changed, 42 insertions(+)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
index 5bd1b25eafb..b9ad3c7942e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
@@ -93,3 +93,10 @@ template:
attr: fremovexattr
check_root_user@rhel8: "true"
check_root_user@rhel9: "true"
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
index 410dd8a5efa..cedf05f9765 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
@@ -88,3 +88,10 @@ template:
attr: fsetxattr
check_root_user@rhel8: "true"
check_root_user@rhel9: "true"
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
index 947c768efd8..ffdacdf09e7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
@@ -93,3 +93,10 @@ template:
attr: lremovexattr
check_root_user@rhel8: "true"
check_root_user@rhel9: "true"
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
index ed1fd3715d2..3662262f674 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
@@ -86,3 +86,10 @@ template:
attr: lsetxattr
check_root_user@rhel8: "true"
check_root_user@rhel9: "true"
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
index 61e69432d1a..ac9d3492aad 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
@@ -92,3 +92,10 @@ template:
attr: removexattr
check_root_user@rhel8: "true"
check_root_user@rhel9: "true"
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
index 12489a74a01..b661a1f99ae 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
@@ -88,3 +88,10 @@ template:
attr: setxattr
check_root_user@rhel8: "true"
check_root_user@rhel9: "true"
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
From 46a087995ffe3d49644d8e8adcbc9b1747947339 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 Aug 2021 15:34:08 +0200
Subject: [PATCH 05/31] Set syscall groupings for remove and delete rules
---
.../audit_rules_file_deletion_events_rename/rule.yml | 6 ++++++
.../audit_rules_file_deletion_events_renameat/rule.yml | 6 ++++++
.../audit_rules_file_deletion_events_rmdir/rule.yml | 6 ++++++
.../audit_rules_file_deletion_events_unlink/rule.yml | 6 ++++++
.../audit_rules_file_deletion_events_unlinkat/rule.yml | 6 ++++++
5 files changed, 30 insertions(+)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
index 9dd83f6dbae..d6dcb8694ad 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
@@ -59,3 +59,9 @@ template:
name: audit_rules_file_deletion_events
vars:
name: rename
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
index cd9aa9f5e61..5f583992c48 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
@@ -59,3 +59,9 @@ template:
name: audit_rules_file_deletion_events
vars:
name: renameat
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
index 6e0bb755b0d..5368c9dad58 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
@@ -57,3 +57,9 @@ template:
name: audit_rules_file_deletion_events
vars:
name: rmdir
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
index be4e328b7c8..ecdca27b14d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
@@ -59,3 +59,9 @@ template:
name: audit_rules_file_deletion_events
vars:
name: unlink
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
index eaf8f1e08bd..158d24dc708 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
@@ -59,3 +59,9 @@ template:
name: audit_rules_file_deletion_events
vars:
name: unlinkat
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
From 121afe11a8c050b7c07c8a2595da898dc8f7a1b6 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 Aug 2021 15:34:44 +0200
Subject: [PATCH 06/31] Set syscall grouping for create, open and truncate
rules
---
.../rule.yml | 7 +++++++
.../rule.yml | 7 +++++++
.../rule.yml | 7 +++++++
.../rule.yml | 7 +++++++
.../rule.yml | 7 +++++++
.../rule.yml | 7 +++++++
6 files changed, 42 insertions(+)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
index 08cc99133a4..5c751cb230e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
@@ -79,3 +79,10 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: creat
+ syscall_grouping:
+ - creat
+ - ftruncate
+ - truncate
+ - open
+ - openat
+ - open_by_handle_at
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
index e9b688b9b4e..76bcea154bf 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
@@ -82,3 +82,10 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: ftruncate
+ syscall_grouping:
+ - creat
+ - ftruncate
+ - truncate
+ - open
+ - openat
+ - open_by_handle_at
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
index 6e242270074..7c6764d2a01 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
@@ -82,3 +82,10 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: open
+ syscall_grouping:
+ - creat
+ - ftruncate
+ - truncate
+ - open
+ - openat
+ - open_by_handle_at
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
index 2b6008fce1f..9bb5ffe3fcb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
@@ -78,3 +78,10 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: open_by_handle_at
+ syscall_grouping:
+ - creat
+ - ftruncate
+ - truncate
+ - open
+ - openat
+ - open_by_handle_at
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
index 308e3da789a..c99656cc744 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
@@ -82,3 +82,10 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: openat
+ syscall_grouping:
+ - creat
+ - ftruncate
+ - truncate
+ - open
+ - openat
+ - open_by_handle_at
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
index 6ab8d289176..12771beb7e0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
@@ -81,3 +81,10 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: truncate
+ syscall_grouping:
+ - creat
+ - ftruncate
+ - truncate
+ - open
+ - openat
+ - open_by_handle_at
From 9dd2d39f3b5b6e0ac9f961718d8e3d7e1a02e101 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 Aug 2021 17:15:16 +0200
Subject: [PATCH 07/31] Print filenames in sed command
The ";F" was not a typo!
Hopefully this makes the function of '-e "F"' more explicit.
---
.../bash_remediation_functions/fix_audit_syscall_rule.sh | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
index 6bf5ac15436..791e64d05c1 100644
--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
@@ -1,4 +1,3 @@
-# Function to fix syscall audit rule for given system call. It is
# based on example audit syscall rule definitions as outlined in
# /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit
# package. It will combine multiple system calls belonging to the same
@@ -89,18 +88,14 @@ then
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
elif [ "$tool" == 'augenrules' ]
then
- matches=()
default_file="/etc/audit/rules.d/${key}.rules"
# As other_filters may include paths, lets use a different delimiter for it
- readarray -t matches < <(sed -s -n -e "/${action_arch_filters}/!d" -e "\#${other_filters}#!d" -e "/${auid_filters}/!d" /etc/audit/rules.d/*.rules)
+ # The "F" script expression tells sed to print the filenames where the expressions matched
+ readarray -t files_to_inspect < <(sed -s -n -e "/${action_arch_filters}/!d" -e "\#${other_filters}#!d" -e "/${auid_filters}/!d" -e "F" /etc/audit/rules.d/*.rules)
if [ $? -ne 0 ]
then
retval=1
fi
- for match in "${matches[@]}"
- do
- files_to_inspect+=("${match}")
- done
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
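Review bot: The `if [ $? -ne 0 ]` that follows the new `readarray` line tests readarray's own exit status, not sed's, because the `< <(...)` command runs in a separate process, so the `retval=1` branch cannot fire on a sed failure and is dead code; either drop it and rely on the empty-list check a few lines below, or add a comment saying that an empty `files_to_inspect` is the only failure signal. `-e "F"` prints the filename once per matching line, so a file holding two matching rules appears twice in `files_to_inspect` and is inspected twice; a `| sort -u` inside the substitution keeps the list unique. The new `readarray` also overwrites rather than appends to `files_to_inspect`, which the removed loop did not; fine if the array is empty at this point, which cannot be confirmed from the hunk. Both `-s` and the `F` command are GNU sed extensions, worth noting in the comment you added. The enclosing function starts and ends outside this hunk.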
From 56194cadf92fdfa020f650bf0152cf65270e4631 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 5 Aug 2021 00:35:47 +0200
Subject: [PATCH 08/31] Handle cases where the rule has no syscall
When syscall is not set, just don't add the -S parameter.
The audit privileged commands use the fix_audit_syscall_rule despite
not adding a -S syscall.
Same situation happens for directory_access_var_log_audit.
---
.../bash/shared.sh | 13 +++--
.../fix_audit_syscall_rule.sh | 51 ++++++++++++-------
.../bash.template | 2 +-
3 files changed, 41 insertions(+), 25 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
index 53f2923d687..0c4e8ffdbd3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
@@ -3,9 +3,12 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-PATTERN="-a always,exit -F path=/var/log/audit/\\s\\+.*"
-GROUP="access-audit-trail"
-FULL_RULE="-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset -F key=access-audit-trail"
+ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+OTHER_FILTERS="-F dir=/var/log/audit/ -F perm=r"
+AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
+SYSCALL=""
+KEY="access-audit-trail"
+SYSCALL_GROUPING=""
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
-fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
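Review bot: `ACTION_ARCH_FILTERS` now carries `-F arch=$ARCH`, which the removed `FULL_RULE` for this directory watch did not have, and the commit message does not mention the change; if `$ARCH` comes from a loop over several architectures above this hunk (not visible here), a single watch rule becomes one rule per architecture. Confirm that is intended, or keep the old shape with `ACTION_ARCH_FILTERS="-a always,exit"`. The order of the two calls is also swapped (augenrules first); harmless if they are independent, but it deserves a word in the message since it changes which file is written first.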
diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
index 791e64d05c1..69430416da3 100644
--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
@@ -140,28 +140,37 @@ do
fi
done
- # Check if the syscall we want is present in any of the similar existing rules
- for rule in "${candidate_rules[@]}"
- do
- rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
- grep -q -- "\b${syscall}\b" <<< "$rule_syscalls"
- if [ $? -eq 0 ]
- then
- # We found a rule with the syscall we want
- return $retval
- fi
-
- # Check if this rule can be grouped with our target syscall and keep track of it
- for syscall_g in "${syscall_grouping[@]}"
+ if [[ $syscall ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
do
- if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls"
+ if [ $? -eq 0 ]
then
- local file_to_edit=${audit_file}
- local rule_to_edit=${rule}
- local rule_syscalls_to_edit=${rule_syscalls}
+ # We found a rule with the syscall we want
+ return $retval
fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ local file_to_edit=${audit_file}
+ local rule_to_edit=${rule}
+ local rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
done
- done
+ else
+ # If there is any candidate rule, it is compliant.
+ if [[ $candidate_rules ]]
+ then
+ return $retval
+ fi
+ fi
done
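Review bot: In the new `else` branch, `[[ $candidate_rules ]]` inspects only element 0 of the array, which happens to work as a non-empty test but reads as a scalar check; `if (( ${#candidate_rules[@]} > 0 ))` states what is meant. Whether a candidate that matches the filters but carries a different `-F key=`/`-k` value should count as compliant depends on how `candidate_rules` is filled above this hunk, which is not visible; if the key is not part of that match, the comment `# If there is any candidate rule, it is compliant.` should say that the key is deliberately ignored. Since the re-indented block is being touched anyway, `if grep -q -- "\b${syscall}\b" <<< "$rule_syscalls"; then` replaces the `grep -q` plus `if [ $? -eq 0 ]` pair. The enclosing function starts and ends outside this hunk.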
@@ -173,7 +182,11 @@ done
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- local full_rule="$action_arch_filters -S $syscall $([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key"
+ if [[ $syscall ]]
+ then
+ local syscall_filters="-S $syscall"
+ fi
+ local full_rule="$action_arch_filters $([[ $syscall_filters ]] && echo "$syscall_filters ")$([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key"
echo "$full_rule" >> "$default_file"
else
# Check if the syscalls are declared as a comma separated list or
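Review bot: `local syscall_filters` is declared only inside `if [[ $syscall ]]`, so when `syscall` is empty the later `[[ $syscall_filters ]]` reads an unset name; that is false today, but it is one `set -u` away from an unbound-variable error and hides the intent. Declare it unconditionally before the test: `local syscall_filters=""` followed by `[[ $syscall ]] && syscall_filters="-S $syscall"`, which also removes the three-line `if`. The enclosing function starts and ends outside this hunk.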
diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
index bd9d4d12484..b5879085a45 100644
--- a/shared/templates/audit_rules_privileged_commands/bash.template
+++ b/shared/templates/audit_rules_privileged_commands/bash.template
@@ -9,7 +9,7 @@
ACTION_ARCH_FILTERS="-a always,exit"
OTHER_FILTERS="-F path={{{ PATH }}}{{{ perm_x }}}"
AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
-SYSCALL="{{{ ATTR }}}"
+SYSCALL=""
KEY="privileged"
SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
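Review bot: `SYSCALL` is cleared but `SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"` on the next line is kept; with no syscall to add there is nothing to group, and a non-empty grouping only makes the function look for merge candidates it can never use. The directory_access_var_log_audit change in this same commit sets both variables to empty, so for consistency use `SYSCALL_GROUPING=""` here as well, unless the rendered value is still consumed elsewhere in the template (not visible in the hunk).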
From aa3b0ea2f194487c3f270e2f4d32768318c06ffa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 5 Aug 2021 15:30:46 +0200
Subject: [PATCH 09/31] Enhance fix_audit_syscall_rule to handle multiple
syscalls
Some rules single-handedly deal with multiple profiles.
These rules expect to use fix_audit_syscall_rule to add a rule with
multiple syscalls at a time.
---
.../bash/shared.sh | 14 +++---
.../bash/shared.sh | 26 ++++++-----
.../fix_audit_syscall_rule.sh | 44 ++++++++++++++-----
3 files changed, 58 insertions(+), 26 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh
index 02020a84773..2b5e6649680 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh
@@ -9,11 +9,13 @@
for ARCH in "${RULE_ARCHS[@]}"
do
- PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>={{{ auid }}} -F auid!=unset -k *"
- # Use escaped BRE regex to specify rule group
- GROUP="\(rmdir\|unlink\|rename\)"
- FULL_RULE="-a always,exit -F arch=$ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>={{{ auid }}} -F auid!=unset -k delete"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
+ SYSCALL="rmdir unlink unlinkat rename renameat"
+ KEY="delete"
+ SYSCALL_GROUPING="rmdir unlink unlinkat rename renameat"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
done
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh
index cdde2eabe04..bf931e46430 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh
@@ -11,20 +11,26 @@ for ARCH in "${RULE_ARCHS[@]}"
do
# First fix the -EACCES requirement
- PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -k *"
- # Use escaped BRE regex to specify rule group
- GROUP="\(creat\|open\|truncate\)"
- FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -k access"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS="-F exit=EACCES"
+ AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
+ SYSCALL="creat open openat open_by_handle_at truncate ftruncate"
+ KEY="access"
+ SYSCALL_GROUPING="creat open openat open_by_handle_at truncate ftruncate"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
# Then fix the -EPERM requirement
- PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -k *"
# No need to change content of $GROUP variable - it's the same as for -EACCES case above
- FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -k access"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS="-F exit=EPERM"
+ AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
+ SYSCALL="creat open openat open_by_handle_at truncate ftruncate"
+ KEY="access"
+ SYSCALL_GROUPING="creat open openat open_by_handle_at truncate ftruncate"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
done
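Review bot: The exit filter spelling changed from `-F exit=-EACCES` to `-F exit=EACCES` (and from `-EPERM` to `EPERM` in the second block), which the commit message does not mention; the removed lines used the signed form, and if auditctl stores the unsigned value as a positive number the rule will never match a failing syscall, which returns a negative errno, so the audit trail silently loses these events. Confirm the accepted spelling against auditctl and keep the OVAL check for this rule in agreement with whatever form is written. The comment `# No need to change content of $GROUP variable - it's the same as for -EACCES case above` is stale now that `GROUP` no longer exists and every variable is reassigned; replace it with `# Same filters and syscalls as the EACCES case, only the exit value differs`. The EPERM block repeats five assignments identical to the EACCES block and could keep only `OTHER_FILTERS="-F exit=EPERM"`.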
diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
index 69430416da3..c8492149ad9 100644
--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
@@ -42,7 +42,8 @@ local tool="$1"
local action_arch_filters="$2"
local other_filters="$3"
local auid_filters="$4"
-local syscall="$5"
+local syscall_a
+read -a syscall_a <<< "$5"
local syscall_grouping
read -a syscall_grouping <<< "$6"
local key="$7"
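Review bot: `read -a syscall_a <<< "$5"` (and the `read -a syscall_grouping` line below it) should be `read -r -a`, otherwise a backslash in the argument is interpreted instead of kept; syscall names will not contain one, but `-r` is the habitual form and ShellCheck flags its absence. The `local syscall_a` / `read` split is correct, since `read` cannot be combined with `local`. The enclosing function starts and ends outside this hunk.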
@@ -140,16 +141,25 @@ do
fi
done
- if [[ $syscall ]]
+ if [[ ${#syscall_a[@]} -ge 1 ]]
then
# Check if the syscall we want is present in any of the similar existing rules
for rule in "${candidate_rules[@]}"
do
rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
- grep -q -- "\b${syscall}\b" <<< "$rule_syscalls"
- if [ $? -eq 0 ]
+ local all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls"
+ if [ $? -eq 1 ]
+ then
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ fi
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
then
- # We found a rule with the syscall we want
+ # We found a rule with all the syscall(s) we want
return $retval
fi
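Review bot: `all_syscalls_found=0` reads as "none found" while the code means "all found", and `if [ $? -eq 1 ]` counts only status 1 as a miss, so a grep error (status 2) is silently treated as a hit; `if ! grep -q -- "\b${syscall}\b" <<< "$rule_syscalls"; then missing_syscall=1; break; fi` fixes both and stops at the first miss. The same `$? -eq 1` pattern reappears in the grouping loop of the next hunk. Declaring `local all_syscalls_found` inside the `for rule` loop re-runs the declaration on every iteration; declare it once above the loop and reset it with a plain assignment. The enclosing function starts and ends outside this hunk.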
@@ -182,21 +192,35 @@ done
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ $syscall ]]
+ if [[ ${syscall_a} ]]
then
- local syscall_filters="-S $syscall"
+ local syscall_filters=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_filters+="-S $syscall "
+ done
fi
- local full_rule="$action_arch_filters $([[ $syscall_filters ]] && echo "$syscall_filters ")$([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key"
+ local full_rule="$action_arch_filters $([[ $syscall_filters ]] && echo "$syscall_filters")$([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key"
echo "$full_rule" >> "$default_file"
else
# Check if the syscalls are declared as a comma separated list or
# as multiple -S parameters
if grep -q -- "," <<< "${rule_syscalls_to_edit}"
then
- new_grouped_syscalls="${rule_syscalls_to_edit},${syscall}"
+ delimiter=","
else
- new_grouped_syscalls="${rule_syscalls_to_edit} -S ${syscall}"
+ delimiter=" -S "
fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}"
+ if [ $? -eq 1 ]
+ then
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ fi
+ done
# Group the syscall in the rule
sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
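Review bot: `delimiter` and `new_grouped_syscalls` are assigned without `local`, so they leak into the caller's scope, unlike every other variable this function declares; add `local delimiter new_grouped_syscalls` before the `if grep -q -- ","` test. The `sed -i` on the last line interpolates `rule_to_edit` and `rule_syscalls_to_edit` into a regex unescaped; that is pre-existing, but now that several syscalls are appended in one edit, a rule text containing `#` or regex metacharacters would break the expression or rewrite the wrong line, which deserves at least a comment such as `# rule text is used as a sed regex verbatim; it must not contain '#' or regex metacharacters`. `if [[ ${syscall_a} ]]` checks only the first element; `if (( ${#syscall_a[@]} ))` is the explicit form and matches the `-ge 1` test used earlier in this commit. The enclosing function starts and ends outside this hunk.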
From 0b18f68fa86a16f659995736567ed3649bb58ef2 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 5 Aug 2021 18:56:13 +0200
Subject: [PATCH 10/31] Enhance fix_audit_syscall_rule to handle rules without
auid
Enhance the bash function to nicely handle calls without auid filters
defined.
Also update the remediations of rules calling fix_audit_syscall_rule to
use the new parameters.
---
.../bash/shared.sh | 13 ++++++++-----
.../bash/shared.sh | 13 ++++++++-----
.../bash/shared.sh | 13 ++++++++-----
.../bash/shared.sh | 13 ++++++++-----
.../bash/shared.sh | 14 ++++++++------
.../fix_audit_syscall_rule.sh | 8 +++++---
6 files changed, 45 insertions(+), 29 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh
index a89cb10e13d..cee43a0a104 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh
@@ -13,10 +13,13 @@
for ARCH in "${RULE_ARCHS[@]}"
do
- GROUP="modules"
- PATTERN="-a always,exit -F arch=$ARCH -S init_module -S delete_module -S finit_module \(-F key=\|-k \).*"
- FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -S delete_module -S finit_module -k modules"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS=""
+ SYSCALL="init_module finit_module delete_module"
+ KEY="modules"
+ SYSCALL_GROUPING="init_module finit_module delete_module"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
done
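Review bot: The grouping lists in this commit are not consistent with each other: the combined rule here groups `init_module finit_module delete_module`, but the per-syscall `_delete` rule groups only `delete_module` and the `_init`/`_finit` rules group `init_module finit_module` (the three following files). When a profile selects the per-syscall rules, an existing `-S delete_module -k modules` rule is therefore not merged with `init_module`, while the combined rule would merge all three, so the resulting rule layout depends on which remediation ran first. If the three syscalls are meant to share one rule, give all four files the same `SYSCALL_GROUPING="init_module finit_module delete_module"`.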
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/bash/shared.sh
index 7dabc28d807..7e0e101f754 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/bash/shared.sh
@@ -13,10 +13,13 @@
for ARCH in "${RULE_ARCHS[@]}"
do
- PATTERN="-a always,exit -F arch=$ARCH -S delete_module \(-F key=\|-k \).*"
- GROUP="modules"
- FULL_RULE="-a always,exit -F arch=$ARCH -S delete_module -k modules"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS=""
+ SYSCALL="delete_module"
+ KEY="modules"
+ SYSCALL_GROUPING="delete_module"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
done
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh
index 6e8df8c5095..1b2854d9c61 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh
@@ -13,10 +13,13 @@
for ARCH in "${RULE_ARCHS[@]}"
do
- PATTERN="-a always,exit -F arch=$ARCH -S finit_module \(-F key=\|-k \).*"
- GROUP="modules"
- FULL_RULE="-a always,exit -F arch=$ARCH -S finit_module -k modules"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS=""
+ SYSCALL="finit_module"
+ KEY="modules"
+ SYSCALL_GROUPING="init_module finit_module"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
done
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh
index 437127f4553..3bb7f89d37c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh
@@ -13,10 +13,13 @@
for ARCH in "${RULE_ARCHS[@]}"
do
- PATTERN="-a always,exit -F arch=$ARCH -S init_module \(-F key=\|-k \).*"
- GROUP="modules"
- FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -k modules"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS=""
+ SYSCALL="init_module"
+ KEY="modules"
+ SYSCALL_GROUPING="init_module finit_module"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
done
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh
index 4e4869a83a7..3c5e593dc5e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh
@@ -9,13 +9,15 @@
for ARCH in "${RULE_ARCHS[@]}"
do
- PATTERN="-a always,exit -F arch=$ARCH -S .* -k *"
- # Use escaped BRE regex to specify rule group
- GROUP="set\(host\|domain\)name"
- FULL_RULE="-a always,exit -F arch=$ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS=""
+ SYSCALL="sethostname setdomainname"
+ KEY="audit_rules_networkconfig_modification"
+ SYSCALL_GROUPING="sethostname setdomainname"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
done
# Then perform the remediations for the watch rules
diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
index c8492149ad9..5cc130a0236 100644
--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
@@ -194,13 +194,15 @@ then
# Build full_rule while avoid adding double spaces when other_filters is empty
if [[ ${syscall_a} ]]
then
- local syscall_filters=""
+ local syscall_string=""
for syscall in "${syscall_a[@]}"
do
- syscall_filters+="-S $syscall "
+ syscall_string+=" -S $syscall"
done
fi
- local full_rule="$action_arch_filters $([[ $syscall_filters ]] && echo "$syscall_filters")$([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key"
+ local other_string=$([[ $other_filters ]] && echo " $other_filters")
+ local auid_string=$([[ $auid_filters ]] && echo " $auid_filters")
+ local full_rule="${action_arch_filters}${syscall_string}${other_string}${auid_string} -F key=${key}"
echo "$full_rule" >> "$default_file"
else
# Check if the syscalls are declared as a comma separated list or
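Review bot: `syscall_string` is declared only inside the `if [[ ${syscall_a} ]]` branch, so when the array is empty the expansion in `local full_rule="${action_arch_filters}${syscall_string}..."` reads a variable that was never set — an error under `set -u`, otherwise a silently emitted rule with no `-S` at all; declaring `local syscall_string=""` before the `if` closes that gap. The two `$([[ ... ]] && echo " ...")` helpers fork a subshell for a conditional prefix that parameter expansion does in-process: `local other_string="${other_filters:+ $other_filters}"` and `local auid_string="${auid_filters:+ $auid_filters}"`. The enclosing function starts before this hunk.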
From 8c4984428445376dd1ddb03947deda2d73321972 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 5 Aug 2021 18:59:47 +0200
Subject: [PATCH 11/31] Move suid_privileged_function to new
fix_audit_sycall_rule
The OVAL check was also updated to accept the key as a Field parameter.
---
.../bash/shared.sh | 26 ++++++++++++-------
.../oval/shared.xml | 16 ++++++------
2 files changed, 24 insertions(+), 18 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh
index 561c8f74a8f..3976979360c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh
@@ -9,20 +9,26 @@
for ARCH in "${RULE_ARCHS[@]}"
do
- PATTERN="-a always,exit -F arch=$ARCH -S execve -C uid!=euid -F euid=0"
- GROUP="privileged"
- FULL_RULE="-a always,exit -F arch=$ARCH -S execve -C uid!=euid -F euid=0 -k setuid"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS="-C uid!=euid -F euid=0"
+ AUID_FILTERS=""
+ SYSCALL="execve"
+ KEY="setuid"
+ SYSCALL_GROUPING=""
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
done
for ARCH in "${RULE_ARCHS[@]}"
do
- PATTERN="-a always,exit -F arch=$ARCH -S execve -C gid!=egid -F egid=0"
- GROUP="privileged"
- FULL_RULE="-a always,exit -F arch=$ARCH -S execve -C gid!=egid -F egid=0 -k setgid"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS="-C gid!=egid -F egid=0"
+ AUID_FILTERS=""
+ SYSCALL="execve"
+ KEY="setgid"
+ SYSCALL_GROUPING=""
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
done
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml
index 9247d81b89c..5115eb6c8c4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml
@@ -30,7 +30,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_32bit_uid_privileged_function_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+-k[\s]setuid[\s]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+(-k[\s]+|-F[\s]+key=)setuid[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
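Review bot: The rewritten pattern accepts either key form but keeps the pre-existing `-C[\s]uid!=euid[\s]+-F[\s]euid=0` stretch, which tolerates exactly one whitespace character after `-C` and after `-F` while every other separator in the line is `[\s]+`; a rule written by the remediation matches, but a hand-edited line with two spaces in either spot is reported as missing although auditd loads it. Using `[\s]+` in those two positions would make the check consistent with the rest of the pattern. The same stretch appears in the seven sibling hunks of this file.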
@@ -39,7 +39,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_64bit_uid_privileged_function_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+-k[\s]setuid[\s]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+(-k[\s]+|-F[\s]+key=)setuid[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -48,7 +48,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_32bit_uid_privileged_function_auditctl" version="1">
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+-k[\s]setuid[\s]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+(-k[\s]+|-F[\s]+key=)setuid[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -57,7 +57,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_64bit_uid_privileged_function_auditctl" version="1">
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+-k[\s]setuid[\s]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+(-k[\s]+|-F[\s]+key=)setuid[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -66,7 +66,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_32bit_gid_privileged_function_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+-k[\s]setgid[\s]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+(-k[\s]+|-F[\s]+key=)setgid[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -75,7 +75,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_64bit_gid_privileged_function_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+-k[\s]setgid[\s]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+(-k[\s]+|-F[\s]+key=)setgid[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -84,7 +84,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_32bit_gid_privileged_function_auditctl" version="1">
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+-k[\s]setgid[\s]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+(-k[\s]+|-F[\s]+key=)setgid[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -93,7 +93,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_64bit_gid_privileged_function_auditctl" version="1">
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+-k[\s]setgid[\s]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+(-k[\s]+|-F[\s]+key=)setgid[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
From ed948b76b8ce20179a00622b9e04a4d4cd32850f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 6 Aug 2021 09:45:42 +0200
Subject: [PATCH 12/31] Update remediarions for time syscalls rules
Update rules audit_rules_time_clock_settime and bash shared
remediation perform_audit_adjtimex_settimeofday_stime_remediation
to group their syscalls.
---
.../bash/shared.sh | 13 ++++++++-----
..._adjtimex_settimeofday_stime_remediation.sh | 18 +++++++++++-------
2 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh
index ffddb94df69..0d51b6b9400 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh
@@ -9,10 +9,13 @@
for ARCH in "${RULE_ARCHS[@]}"
do
- PATTERN="-a always,exit -F arch=$ARCH -S clock_settime -F a0=.* \(-F key=\|-k \).*"
- GROUP="clock_settime"
- FULL_RULE="-a always,exit -F arch=$ARCH -S clock_settime -F a0=0x0 -k time-change"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS="-F a0=0x0"
+ AUID_FILTERS=""
+ SYSCALL="clock_settime"
+ KEY="time-change"
+ SYSCALL_GROUPING=""
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
done
diff --git a/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh b/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh
index be1425b454c..ca3ccc37513 100644
--- a/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh
+++ b/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh
@@ -19,24 +19,28 @@ function perform_audit_adjtimex_settimeofday_stime_remediation {
for ARCH in "${RULE_ARCHS[@]}"
do
- PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
# Create expected audit group and audit rule form for particular system call & architecture
if [ ${ARCH} = "b32" ]
then
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
# stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
# so append it to the list of time group system calls to be audited
- GROUP="\(adjtimex\|settimeofday\|stime\)"
- FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
+ SYSCALL="adjtimex settimeofday stime"
+ SYSCALL_GROUPING="adjtimex settimeofday stime"
elif [ ${ARCH} = "b64" ]
then
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
# stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
# therefore don't add it to the list of time group system calls to be audited
- GROUP="\(adjtimex\|settimeofday\)"
- FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
+ SYSCALL="adjtimex settimeofday"
+ SYSCALL_GROUPING="adjtimex settimeofday"
fi
+ OTHER_FILTERS=""
+ AUID_FILTERS=""
+ KEY="audit_time_rules"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
done
}
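Review bot: `ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"` is assigned identically in both branches of the `if`; it belongs next to `OTHER_FILTERS`, `AUID_FILTERS` and `KEY` outside the branches. An `ARCH` value that is neither `b32` nor `b64` still reaches the two `fix_audit_syscall_rule` calls with `SYSCALL` and `SYSCALL_GROUPING` unset, or stale from the previous iteration; adding `else` / `continue` before the `fi` skips such an iteration instead of writing an unintended rule. That fall-through predates the change, but the rewrite touches every line involved.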
From 8af4ced71baa5794bfa9be2cfcf9a9519066e597 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Aug 2021 11:50:46 +0200
Subject: [PATCH 13/31] Improve audit syscall rule macro to group syscalls
The macros now group the syscall rule according to the grouping argument.
The Ansible macros follow the same argument pattern as the Bash remediations
(soon to become macros).
---
.../ansible/shared.yml | 36 ++-
.../ansible/shared.yml | 36 ++-
.../ansible/shared.yml | 36 ++-
.../ansible/shared.yml | 36 ++-
.../ansible/shared.yml | 36 ++-
.../audit_rules_time_stime/ansible/shared.yml | 18 +-
shared/macros-ansible.jinja | 220 +++++++++---------
7 files changed, 292 insertions(+), 126 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
index 8421076fbb3..905c14feb82 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
@@ -15,11 +15,39 @@
- name: Perform remediation of Audit rules for kernel module loading for x86 platform
block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=audit_syscalls, key="modules")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=audit_syscalls, key="modules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=audit_syscalls,
+ key="modules",
+ syscall_grouping=audit_syscalls,
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=audit_syscalls,
+ key="modules",
+ syscall_grouping=audit_syscalls,
+ )|indent(4) }}}
- name: Perform remediation of Audit rules for kernel module loading for x86_64 platform
block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=audit_syscalls, key="modules")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=audit_syscalls, key="modules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=audit_syscalls,
+ key="modules",
+ syscall_grouping=audit_syscalls,
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=audit_syscalls,
+ key="modules",
+ syscall_grouping=audit_syscalls,
+ )|indent(4) }}}
when: audit_arch == "b64"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml
index fa07d5bf944..b5262d795c6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml
@@ -13,13 +13,41 @@
- name: Remediate audit rules for network configuration for x86
block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["sethostname", "setdomainname"],
+ key="audit_rules_networkconfig_modification",
+ syscall_grouping=["sethostname", "setdomainname"],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["sethostname", "setdomainname"],
+ key="audit_rules_networkconfig_modification",
+ syscall_grouping=["sethostname", "setdomainname"],
+ )|indent(4) }}}
- name: Remediate audit rules for network configuration for x86_64
block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=["sethostname", "setdomainname"],
+ key="audit_rules_networkconfig_modification",
+ syscall_grouping=["sethostname", "setdomainname"],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=["sethostname", "setdomainname"],
+ key="audit_rules_networkconfig_modification",
+ syscall_grouping=["sethostname", "setdomainname"],
+ )|indent(4) }}}
when: audit_arch == "b64"
# remediate watches
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
index 921b8e34cb2..a5d7cc5e0aa 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
@@ -10,11 +10,39 @@
- name: Perform remediation of Audit rules for adjtimex for x86 platform
block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["adjtimex"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday", "stime"],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["adjtimex"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday", "stime"],
+ )|indent(4) }}}
- name: Perform remediation of Audit rules for adjtimex for x86_64 platform
block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=["adjtimex"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday"],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=["adjtimex"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday", "stime"],
+ )|indent(4) }}}
when: audit_arch == "b64"
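Review bot: The two b64 calls disagree: the augenrules call passes `syscall_grouping=["adjtimex", "settimeofday"]` while the auditctl call directly below passes `syscall_grouping=["adjtimex", "settimeofday", "stime"]`. The bash remediation in this series drops `stime` on b64 because the syscall is not in the 64-bit table, so the auditctl list is presumably the wrong one and should read `syscall_grouping=["adjtimex", "settimeofday"],`; if the grouping list feeds the generated rule, a b64 rule naming `stime` may be refused when the rules are loaded. The settimeofday hunk carries `stime` in both of its b64 calls and needs the same correction.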
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml
index e77850fa251..c07ee41fe03 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml
@@ -12,11 +12,39 @@
- name: Perform remediation of Audit rules for clock_settime for x86 platform
block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="-F a0=0x0",
+ auid_filters="",
+ syscalls=["clock_settime"],
+ key="time-change",
+ syscall_grouping=[],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="-F a0=0x0",
+ auid_filters="",
+ syscalls=["clock_settime"],
+ key="time-change",
+ syscall_grouping=[],
+ )|indent(4) }}}
- name: Perform remediation of Audit rules for clock_settime for x86_64 platform
block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="-F a0=0x0",
+ auid_filters="",
+ syscalls=["clock_settime"],
+ key="time-change",
+ syscall_grouping=[],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="-F a0=0x0",
+ auid_filters="",
+ syscalls=["clock_settime"],
+ key="time-change",
+ syscall_grouping=[],
+ )|indent(4) }}}
when: audit_arch == "b64"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
index b1a25c2776d..e4be5e2406f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
@@ -10,11 +10,39 @@
- name: Perform remediation of Audit rules for settimeofday for x86 platform
block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["settimeofday"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday", "stime"],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["settimeofday"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday", "stime"],
+ )|indent(4) }}}
- name: Perform remediation of Audit rules for settimeofday for x86_64 platform
block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=["settimeofday"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday", "stime"],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=["settimeofday"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday", "stime"],
+ )|indent(4) }}}
when: audit_arch == "b64"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
index b57c71ce21f..96fc5c15655 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
@@ -6,5 +6,19 @@
- name: Perform remediation of Audit rules for stime syscall for x86 platform
block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["stime"], key="audit_time_rules")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["stime"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["stime"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday", "stime"],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["stime"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday", "stime"],
+ )|indent(4) }}}
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 116077b9a52..5e120deee58 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -385,135 +385,147 @@ The macro requires following parameters:
{{#
The following macro remediates Audit syscall rule in /etc/audit/rules.d directory.
The macro requires following parameters:
-- arch: an architecture to be used in the Audit rule (b32, b64)
-- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc.
-- key: a key to use as rule identifier.
-- fields (optional): list of syscall fields to add (e.g.: auid=unset, exit=-EPERM, a0&0100);
- Add them in the order you expect them to be in the audit rule.
-Note that if there already exists a rule wit the same key in the /etc/audit/rules.d directory, the rule will be placed in the same file.
+- action_arch_filters: The action and arch filters of the rule
+ For example, "-a always,exit -F arch=b64"
+- other_filters: Other filters that may characterize the rule:
+ For example, "-F a2&03 -F path=/etc/passwd"
+- auid_filters: The auid filters of the rule
+ For example, "-F auid>=1000 -F auid!=unset"
+- syscalls: List of syscalls to ensure presense among audit rules
+ For example, "['fchown', 'lchown', 'fchownat']"
+- syscall_groupings: List of other syscalls that can be grouped with 'syscalls'
+ For example, "['fchown', 'lchown', 'fchownat']"
+- key: The key to use when appending a new rule
#}}
-{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="", fields=[]) -%}}
-- name: Declare list of syscals
+{{% macro ansible_audit_augenrules_add_syscall_rule(action_arch_filters="", other_filters="", auid_filters="", syscalls=[], key="", syscall_grouping=[]) -%}}
+{{% if other_filters != "" %}}
+ {{% set other_filters = " " ~ other_filters %}}
+{{% endif %}}
+{{% if auid_filters != "" %}}
+ {{% set auid_filters = " " ~ auid_filters %}}
+{{% endif %}}
+- name: Declare list of syscalls
set_fact:
syscalls: {{{ syscalls }}}
+ syscall_grouping: {{{ syscall_grouping }}}
-- name: Declare number of syscalls
- set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}"
+- name: Check existence of syscalls for in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: '{{{ action_arch_filters }}}(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*{{{ other_filters }}}{{{ auid_filters }}} (-k\s+|-F\s+key=)\S+\s*$'
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ syscall_grouping }}'
-{{#
-This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope.
-See official documentation: https://jinja.palletsprojects.com/en/2.11.x/templates/#assignments
-#}}
-{{% set fields_data = { 'regex' : "", 'plain_text': "" } %}}
-{{% for field in fields %}}
- {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F[\s]+' + field + '[\s]+)'}) %}}
- {{% set not_used = fields_data.update({'plain_text': fields_data.plain_text + ' -F ' + field }) %}}
-{{% endfor %}}
+- name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | default({}) | combine( {item.files[0].path :[item.item]+(syscalls_per_file | default({})).get(item.files[0].path, []) } ) }}"
+ loop: "{{ find_command.results | selectattr('matched') | list}}"
-- name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/
- find:
- paths: "/etc/audit/rules.d"
- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*{{{ fields_data.regex }}}(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
- patterns: "*.rules"
- register: audit_syscalls_found_{{{ arch }}}_rules_d
- loop: "{{ syscalls }}"
+- name: Declare files where syscalls where found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"
-- name: Get number of matched syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/
- set_fact: audit_syscalls_matched_{{{ arch }}}_rules_d="{{ audit_syscalls_found_{{{ arch }}}_rules_d.results|sum(attribute='matched')|int }}"
+- name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | default({}) | combine({ item:1+(found_paths_dict | default({})).get(item, 0) }) }}"
+ loop: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"
-- name: Search /etc/audit/rules.d for other rules with the key {{{ key }}}
- find:
- paths: "/etc/audit/rules.d"
- contains: '^.*(?:-F key=|-k\s+){{{ key }}}$'
- patterns: "*.rules"
- register: find_syscalls_files
+- name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
+ when: found_paths | length >= 1
-- name: Use /etc/audit/rules.d/{{{ key }}}.rules as the recipient for the rule
- set_fact:
- all_files:
- - /etc/audit/rules.d/{{{ key }}}.rules
- when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0
+- name: No file with syscall found, set path to /etc/audit/rules.d/{{{ key }}}.rules
+ set_fact: audit_file="/etc/audit/rules.d/{{{ key }}}.rules"
+ when: found_paths | length == 0
-- name: Use matched file as the recipient for the rule
+- name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"
+
+- name: Declare missing syscalls
set_fact:
- all_files:
- - "{{ find_syscalls_files.files | map(attribute='path') | list | first }}"
- when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0
+ missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
-- name: "Insert the syscall rule in {{ all_files[0] }}"
- block:
- - name: "Construct rule: add rule list, action and arch"
- set_fact: tmpline="-a always,exit -F arch={{{ arch }}}"
- - name: "Construct rule: add syscalls"
- set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}"
- loop: "{{ audit_syscalls_found_{{{ arch }}}_rules_d.results }}"
- when: item.matched is defined and item.matched == 0
- - name: "Construct rule: add fields and key"
- set_fact: tmpline="{{ tmpline + '{{{ fields_data.plain_text }}} -k {{{ key }}}' }}"
- - name: "Insert the line in {{ all_files[0] }}"
- lineinfile:
- path: "{{ all_files[0] }}"
- line: "{{ tmpline }}"
- create: true
- state: present
- when: audit_syscalls_matched_{{{ arch }}}_rules_d < audit_syscalls_number_of_syscalls
+- name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: '({{{ action_arch_filters }}})(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)({{{ other_filters }}}{{{ auid_filters }}} (?:-k |-F key=)\w+)'
+ line: '\1\2\3{{ missing_syscalls | join("\3") }}\4'
+ backrefs: yes
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+- name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: "{{{ action_arch_filters }}} -S {{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
+ create: true
+ state: present
+ when: syscalls_found | length == 0
{{%- endmacro %}}
{{#
The following macro remediates Audit syscall rule in /etc/audit/audit.rules file.
The macro requires following parameters:
-- arch: an architecture to be used in the Audit rule (b32, b64)
-- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc.
-- key: a key to use as rule identifier.
-- fields (optional): list of syscall fields to add (e.g.: auid=unset, exit=-EPERM, a0&0100);
- Add them in the order you expect them to be in the audit rule.
+- action_arch_filters: The action and arch filters of the rule
+ For example, "-a always,exit -F arch=b64"
+- other_filters: Other filters that may characterize the rule:
+ For example, "-F a2&03 -F path=/etc/passwd"
+- auid_filters: The auid filters of the rule
+ For example, "-F auid>=1000 -F auid!=unset"
+- syscalls: List of syscalls to ensure presense among audit rules
+ For example, "['fchown', 'lchown', 'fchownat']"
+- syscall_groupings: List of other syscalls that can be grouped with 'syscalls'
+ For example, "['fchown', 'lchown', 'fchownat']"
+- key: The key to use when appending a new rule
#}}
-{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="", fields=[]) -%}}
-- name: Declare list of syscals
+{{% macro ansible_audit_auditctl_add_syscall_rule(action_arch_filters="", other_filters="", auid_filters="", syscalls=[], key="", syscall_grouping=[]) -%}}
+{{% if other_filters!= "" %}}
+ {{% set other_filters = " " ~ other_filters %}}
+{{% endif %}}
+{{% if auid_filters!= "" %}}
+ {{% set auid_filters = " " ~ auid_filters %}}
+{{% endif %}}
+- name: Declare list of syscalls
set_fact:
syscalls: {{{ syscalls }}}
+ syscall_grouping: {{{ syscall_grouping }}}
+
+- name: Check existence of syscalls for in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit
+ contains: '{{{ action_arch_filters }}}(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*{{{ other_filters }}}{{{ auid_filters }}} (-k\s+|-F\s+key=)\S+\s*$'
+ patterns: 'audit.rules'
+ register: find_command
+ loop: '{{ syscall_grouping }}'
-- name: Declare number of syscalls
- set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}"
+- name: Set path to /etc/audit/rules.d/{{{ key }}}.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
-{{#
-This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope.
-See official documentation: https://jinja.palletsprojects.com/en/2.11.x/templates/#assignments
-#}}
-{{% set fields_data = { 'regex' : "", 'plain_text': "" } %}}
-{{% for field in fields %}}
- {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F[\s]+' + field + '[\s]+)'}) %}}
- {{% set not_used = fields_data.update({'plain_text': fields_data.plain_text + ' -F ' + field }) %}}
-{{% endfor %}}
+- name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"
-- name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules
- find:
- paths: "/etc/audit"
- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*{{{ fields_data.regex }}}(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
- patterns: "audit.rules"
- register: audit_syscalls_found_{{{ arch }}}_audit_rules
- loop: "{{ syscalls }}"
+- name: Declare missing syscalls
+ set_fact:
+ missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
-- name: Get number of matched syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules
- set_fact: audit_syscalls_matched_{{{ arch }}}_audit_rules="{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results|sum(attribute='matched')|int }}"
+- name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: '({{{ action_arch_filters }}})(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)({{{ other_filters }}}{{{ auid_filters }}} (?:-k |-F key=)\w+)'
+ line: '\1\2\3{{ missing_syscalls | join("\3") }}\4'
+ backrefs: yes
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+- name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: "{{{ action_arch_filters }}} -S {{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
+ create: true
+ state: present
+ when: syscalls_found | length == 0
+- name: Declare list of syscals
+ set_fact:
+ syscalls: {{{ syscalls }}}
-- name: Insert the syscall rule in /etc/audit/audit.rules
- block:
- - name: "Construct rule: add rule list, action and arch"
- set_fact: tmpline="-a always,exit -F arch={{{ arch }}}"
- - name: "Construct rule: add syscalls"
- set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}"
- loop: "{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results }}"
- when: item.matched is defined and item.matched == 0
- - name: "Construct rule: add fields and key"
- set_fact: tmpline="{{ tmpline + '{{{ fields_data.plain_text }}} -k {{{ key }}}' }}"
- - name: Insert the line in /etc/audit/audit.rules
- lineinfile:
- path: "/etc/audit/audit.rules"
- line: "{{ tmpline }}"
- create: true
- state: present
- when: audit_syscalls_matched_{{{ arch }}}_audit_rules < audit_syscalls_number_of_syscalls
{{%- endmacro %}}
{{% macro ansible_sssd_ldap_config(parameter, value) -%}}
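Review bot: In the augenrules macro the facts built by `Declare syscalls found per file` and `Count occurrences of syscalls in paths` start from `| default({})` and are never reset, and `set_fact` values persist for the rest of the play, so when the macro is expanded more than once in a playbook (the b32/b64 blocks of the rule playbooks, or the EACCES/EPERM loop in the later templates) the second expansion seeds `found_paths_dict` and `syscalls_per_file` with the previous rule's entries and may choose `audit_file`, or build the `(?=...)` lookahead of the replace `regexp`, from syscalls that belong to a different rule; an explicit reset at the top of the macro avoids that (below). Separately, the `find` pattern accepts any key with `(-k\s+|-F\s+key=)\S+` while the replace `regexp` requires `(?:-k |-F key=)\w+` (in both macros), so a rule whose key contains a character outside `\w`, a hyphen for instance, is reported as found but `lineinfile` with `backrefs: yes` then matches nothing and the missing syscalls are silently never added; use `(?:-k |-F key=)\S+` there too. In the auditctl macro the task names `Check existence of syscalls for in /etc/audit/rules.d/` and `Set path to /etc/audit/rules.d/{{{ key }}}.rules` describe rules.d while the tasks operate on `/etc/audit/audit.rules`, and the trailing `Declare list of syscals` task placed after `Add the audit rule` re-sets a fact already declared at the top of the macro, so it looks like a leftover. The `!=` in `{{% if other_filters!= "" %}}` and `{{% if auid_filters!= "" %}}` lacks the space used in the augenrules macro.
```jinja
{{% macro ansible_audit_augenrules_add_syscall_rule(action_arch_filters="", other_filters="", auid_filters="", syscalls=[], key="", syscall_grouping=[]) -%}}
{{# … unchanged: other_filters / auid_filters padding … #}}
- name: Reset facts left behind by a previous expansion of this macro
  set_fact:
    syscalls_per_file: {}
    found_paths_dict: {}
- name: Declare list of syscalls
{{# … unchanged: rest of the macro … #}}
```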
From a355d5b5578477a4464023dccccdb474ff571768 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Aug 2021 14:35:17 +0200
Subject: [PATCH 14/31] Move template audit_rules_path_syscall to Ansible macro
---
.../audit_rules_path_syscall/ansible.template | 100 +++++++-----------
.../audit_rules_path_syscall/template.py | 7 ++
2 files changed, 44 insertions(+), 63 deletions(-)
diff --git a/shared/templates/audit_rules_path_syscall/ansible.template b/shared/templates/audit_rules_path_syscall/ansible.template
index d519609fa02..20440a36237 100644
--- a/shared/templates/audit_rules_path_syscall/ansible.template
+++ b/shared/templates/audit_rules_path_syscall/ansible.template
@@ -11,67 +11,41 @@
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-#
-# Inserts/replaces the rule in /etc/audit/rules.d
-#
-- name: Search /etc/audit/rules.d for other DAC audit rules
- find:
- paths: "/etc/audit/rules.d"
- recurse: no
- contains: ".*{{{ SYSCALL }}}(,[\\S]+)?[\\s]+-F[\\s]+{{{ POS }}}&03[\\s]+-F[\\s]+path={{{ PATH }}}.*"
- patterns: "*.rules"
- register: find_{{{ SYSCALL }}}
-
-- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as the recipient for the rule
- set_fact:
- all_files:
- - /etc/audit/rules.d/modify.rules
- when: find_{{{ SYSCALL }}}.matched is defined and find_{{{ SYSCALL }}}.matched == 0
-
-- name: Use matched file as the recipient for the rule
- set_fact:
- all_files:
- - "{{ find_{{{ SYSCALL }}}.files | map(attribute='path') | list | first }}"
- when: find_{{{ SYSCALL }}}.matched is defined and find_{{{ SYSCALL }}}.matched > 0
-
-- name: Inserts/replaces the {{{ SYSCALL }}} rule in rules.d when on x86
- lineinfile:
- path: "{{ all_files[0] }}"
- line: "{{ item }}"
- create: yes
- regexp: "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"
- with_items:
- - "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
-
-- name: Inserts/replaces the {{{ SYSCALL }}} rule in rules.d when on x86_64
- lineinfile:
- path: "{{ all_files[0] }}"
- line: "{{ item }}"
- create: yes
- regexp: "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"
- with_items:
- - "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
- when: audit_arch is defined and audit_arch == 'b64'
-#
-# Inserts/replaces the rule in /etc/audit/audit.rules
-#
-- name: Inserts/replaces the {{{ SYSCALL }}} rule in /etc/audit/audit.rules when on x86
- lineinfile:
- line: "{{ item }}"
- state: present
- dest: /etc/audit/audit.rules
- create: yes
- regexp: "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"
- with_items:
- - "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
+- name: Perform remediattion of Audit rules for {{{ SYSCALL }}} for x86 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="-F "~POS~"&03 -F path="~PATH,
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=SYSCALL,
+ key="modify",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="-F "~POS~"&03 -F path="~PATH,
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=SYSCALL,
+ key="modify",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
-- name: Inserts/replaces the {{{ SYSCALL }}} rule in audit.rules when on x86_64
- lineinfile:
- line: "{{ item }}"
- state: present
- dest: /etc/audit/audit.rules
- create: yes
- regexp: "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"
- with_items:
- - "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
- when: audit_arch is defined and audit_arch == 'b64'
+- name: Perform remediattion of Audit rules for {{{ SYSCALL }}} for x86_64 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="-F "~POS~"&03 -F path="~PATH,
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=SYSCALL,
+ key="modify",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="-F "~POS~"&03 -F path="~PATH,
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=SYSCALL,
+ key="modify",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
+ when: audit_arch == "b64"
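Review bot: The task names `Perform remediattion of Audit rules for {{{ SYSCALL }}} for x86 platform` and its x86_64 counterpart misspell "remediation"; the same spelling appears in both blocks of the audit_rules_dac_modification template and in the x86_64 block of the audit_rules_unsuccessful_file_modification template, whose x86 block spells it correctly. These names are what shows up in playbook output, so `Perform remediation of Audit rules for {{{ SYSCALL }}} for x86 platform` is what I would write. Also worth recording: `other_filters="-F "~POS~"&03 -F path="~PATH` is interpolated verbatim into the macro's `find` and `lineinfile` regexes, so a PATH containing regex metacharacters (a `.` in a file name, say) would match more loosely than intended — harmless for the plain paths used today, but `{{# PATH is used unescaped inside a regex: keep it free of regex metacharacters #}}` above the block records the constraint. The surrounding playbook starts before the hunk.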
diff --git a/shared/templates/audit_rules_path_syscall/template.py b/shared/templates/audit_rules_path_syscall/template.py
index 7e0877a02b9..c13f34b94e0 100644
--- a/shared/templates/audit_rules_path_syscall/template.py
+++ b/shared/templates/audit_rules_path_syscall/template.py
@@ -11,4 +11,11 @@ def preprocess(data, lang):
if "syscall_grouping" in data:
# Make it easier to tranform the syscall_grouping into a Bash array
data["syscall_grouping"] = " ".join(data["syscall_grouping"])
+ elif lang == "ansible":
+ if "syscall" in data:
+ # Tranform the syscall into a Ansible list
+ data["syscall"] = [ data["syscall"] ]
+ if "syscall_grouping" not in data:
+ # Ensure that syscall_grouping is a list
+ data["syscall_grouping"] = []
return data
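Review bot: Defaulting `data["syscall_grouping"] = []` leaves the Ansible macros with nothing to search for: their `find` task loops over `syscall_grouping` only, so for a rule without a grouping the existing audit line is never detected, `missing_syscalls` always equals `syscalls`, and the add task runs on every execution (idempotent only when the existing line is byte-identical to the generated one). Defaulting to the syscall list instead, i.e. `data["syscall_grouping"] = data["syscall"]` after the list wrapping when `syscall` is present, keeps the lookup working; the same default is in the audit_rules_dac_modification and audit_rules_unsuccessful_file_modification template.py hunks. The comment `# Tranform the syscall into a Ansible list` should read `# Transform the syscall into an Ansible list`, and `[ data["syscall"] ]` is conventionally written `[data["syscall"]]`. `preprocess` starts before the hunk and the `if` this `elif` attaches to is not visible here.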
From 27d64329d2d9d3cdac03f0a46866f99c299b430d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Aug 2021 16:37:12 +0200
Subject: [PATCH 15/31] Move template audit_rules_dac_modification to Ansible
macro
Use Ansible macro ansible_audit_augenrules_add_syscall_rule and
ansible_audit_auditctl_add_syscall_rule that group the syscalls
according to defined grouping.
---
.../ansible.template | 152 ++++++++----------
.../audit_rules_dac_modification/template.py | 7 +
2 files changed, 76 insertions(+), 83 deletions(-)
diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template
index d048978456d..d2ce6c50052 100644
--- a/shared/templates/audit_rules_dac_modification/ansible.template
+++ b/shared/templates/audit_rules_dac_modification/ansible.template
@@ -11,91 +11,77 @@
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-#
-# Inserts/replaces the rule in /etc/audit/rules.d
-#
-- name: Search /etc/audit/rules.d for other DAC audit rules
- find:
- paths: "/etc/audit/rules.d"
- recurse: no
- contains: "-F key=perm_mod$"
- patterns: "*.rules"
- register: find_{{{ ATTR }}}
-
-- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
- set_fact:
- all_files:
- - /etc/audit/rules.d/privileged.rules
- when: find_{{{ ATTR }}}.matched is defined and find_{{{ ATTR }}}.matched == 0
-
-- name: Use matched file as the recipient for the rule
- set_fact:
- all_files:
- - "{{ find_{{{ ATTR }}}.files | map(attribute='path') | list | first }}"
- when: find_{{{ ATTR }}}.matched is defined and find_{{{ ATTR }}}.matched > 0
-
-- name: Inserts/replaces the {{{ ATTR }}} rule in rules.d when on x86
- lineinfile:
- path: "{{ all_files[0] }}"
- line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
- create: yes
-
+- name: Perform remediattion of Audit rules for {{{ ATTR }}} for x86 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=ATTR,
+ key="perm_mod",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=ATTR,
+ key="perm_mod",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
{{%- if CHECK_ROOT_USER %}}
-- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in rules.d when on x86
- lineinfile:
- path: "{{ all_files[0] }}"
- line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"
- create: yes
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="-F auid=0",
+ syscalls=ATTR,
+ key="perm_mod",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="-F auid=0",
+ syscalls=ATTR,
+ key="perm_mod",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
{{%- endif %}}
-- name: Inserts/replaces the {{{ ATTR }}} rule in rules.d when on x86_64
- lineinfile:
- path: "{{ all_files[0] }}"
- line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
- create: yes
- when: audit_arch is defined and audit_arch == 'b64'
-
-{{%- if CHECK_ROOT_USER %}}
-- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in rules.d when on x86_64
- lineinfile:
- path: "{{ all_files[0] }}"
- line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"
- create: yes
- when: audit_arch is defined and audit_arch == 'b64'
-{{%- endif %}}
-#
-# Inserts/replaces the rule in /etc/audit/audit.rules
-#
-- name: Inserts/replaces the {{{ ATTR }}} rule in /etc/audit/audit.rules when on x86
- lineinfile:
- line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
- state: present
- dest: /etc/audit/audit.rules
- create: yes
-
-{{%- if CHECK_ROOT_USER %}}
-- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in /etc/audit/audit.rules when on x86
- lineinfile:
- line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"
- state: present
- dest: /etc/audit/audit.rules
- create: yes
-{{%- endif %}}
-
-- name: Inserts/replaces the {{{ ATTR }}} rule in audit.rules when on x86_64
- lineinfile:
- line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
- state: present
- dest: /etc/audit/audit.rules
- create: yes
- when: audit_arch is defined and audit_arch == 'b64'
-
+- name: Perform remediattion of Audit rules for {{{ ATTR }}} for x86_64 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=ATTR,
+ key="perm_mod",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=ATTR,
+ key="perm_mod",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
{{%- if CHECK_ROOT_USER %}}
-- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in audit.rules when on x86_64
- lineinfile:
- line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid=0 -F auid!=unset -F key=perm_mod"
- state: present
- dest: /etc/audit/audit.rules
- create: yes
- when: audit_arch is defined and audit_arch == 'b64'
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="-F auid=0",
+ syscalls=ATTR,
+ key="perm_mod",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="-F auid=0",
+ syscalls=ATTR,
+ key="perm_mod",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
{{%- endif %}}
+ when: audit_arch == "b64"
diff --git a/shared/templates/audit_rules_dac_modification/template.py b/shared/templates/audit_rules_dac_modification/template.py
index 7dc53e81f7d..eebd0b6f4ee 100644
--- a/shared/templates/audit_rules_dac_modification/template.py
+++ b/shared/templates/audit_rules_dac_modification/template.py
@@ -7,5 +7,12 @@ def preprocess(data, lang):
if "syscall_grouping" in data:
# Make it easier to tranform the syscall_grouping into a Bash array
data["syscall_grouping"] = " ".join(data["syscall_grouping"])
+ elif lang == "ansible":
+ if "attr" in data:
+ # Tranform the syscall into a Ansible list
+ data["attr"] = [ data["attr"] ]
+ if "syscall_grouping" not in data:
+ # Ensure that syscall_grouping is a list
+ data["syscall_grouping"] = []
return data
From cd507f507d3fb756c49e4ca19d47f17d951e1a9f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Aug 2021 16:59:48 +0200
Subject: [PATCH 16/31] Move template
audit_rules_unsuccessfull_file_modification to Ansible macro
Use Ansible macro ansible_audit_augenrules_add_syscall_rule and
ansible_audit_auditctl_add_syscall_rule that group the syscalls
according to defined grouping.
---
.../ansible.template | 102 +++++++-----------
.../template.py | 8 ++
2 files changed, 47 insertions(+), 63 deletions(-)
diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template
index 8e8e003a5b0..cb5decc6a6e 100644
--- a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template
+++ b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template
@@ -11,67 +11,43 @@
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-#
-# Inserts/replaces the rule in /etc/audit/rules.d
-#
-- name: Search /etc/audit/rules.d for other DAC audit rules
- find:
- paths: "/etc/audit/rules.d"
- recurse: no
- contains: "-F key=perm_mod$"
- patterns: "*.rules"
- register: find_{{{ NAME }}}
-
-- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
- set_fact:
- all_files:
- - /etc/audit/rules.d/access.rules
- when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched == 0
-
-- name: Use matched file as the recipient for the rule
- set_fact:
- all_files:
- - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}"
- when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched > 0
-
-- name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86
- lineinfile:
- path: "{{ all_files[0] }}"
- line: "{{ item }}"
- create: yes
- with_items:
- - "-a always,exit -F arch=b32 -S {{{ NAME }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=access"
- - "-a always,exit -F arch=b32 -S {{{ NAME }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=access"
-
-- name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86_64
- lineinfile:
- path: "{{ all_files[0] }}"
- line: "{{ item }}"
- create: yes
- with_items:
- - "-a always,exit -F arch=b64 -S {{{ NAME }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=access"
- - "-a always,exit -F arch=b64 -S {{{ NAME }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=access"
- when: audit_arch is defined and audit_arch == 'b64'
-#
-# Inserts/replaces the rule in /etc/audit/audit.rules
-#
-- name: Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules when on x86
- lineinfile:
- line: "{{ item }}"
- state: present
- dest: /etc/audit/audit.rules
- create: yes
- with_items:
- - "-a always,exit -F arch=b32 -S {{{ NAME }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=access"
- - "-a always,exit -F arch=b32 -S {{{ NAME }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=access"
+{{% for EXIT_CODE in ["EACCES","EPERM"] %}}
+- name: Perform remediation of Audit rules for {{{ NAME }}} {{{ EXIT_CODE}}} for x86 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="-F exit=-"~EXIT_CODE,
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=NAME,
+ key="access",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="-F exit=-"~EXIT_CODE,
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=NAME,
+ key="access",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
-- name: Inserts/replaces the {{{ NAME }}} rule in audit.rules when on x86_64
- lineinfile:
- line: "{{ item }}"
- state: present
- dest: /etc/audit/audit.rules
- create: yes
- with_items:
- - "-a always,exit -F arch=b64 -S {{{ NAME }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=access"
- - "-a always,exit -F arch=b64 -S {{{ NAME }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=access"
- when: audit_arch is defined and audit_arch == 'b64'
+- name: Perform remediattion of Audit rules for {{{ NAME }}} {{{ EXIT_CODE }}} for x86_64 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="-F exit=-"~EXIT_CODE,
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=NAME,
+ key="access",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="-F exit=-"~EXIT_CODE,
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=NAME,
+ key="access",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
+ when: audit_arch == "b64"
+{{% endfor %}}
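Review bot: The x86 task name uses `{{{ EXIT_CODE}}}` while the x86_64 one uses `{{{ EXIT_CODE }}}`; the rendered names are the same, but the file otherwise always pads its `{{{ }}}` expressions, so `Perform remediation of Audit rules for {{{ NAME }}} {{{ EXIT_CODE }}} for x86 platform` keeps the style consistent. Each iteration of the `for` expands the two macros twice more, so any facts the macros carry over between expansions are exercised most heavily by this template; a one-line comment above the loop, `{{# one b32 and one b64 block per exit code; the macros are expanded four times in total #}}`, would make that explicit for whoever tunes the macros next.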
diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/template.py b/shared/templates/audit_rules_unsuccessful_file_modification/template.py
index a4e58609f66..62abfad9a2c 100644
--- a/shared/templates/audit_rules_unsuccessful_file_modification/template.py
+++ b/shared/templates/audit_rules_unsuccessful_file_modification/template.py
@@ -6,6 +6,14 @@ def _audit_rules_unsuccessful_file_modification(data, lang):
if "syscall_grouping" in data:
# Make it easier to tranform the syscall_grouping into a Bash array
data["syscall_grouping"] = " ".join(data["syscall_grouping"])
+ elif lang == "ansible":
+ if "name" in data:
+ # Tranform the syscall into a Ansible list
+ # The syscall is under 'name'
+ data["name"] = [ data["name"] ]
+ if "syscall_grouping" not in data:
+ # Ensure that syscall_grouping is a list
+ data["syscall_grouping"] = []
return data
From 52dcdb4be6c1b450bfb074684b4657a40963e752 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Aug 2021 17:34:26 +0200
Subject: [PATCH 17/31] Add syscall_groups to unsuccessful_file_mofication
rules
The groupings were based on the rule description.
---
.../rule.yml | 7 +++++++
.../rule.yml | 5 +++++
.../rule.yml | 7 +++++++
.../rule.yml | 7 +++++++
.../rule.yml | 5 +++++
.../rule.yml | 5 +++++
.../rule.yml | 7 +++++++
.../rule.yml | 5 +++++
.../rule.yml | 7 +++++++
.../rule.yml | 5 +++++
.../rule.yml | 5 +++++
.../rule.yml | 6 ++++++
.../rule.yml | 7 +++++++
.../rule.yml | 5 +++++
.../rule.yml | 5 +++++
15 files changed, 88 insertions(+)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml
index 7cf5855bcae..ddfe1e9d6c3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml
@@ -51,3 +51,10 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: chmod
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+ - fsetxattr
+ - lsetxattr
+ - setxattr
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml
index 090463bd402..6ca6e27b24d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml
@@ -51,3 +51,8 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: chown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml
index fc2b945ef9b..1a93b4537e0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml
@@ -51,3 +51,10 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: fchmod
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+ - fsetxattr
+ - lsetxattr
+ - setxattr
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml
index e4da28ec070..dd77cd60639 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml
@@ -51,3 +51,10 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: fchmodat
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+ - fsetxattr
+ - lsetxattr
+ - setxattr
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml
index 69a9ddf72b1..3e5da890340 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml
@@ -51,3 +51,8 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: fchown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml
index 7da6b8a4d73..76f0e177b67 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml
@@ -51,3 +51,8 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: fchownat
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml
index eaa9f32081f..bf1ff86737c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml
@@ -51,3 +51,10 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: fsetxattr
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+ - fsetxattr
+ - lsetxattr
+ - setxattr
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml
index 84c71963545..3d42cea2ac1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml
@@ -55,3 +55,8 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: lchown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml
index 1de114c65d5..e388ec2d69e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml
@@ -51,3 +51,10 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: lsetxattr
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+ - fsetxattr
+ - lsetxattr
+ - setxattr
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml
index 0aac53c1d2f..ae390fc9904 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml
@@ -64,3 +64,8 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: rename
+ syscall_grouping:
+ - rename
+ - renameat
+ - unlink
+ - unlinkat
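Review bot: The grouping given to the rename rule here (rename, renameat, unlink, unlinkat) omits renameat2, while the renameat2 rule's own grouping (L2729-L2734) lists all five, so the grouping relation is not symmetric; the same omission is in the renameat (L2716-L2720), unlink (L2758-L2762) and unlinkat (L2771-L2775) hunks. If the remediation uses the grouping to decide whether an existing line may be extended, a line already carrying renameat2 could be left alone by these four rules and a second, overlapping rule added; how the matching behaves lives in the remediation functions, not in this hunk. If renameat2 is left out on purpose because some products lack the syscall, a short comment next to these lists, e.g. `# renameat2 is grouped only from its own rule; not available on every product`, would record that decision.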
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml
index 81bb79b5589..ab5d3b8d7b3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml
@@ -64,3 +64,8 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: renameat
+ syscall_grouping:
+ - rename
+ - renameat
+ - unlink
+ - unlinkat
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml
index 57dc243760d..f0c7e1a9ca9 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml
@@ -49,3 +49,9 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: renameat2
+ syscall_grouping:
+ - rename
+ - renameat
+ - renameat2
+ - unlink
+ - unlinkat
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml
index a406dba0e8d..a45d0cdac86 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml
@@ -51,3 +51,10 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: setxattr
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+ - fsetxattr
+ - lsetxattr
+ - setxattr
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml
index 55f4582ba74..c78957bab21 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml
@@ -66,3 +66,8 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: unlink
+ syscall_grouping:
+ - rename
+ - renameat
+ - unlink
+ - unlinkat
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml
index 0a672366fe8..8fa62518cb5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml
@@ -66,3 +66,8 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: unlinkat
+ syscall_grouping:
+ - rename
+ - renameat
+ - unlink
+ - unlinkat
From bc7152399c205b25c9a471deffc0497d26896cd7 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Aug 2021 17:45:45 +0200
Subject: [PATCH 18/31] Move template audit_rules_privileged_commands to
Ansible macro
Update the macros to better handle an empty syscalls parameter.
Use Ansible macro ansible_audit_augenrules_add_syscall_rule and
ansible_audit_auditctl_add_syscall_rule that group the syscalls
according to defined grouping.
---
shared/macros-ansible.jinja | 14 ++++-
.../ansible.template | 56 +++++++------------
.../template.py | 4 ++
3 files changed, 35 insertions(+), 39 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 5e120deee58..a067742b1f4 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -404,6 +404,11 @@ The macro requires following parameters:
{{% if auid_filters != "" %}}
{{% set auid_filters = " " ~ auid_filters %}}
{{% endif %}}
+{{% if syscalls == [] %}}
+ {{% set syscall_flag = "" %}}
+{{% else %}}
+ {{% set syscall_flag = " -S " %}}
+{{% endif %}}
- name: Declare list of syscalls
set_fact:
syscalls: {{{ syscalls }}}
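Review bot: The new `syscall_flag` branch changes the macro's contract — an empty `syscalls` list now yields a rule line with no `-S` clause — but the parameter documentation the `@@` context points at ("The macro requires following parameters:") is not updated to say so; a line such as `syscalls: list of syscalls; pass [] for rules without a syscall filter (no -S is emitted)` would document it. The same five lines are repeated in the auditctl macro (L2819-L2823), so any later change has to be mirrored by hand. The test `syscalls == []` only recognises an empty list; if a caller can pass a missing or None value, `{{% if not syscalls %}}` would cover those too, though whether that can happen depends on the callers' template.py, which is outside this hunk.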
@@ -455,7 +460,7 @@ The macro requires following parameters:
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
- line: "{{{ action_arch_filters }}} -S {{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
+ line: "{{{ action_arch_filters }}}{{{ syscall_flag }}}{{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
create: true
state: present
when: syscalls_found | length == 0
@@ -483,6 +488,11 @@ The macro requires following parameters:
{{% if auid_filters!= "" %}}
{{% set auid_filters = " " ~ auid_filters %}}
{{% endif %}}
+{{% if syscalls == [] %}}
+ {{% set syscall_flag = "" %}}
+{{% else %}}
+ {{% set syscall_flag = " -S " %}}
+{{% endif %}}
- name: Declare list of syscalls
set_fact:
syscalls: {{{ syscalls }}}
@@ -518,7 +528,7 @@ The macro requires following parameters:
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
- line: "{{{ action_arch_filters }}} -S {{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
+ line: "{{{ action_arch_filters }}}{{{ syscall_flag }}}{{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
create: true
state: present
when: syscalls_found | length == 0
diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template
index 06154e10ceb..b1788b59b8a 100644
--- a/shared/templates/audit_rules_privileged_commands/ansible.template
+++ b/shared/templates/audit_rules_privileged_commands/ansible.template
@@ -1,5 +1,5 @@
{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
- {{%- set perm_x="-F perm=x " %}}
+ {{%- set perm_x=" -F perm=x" %}}
{{%- endif %}}
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
# reboot = false
@@ -7,39 +7,21 @@
# complexity = low
# disruption = low
-# Inserts/replaces the rule in /etc/audit/rules.d
-
-- name: Search /etc/audit/rules.d for audit rule entries
- find:
- paths: "/etc/audit/rules.d"
- recurse: no
- contains: "^.*path={{{ PATH }}}.*$"
- patterns: "*.rules"
- register: find_{{{ NAME }}}
-
-- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
- set_fact:
- all_files:
- - /etc/audit/rules.d/privileged.rules
- when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched == 0
-
-- name: Use matched file as the recipient for the rule
- set_fact:
- all_files:
- - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}"
- when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched > 0
-
-
-- name: Inserts/replaces the {{{ NAME }}} rule in rules.d
- lineinfile:
- path: "{{ all_files[0] }}"
- line: '-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
- create: yes
-
-# Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules
-
-- name: Inserts/replaces the {{{ NAME }}} rule in audit.rules
- lineinfile:
- path: /etc/audit/audit.rules
- line: '-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
- create: yes
+- name: Perform remediattion of Audit rules for {{{ PATH }}}
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit",
+ other_filters="-F path="~PATH~perm_x,
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=SYSCALL,
+ key="privileged",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit",
+ other_filters="-F path="~PATH~perm_x,
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=SYSCALL,
+ key="privileged",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
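Review bot: `perm_x` is only assigned for the four products listed at L2841, and the new `other_filters="-F path="~PATH~perm_x` at L2890 and L2898 concatenates it with `~`, so for every other product the expression relies on an undefined Jinja variable rendering as an empty string; an explicit `{{%- else %}}` / `{{%- set perm_x="" %}}` before the `endif` at L2844 removes that dependency on the environment's undefined handling. The task name at L2886 misspells "remediation" as "remediattion", and the same spelling is repeated at L2980, L3005, L3113, L3132, L3209, L3228 and L3304; since this is the text shown in Ansible's play output it is worth fixing across all of them. The previous template searched rules.d for an existing `path=` entry and defaulted to privileged.rules; whether the macro preserves that file choice cannot be seen from this hunk.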
diff --git a/shared/templates/audit_rules_privileged_commands/template.py b/shared/templates/audit_rules_privileged_commands/template.py
index 43302a6690a..0cf6cba79cc 100644
--- a/shared/templates/audit_rules_privileged_commands/template.py
+++ b/shared/templates/audit_rules_privileged_commands/template.py
@@ -19,4 +19,8 @@ def preprocess(data, lang):
if "syscall_grouping" in data:
# Make it easier to tranform the syscall_grouping into a Bash array
data["syscall_grouping"] = " ".join(data["syscall_grouping"])
+ elif lang == "ansible":
+ # This template does not use the 'syscall' parameters
+ data["syscall"] = []
+ data["syscall_grouping"] = []
return data
From 93e082296abbaa4f62e1352e4240c72ade510740 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Aug 2021 18:15:50 +0200
Subject: [PATCH 19/31] Move template audit_rules_file_deletion_events to
Ansible macro
Use Ansible macro ansible_audit_augenrules_add_syscall_rule and
ansible_audit_auditctl_add_syscall_rule that group the syscalls
according to defined grouping.
---
.../ansible.template | 88 ++++++++-----------
.../template.py | 8 ++
2 files changed, 45 insertions(+), 51 deletions(-)
diff --git a/shared/templates/audit_rules_file_deletion_events/ansible.template b/shared/templates/audit_rules_file_deletion_events/ansible.template
index 12d6088ecea..ec732133838 100644
--- a/shared/templates/audit_rules_file_deletion_events/ansible.template
+++ b/shared/templates/audit_rules_file_deletion_events/ansible.template
@@ -11,55 +11,41 @@
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-#
-# Inserts/replaces the rule in /etc/audit/rules.d
-#
-- name: Search /etc/audit/rules.d for other DAC audit rules
- find:
- paths: "/etc/audit/rules.d"
- recurse: no
- contains: "-F key=delete$"
- patterns: "*.rules"
- register: find_{{{ NAME }}}
-
-- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule
- set_fact:
- all_files:
- - /etc/audit/rules.d/delete.rules
- when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched == 0
-
-- name: Use matched file as the recipient for the rule
- set_fact:
- all_files:
- - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}"
- when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched > 0
-
-- name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86
- lineinfile:
- path: "{{ all_files[0] }}"
- line: "-a always,exit -F arch=b32 -S {{{ NAME }}} -F auid>={{{ auid }}} -F auid!=unset -F key=delete"
- create: yes
-
-- name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86_64
- lineinfile:
- path: "{{ all_files[0] }}"
- line: "-a always,exit -F arch=b64 -S {{{ NAME }}} -F auid>={{{ auid }}} -F auid!=unset -F key=delete"
- create: yes
- when: audit_arch is defined and audit_arch == 'b64'
-#
-# Inserts/replaces the rule in /etc/audit/audit.rules
-#
-- name: Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules when on x86
- lineinfile:
- line: "-a always,exit -F arch=b32 -S {{{ NAME }}} -F auid>={{{ auid }}} -F auid!=unset -F key=delete"
- state: present
- dest: /etc/audit/audit.rules
- create: yes
+- name: Perform remediattion of Audit rules for {{{ NAME }}} for x86 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=NAME,
+ key="delete",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=NAME,
+ key="delete",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
-- name: Inserts/replaces the {{{ NAME }}} rule in audit.rules when on x86_64
- lineinfile:
- line: "-a always,exit -F arch=b64 -S {{{ NAME }}} -F auid>={{{ auid }}} -F auid!=unset -F key=delete"
- state: present
- dest: /etc/audit/audit.rules
- create: yes
- when: audit_arch is defined and audit_arch == 'b64'
+- name: Perform remediattion of Audit rules for {{{ NAME }}} for x86_64 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=NAME,
+ key="delete",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=NAME,
+ key="delete",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
+ when: audit_arch == "b64"
diff --git a/shared/templates/audit_rules_file_deletion_events/template.py b/shared/templates/audit_rules_file_deletion_events/template.py
index 7be137c1eb9..1141a99826b 100644
--- a/shared/templates/audit_rules_file_deletion_events/template.py
+++ b/shared/templates/audit_rules_file_deletion_events/template.py
@@ -6,6 +6,14 @@ def _audit_rules_file_deletion_events(data, lang):
if "syscall_grouping" in data:
# Make it easier to tranform the syscall_grouping into a Bash array
data["syscall_grouping"] = " ".join(data["syscall_grouping"])
+ elif lang == "ansible":
+ if "name" in data:
+ # Tranform the syscall into a Ansible list
+ # The syscall is under 'name'
+ data["name"] = [ data["name"] ]
+ if "syscall_grouping" not in data:
+ # Ensure that syscall_grouping is a list
+ data["syscall_grouping"] = []
return data
From 5db4692a9efd86713e79c6fb72f87bf4898338e9 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Aug 2021 19:16:54 +0200
Subject: [PATCH 20/31] Update Ansible audit_rules_kernel_module_loading_* to
use macros
Update the remediation of the following rules to use the Ansible syscall rule macro:
- audit_rules_kernel_module_loading_delete
- audit_rules_kernel_module_loading_finit
- audit_rules_kernel_module_loading_init
---
.../ansible/shared.yml | 89 ++++++++-----------
.../ansible/shared.yml | 89 ++++++++-----------
.../ansible/shared.yml | 88 ++++++++----------
3 files changed, 114 insertions(+), 152 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml
index 60f477ac355..863ba6f0134 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml
@@ -10,54 +10,41 @@
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-# Inserts/replaces the rule in /etc/audit/rules.d
-
-- name: Search /etc/audit/rules.d for audit rule entries
- find:
- paths: /etc/audit/rules.d
- recurse: false
- contains: ^.*delete_module.*$
- patterns: '*.rules'
- register: find_delete_module
-
-- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
- set_fact:
- all_files:
- - /etc/audit/rules.d/privileged.rules
- when: find_delete_module.matched is defined and find_delete_module.matched == 0
-
-- name: Use matched file as the recipient for the rule
- set_fact:
- all_files:
- - '{{ find_delete_module.files | map(attribute=''path'') | list | first }}'
- when: find_delete_module.matched is defined and find_delete_module.matched > 0
-
-- name: Inserts/replaces the delete_module rule in rules.d
- lineinfile:
- path: '{{ all_files[0] }}'
- line: '-a always,exit -F arch=b32 -S delete_module -k module-change'
- state: present
- create: true
-
-- name: Inserts/replaces the delete_module rule in rules.d on x86_64
- lineinfile:
- path: '{{ all_files[0] }}'
- line: '-a always,exit -F arch=b64 -S delete_module -k module-change'
- state: present
- create: true
- when: audit_arch is defined and audit_arch == 'b64'
-
-# Inserts/replaces the delete_modules rule in /etc/audit/audit.rules
-
-- name: Inserts/replaces the delete_module rule in audit.rules
- lineinfile:
- path: /etc/audit/audit.rules
- line: '-a always,exit -F arch=b32 -S delete_module -k module-change'
- create: true
-
-- name: Inserts/replaces the delete_module rule in audit.rules when on x86_64
- lineinfile:
- path: /etc/audit/audit.rules
- line: '-a always,exit -F arch=b64 -S delete_module -k module-change'
- create: true
- when: audit_arch is defined and audit_arch == 'b64'
+- name: Perform remediattion of Audit rules for delete_module for x86 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["delete_module"],
+ key="module-change",
+ syscall_grouping=[],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["delete_module"],
+ key="module-change",
+ syscall_grouping=[],
+ )|indent(4) }}}
+
+- name: Perform remediattion of Audit rules for delete_module for x86_64 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=["delete_module"],
+ key="module-change",
+ syscall_grouping=[],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=["delete_module"],
+ key="module-change",
+ syscall_grouping=[],
+ )|indent(4) }}}
+ when: audit_arch == "b64"
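Review bot: The rule line emitted by the macro ends with `-F key=module-change` (see L2811), whereas the lines this hunk removes — and therefore the lines already present on hosts remediated by the previous version — use `-k module-change`; unless the macro's search for existing rules accepts both key spellings, which is not visible here, re-running the playbook would append a second rule for the same syscall. The finit_module hunk (L3155-L3246) has the same exposure. `delete_module` is given `syscall_grouping=[]` at L3121 while finit_module is grouped with init_module at L3217; if that is deliberate (one line for loading, one for unloading), a comment such as `# delete_module is kept on its own rule line` would keep the asymmetry from being "fixed" later.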
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml
index 3f3c3e3d947..268f0a57f11 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml
@@ -10,54 +10,41 @@
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-# Inserts/replaces the rule in /etc/audit/rules.d
-
-- name: Search /etc/audit/rules.d for audit rule entries
- find:
- paths: /etc/audit/rules.d
- recurse: false
- contains: ^.*finit_module.*$
- patterns: '*.rules'
- register: find_finit_module
-
-- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
- set_fact:
- all_files:
- - /etc/audit/rules.d/privileged.rules
- when: find_finit_module.matched is defined and find_finit_module.matched == 0
-
-- name: Use matched file as the recipient for the rule
- set_fact:
- all_files:
- - '{{ find_finit_module.files | map(attribute=''path'') | list | first }}'
- when: find_finit_module.matched is defined and find_finit_module.matched > 0
-
-- name: Inserts/replaces the finit_module rule in rules.d
- lineinfile:
- path: '{{ all_files[0] }}'
- line: '-a always,exit -F arch=b32 -S finit_module -k module-change'
- state: present
- create: true
-
-- name: Inserts/replaces the finit_module rule in rules.d on x86_64
- lineinfile:
- path: '{{ all_files[0] }}'
- line: '-a always,exit -F arch=b64 -S finit_module -k module-change'
- state: present
- create: true
- when: audit_arch is defined and audit_arch == 'b64'
-
-# Inserts/replaces the finit_modules rule in /etc/audit/audit.rules
-
-- name: Inserts/replaces the finit_module rule in audit.rules
- lineinfile:
- path: /etc/audit/audit.rules
- line: '-a always,exit -F arch=b32 -S finit_module -k module-change'
- create: true
-
-- name: Inserts/replaces the finit_module rule in audit.rules when on x86_64
- lineinfile:
- path: /etc/audit/audit.rules
- line: '-a always,exit -F arch=b64 -S finit_module -k module-change'
- create: true
- when: audit_arch is defined and audit_arch == 'b64'
+- name: Perform remediattion of Audit rules for finit_module for x86 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["finit_module"],
+ key="module-change",
+ syscall_grouping=["init_module","finit_module"],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["finit_module"],
+ key="module-change",
+ syscall_grouping=["init_module","finit_module"],
+ )|indent(4) }}}
+
+- name: Perform remediattion of Audit rules for finit_module for x86_64 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=["finit_module"],
+ key="module-change",
+ syscall_grouping=["init_module","finit_module"],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=["finit_module"],
+ key="module-change",
+ syscall_grouping=["init_module","finit_module"],
+ )|indent(4) }}}
+ when: audit_arch == "b64"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml
index 3f58125065b..2155a1835c6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml
@@ -10,53 +10,41 @@
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-# Inserts/replaces the rule in /etc/audit/rules.d
-
-- name: Search /etc/audit/rules.d for audit rule entries
- find:
- paths: /etc/audit/rules.d
- recurse: false
- contains: ^.*init_module.*$
- patterns: '*.rules'
- register: find_init_module
-
-- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
- set_fact:
- all_files:
- - /etc/audit/rules.d/privileged.rules
- when: find_init_module.matched is defined and find_init_module.matched == 0
-
-- name: Use matched file as the recipient for the rule
- set_fact:
- all_files:
- - '{{ find_init_module.files | map(attribute=''path'') | list | first }}'
- when: find_init_module.matched is defined and find_init_module.matched > 0
-
-- name: Inserts/replaces the init_module rule in rules.d
- lineinfile:
- path: '{{ all_files[0] }}'
- line: '-a always,exit -F arch=b32 -S init_module -k module-change'
- state: present
- create: true
-
-- name: Inserts/replaces the init_module rule in rules.d on x86_64
- lineinfile:
- path: '{{ all_files[0] }}'
- line: '-a always,exit -F arch=b64 -S init_module -k module-change'
- state: present
- create: true
- when: audit_arch is defined and audit_arch == 'b64'
-
-# Inserts/replaces the init_modules rule in /etc/audit/audit.rules
-
-- name: Inserts/replaces the init_module rule in audit.rules
- lineinfile:
- path: /etc/audit/audit.rules
- line: '-a always,exit -F arch=b32 -S init_module -k module-change'
- create: true
-- name: Inserts/replaces the init_module rule in audit.rules when on x86_64
- lineinfile:
- path: /etc/audit/audit.rules
- line: '-a always,exit -F arch=b64 -S init_module -k module-change'
- create: true
- when: audit_arch is defined and audit_arch == 'b64'
+- name: Perform remediattion of Audit rules for init_module for x86 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["init_module"],
+ key="module-change",
+ syscall_grouping=["init_module","finit_module"],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["init_module"],
+ key="module-change",
+ syscall_grouping=["init_module","finit_module"],
+ )|indent(4) }}}
+
+- name: Perform remediattion of Audit rules for init_module for x86_64 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=["init_module"],
+ key="module-change",
+ syscall_grouping=["init_module","finit_module"],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=["init_module"],
+ key="module-change",
+ syscall_grouping=["init_module","finit_module"],
+ )|indent(4) }}}
+ when: audit_arch == "b64"
From 98843a14147ea7db9d6ef96580ed4b8e9c15f67f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Aug 2021 19:31:15 +0200
Subject: [PATCH 21/31] Update directory_access_var_log_audit to use Ansible
macro
Also fix a bug in Bash remediation, there should be no arch.
---
.../ansible/shared.yml | 51 +++++++------------
.../bash/shared.sh | 2 +-
2 files changed, 19 insertions(+), 34 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml
index 31b65a0833c..bc6e929372f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml
@@ -3,36 +3,21 @@
# strategy = restrict
# complexity = low
# disruption = low
-- name: Search /etc/audit/rules.d for audit rule entries
- find:
- paths: /etc/audit/rules.d
- recurse: false
- contains: ^.*dir=/var/log/audit/.*$
- patterns: '*.rules'
- register: find_var_log_audit
-
-- name: Use /etc/audit/rules.d/access-audit-trail.rules as the recipient for the rule
- set_fact:
- all_files:
- - /etc/audit/rules.d/access-audit-trail.rules
- when: find_var_log_audit.matched == 0
-
-- name: Use matched file as the recipient for the rule
- set_fact:
- all_files:
- - '{{ find_var_log_audit.files | map(attribute=''path'') | list | first }}'
- when: find_var_log_audit.matched > 0
-
-- name: Inserts/replaces the /var/log/audit/ rule in rules.d
- lineinfile:
- path: '{{ all_files[0] }}'
- line: -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset
- -F key=access-audit-trail
- create: true
-
-- name: Inserts/replaces the /var/log/audit/ rule in audit.rules
- lineinfile:
- path: /etc/audit/audit.rules
- line: -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset
- -F key=access-audit-trail
- create: true
+- name: Perform remediattion of Audit rules for /var/log/audit
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit",
+ other_filters="-F dir=/var/log/audit/ -F perm=r",
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=[],
+ key="access-audit-trail",
+ syscall_grouping=[],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit",
+ other_filters="-F dir=/var/log/audit/ -F perm=r",
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=[],
+ key="access-audit-trail",
+ syscall_grouping=[],
+ )|indent(4) }}}
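Review bot: With `syscalls=[]` and `syscall_grouping=[]` the macro's find task has nothing to loop over (its loop is built from `syscall_grouping + syscalls`), so the existence check never runs and this rule is always routed to the macro's add task; idempotency then rests on `lineinfile` matching the exact rule text, and a pre-existing `/var/log/audit/` watch with a different key would presumably be left in place next to the new one rather than rewritten. Since this is the first caller in the series that passes no syscalls, a comment above the block stating that expectation would help the next reader, e.g. `# No syscalls: the macro's existence check is skipped, the rule is added by exact-line match`. The `"-F auid>="~auid~" -F auid!=unset"` concatenation depends on `auid` being in template scope, which the removed `{{{ auid }}}` lines confirm.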
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
index 0c4e8ffdbd3..a8e4a71a9f8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
@@ -3,7 +3,7 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ACTION_ARCH_FILTERS="-a always,exit"
OTHER_FILTERS="-F dir=/var/log/audit/ -F perm=r"
AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
SYSCALL=""
From 78664de349a993b36f02c17e25c5042ed075d9a7 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Aug 2021 19:38:39 +0200
Subject: [PATCH 22/31] Python style fixes
---
shared/templates/audit_rules_dac_modification/template.py | 2 +-
shared/templates/audit_rules_file_deletion_events/template.py | 3 +--
shared/templates/audit_rules_path_syscall/template.py | 2 +-
.../audit_rules_unsuccessful_file_modification/template.py | 3 +--
4 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/shared/templates/audit_rules_dac_modification/template.py b/shared/templates/audit_rules_dac_modification/template.py
index eebd0b6f4ee..17187826e62 100644
--- a/shared/templates/audit_rules_dac_modification/template.py
+++ b/shared/templates/audit_rules_dac_modification/template.py
@@ -10,7 +10,7 @@ def preprocess(data, lang):
elif lang == "ansible":
if "attr" in data:
# Tranform the syscall into a Ansible list
- data["attr"] = [ data["attr"] ]
+ data["attr"] = [data["attr"]]
if "syscall_grouping" not in data:
# Ensure that syscall_grouping is a list
data["syscall_grouping"] = []
diff --git a/shared/templates/audit_rules_file_deletion_events/template.py b/shared/templates/audit_rules_file_deletion_events/template.py
index 1141a99826b..4916d892521 100644
--- a/shared/templates/audit_rules_file_deletion_events/template.py
+++ b/shared/templates/audit_rules_file_deletion_events/template.py
@@ -10,7 +10,7 @@ def _audit_rules_file_deletion_events(data, lang):
if "name" in data:
# Tranform the syscall into a Ansible list
# The syscall is under 'name'
- data["name"] = [ data["name"] ]
+ data["name"] = [data["name"]]
if "syscall_grouping" not in data:
# Ensure that syscall_grouping is a list
data["syscall_grouping"] = []
@@ -19,4 +19,3 @@ def _audit_rules_file_deletion_events(data, lang):
def preprocess(data, lang):
return _audit_rules_file_deletion_events(data, lang)
-
diff --git a/shared/templates/audit_rules_path_syscall/template.py b/shared/templates/audit_rules_path_syscall/template.py
index c13f34b94e0..0f2966335b0 100644
--- a/shared/templates/audit_rules_path_syscall/template.py
+++ b/shared/templates/audit_rules_path_syscall/template.py
@@ -14,7 +14,7 @@ def preprocess(data, lang):
elif lang == "ansible":
if "syscall" in data:
# Tranform the syscall into a Ansible list
- data["syscall"] = [ data["syscall"] ]
+ data["syscall"] = [data["syscall"]]
if "syscall_grouping" not in data:
# Ensure that syscall_grouping is a list
data["syscall_grouping"] = []
diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/template.py b/shared/templates/audit_rules_unsuccessful_file_modification/template.py
index 62abfad9a2c..dd9714457a2 100644
--- a/shared/templates/audit_rules_unsuccessful_file_modification/template.py
+++ b/shared/templates/audit_rules_unsuccessful_file_modification/template.py
@@ -10,7 +10,7 @@ def _audit_rules_unsuccessful_file_modification(data, lang):
if "name" in data:
# Tranform the syscall into a Ansible list
# The syscall is under 'name'
- data["name"] = [ data["name"] ]
+ data["name"] = [data["name"]]
if "syscall_grouping" not in data:
# Ensure that syscall_grouping is a list
data["syscall_grouping"] = []
@@ -19,4 +19,3 @@ def _audit_rules_unsuccessful_file_modification(data, lang):
def preprocess(data, lang):
return _audit_rules_unsuccessful_file_modification(data, lang)
-
From 16df69710c8872bd6d348a60a0542fb2cafb0dc3 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 18 Aug 2021 10:22:32 +0200
Subject: [PATCH 23/31] Fix typo in Ansible remediarion for
unsuccessful_file_modification
---
.../audit_rules_unsuccessful_file_modification/bash/shared.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh
index bf931e46430..5cb4dbe6f4a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh
@@ -12,7 +12,7 @@ do
# First fix the -EACCES requirement
ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
- OTHER_FILTERS="-F exit=EACCES"
+ OTHER_FILTERS="-F exit=-EACCES"
AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
SYSCALL="creat open openat open_by_handle_at truncate ftruncate"
KEY="access"
@@ -24,7 +24,7 @@ do
# Then fix the -EPERM requirement
# No need to change content of $GROUP variable - it's the same as for -EACCES case above
ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
- OTHER_FILTERS="-F exit=EPERM"
+ OTHER_FILTERS="-F exit=-EPERM"
AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
SYSCALL="creat open openat open_by_handle_at truncate ftruncate"
KEY="access"
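Review bot: The comment two lines above the changed `OTHER_FILTERS` still says "No need to change content of $GROUP variable", but this block sets `KEY="access"` and the series makes the key explicit, so the comment appears to reference a variable that no longer drives the rule; suggest `# No need to change content of $KEY variable - it's the same as for -EACCES case above`. The `-EACCES`/`-EPERM` fix itself matches the negative-errno form auditctl expects for `-F exit=`. The enclosing `do` loop starts outside both hunks.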
From d761a6498f8e3e64810e7b06cbf04837d0ae8975 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 18 Aug 2021 10:23:50 +0200
Subject: [PATCH 24/31] Check all relevant syscalls in Ansible macro
The Ansible macros for audit syscall rules should check the target
syscall and the groupable syscalls during 'find' task.
When 'syscall_grouping' was empty, the remediation would simply
execute the 'Add a new rule' task.
If the key was different, a new duplicate rule would be added.
Also removes extra syscalls declaration task.
---
shared/macros-ansible.jinja | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index a067742b1f4..1af5ed3dd95 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -420,7 +420,7 @@ The macro requires following parameters:
contains: '{{{ action_arch_filters }}}(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*{{{ other_filters }}}{{{ auid_filters }}} (-k\s+|-F\s+key=)\S+\s*$'
patterns: '*.rules'
register: find_command
- loop: '{{ syscall_grouping }}'
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | default({}) | combine( {item.files[0].path :[item.item]+(syscalls_per_file | default({})).get(item.files[0].path, []) } ) }}"
@@ -504,7 +504,7 @@ The macro requires following parameters:
contains: '{{{ action_arch_filters }}}(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*{{{ other_filters }}}{{{ auid_filters }}} (-k\s+|-F\s+key=)\S+\s*$'
patterns: 'audit.rules'
register: find_command
- loop: '{{ syscall_grouping }}'
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/rules.d/{{{ key }}}.rules
set_fact: audit_file="/etc/audit/audit.rules"
@@ -532,10 +532,6 @@ The macro requires following parameters:
create: true
state: present
when: syscalls_found | length == 0
-- name: Declare list of syscals
- set_fact:
- syscalls: {{{ syscalls }}}
-
{{%- endmacro %}}
{{% macro ansible_sssd_ldap_config(parameter, value) -%}}
From 2a2697e49809f14c0f1af81940c6198691e9af94 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 18 Aug 2021 10:35:10 +0200
Subject: [PATCH 25/31] Improve task titles of audit macros and templates
---
shared/macros-ansible.jinja | 6 +++---
.../templates/audit_rules_dac_modification/ansible.template | 6 +++---
.../audit_rules_file_deletion_events/ansible.template | 6 +++---
shared/templates/audit_rules_path_syscall/ansible.template | 6 +++---
.../ansible.template | 6 +++---
5 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 1af5ed3dd95..b5574da29ac 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -414,7 +414,7 @@ The macro requires following parameters:
syscalls: {{{ syscalls }}}
syscall_grouping: {{{ syscall_grouping }}}
-- name: Check existence of syscalls for in /etc/audit/rules.d/
+- name: Check existence of {{{ syscalls | join(", ") }}} in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: '{{{ action_arch_filters }}}(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*{{{ other_filters }}}{{{ auid_filters }}} (-k\s+|-F\s+key=)\S+\s*$'
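Review bot: `{{{ syscalls | join(", ") }}}` renders an empty fragment in the task title ("Check existence of  in /etc/audit/rules.d/") for callers that pass `syscalls=[]`, which the directory_access_var_log_audit change earlier in this series does; the same applies to the audit.rules title in the next hunk of this file. Falling back to the key keeps the title meaningful for watch rules, e.g. `- name: Check existence of {{{ syscalls | join(", ") if syscalls else key }}} in /etc/audit/rules.d/`. The macro body starts outside the hunk.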
@@ -498,7 +498,7 @@ The macro requires following parameters:
syscalls: {{{ syscalls }}}
syscall_grouping: {{{ syscall_grouping }}}
-- name: Check existence of syscalls for in /etc/audit/rules.d/
+- name: Check existence of {{{ syscalls | join(", ") }}} in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: '{{{ action_arch_filters }}}(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*{{{ other_filters }}}{{{ auid_filters }}} (-k\s+|-F\s+key=)\S+\s*$'
@@ -506,7 +506,7 @@ The macro requires following parameters:
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
-- name: Set path to /etc/audit/rules.d/{{{ key }}}.rules
+- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template
index d2ce6c50052..ea6fd94ff4b 100644
--- a/shared/templates/audit_rules_dac_modification/ansible.template
+++ b/shared/templates/audit_rules_dac_modification/ansible.template
@@ -7,11 +7,11 @@
#
# What architecture are we on?
#
-- name: Set architecture for audit {{{ ATTR }}} tasks
+- name: Set architecture for audit {{{ ATTR | join(", ") }}} tasks
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-- name: Perform remediattion of Audit rules for {{{ ATTR }}} for x86 platform
+- name: Perform remediattion of Audit rules for {{{ ATTR | join(", ") }}} for x86 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b32",
@@ -48,7 +48,7 @@
)|indent(4) }}}
{{%- endif %}}
-- name: Perform remediattion of Audit rules for {{{ ATTR }}} for x86_64 platform
+- name: Perform remediattion of Audit rules for {{{ ATTR | join(", ") }}} for x86_64 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b64",
diff --git a/shared/templates/audit_rules_file_deletion_events/ansible.template b/shared/templates/audit_rules_file_deletion_events/ansible.template
index ec732133838..0044dc459dc 100644
--- a/shared/templates/audit_rules_file_deletion_events/ansible.template
+++ b/shared/templates/audit_rules_file_deletion_events/ansible.template
@@ -7,11 +7,11 @@
#
# What architecture are we on?
#
-- name: Set architecture for audit {{{ NAME }}} tasks
+- name: Set architecture for audit {{{ NAME| join(", ") }}} tasks
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-- name: Perform remediattion of Audit rules for {{{ NAME }}} for x86 platform
+- name: Perform remediattion of Audit rules for {{{ NAME| join(", ") }}} for x86 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b32",
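Review bot: `{{{ NAME| join(", ") }}}` omits the space before the pipe, while the sibling templates in this commit write `ATTR | join(", ")` and `SYSCALL | join(", ")`; the same spacing appears on the two other titles of this file in the next hunk. For consistency: `- name: Set architecture for audit {{{ NAME | join(", ") }}} tasks`.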
@@ -30,7 +30,7 @@
syscall_grouping=SYSCALL_GROUPING,
)|indent(4) }}}
-- name: Perform remediattion of Audit rules for {{{ NAME }}} for x86_64 platform
+- name: Perform remediattion of Audit rules for {{{ NAME| join(", ") }}} for x86_64 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b64",
diff --git a/shared/templates/audit_rules_path_syscall/ansible.template b/shared/templates/audit_rules_path_syscall/ansible.template
index 20440a36237..2875aff3573 100644
--- a/shared/templates/audit_rules_path_syscall/ansible.template
+++ b/shared/templates/audit_rules_path_syscall/ansible.template
@@ -7,11 +7,11 @@
#
# What architecture are we on?
#
-- name: Set architecture for audit {{{ SYSCALL }}} tasks
+- name: Set architecture for audit {{{ SYSCALL | join(", ") }}} tasks
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-- name: Perform remediattion of Audit rules for {{{ SYSCALL }}} for x86 platform
+- name: Perform remediattion of Audit rules for {{{ SYSCALL | join(", ") }}} for x86 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b32",
@@ -30,7 +30,7 @@
syscall_grouping=SYSCALL_GROUPING,
)|indent(4) }}}
-- name: Perform remediattion of Audit rules for {{{ SYSCALL }}} for x86_64 platform
+- name: Perform remediattion of Audit rules for {{{ SYSCALL | join(", ") }}} for x86_64 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b64",
diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template
index cb5decc6a6e..a8fdc3978b1 100644
--- a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template
+++ b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template
@@ -7,12 +7,12 @@
#
# What architecture are we on?
#
-- name: Set architecture for audit {{{ NAME }}} tasks
+- name: Set architecture for audit {{{ NAME | join(", ") }}} tasks
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
{{% for EXIT_CODE in ["EACCES","EPERM"] %}}
-- name: Perform remediation of Audit rules for {{{ NAME }}} {{{ EXIT_CODE}}} for x86 platform
+- name: Perform remediation of Audit rules for {{{ NAME | join(", ") }}} {{{ EXIT_CODE}}} for x86 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b32",
@@ -31,7 +31,7 @@
syscall_grouping=SYSCALL_GROUPING,
)|indent(4) }}}
-- name: Perform remediattion of Audit rules for {{{ NAME }}} {{{ EXIT_CODE }}} for x86_64 platform
+- name: Perform remediattion of Audit rules for {{{ NAME | join(", ") }}} {{{ EXIT_CODE }}} for x86_64 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b64",
From 6dd2a0388e025bbbb00bea15c999cc09e140afce Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 18 Aug 2021 13:49:07 +0200
Subject: [PATCH 26/31] Fix typo in audit task block title
---
.../ansible/shared.yml | 4 ++--
.../ansible/shared.yml | 4 ++--
.../audit_rules_kernel_module_loading_init/ansible/shared.yml | 4 ++--
.../directory_access_var_log_audit/ansible/shared.yml | 2 +-
.../templates/audit_rules_dac_modification/ansible.template | 4 ++--
.../audit_rules_file_deletion_events/ansible.template | 4 ++--
shared/templates/audit_rules_path_syscall/ansible.template | 4 ++--
.../audit_rules_privileged_commands/ansible.template | 2 +-
.../ansible.template | 2 +-
9 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml
index 863ba6f0134..f5469c0ebf9 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml
@@ -10,7 +10,7 @@
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-- name: Perform remediattion of Audit rules for delete_module for x86 platform
+- name: Perform remediation of Audit rules for delete_module for x86 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b32",
@@ -29,7 +29,7 @@
syscall_grouping=[],
)|indent(4) }}}
-- name: Perform remediattion of Audit rules for delete_module for x86_64 platform
+- name: Perform remediation of Audit rules for delete_module for x86_64 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b64",
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml
index 268f0a57f11..2e0780af564 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml
@@ -10,7 +10,7 @@
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-- name: Perform remediattion of Audit rules for finit_module for x86 platform
+- name: Perform remediation of Audit rules for finit_module for x86 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b32",
@@ -29,7 +29,7 @@
syscall_grouping=["init_module","finit_module"],
)|indent(4) }}}
-- name: Perform remediattion of Audit rules for finit_module for x86_64 platform
+- name: Perform remediation of Audit rules for finit_module for x86_64 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b64",
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml
index 2155a1835c6..6f6bd1826bc 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml
@@ -10,7 +10,7 @@
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-- name: Perform remediattion of Audit rules for init_module for x86 platform
+- name: Perform remediation of Audit rules for init_module for x86 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b32",
@@ -29,7 +29,7 @@
syscall_grouping=["init_module","finit_module"],
)|indent(4) }}}
-- name: Perform remediattion of Audit rules for init_module for x86_64 platform
+- name: Perform remediation of Audit rules for init_module for x86_64 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b64",
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml
index bc6e929372f..ec17adf5525 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- name: Perform remediattion of Audit rules for /var/log/audit
+- name: Perform remediation of Audit rules for /var/log/audit
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit",
diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template
index ea6fd94ff4b..2c006b451c4 100644
--- a/shared/templates/audit_rules_dac_modification/ansible.template
+++ b/shared/templates/audit_rules_dac_modification/ansible.template
@@ -11,7 +11,7 @@
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-- name: Perform remediattion of Audit rules for {{{ ATTR | join(", ") }}} for x86 platform
+- name: Perform remediation of Audit rules for {{{ ATTR | join(", ") }}} for x86 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b32",
@@ -48,7 +48,7 @@
)|indent(4) }}}
{{%- endif %}}
-- name: Perform remediattion of Audit rules for {{{ ATTR | join(", ") }}} for x86_64 platform
+- name: Perform remediation of Audit rules for {{{ ATTR | join(", ") }}} for x86_64 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b64",
diff --git a/shared/templates/audit_rules_file_deletion_events/ansible.template b/shared/templates/audit_rules_file_deletion_events/ansible.template
index 0044dc459dc..3bb07579463 100644
--- a/shared/templates/audit_rules_file_deletion_events/ansible.template
+++ b/shared/templates/audit_rules_file_deletion_events/ansible.template
@@ -11,7 +11,7 @@
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-- name: Perform remediattion of Audit rules for {{{ NAME| join(", ") }}} for x86 platform
+- name: Perform remediation of Audit rules for {{{ NAME| join(", ") }}} for x86 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b32",
@@ -30,7 +30,7 @@
syscall_grouping=SYSCALL_GROUPING,
)|indent(4) }}}
-- name: Perform remediattion of Audit rules for {{{ NAME| join(", ") }}} for x86_64 platform
+- name: Perform remediation of Audit rules for {{{ NAME| join(", ") }}} for x86_64 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b64",
diff --git a/shared/templates/audit_rules_path_syscall/ansible.template b/shared/templates/audit_rules_path_syscall/ansible.template
index 2875aff3573..fcd2bda3bab 100644
--- a/shared/templates/audit_rules_path_syscall/ansible.template
+++ b/shared/templates/audit_rules_path_syscall/ansible.template
@@ -11,7 +11,7 @@
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-- name: Perform remediattion of Audit rules for {{{ SYSCALL | join(", ") }}} for x86 platform
+- name: Perform remediation of Audit rules for {{{ SYSCALL | join(", ") }}} for x86 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b32",
@@ -30,7 +30,7 @@
syscall_grouping=SYSCALL_GROUPING,
)|indent(4) }}}
-- name: Perform remediattion of Audit rules for {{{ SYSCALL | join(", ") }}} for x86_64 platform
+- name: Perform remediation of Audit rules for {{{ SYSCALL | join(", ") }}} for x86_64 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b64",
diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template
index b1788b59b8a..e9ef084984a 100644
--- a/shared/templates/audit_rules_privileged_commands/ansible.template
+++ b/shared/templates/audit_rules_privileged_commands/ansible.template
@@ -7,7 +7,7 @@
# complexity = low
# disruption = low
-- name: Perform remediattion of Audit rules for {{{ PATH }}}
+- name: Perform remediation of Audit rules for {{{ PATH }}}
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit",
diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template
index a8fdc3978b1..6cf90e11863 100644
--- a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template
+++ b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template
@@ -31,7 +31,7 @@
syscall_grouping=SYSCALL_GROUPING,
)|indent(4) }}}
-- name: Perform remediattion of Audit rules for {{{ NAME | join(", ") }}} {{{ EXIT_CODE }}} for x86_64 platform
+- name: Perform remediation of Audit rules for {{{ NAME | join(", ") }}} {{{ EXIT_CODE }}} for x86_64 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b64",
From fe88dfbf2b4c7acd0a196512d2868f19b9b89f33 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 18 Aug 2021 17:21:32 +0200
Subject: [PATCH 27/31] Reset the tracking of syscalls found per file
When running a playbook profile, the facts tracking syscalls found per file were accumulating over the entire
run.
---
shared/macros-ansible.jinja | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index b5574da29ac..b26966238a2 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -422,15 +422,20 @@ The macro requires following parameters:
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
+- name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
- name: Declare syscalls found per file
- set_fact: syscalls_per_file="{{ syscalls_per_file | default({}) | combine( {item.files[0].path :[item.item]+(syscalls_per_file | default({})).get(item.files[0].path, []) } ) }}"
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: "{{ find_command.results | selectattr('matched') | list}}"
- name: Declare files where syscalls where found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
- set_fact: found_paths_dict="{{ found_paths_dict | default({}) | combine({ item:1+(found_paths_dict | default({})).get(item, 0) }) }}"
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"
- name: Get path with most syscalls
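Review bot: The rewritten `syscalls_per_file` fact in `Declare syscalls found per file` still keys only on `item.files[0].path`, so if a syscall's pattern matches in more than one rules file (the find task's scope is outside this hunk, so I cannot confirm whether that can happen) the extra files are silently dropped there while `Count occurrences of syscalls in paths` counts every matched file, and the two facts can disagree about which file holds which syscall. If a single match per syscall is guaranteed, say so next to the task: `# find is expected to match each syscall in at most one rules file; only files[0] is tracked`; otherwise loop over `find_command.results | selectattr('matched') | subelements('files')` and key on `item.1.path`. The new reset task is correct but would benefit from a why-comment such as `# set_fact values persist for the whole play; clear them so rules do not see each other's matches`, since without it the task looks redundant and may be removed. The macro body continues outside the hunk.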
From 34a66912886e979fac132346074e556c36336b0c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Aug 2021 12:32:25 +0200
Subject: [PATCH 28/31] Create audit rules without permissions for others
---
shared/bash_remediation_functions/fix_audit_syscall_rule.sh | 1 +
shared/macros-ansible.jinja | 2 ++
2 files changed, 3 insertions(+)
diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
index 5cc130a0236..d95aedba395 100644
--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
@@ -204,6 +204,7 @@ then
local auid_string=$([[ $auid_filters ]] && echo " $auid_filters")
local full_rule="${action_arch_filters}${syscall_string}${other_string}${auid_string} -F key=${key}"
echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
else
# Check if the syscalls are declared as a comma separated list or
# as multiple -S parameters
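Review bot: `chmod o-rwx ${default_file}` leaves the path unquoted and its status unchecked, so a path containing whitespace or a glob character is word-split and a leading dash is parsed as an option; it should read `chmod o-rwx -- "$default_file"`, matching the quoting already used on the `echo "$full_rule" >> "$default_file"` line above it. Because `>>` creates a missing rules file with umask-derived permissions before the chmod narrows them, there is a brief window where a freshly created file may be world-readable; if that matters here, run the append under a restrictive umask, e.g. `(umask 027; echo "$full_rule" >> "$default_file")`, and keep the chmod for pre-existing files. The `else` branch that amends an existing rule never adjusts the file mode, so a rules file that already existed keeps whatever permissions it had — worth a comment if that is intended. The enclosing function starts and ends outside this hunk.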
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index b26966238a2..6c9c53a07db 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -467,6 +467,7 @@ The macro requires following parameters:
path: '{{ audit_file }}'
line: "{{{ action_arch_filters }}}{{{ syscall_flag }}}{{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
create: true
+ mode: o-rwx
state: present
when: syscalls_found | length == 0
{{%- endmacro %}}
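Review bot: `mode: o-rwx` is attached to a `lineinfile` task guarded by `when: syscalls_found | length == 0`, so it only takes effect when a brand-new rule line is written; the sibling tasks that amend an existing rule line (outside this hunk) do not appear to set a mode, meaning a rules file that already exists with other-readable permissions keeps them on that path. If the intent is that every audit rules file ends up without permissions for others, either add the same `mode: o-rwx` to those sibling `lineinfile` tasks or add one unconditional `file:` task after the branches, e.g. `- name: Restrict permissions on {{ audit_file }}` / `file: path: '{{ audit_file }}' mode: o-rwx`. The identical line is added to the second macro in the next hunk of this file, so whichever fix is chosen should be mirrored there. The macro body starts outside the hunk.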
@@ -535,6 +536,7 @@ The macro requires following parameters:
path: '{{ audit_file }}'
line: "{{{ action_arch_filters }}}{{{ syscall_flag }}}{{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
create: true
+ mode: o-rwx
state: present
when: syscalls_found | length == 0
{{%- endmacro %}}
From 181a0f9aacbcf7340ce0931907bd7ae1db0cf478 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Aug 2021 14:48:08 +0200
Subject: [PATCH 29/31] Remove trailing space from perm field
Otherwise the rule will be added with two spaces between other_filters
and auid_filters.
---
shared/templates/audit_rules_privileged_commands/bash.template | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
index b5879085a45..5af362df800 100644
--- a/shared/templates/audit_rules_privileged_commands/bash.template
+++ b/shared/templates/audit_rules_privileged_commands/bash.template
@@ -1,5 +1,5 @@
{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
- {{%- set perm_x=" -F perm=x " %}}
+ {{%- set perm_x=" -F perm=x" %}}
{{%- endif %}}
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
From c94454fd4409b69e24012b006266637e17982be8 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Aug 2021 14:54:57 +0200
Subject: [PATCH 30/31] Fix typos in task titles
---
shared/macros-ansible.jinja | 2 +-
.../audit_rules_file_deletion_events/ansible.template | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 6c9c53a07db..ed3881d054c 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -431,7 +431,7 @@ The macro requires following parameters:
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: "{{ find_command.results | selectattr('matched') | list}}"
-- name: Declare files where syscalls where found
+- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
diff --git a/shared/templates/audit_rules_file_deletion_events/ansible.template b/shared/templates/audit_rules_file_deletion_events/ansible.template
index 3bb07579463..f09ce12d87a 100644
--- a/shared/templates/audit_rules_file_deletion_events/ansible.template
+++ b/shared/templates/audit_rules_file_deletion_events/ansible.template
@@ -7,11 +7,11 @@
#
# What architecture are we on?
#
-- name: Set architecture for audit {{{ NAME| join(", ") }}} tasks
+- name: Set architecture for audit {{{ NAME | join(", ") }}} tasks
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-- name: Perform remediation of Audit rules for {{{ NAME| join(", ") }}} for x86 platform
+- name: Perform remediation of Audit rules for {{{ NAME | join(", ") }}} for x86 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b32",
@@ -30,7 +30,7 @@
syscall_grouping=SYSCALL_GROUPING,
)|indent(4) }}}
-- name: Perform remediation of Audit rules for {{{ NAME| join(", ") }}} for x86_64 platform
+- name: Perform remediation of Audit rules for {{{ NAME | join(", ") }}} for x86_64 platform
block:
{{{ ansible_audit_augenrules_add_syscall_rule(
action_arch_filters="-a always,exit -F arch=b64",
From a5e99060b4856298ffc9f2a75a611a2eefb9b4de Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Aug 2021 15:35:25 +0200
Subject: [PATCH 31/31] Fix Ansible linter issue
Variables should have spaces before and after
---
shared/macros-ansible.jinja | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index ed3881d054c..b9536439c50 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -429,7 +429,7 @@ The macro requires following parameters:
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
- loop: "{{ find_command.results | selectattr('matched') | list}}"
+ loop: "{{ find_command.results | selectattr('matched') | list }}"
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"