From 03c44366cd4bc16808e000eac7b3eb548851cb1a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 29 Apr 2020 10:59:43 +0200
Subject: [PATCH 1/4] Add Ansible remediations for syscall time changes
Uses Ansible audit macros to add remediations for:
- adjtimex
- settimeofday
- stime
---
.../ansible/shared.yml | 20 +++++++++++++++++++
.../ansible/shared.yml | 20 +++++++++++++++++++
.../audit_rules_time_stime/ansible/shared.yml | 14 +++++++++++++
3 files changed, 54 insertions(+)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
new file mode 100644
index 0000000000..2ecbf5f998
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
@@ -0,0 +1,20 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Set architecture for audit tasks
+ set_fact:
+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
+
+- name: Perform remediation of Audit rules for adjtimex for x86 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
+
+- name: Perform remediation of Audit rules for adjtimex for x86_64 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch=b64, syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
+ when: audit_arch == "b64"
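Review bot: The `audit_arch` fact derived at line 31 only yields `b64` when `ansible_architecture` ends in two digits, so on `ppc64le` (ends in `le`) and `s390x` (ends in `x`) the regex does not match, the fact becomes e.g. `bppc64le`, and the b64 block guarded by `when: audit_arch == "b64"` is silently skipped even though the file is marked `platform = multi_platform_all`. A deterministic mapping avoids the trailing-digit heuristic, e.g. `audit_arch: "{{ 'b64' if ansible_architecture in ['x86_64', 'aarch64', 'ppc64le', 's390x'] else 'b32' }}"` (constructed example; confirm the list against the architectures this content ships for). The same fact derivation is repeated in the settimeofday hunk below and should be changed there as well. Since the guard keys on the ABI rather than the CPU family, the task names would also read more accurately as "32-bit ABI" / "64-bit ABI" instead of "x86" / "x86_64".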
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
new file mode 100644
index 0000000000..e97a752298
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
@@ -0,0 +1,20 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Set architecture for audit tasks
+ set_fact:
+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
+
+- name: Perform remediation of Audit rules for settimeofday for x86 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
+
+- name: Perform remediation of Audit rules for settimeofday for x86_64 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch=b64, syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
+ when: audit_arch == "b64"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
new file mode 100644
index 0000000000..b1e9380781
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
@@ -0,0 +1,14 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Set architecture for audit tasks
+ set_fact:
+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
+
+- name: Perform remediation of Audit rules for stime syscall for x86 platform
+ block:
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["stime"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["stime"], key="audit_time_rules")|indent(4) }}}
From c004e5bdceb4a942585adff1cb085165e6dcbc1b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 29 Apr 2020 12:02:23 +0200
Subject: [PATCH 2/4] time_adjtimex: Rename, simplify and add tests
---
.../tests/correct_syscall.pass.sh | 7 +++++++
.../audit_rules_time_adjtimex/tests/correct_value.pass.sh | 8 --------
.../tests/line_not_there.fail.sh | 5 -----
.../tests/syscall_not_there.fail.sh | 5 +++++
4 files changed, 12 insertions(+), 13 deletions(-)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_syscall.pass.sh
delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_value.pass.sh
delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/line_not_there.fail.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/syscall_not_there.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_syscall.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_syscall.pass.sh
new file mode 100644
index 0000000000..51c8e8705e
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_syscall.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_cis
+
+rm -rf /etc/audit/rules.d/*.rules
+echo "-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules" >> /etc/audit/rules.d/time.rules
+echo "-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules" >> /etc/audit/rules.d/time.rules
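Review bot: This pass scenario only exercises the `-k audit_time_rules` spelling of the key, while the regex in the deleted correct_value.pass.sh shows the check also accepts the `-F key=` form; with that test gone, nothing pins the alternative spelling any more. Consider a second pass test, or a second pair of lines here, using `-F key=audit_time_rules` so a future tightening of the OVAL regex is caught. The profile tag changes from ospp to cis in the same commit; it is worth confirming the rule is actually selected by the cis profile, otherwise the test is never run.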
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_value.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_value.pass.sh
deleted file mode 100644
index d37d624763..0000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_value.pass.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-# profiles = xccdf_org.ssgproject.content_profile_ospp
-
-if grep -qv "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$" /etc/audit/rules.d/*.rules; then
- echo "-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules" >> /etc/audit/rules.d/time.rules
- echo "-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules" >> /etc/audit/rules.d/time.rules
-fi
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/line_not_there.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/line_not_there.fail.sh
deleted file mode 100644
index bdf8c837f2..0000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/line_not_there.fail.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-
-# profiles = xccdf_org.ssgproject.content_profile_ospp
-
-sed -i "/^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$/d" /etc/audit/rules.d/*.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/syscall_not_there.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/syscall_not_there.fail.sh
new file mode 100644
index 0000000000..73eec5e777
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/syscall_not_there.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_cis
+
+rm -rf /etc/audit/rules.d/*.rules
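Review bot: The scenario named syscall_not_there only removes every rule file, so it actually tests "no audit rules at all" rather than "adjtimex missing while other time rules exist", and it cannot distinguish a check that keys on the specific syscall from one that merely keys on the file being non-empty. Adding an unrelated rule after the cleanup makes the fail case specific, e.g. `echo "-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules" >> /etc/audit/rules.d/time.rules`.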
From f09c6fd53814d00d85a1ca311887dea11c48d3ad Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 30 Apr 2020 10:47:00 +0200
Subject: [PATCH 3/4] Add Ansible remedation to watch for time changes
---
.../audit_rules_time_watch_localtime/ansible/shared.yml | 8 ++++++++
1 file changed, 8 insertions(+)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/ansible/shared.yml
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/ansible/shared.yml
new file mode 100644
index 0000000000..629dea88bb
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_audit_augenrules_add_watch_rule(path="/etc/localtime", permissions="wa", key="audit_time_rules") }}}
+{{{ ansible_audit_auditctl_add_watch_rule(path="/etc/localtime", permissions="wa", key="audit_time_rules") }}}
From fe5e3be44528cd331ab7697daa2d0373e01d8d62 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 30 Apr 2020 16:32:08 +0200
Subject: [PATCH 4/4] Fix arch parameter and useless arch task
---
.../audit_rules_time_adjtimex/ansible/shared.yml | 4 ++--
.../audit_rules_time_settimeofday/ansible/shared.yml | 4 ++--
.../audit_rules_time_stime/ansible/shared.yml | 6 +-----
3 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
index 2ecbf5f998..921b8e34cb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
@@ -10,11 +10,11 @@
- name: Perform remediation of Audit rules for adjtimex for x86 platform
block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
{{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
- name: Perform remediation of Audit rules for adjtimex for x86_64 platform
block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch=b64, syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
{{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
when: audit_arch == "b64"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
index e97a752298..b1a25c2776 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
@@ -10,11 +10,11 @@
- name: Perform remediation of Audit rules for settimeofday for x86 platform
block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
{{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
- name: Perform remediation of Audit rules for settimeofday for x86_64 platform
block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch=b64, syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
{{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
when: audit_arch == "b64"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
index b1e9380781..b57c71ce21 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
@@ -4,11 +4,7 @@
# complexity = low
# disruption = low
-- name: Set architecture for audit tasks
- set_fact:
- audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-
- name: Perform remediation of Audit rules for stime syscall for x86 platform
block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["stime"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["stime"], key="audit_time_rules")|indent(4) }}}
{{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["stime"], key="audit_time_rules")|indent(4) }}}
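Review bot: Dropping the arch task and keeping only a b32 block is correct for stime, but the file now looks asymmetric next to the adjtimex and settimeofday remediations and nothing explains why there is no b64 block; a one-line comment above the task would stop a future contributor from "fixing" it by adding one, e.g. `# stime has no 64-bit ABI entry, so only the b32 rule is needed (no audit_arch fact required)`. The `x86 platform` wording in the task name is the only remaining hint of the 32-bit-only scope and could be rephrased as "32-bit ABI" for clarity.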