From 0be72ebcc3b8782ed617a8e99b1f188e4072f8a2 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 17 Apr 2020 14:51:57 +0200
Subject: [PATCH 1/5] create tests

---
 .../tests/auditctl_correct.pass.sh                         | 6 ++++++
 .../tests/auditctl_missing.fail.sh                         | 6 ++++++
 .../tests/auditctl_wrong_value.fail.sh                     | 7 +++++++
 .../tests/augen_correct.pass.sh                            | 3 +++
 .../tests/augen_missing.fail.sh                            | 3 +++
 .../tests/augen_wrong_value.fail.sh                        | 4 ++++
 6 files changed, 29 insertions(+)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_missing.fail.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_wrong_value.fail.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_missing.fail.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_wrong_value.fail.sh

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh
new file mode 100644
index 0000000000..398980456a
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# use auditctl
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+echo "-w /etc/selinux/ -p wa -k MAC-policy" > /etc/audit/audit.rules
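Review bot: The `sed` on the fourth line edits the vendor unit under /usr/lib/systemd/system in place and silently does nothing when no `ExecStartPost=` line is present, so the scenario can remain in augenrules mode, where `/etc/audit/audit.rules` is regenerated from `rules.d/` on load and the line written by the last command is not what the check ends up seeing. A guard after the `sed`, `grep -q '^ExecStartPost=-/sbin/auditctl$' /usr/lib/systemd/system/auditd.service || exit 1`, makes the scenario fail loudly instead of passing or failing for the wrong reason. The same three lines are repeated verbatim in the other two `auditctl_*` scripts and would be better kept in one place if the test suite has a shared helper. The redirect also truncates `audit.rules`, dropping any `-D`/`-b` control lines; harmless on a throwaway image, but worth a comment such as `# overwrite the whole file on purpose: only the MAC-policy watch matters here`.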
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_missing.fail.sh
new file mode 100644
index 0000000000..733436ecaf
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_missing.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# use auditctl
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+echo "some value" > /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_wrong_value.fail.sh
new file mode 100644
index 0000000000..9ef870a12b
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_wrong_value.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# use auditctl
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+echo "-w /etc/passwd -p w -k MAC-policy" > /etc/audit/audit.rules
+
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh
new file mode 100644
index 0000000000..a814e1b7ea
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "-w /etc/selinux/ -p wa -k MAC-policy" > /etc/audit/rules.d/MAC-policy.rules
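Review bot: Unlike the `auditctl_*` scripts, this scenario never sets `ExecStartPost=` back to `augenrules --load`, so it relies on the image still being in the default mode; if the harness does not restore the image between scenarios, a preceding auditctl run leaves the unit pointing at `/sbin/auditctl` and this pass scenario is evaluated against `/etc/audit/audit.rules` rather than the file it writes. Making the precondition explicit with `sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/augenrules --load%" /usr/lib/systemd/system/auditd.service` keeps the scenario self-contained and mirrors the auditctl scripts.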
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_missing.fail.sh
new file mode 100644
index 0000000000..0997495e4b
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_missing.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -rf /etc/audit/rules.d/*
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_wrong_value.fail.sh
new file mode 100644
index 0000000000..2208fcd089
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_wrong_value.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+rm -rf /etc/audit/rules.d/*
+echo "-w /etc/group -p w -k MAC-policy" > /etc/audit/rules.d/MAC-policy.rules

From 62aa3afacab14b888da8b8af28ac60d10c400c7f Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 17 Apr 2020 15:15:10 +0200
Subject: [PATCH 2/5] add ansible remediation

---
 .../ansible/shared.yml                        | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml
new file mode 100644
index 0000000000..c2e0aa856d
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml
@@ -0,0 +1,46 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+
+#
+# Inserts/replaces the rule in /etc/audit/rules.d
+#
+- name: Search /etc/audit/rules.d for other MAC modification audit rules
+  find:
+    paths: "/etc/audit/rules.d"
+    recurse: no
+    contains: "-k MAC-policy$"
+    patterns: "*.rules"
+  register: find_mac
+
+- name: If existing MAC modification ruleset not found, use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule
+  set_fact:
+    all_files:
+      - /etc/audit/rules.d/MAC-policy.rules
+  when: find_mac.matched is defined and find_mac.matched == 0
+
+- name: Use matched file as the recipient for the rule
+  set_fact:
+    all_files:
+      - "{{ find_mac.files | map(attribute='path') | list | first }}"
+  when: find_mac.matched is defined and find_mac.matched > 0
+
+- name: Inserts/replaces the MAC modification rule in rules.d
+  lineinfile:
+    path: "{{ all_files[0] }}"
+    line: "-w /etc/selinux/ -p wa -k MAC-policy"
+    create: yes
+
+
+#   
+# Inserts/replaces the rule in /etc/audit/audit.rules
+#
+- name: Inserts/replaces the MAC modifications rule in /etc/audit/audit.rules
+  lineinfile:
+    line: "-w /etc/selinux/ -p wa -k MAC-policy"
+    state: present
+    dest: /etc/audit/audit.rules
+    create: yes
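Review bot: The `contains: "-k MAC-policy$"` filter in the first `find` task looks wrong for what its name asks for: Ansible's `find` applies `contains` to each line with a start-anchored match (the 2.9-era module used `re.match`, not `re.search`), so a full rule line such as `-w /etc/selinux/ -p wa -k MAC-policy` never matches, the "Use matched file" branch is dead and every run falls through to `MAC-policy.rules` — worth confirming against the controller's Ansible version. `contains: '^.*-k\s+MAC-policy\s*$'` matches under either semantics. Separately, both `lineinfile` tasks carry no `regexp`, so despite the "Inserts/replaces" names they only append the exact line: a pre-existing variant (different key, `-p aw`, no trailing slash) is kept and a second watch is added rather than replaced. Either rename the tasks to "Ensure the MAC modification rule is present" or add `regexp: '^\s*-w\s+/etc/selinux/?\s+-p\s+'` so the existing line is rewritten in place.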

From 2d84f563fc8f083e0356b82dced0cc5f4960bcf6 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 20 Apr 2020 15:55:11 +0200
Subject: [PATCH 3/5] check for already existing rule before remediation

---
 .../ansible/shared.yml                        | 24 ++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml
index c2e0aa856d..656707eafc 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml
@@ -4,35 +4,52 @@
 # complexity = low
 # disruption = low
 
+- name: detect if rule does not already exist in /etc/audit/rules.d/*
+  find:
+    paths: "/etc/audit/rules.d"
+    recurse: no
+    contains: '-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+'
+    patterns: "*.rules"
+  register: find_existing_rules_d
+
+- name: detect if rule does not already exist in /etc/audit/audit.rules
+  find:
+    paths: "/etc/audit/"
+    contains: '-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+'
+    patterns: "audit.rules"
+  register: find_existing_audit_rules
+
 
 #
 # Inserts/replaces the rule in /etc/audit/rules.d
 #
-- name: Search /etc/audit/rules.d for other MAC modification audit rules
+- name: Search /etc/audit/rules.d for other rules with MAC-policy key
   find:
     paths: "/etc/audit/rules.d"
     recurse: no
     contains: "-k MAC-policy$"
     patterns: "*.rules"
   register: find_mac
+  when: find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0
 
 - name: If existing MAC modification ruleset not found, use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule
   set_fact:
     all_files:
       - /etc/audit/rules.d/MAC-policy.rules
-  when: find_mac.matched is defined and find_mac.matched == 0
+  when: find_mac.matched is defined and find_mac.matched == 0 and find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0
 
 - name: Use matched file as the recipient for the rule
   set_fact:
     all_files:
       - "{{ find_mac.files | map(attribute='path') | list | first }}"
-  when: find_mac.matched is defined and find_mac.matched > 0
+  when: find_mac.matched is defined and find_mac.matched > 0 and find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0
 
 - name: Inserts/replaces the MAC modification rule in rules.d
   lineinfile:
     path: "{{ all_files[0] }}"
     line: "-w /etc/selinux/ -p wa -k MAC-policy"
     create: yes
+  when: find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0
 
 
 #   
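Review bot: The presence regex `-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+` is written out twice (once per new `find` task) and decides presence on path and permissions alone, so a pre-existing watch with another key (say `-k mac_policy`) suppresses the insertion and the remediation finishes without the `MAC-policy` key the rule is named after — acceptable if the check accepts any key, which I cannot see from here, but it deserves a comment on the task such as `# an existing /etc/selinux/ watch with any key counts as compliant`. The trailing `+` in `(\s|$)+` is a no-op; `(?:\s|$)` says the same. Pulling the pattern into a single `set_fact` (or a `vars:` entry) consumed by both `find` tasks would stop the two copies drifting apart, which is exactly the double edit the follow-up anchoring commit has to make.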
@@ -44,3 +61,4 @@
     state: present
     dest: /etc/audit/audit.rules
     create: yes
+  when: find_existing_audit_rules.matched is defined and find_existing_audit_rules.matched == 0

From db78a47435f5136ce3ab9f8593547630c5205e9a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 20 Apr 2020 17:07:59 +0200
Subject: [PATCH 4/5] feedback to review

anchoring regexes, name fixes
---
 .../ansible/shared.yml                        | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml
index 656707eafc..8622138f82 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml
@@ -4,20 +4,20 @@
 # complexity = low
 # disruption = low
 
-- name: detect if rule does not already exist in /etc/audit/rules.d/*
+- name: Check if rule does not already exist in /etc/audit/rules.d/*
   find:
     paths: "/etc/audit/rules.d"
     recurse: no
-    contains: '-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+'
+    contains: '^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+'
     patterns: "*.rules"
-  register: find_existing_rules_d
+  register: find_existing_mac_rules_d
 
-- name: detect if rule does not already exist in /etc/audit/audit.rules
+- name: Check if rule does not already exist in /etc/audit/audit.rules
   find:
     paths: "/etc/audit/"
-    contains: '-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+'
+    contains: '^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+'
     patterns: "audit.rules"
-  register: find_existing_audit_rules
+  register: find_existing_mac_audit_rules
 
 
 #
@@ -29,27 +29,27 @@
     recurse: no
     contains: "-k MAC-policy$"
     patterns: "*.rules"
-  register: find_mac
-  when: find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0
+  register: find_mac_key
+  when: find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0
 
 - name: If existing MAC modification ruleset not found, use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule
   set_fact:
     all_files:
       - /etc/audit/rules.d/MAC-policy.rules
-  when: find_mac.matched is defined and find_mac.matched == 0 and find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0
+  when: find_mac_key.matched is defined and find_mac_key.matched == 0 and find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0
 
 - name: Use matched file as the recipient for the rule
   set_fact:
     all_files:
-      - "{{ find_mac.files | map(attribute='path') | list | first }}"
-  when: find_mac.matched is defined and find_mac.matched > 0 and find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0
+      - "{{ find_mac_key.files | map(attribute='path') | list | first }}"
+  when: find_mac_key.matched is defined and find_mac_key.matched > 0 and find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0
 
 - name: Inserts/replaces the MAC modification rule in rules.d
   lineinfile:
     path: "{{ all_files[0] }}"
     line: "-w /etc/selinux/ -p wa -k MAC-policy"
     create: yes
-  when: find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0
+  when: find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0
 
 
 #   
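Review bot: The two presence regexes gained a `^\s*` anchor in this commit, but the `-k MAC-policy$` pattern on the context line above `register: find_mac_key` was left untouched, so the three `find` filters now follow different conventions. If `find` applies the pattern from the start of each line, that pattern only matches a line consisting of nothing but the key, and `^.*-k\s+MAC-policy\s*$` would be the consistent form. The `find` task this pattern belongs to begins before the hunk.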
@@ -61,4 +61,4 @@
     state: present
     dest: /etc/audit/audit.rules
     create: yes
-  when: find_existing_audit_rules.matched is defined and find_existing_audit_rules.matched == 0
+  when: find_existing_mac_audit_rules.matched is defined and find_existing_mac_audit_rules.matched == 0

From ba04156742e3f577f4b4144136ccacb7edf034ae Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 21 Apr 2020 11:11:20 +0200
Subject: [PATCH 5/5] cosmetic fixes

---
 .../audit_rules_mac_modification/ansible/shared.yml       | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml
index 8622138f82..65d935c8f4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml
@@ -4,7 +4,11 @@
 # complexity = low
 # disruption = low
 
-- name: Check if rule does not already exist in /etc/audit/rules.d/*
+#
+# check if rules already exist
+#
+
+- name: Check if rule already exists in /etc/audit/rules.d/*
   find:
     paths: "/etc/audit/rules.d"
     recurse: no
@@ -12,7 +16,7 @@
     patterns: "*.rules"
   register: find_existing_mac_rules_d
 
-- name: Check if rule does not already exist in /etc/audit/audit.rules
+- name: Check if rule already exists in /etc/audit/audit.rules
   find:
     paths: "/etc/audit/"
     contains: '^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+'