From c0edf5074b0b8dd7ed7cfab74a8b4f278b0e51c5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 29 Apr 2020 12:57:58 +0200
Subject: [PATCH 1/2] add ansible remediation
---
.../audit_rules_session_events/ansible/shared.yml | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml
new file mode 100644
index 0000000000..08694d3032
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_audit_augenrules_add_watch_rule(path='/var/run/utmp', permissions='wa', key='session') }}}
+{{{ ansible_audit_auditctl_add_watch_rule(path='/var/run/utmp', permissions='wa', key='session') }}}
+{{{ ansible_audit_augenrules_add_watch_rule(path='/var/log/btmp', permissions='wa', key='session') }}}
+{{{ ansible_audit_auditctl_add_watch_rule(path='/var/log/btmp', permissions='wa', key='session') }}}
+{{{ ansible_audit_augenrules_add_watch_rule(path='/var/log/wtmp', permissions='wa', key='session') }}}
+{{{ ansible_audit_auditctl_add_watch_rule(path='/var/log/wtmp', permissions='wa', key='session') }}}
From b8d3dc253ee62a5c4e725b2a89ab6f22f4870e66 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 29 Apr 2020 12:58:17 +0200
Subject: [PATCH 2/2] att tests
---
.../tests/auditctl_correct.pass.sh | 11 +++++++++++
.../tests/auditctl_rules_missing.fail.sh | 7 +++++++
.../tests/augen_correct.pass.ah | 9 +++++++++
.../tests/augen_partial_rules.fail.sh | 6 ++++++
.../tests/augen_rules_missing.fail.sh | 3 +++
5 files changed, 36 insertions(+)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_correct.pass.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_rules_missing.fail.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_correct.pass.ah
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_partial_rules.fail.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_rules_missing.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_correct.pass.sh
new file mode 100644
index 0000000000..82d53db8e5
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_correct.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# use auditctl
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+rm -rf /etc/audit/rules.d/*
+rm /etc/audit/audit.rules
+
+echo "-w /var/run/utmp -p wa -k session" >> /etc/audit/audit.rules
+echo "-w /var/log/btmp -p wa -k session" >> /etc/audit/audit.rules
+echo "-w /var/log/wtmp -p wa -k session" >> /etc/audit/audit.rules
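Review bot: The `rm /etc/audit/audit.rules` following `rm -rf /etc/audit/rules.d/*` has no `-f`, so when the file is already absent it prints an error and returns non-zero; augen_partial_rules.fail.sh uses `rm -f` for the same step, while auditctl_rules_missing.fail.sh and augen_correct.pass.ah repeat the bare form. Whether that non-zero status aborts the scenario depends on how the harness runs these scripts, which is not visible here, but the inconsistency makes the setup fragile either way. Change it to `rm -f /etc/audit/audit.rules` in all three scripts. A one-line comment above the `sed` such as `# switch auditd to loading /etc/audit/audit.rules via auditctl instead of augenrules` would also make the intent of the ExecStartPost edit clear to readers of the test.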
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_rules_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_rules_missing.fail.sh
new file mode 100644
index 0000000000..a9bac580e8
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_rules_missing.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# use auditctl
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+rm -rf /etc/audit/rules.d/*
+rm /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_correct.pass.ah b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_correct.pass.ah
new file mode 100644
index 0000000000..32e5686026
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_correct.pass.ah
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+rm -rf /etc/audit/rules.d/*
+rm /etc/audit/audit.rules
+
+echo "-w /var/run/utmp -p wa -k session" >> /etc/audit/rules.d/session.rules
+echo "-w /var/log/btmp -p wa -k session" >> /etc/audit/rules.d/session.rules
+echo "-w /var/log/wtmp -p wa -k session" >> /etc/audit/rules.d/session.rules
+
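Review bot: The new file is named augen_correct.pass.ah instead of augen_correct.pass.sh (see the `+++ b/...` header and the diffstat); if the test harness discovers scenarios by the `.sh` suffix, which I cannot confirm from the patch, this positive augenrules scenario is never executed and the remediation is left with only failing cases to validate against. Rename the file to `augen_correct.pass.sh`. The `rm /etc/audit/audit.rules` line has the same missing `-f` raised on auditctl_correct.pass.sh.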
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_partial_rules.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_partial_rules.fail.sh
new file mode 100644
index 0000000000..26862281f7
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_partial_rules.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+rm -rf /etc/audit/rules.d/*
+rm -f /etc/audit/audit.rules
+
+echo "-w /var/run/utmp -p wa -k session" >> /etc/audit/audit.rules
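Review bot: The single rule on the last line is appended to `/etc/audit/audit.rules`, but this is an augenrules scenario, where augen_correct.pass.ah places rules under `/etc/audit/rules.d/`; augenrules regenerates audit.rules from that directory, so the partial rule is likely discarded and the scenario degenerates into the same state as augen_rules_missing.fail.sh rather than testing a genuinely partial rule set. Write the rule to the rules.d file instead, `echo "-w /var/run/utmp -p wa -k session" >> /etc/audit/rules.d/session.rules`, so the check is exercised against one present and two missing watches.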
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_rules_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_rules_missing.fail.sh
new file mode 100644
index 0000000000..0997495e4b
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_rules_missing.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -rf /etc/audit/rules.d/*
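Review bot: This scenario clears only `/etc/audit/rules.d/*` and leaves `/etc/audit/audit.rules` in whatever state the image has, unlike every other script in this series, which removes both. If a pre-existing audit.rules already carries the utmp/btmp/wtmp watches, the check may pass and the "missing" scenario would not fail as intended; that depends on the test image, which the patch does not show. Add `rm -f /etc/audit/audit.rules` after the `rm -rf` line to make the starting state match the sibling scripts.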