diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml
new file mode 100644
index 0000000000..31b65a0833
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml
@@ -0,0 +1,38 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Search /etc/audit/rules.d for audit rule entries
+  find:
+    paths: /etc/audit/rules.d
+    recurse: false
+    contains: ^.*dir=/var/log/audit/.*$
+    patterns: '*.rules'
+  register: find_var_log_audit
+- name: Use /etc/audit/rules.d/access-audit-trail.rules as the recipient for the rule
+  set_fact:
+    all_files:
+      - /etc/audit/rules.d/access-audit-trail.rules
+  when: find_var_log_audit.matched == 0
+- name: Use matched file as the recipient for the rule
+  set_fact:
+    all_files:
+      - '{{ find_var_log_audit.files | map(attribute=''path'') | list | first }}'
+  when: find_var_log_audit.matched > 0
+- name: Inserts/replaces the /var/log/audit/ rule in rules.d
+  lineinfile:
+    path: '{{ all_files[0] }}'
+    line: -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset
+      -F key=access-audit-trail
+    create: true
+- name: Inserts/replaces the /var/log/audit/ rule in audit.rules
+  lineinfile:
+    path: /etc/audit/audit.rules
+    line: -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset
+      -F key=access-audit-trail
+    create: true
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
new file mode 100644
index 0000000000..515bef7b85
--- /dev/null
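Review bot: Neither `lineinfile` task carries a `regexp`, so despite their "Inserts/replaces" names they only append the line when it is not already present byte-for-byte; a pre-existing `dir=/var/log/audit/` rule with a different `perm=` or `auid>=` value — exactly what the preceding `find` task located — is left in place beside the new one, leaving two watches on the same directory. Adding `regexp: '^-a always,exit -F dir=/var/log/audit/ .*$'` to both tasks would make the rewrite actually replace the stale rule; that would also overwrite a rule on the directory with a different key or permission set, so confirm that scope is intended. The `line:` value is a multi-line plain scalar that YAML folds into one line joined by a single space, which is what the rule needs, but a comment such as `# plain-scalar continuation: folded into one line with a single space` (or a quoted single-line value) would make that intent visible to the next reader.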
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
@@ -0,0 +1,11 @@
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8, multi_platform_fedora, multi_platform_ol,multi_platform_rhv
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+PATTERN="-a always,exit -F path=/var/log/audit/\\s\\+.*"
+GROUP="access-audit-trail"
+FULL_RULE="-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset -F key=access-audit-trail"
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh
index e9b1d56af3..2a8a51ff2e 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 # Use auditctl in RHEL7
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh
index 1c68a3229b..ba4086d9b7 100644
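Review bot: `PATTERN` searches for `-F path=/var/log/audit/` while `FULL_RULE` (and the Ansible counterpart's `contains:` regex) writes `-F dir=/var/log/audit/`, so the pattern can never match the rule this script installs or an existing `dir=` watch on the directory; presumably `fix_audit_syscall_rule` then treats the rule as absent and appends it on every run instead of updating in place, though that helper lives in `remediation_functions` outside this hunk. Change the pattern to `PATTERN="-a always,exit -F dir=/var/log/audit/\\s\\+.*"` so it agrees with the rule it is meant to find. Separately, `$ARCH` is never assigned in this script, so an empty string is passed to the helper; if that is deliberate for a directory watch that carries no `-F arch=` filter, make it explicit with `ARCH=""  # directory watch rule: no arch filter` rather than relying on an unset variable, and confirm that the syscall-oriented helper accepts a rule with no `-S` list.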
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 # Use auditctl in RHEL7
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh
index 58ef8bc15f..891cddefb7 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh
@@ -1,6 +1,5 @@
 #!/bin/bash
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 echo "-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh
index 29f0f2d38e..18ca9936fa 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh
@@ -1,6 +1,5 @@
 #!/bin/bash
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 echo "-a always,exit -F dir=/var/log/auditd/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh
index 82eae1895d..617e93d121 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh
@@ -1,6 +1,5 @@
 #!/bin/bash
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 echo "-a always,exit -F dir=/var/log/audit/ -F perm=w -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules