From add7cd5c5a99e7b7d546aa0296885d7da1806d5f Mon Sep 17 00:00:00 2001
From: Marek Haicman
Date: Thu, 22 Feb 2018 22:49:54 +0100
Subject: [PATCH 1/2] Fix kernel module loading and unloading rules
Fixed rule descriptions to make more sense, and fixing remediation of general rule to set auditing of both b32 and b64 syscalls on 64-bit systems.
---
 .../bash/audit_rules_kernel_module_loading.sh | 10 +-
 .../audit_rules_kernel_module_loading_delete.sh | 8 +-
 .../bash/audit_rules_kernel_module_loading_init.sh | 8 +-
 shared/xccdf/system/auditing.xml | 161 ++++++++++-----------
 4 files changed, 91 insertions(+), 96 deletions(-)
diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading.sh b/shared/fixes/bash/audit_rules_kernel_module_loading.sh
index 12d6dd0181..268da407f7 100644
--- a/shared/fixes/bash/audit_rules_kernel_module_loading.sh
+++ b/shared/fixes/bash/audit_rules_kernel_module_loading.sh
@@ -5,11 +5,11 @@
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
-# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel =>
-# it's not required on a 64-bit system to check also for the presence
-# of 32-bit's equivalent of the corresponding rule. Therefore for
-# each system it's enought to check presence of system's native rule form.
-[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64")
+# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
+# it's required on a 64-bit system to check also for the presence
+# of 32-bit's equivalent of the corresponding rule.
+# (See `man 7 audit.rules` for details )
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
 for ARCH in "${RULE_ARCHS[@]}"
 do
diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
index 59aadeeef8..131f1a2819 100644
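Review bot: The new `+# Note:` comment gives the reason for auditing both arches only loosely; the point that matters for detection is that a 64-bit kernel also serves the 32-bit compat syscall ABI, so a rule keyed on `arch=b64` alone never records `init_module`/`delete_module` invoked through a 32-bit binary, which is exactly the gap `RULE_ARCHS=("b32" "b64")` closes. I would reword it to `# Note: a 64-bit kernel also accepts the 32-bit syscall ABI (with different syscall numbers), so a 64-bit system needs the b32 rule in addition to the native b64 one; see man 7 audit.rules` and drop the stray space before the closing parenthesis. The `[ ... ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")` form is safe only because an array assignment cannot fail; `if [ "$(getconf LONG_BIT)" = "32" ]; then RULE_ARCHS=("b32"); else RULE_ARCHS=("b32" "b64"); fi` says the same without relying on that. The identical comment block is introduced in the delete and init script hunks that follow, and the `for ARCH` loop body that consumes RULE_ARCHS lies outside this hunk.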
--- a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
+++ b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
@@ -5,10 +5,10 @@
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
-# If the system has a 32-bit processor, only the 32-bit rule is needed.
-# If the system has a 64-bit processor, both arch 32 and 64 need to be included in
-# the audit file because it is not possible to know if the computer will be booted
-# in 64 or 32 bit mode or for which architecture a binary is compiled.
+# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
+# it's required on a 64-bit system to check also for the presence
+# of 32-bit's equivalent of the corresponding rule.
+# (See `man 7 audit.rules` for details )
 [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
 for ARCH in "${RULE_ARCHS[@]}"
diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
index 04b06f9dee..c46a854068 100644
--- a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
+++ b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
@@ -5,10 +5,10 @@
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
-# If the system has a 32-bit processor, only the 32-bit rule is needed.
-# If the system has a 64-bit processor, both arch 32 and 64 need to be included in
-# the audit file because it is not possible to know if the computer will be booted
-# in 64 or 32 bit mode or for which architecture a binary is compiled.
+# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
+# it's required on a 64-bit system to check also for the presence
+# of 32-bit's equivalent of the corresponding rule.
+# (See `man 7 audit.rules` for details )
 [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
 for ARCH in "${RULE_ARCHS[@]}"
diff --git a/shared/xccdf/system/auditing.xml b/shared/xccdf/system/auditing.xml
index 85487ee417..b68820fe9b 100644
--- a/shared/xccdf/system/auditing.xml
+++ b/shared/xccdf/system/auditing.xml
@@ -113,7 +113,7 @@ to establish, correlate, and investigate the events leading up to an outage or a Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

-Additionally, a properly configured audit subsystem ensures that actions of +Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. @@ -727,7 +727,7 @@ with limited audit storage capacity. - + @@ -3401,42 +3401,40 @@ of what was executed on the system, as well as, for accountability purposes. Record Information on Kernel Modules Loading and Unloading -If the auditd daemon is configured to use the augenrules program -to read audit rules during daemon startup (the default), add the following lines to a file -with suffix .rules in the directory /etc/audit/rules.d to capture kernel module -loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -
-w /usr/sbin/insmod -p x -k modules
--w /usr/sbin/rmmod -p x -k modules
--w /usr/sbin/modprobe -p x -k modules
--a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
-If the auditd daemon is configured to use the auditctl utility to read audit -rules during daemon startup, add the following lines to /etc/audit/audit.rules file -in order to capture kernel module loading and unloading events, setting ARCH to either b32 or -b64 as appropriate for your system: -
-w /usr/sbin/insmod -p x -k modules
+To capture kernel module loading and unloading events, use following lines, setting ARCH to
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+
+-w /usr/sbin/insmod -p x -k modules
 -w /usr/sbin/rmmod -p x -k modules
 -w /usr/sbin/modprobe -p x -k modules
--a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
+-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules +
+ +Place to add the lines depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the lines to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the lines to file /etc/audit/audit.rules.
Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading -If the auditd daemon is configured to use the augenrules program -to read audit rules during daemon startup (the default), add the following lines to a file -with suffix .rules in the directory /etc/audit/rules.d to capture kernel module -loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -
-w /usr/sbin/insmod -p x -k modules
--w /usr/sbin/rmmod -p x -k modules
--w /usr/sbin/modprobe -p x -k modules
--a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
-If the auditd daemon is configured to use the auditctl utility to read audit -rules during daemon startup, add the following lines to /etc/audit/audit.rules file -in order to capture kernel module loading and unloading events, setting ARCH to either b32 or -b64 as appropriate for your system: -
-w /usr/sbin/insmod -p x -k modules
+To capture kernel module loading and unloading events, use following lines, setting ARCH to
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+
+-w /usr/sbin/insmod -p x -k modules
 -w /usr/sbin/rmmod -p x -k modules
 -w /usr/sbin/modprobe -p x -k modules
--a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
+-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules +
+ +Place to add the lines depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the lines to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the lines to file /etc/audit/audit.rules.
@@ -3452,22 +3450,22 @@ to have an audit trail of modules that have been introduced into the kernel. -Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - init_module -If the auditd daemon is configured to use the augenrules program -to read audit rules during daemon startup (the default), add the following lines to a file -with suffix .rules in the directory /etc/audit/rules.d to capture kernel module -loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -
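Review bot: The new description text reads awkwardly in several places: `use following lines` wants an article (`use the following lines`), `for 32-bit system` wants `for a 32-bit system`, and `Place to add the lines depends on a way auditd daemon is configured` would read better as `Where to add the lines depends on how the auditd daemon is configured`. The same sentences are repeated in the init_module, delete_module, insmod, rmmod and modprobe hunks that follow, so the rewording applies to each of them. This text is rendered into the published guide, so it deserves the same care as the rule lines it introduces.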
-a always,exit -F arch=ARCH -S init_module -F key=modules
-If the auditd daemon is configured to use the auditctl utility to read audit -rules during daemon startup, add the following lines to /etc/audit/audit.rules file -in order to capture kernel module loading and unloading events, setting ARCH to either b32 or -b64 as appropriate for your system: +Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading - init_module +To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F key=modules
+ +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules.
-The addition/removal of kernel modules can be used to alter the behavior of +The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. @@ -3478,22 +3476,22 @@ to have an audit trail of modules that have been introduced into the kernel. -Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - delete_module -If the auditd daemon is configured to use the augenrules program -to read audit rules during daemon startup (the default), add the following lines to a file -with suffix .rules in the directory /etc/audit/rules.d to capture kernel module -loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S delete_module -F key=modules
-If the auditd daemon is configured to use the auditctl utility to read audit -rules during daemon startup, add the following lines to /etc/audit/audit.rules file -in order to capture kernel module loading and unloading events, setting ARCH to either b32 or -b64 as appropriate for your system: +Ensure <tt>auditd</tt> Collects Information on Kernel Module Unloading - delete_module +To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F key=modules
+ +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules.
-The addition/removal of kernel modules can be used to alter the behavior of +The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. @@ -3504,23 +3502,22 @@ to have an audit trail of modules that have been introduced into the kernel. -Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - insmod -If the auditd daemon is configured to use the augenrules program -to read audit rules during daemon startup (the default), add the following lines to a file -with suffix .rules in the directory /etc/audit/rules.d to capture kernel module -loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -
-w /usr/sbin/insmod -p x -k modules
-If the auditd daemon is configured to use the auditctl utility to read audit -rules during daemon startup, add the following lines to /etc/audit/audit.rules file -in order to capture kernel module loading and unloading events, setting ARCH to either b32 or -b64 as appropriate for your system: +Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading - insmod +To capture invocation of insmod, utility used to insert modules into kernel, +use the following line:
-w /usr/sbin/insmod -p x -k modules
+Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules.
To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/usr/sbin/insmod"
-The addition/removal of kernel modules can be used to alter the behavior of +The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. @@ -3531,23 +3528,22 @@ to have an audit trail of modules that have been introduced into the kernel. -Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - rmmod -If the auditd daemon is configured to use the augenrules program -to read audit rules during daemon startup (the default), add the following lines to a file -with suffix .rules in the directory /etc/audit/rules.d to capture kernel module -loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -
-w /usr/sbin/rmmod -p x -k modules
-If the auditd daemon is configured to use the auditctl utility to read audit -rules during daemon startup, add the following lines to /etc/audit/audit.rules file -in order to capture kernel module loading and unloading events, setting ARCH to either b32 or -b64 as appropriate for your system: +Ensure <tt>auditd</tt> Collects Information on Kernel Module Unloading - rmmod +To capture invocation of rmmod, utility used to remove modules from kernel, +add the following line:
-w /usr/sbin/rmmod -p x -k modules
+Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules.
To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/usr/sbin/rmmod"
-The addition/removal of kernel modules can be used to alter the behavior of +The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. @@ -3559,16 +3555,15 @@ to have an audit trail of modules that have been introduced into the kernel. Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - modprobe -If the auditd daemon is configured to use the augenrules program -to read audit rules during daemon startup (the default), add the following lines to a file -with suffix .rules in the directory /etc/audit/rules.d to capture kernel module -loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -
-w /usr/sbin/modprobe -p x -k modules
-If the auditd daemon is configured to use the auditctl utility to read audit -rules during daemon startup, add the following lines to /etc/audit/audit.rules file -in order to capture kernel module loading and unloading events, setting ARCH to either b32 or -b64 as appropriate for your system: +To capture invocation of modprobe, utility used to insert / remove modules from kernel, +add the following line:
-w /usr/sbin/modprobe -p x -k modules
+Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules.
To verify that auditing is configured for system administrator actions, run the following command: From 2a9d3771707c7db41861dbf3ca03c8a455481ba8 Mon Sep 17 00:00:00 2001 From: Marek Haicman Date: Thu, 22 Feb 2018 23:13:29 +0100 Subject: [PATCH 2/2] Add basic tests for kernel module loading and unloading rules --- .../rule_audit_rules_kernel_module_loading/default.fail.sh | 7 +++++++ .../rule_audit_rules_kernel_module_loading_delete/default.fail.sh | 7 +++++++ .../rule_audit_rules_kernel_module_loading_init/default.fail.sh | 7 +++++++ .../rule_audit_rules_kernel_module_loading_insmod/default.fail.sh | 7 +++++++ .../default.fail.sh | 7 +++++++ .../rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh | 7 +++++++ 6 files changed, 42 insertions(+) create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh 
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh
new file mode 100644
index 0000000000..48457258e5
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh
new file mode 100644
index 0000000000..12fe012776
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh
new file mode 100644
index 0000000000..12fe012776
--- /dev/null
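Review bot: All six fixtures set up only the failing state (an emptied `/etc/audit/rules.d` and a truncated `/etc/audit/audit.rules`), so nothing exercises the behaviour the first patch changes, namely that remediation on a 64-bit system ends with both an `arch=b32` and an `arch=b64` syscall rule present. A companion fixture that pre-installs only the `arch=b64` line and is expected to fail, or one that installs both lines and is expected to pass, would pin that down and would catch a regression to the old single-arch form. The first fixture selects `content_profile_C2S` while the other five use `content_profile_ospp-rhel7`; presumably the general rule is only selected in C2S, but that is worth confirming so the fixture is actually scheduled. The same observations apply to the delete, init, insmod, modprobe and rmmod fixtures that follow.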
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh
new file mode 100644
index 0000000000..12fe012776
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh
new file mode 100644
index 0000000000..12fe012776
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh
new file mode 100644
index 0000000000..12fe012776
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true