From d5533786f8d34442754cf60234877f4f9768fdae Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 16 Apr 2020 11:35:14 +0200
Subject: [PATCH 1/4] add ansible remediation
---
 .../audit_rules_immutable/ansible/shared.yml | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
new file mode 100644
index 0000000000..20266d394f
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
@@ -0,0 +1,45 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: add /etc/audit/audit.rules to the list of files to be searched
+ set_fact:
+ files_to_search:
+ - /etc/audit/audit.rules
+
+- name: Search /etc/audit/rules.d for files containing the -e option
+ find:
+ paths: "/etc/audit/rules.d"
+ recurse: true
+ contains: "-e[\\s]+.*"
+ patterns: "*.rules"
+ register: find_immutable
+
+- name: add found files to the list of files to be searched
+ set_fact:
+ files_to_search: "{{ files_to_search + [item.path] }}"
+ with_items: "{{ find_immutable.files }}"
+ when: find_immutable.matched is defined and find_immutable.matched >= 1
+
+- name: remove the config line from /etc/audit/audit.rules and any file in /etc/audit/rules.d directory
+ lineinfile:
+ path: "{{ item }}"
+ regexp: "-e[\\s]+.*"
+ state: absent
+ with_items: "{{ files_to_search }}"
+
+- name: insert lines at the end of /etc/audit/audit.rules and /etc/audit/rules.d/immutable.rules
+ blockinfile:
+ path: "{{ item }}"
+ create: True
+ marker: ""
+ block: |+
+ # Set the audit.rules configuration immutable per security requirements
+ # Reboot is required to change audit rules once this setting is applied
+
+ -e 2
+ with_items:
+ - /etc/audit/audit.rules
+ - /etc/audit/rules.d/immutable.rules
From 8f1c60ba4efd625c2df20a109710e0dbf423e44a Mon Sep 17 00:00:00 2001
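Review bot: The last task's `with_items` writes `-e 2` into `/etc/audit/rules.d/immutable.rules`, but augenrules concatenates the `*.rules` files in lexical filename order, so any rules file that sorts after `immutable.rules` is processed only after the configuration has been locked and its rules are rejected, which can silently disable other audit rules deployed on the same host. A filename that sorts last would avoid this (the audit package's sample rule set reserves `99-finalize.rules` for exactly this line), and the OVAL check for this rule would need to expect the same filename; the rewritten insert task in the third patch keeps the same `immutable.rules` path, so it is affected too. Separately, `marker: ""` leaves blockinfile with no begin/end markers of its own to recognise on a second run, so idempotence of this task is doubtful; the later switch to `lineinfile` makes that concern moot.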
From: Vojtech Polasek
Date: Thu, 16 Apr 2020 11:35:37 +0200
Subject: [PATCH 2/4] add tests
---
 .../audit_rules_immutable/tests/auditctl_correct.pass.sh | 6 ++++++
 .../audit_rules_immutable/tests/auditctl_missing.fail.sh | 6 ++++++
 .../tests/auditctl_wrong_value.fail.sh | 7 +++++++
 .../audit_rules_immutable/tests/augen_correct.pass.sh | 3 +++
 .../audit_rules_immutable/tests/augen_missing.fail.sh | 3 +++
 .../audit_rules_immutable/tests/augen_wrong_value.fail.sh | 4 ++++
 6 files changed, 29 insertions(+)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_correct.pass.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_missing.fail.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_wrong_value.fail.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_correct.pass.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_missing.fail.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_wrong_value.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_correct.pass.sh
new file mode 100644
index 0000000000..36478840c1
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_correct.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# use auditctl
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+echo "-e 2" > /etc/audit/audit.rules
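Review bot: The `sed` on the fourth line of `auditctl_correct.pass.sh` rewrites `ExecStartPost` to a bare `-/sbin/auditctl`, whereas the variant shipped in auditd.service for this mode is `ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules`; without `-R` the daemon would load no rules at all, so the fixture only represents "auditctl mode" as long as the check detects it by the binary name alone. Writing the real form, `sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules%" /usr/lib/systemd/system/auditd.service`, keeps the scenario faithful to a real deployment and robust to a tightened detection regex. The same line is duplicated in `auditctl_missing.fail.sh` and `auditctl_wrong_value.fail.sh`.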
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_missing.fail.sh
new file mode 100644
index 0000000000..733436ecaf
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_missing.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# use auditctl
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+echo "some value" > /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_wrong_value.fail.sh
new file mode 100644
index 0000000000..e3369107dd
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_wrong_value.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# use auditctl
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+echo "-e 1" > /etc/audit/audit.rules
+
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_correct.pass.sh
new file mode 100644
index 0000000000..fa5b7231df
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "-e 2" > /etc/audit/rules.d/immutable.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_missing.fail.sh
new file mode 100644
index 0000000000..0997495e4b
--- /dev/null
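Review bot: `augen_correct.pass.sh` writes `-e 2` into `immutable.rules` without first clearing `/etc/audit/rules.d`, unlike the two augen fail scenarios, which begin with `rm -rf /etc/audit/rules.d/*`; if the image under test already carries another `*.rules` file with an `-e` line, the outcome presumably depends on that leftover rather than on what the scenario sets up. Starting the pass scenario from the same known state, `rm -rf /etc/audit/rules.d/*` before the `echo`, makes the three augen scenarios comparable and keeps the pass result attributable to the one file it writes.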
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_missing.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -rf /etc/audit/rules.d/*
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_wrong_value.fail.sh
new file mode 100644
index 0000000000..a8c2d53830
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_wrong_value.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+rm -rf /etc/audit/rules.d/*
+echo "-e 1" > /etc/audit/rules.d/immutable.rules
From 2bba06ada88cb359a19288725232e79387931aee Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 4 May 2020 15:29:10 +0200
Subject: [PATCH 3/4] do not use explaining comment in ansible remediation
---
 .../audit_rules_immutable/ansible/shared.yml | 58 ++++++++++---------
 1 file changed, 32 insertions(+), 26 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
index 20266d394f..4e1b2f9569 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
@@ -1,45 +1,51 @@ # platform = multi_platform_all -# reboot = false +# reboot = true # strategy = restrict # complexity = low # disruption = low -- name: add /etc/audit/audit.rules to the list of files to be searched - set_fact: - files_to_search: - - /etc/audit/audit.rules +- name: Check if the file /etc/audit/audit.rules contains the -e option + find: + paths: "/etc/audit" + contains: '^\s*-e\s+.*$' + patterns: "audit.rules" + register: find_immutable_audit_rules - name: Search /etc/audit/rules.d for files containing the -e option find: paths: "/etc/audit/rules.d" - recurse: true - contains: "-e[\\s]+.*" + contains: '^\s*-e\s+.*$' patterns: "*.rules" - register: find_immutable + register: find_immutable_rules_d -- name: add found files to the list of files to be searched - set_fact: - files_to_search: "{{ files_to_search + [item.path] }}" - with_items: "{{ find_immutable.files }}" - when: find_immutable.matched is defined and find_immutable.matched >= 1 +- name: Construct list of Audit config files containing the -e option + block: + - name: Initialize empty list for files to be edited + set_fact: + files_to_edit: [] + - name: Add matched files from /etc/audit/rules.d + set_fact: + files_to_edit: "{{ files_to_edit + [item.path] }}" + loop: "{{ find_immutable_rules_d.files }}" + - name: Add /etc/audit/audit.rules to the list of files + set_fact: + files_to_edit: "{{ files_to_edit + ['/etc/audit/audit.rules'] }}" + when: find_immutable_audit_rules is defined and find_immutable_audit_rules.matched >= 1 + when: (find_immutable_rules_d.matched is defined and find_immutable_rules_d.matched >= 1) or (find_immutable_audit_rules.matched is defined and find_immutable_audit_rules.matched >= 1) -- name: remove the config line from /etc/audit/audit.rules and any file in /etc/audit/rules.d directory +- name: Remove the -e option from all Audit config files lineinfile: path: "{{ item }}" regexp: "-e[\\s]+.*" state: absent - with_items: "{{ files_to_search }}" + loop: "{{ 
files_to_edit }}" + when: (find_immutable_rules_d.matched is defined and find_immutable_rules_d.matched >= 1) or (find_immutable_audit_rules.matched is defined and find_immutable_audit_rules.matched >= 1) -- name: insert lines at the end of /etc/audit/audit.rules and /etc/audit/rules.d/immutable.rules - blockinfile: +- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules + lineinfile: path: "{{ item }}" create: True - marker: "" - block: |+ - # Set the audit.rules configuration immutable per security requirements - # Reboot is required to change audit rules once this setting is applied - - -e 2 - with_items: - - /etc/audit/audit.rules - - /etc/audit/rules.d/immutable.rules + line: "-e 2" + loop: + - "/etc/audit/audit.rules" + - "/etc/audit/rules.d/immutable.rules" From dbf87484436e142a771ebd22a1bada61a429cceb Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 5 May 2020 14:44:24 +0200 Subject: [PATCH 4/4] simplify remediation --- .../audit_rules_immutable/ansible/shared.yml | 34 +++---------------- 1 file changed, 5 insertions(+), 29 deletions(-) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml index 4e1b2f9569..5ac7b3dabb 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml 
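Review bot: The final `lineinfile` task now creates `/etc/audit/rules.d/immutable.rules` when it is absent (`create: True` is carried over as a context line) but sets no `owner`, `group` or `mode`, so a newly created rules file takes whatever the remote umask yields, typically world-readable, whereas the rule files the audit package installs in that directory are root-owned 0640 on the usual packaging (worth confirming per platform). Adding `owner: root`, `group: root` and `mode: "0640"` alongside `create: true` keeps the created file consistent with its neighbours and with any file-permission checks that cover the same directory; `true` is also the canonical YAML boolean where the hunk currently has `True`.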
@@ -4,42 +4,18 @@ # complexity = low # disruption = low -- name: Check if the file /etc/audit/audit.rules contains the -e option +- name: Collect all files from /etc/audit/rules.d with .rules extension find: - paths: "/etc/audit" - contains: '^\s*-e\s+.*$' - patterns: "audit.rules" - register: find_immutable_audit_rules - -- name: Search /etc/audit/rules.d for files containing the -e option - find: - paths: "/etc/audit/rules.d" - contains: '^\s*-e\s+.*$' + paths: "/etc/audit/rules.d/" patterns: "*.rules" - register: find_immutable_rules_d - -- name: Construct list of Audit config files containing the -e option - block: - - name: Initialize empty list for files to be edited - set_fact: - files_to_edit: [] - - name: Add matched files from /etc/audit/rules.d - set_fact: - files_to_edit: "{{ files_to_edit + [item.path] }}" - loop: "{{ find_immutable_rules_d.files }}" - - name: Add /etc/audit/audit.rules to the list of files - set_fact: - files_to_edit: "{{ files_to_edit + ['/etc/audit/audit.rules'] }}" - when: find_immutable_audit_rules is defined and find_immutable_audit_rules.matched >= 1 - when: (find_immutable_rules_d.matched is defined and find_immutable_rules_d.matched >= 1) or (find_immutable_audit_rules.matched is defined and find_immutable_audit_rules.matched >= 1) + register: find_rules_d - name: Remove the -e option from all Audit config files lineinfile: path: "{{ item }}" - regexp: "-e[\\s]+.*" + regexp: '^\s*(?:-e)\s+.*$' state: absent - loop: "{{ files_to_edit }}" - when: (find_immutable_rules_d.matched is defined and find_immutable_rules_d.matched >= 1) or (find_immutable_audit_rules.matched is defined and find_immutable_audit_rules.matched >= 1) + loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}" - name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules lineinfile: