From f65d1b37c7433085f19dc10454067be7d0bfb180 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 12 Mar 2020 16:27:53 +0100 Subject: [PATCH 1/3] Fix remediatino for /etc/sudoers.d/ and OVAL check Add missing '/' to remediation and add OVAL checks for /etc/sudoers.d/. --- .../bash/shared.sh | 4 ++-- .../oval/shared.xml | 20 +++++++++++++++++++ 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh index 8e38874006..b6a4e7ef41 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh @@ -7,5 +7,5 @@ fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions" fix_audit_watch_rule "augenrules" "/etc/sudoers" "wa" "actions" -fix_audit_watch_rule "auditctl" "/etc/sudoers.d" "wa" "actions" -fix_audit_watch_rule "augenrules" "/etc/sudoers.d" "wa" "actions" +fix_audit_watch_rule "auditctl" "/etc/sudoers.d/" "wa" "actions" +fix_audit_watch_rule "augenrules" "/etc/sudoers.d/" "wa" "actions" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml index 172d2216b2..136630e695 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml @@ -9,10 +9,12 @@ + + @@ -26,6 +28,15 @@ 1 + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + 
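Review bot: Hosts remediated with the previous version of this script already carry `-w /etc/sudoers.d -p wa -k actions` (no trailing slash), and the two new calls only add the slashed form; whether the old line is rewritten or left in place depends on how fix_audit_watch_rule, which is defined outside this file, matches an existing rule for the same path, and that cannot be seen from this hunk. If the helper keys on the exact path string, both rules end up in the file, and the OVAL pattern introduced further down in this patch (`/etc/sudoers\.d/`) accepts only the slashed one, so the scan result then hinges on that helper's matching rather than on this hunk. It would be worth a short comment on the sudoers.d lines saying that the trailing slash is required to match the OVAL check, e.g. `# trailing slash is deliberate: the OVAL check matches /etc/sudoers.d/ only`, and a test that starts from a pre-existing slash-less rule.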
@@ -35,4 +46,13 @@ 1 + + + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + From 2aa6680981aa0f730c671106ca019c357b3beba7 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 13 Mar 2020 18:33:38 +0100 Subject: [PATCH 2/3] Add Ansible for audit_rules_sysadmin_actions --- .../ansible/shared.yml | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml new file mode 100644 index 0000000000..6700eea565 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml 
@@ -0,0 +1,53 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+# Inserts/replaces the rule in /etc/audit/rules.d
+
+- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions
+  find:
+    paths: "/etc/audit/rules.d"
+    recurse: no
+    contains: "^.*/etc/sudoers.*$"
+    patterns: "*.rules"
+  register: find_audit_sysadmin_actions
+
+- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule
+  set_fact:
+    all_sysadmin_actions_files:
+      - /etc/audit/rules.d/actions.rules
+  when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched == 0
+
+- name: Use matched file as the recipient for the rule
+  set_fact:
+    all_sysadmin_actions_files:
+      - "{{ find_audit_sysadmin_actions.files | map(attribute='path') | list | first }}"
+  when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched > 0
+
+- name: Inserts/replaces audit rule for /etc/sudoers rule in rules.d
+  lineinfile:
+    path: "{{ all_sysadmin_actions_files[0] }}"
+    line: '-w /etc/sudoers -p wa -k actions'
+    create: yes
+
+- name: Inserts/replaces audit rule for /etc/sudoers.d rule in rules.d
+  lineinfile:
+    path: "{{ all_sysadmin_actions_files[0] }}"
+    line: '-w /etc/sudoers.d/ -p wa -k actions'
+    create: yes
+
+# Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules
+
+- name: Inserts/replaces audit rule for /etc/sudoers in audit.rules
+  lineinfile:
+    path: /etc/audit/audit.rules
+    line: '-w /etc/sudoers -p wa -k actions'
+    create: yes
+
+- name: Inserts/replaces audit rule for /etc/sudoers.d in audit.rules
+  lineinfile:
+    path: /etc/audit/audit.rules
+    line: '-w /etc/sudoers.d/ -p wa -k actions'
+    create: yes
From 3d5cc1d32fa7c4e2c3de11d178c33459804d1a58 Mon Sep 17 00:00:00 2001
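Review bot: The four lineinfile tasks pass only `line:` and no `regexp:`, so despite their names ("Inserts/replaces") they never replace an existing rule that differs: a leftover `-w /etc/sudoers.d -p wa -k actions` (no trailing slash), or a rule for the same watch under another key, stays where it is and the new line is appended beside it, leaving two rules for one path in rules.d and again in audit.rules. Anchoring each task on the watched path and the `-p` flag, e.g. `regexp: '^\s*-w\s+/etc/sudoers\.d/?\s+-p\s+'` for the two sudoers.d tasks and `regexp: '^\s*-w\s+/etc/sudoers\s+-p\s+'` for the two sudoers tasks, makes lineinfile rewrite the stale line in place, which is what the task names promise and what the bash remediation in the first patch of this series appears to aim for. The `contains: "^.*/etc/sudoers.*$"` filter on the find task already treats sudoers and sudoers.d rules as one family, so the chosen file is consistent with that anchoring.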
From: Watson Sato
Date: Fri, 13 Mar 2020 18:42:05 +0100
Subject: [PATCH 3/3] Simple tests for audit_rules_sysadmin_actions
---
 .../audit_rules_sysadmin_actions/tests/correct.pass.sh | 4 ++++
 .../audit_rules_sysadmin_actions/tests/empty.fail.sh | 4 ++++
 .../audit_rules_sysadmin_actions/tests/missing_slash.fail.sh | 4 ++++
 3 files changed, 12 insertions(+)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/empty.fail.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/missing_slash.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/correct.pass.sh
new file mode 100644
index 0000000000..4d5f09b7b8
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/correct.pass.sh
@@ -0,0 +1,4 @@
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+
+echo "-w /etc/sudoers -p wa -k actions" >> /etc/audit/rules.d/actions.rules
+echo "-w /etc/sudoers.d/ -p wa -k actions" >> /etc/audit/rules.d/actions.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/empty.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/empty.fail.sh
new file mode 100644
index 0000000000..c14af6a088
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/empty.fail.sh
@@ -0,0 +1,4 @@
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/missing_slash.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/missing_slash.fail.sh
new file mode 100644
index 0000000000..09af980183
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/missing_slash.fail.sh
@@ -0,0 +1,4 @@
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+
+echo "-w /etc/sudoers -p wa -k actions" >> /etc/audit/rules.d/actions.rules
+echo "-w /etc/sudoers.d -p wa -k actions" >> /etc/audit/rules.d/actions.rules
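Review bot: This fail scenario appends to /etc/audit/rules.d/actions.rules with `>>` and never clears the directory, so if the test image already carries a slashed `-w /etc/sudoers.d/ -p wa -k actions` line in actions.rules or in any other *.rules file, the check it is meant to fail will pass and the scenario reports a false result. empty.fail.sh in the same patch starts from a known-clean state with `rm -f /etc/audit/rules.d/*`; this script should do the same before its two echo lines, and the comment `# start clean: a pre-existing slashed rule would make this scenario pass` would explain why. The same assumption about the starting state is present in correct.pass.sh, where it is harmless for a pass scenario.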