OPENSCAP-4927 - Update audit_rules_media_export #13206

Open, wants to merge 1 commit into base: master

Conversation

jan-cerny
Collaborator

  • Update rule description because if you are on 64 bit architecture you should add 2 lines of audit rules - one with b32 and one with b64.
  • Align remediations, checks, tests, etc. with the rule description
  • Resolve inconsistencies with audit key.

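The description change in this PR boils down to a consistency check an auditor can automate: on a 64-bit host the `mount` syscall must be covered by one `arch=b32` and one `arch=b64` rule, and every such rule must carry the same key that the rule description and the check expect. The script below is an added example, not code from this PR or from the ComplianceAsCode project; it parses `auditctl`-style rule lines (both `-F key=` and the `-k` shorthand) from a constructed sample file and reports missing architectures and key mismatches for a given syscall.

```python
import shlex

# Constructed sample rules file (not from the project): a 64-bit host whose
# b32 mount rule already uses the new key while the b64 rule still carries the
# old one, plus an unrelated rule that must be ignored.
SAMPLE_RULES = """\
## constructed example rules file
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=export
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod -F auid>=1000 -F auid!=unset -k perm_mod
"""


def parse_rule(line):
    """Parse one '-a always,exit ...' syscall rule into its arch, syscalls and key.

    Returns None for blank lines, comments and rules that carry no -S syscall list.
    """
    line = line.strip()
    if not line or line.startswith("#") or not line.startswith("-a "):
        return None
    toks = shlex.split(line)
    arch, key, syscalls = None, None, set()
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "-F" and i + 1 < len(toks):
            field = toks[i + 1]
            if field.startswith("arch="):
                arch = field[len("arch="):]
            elif field.startswith("key="):
                key = field[len("key="):]
            i += 2
        elif tok == "-S" and i + 1 < len(toks):
            # -S may list several syscalls separated by commas
            syscalls.update(toks[i + 1].split(","))
            i += 2
        elif tok == "-k" and i + 1 < len(toks):
            # -k is the short form of -F key=
            key = toks[i + 1]
            i += 2
        else:
            i += 1
    if not syscalls:
        return None
    return {"arch": arch, "syscalls": syscalls, "key": key}


def check_syscall_coverage(rules_text, syscall, expected_key, is_64bit=True):
    """Check that `syscall` is audited for every required arch with `expected_key`.

    Returns (ok, findings); findings lists every problem as a readable string.
    A rule with the wrong key does not count as coverage for its arch.
    """
    required = {"b32", "b64"} if is_64bit else {"b32"}
    covered, findings = set(), []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or syscall not in rule["syscalls"]:
            continue
        if rule["arch"] is None:
            findings.append(f"line {lineno}: rule for {syscall} has no -F arch= filter, "
                            "cannot tell which ABI it covers")
            continue
        if rule["key"] != expected_key:
            findings.append(f"line {lineno}: {rule['arch']} rule for {syscall} uses key "
                            f"{rule['key']!r}, expected {expected_key!r}")
            continue
        covered.add(rule["arch"])
    for arch in sorted(required - covered):
        findings.append(f"missing: no {arch} rule for {syscall} with key {expected_key!r}")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check_syscall_coverage(SAMPLE_RULES, "mount", "export")
    print("OK" if ok else "\n".join(findings))
```

Running it against the sample reports the stale `b64` key and the resulting gap in `b64` coverage; pointing `rules_text` at the contents of `/etc/audit/rules.d/*.rules` or `/etc/audit/audit.rules` gives the same check for a real host.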
@jan-cerny jan-cerny added Update Rule Issues or pull requests related to Rules updates. RHEL10 Red Hat Enterprise Linux 10 product related. labels Mar 20, 2025
@jan-cerny jan-cerny added this to the 0.1.77 milestone Mar 20, 2025

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export'.
--- xccdf_org.ssgproject.content_rule_audit_rules_media_export
+++ xccdf_org.ssgproject.content_rule_audit_rules_media_export
@@ -7,13 +7,15 @@
 events for all users and root. If the auditd daemon is configured to
 use the augenrules program to read audit rules during daemon startup
 (the default), add the following line to a file with suffix .rules in
-the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
-appropriate for your system:
+the directory /etc/audit/rules.d, setting ARCH to either b32 for
+32-bit system, or having two lines for both b32 and b64 in case your
+system is 64-bit:
 -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
 If the auditd daemon is configured to use the auditctl
 utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
-appropriate for your system:
+/etc/audit/audit.rules file, setting ARCH to either b32 for
+32-bit system, or having two lines for both b32 and b64 in case your
+system is 64-bit:
 -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
 
 [reference]:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_media_export
+++ xccdf_org.ssgproject.content_rule_audit_rules_media_export
@@ -11,7 +11,7 @@
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
 	SYSCALL="mount"
-	KEY="perm_mod"
+	KEY="export"
 	SYSCALL_GROUPING=""
 
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
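Review bot: changing `KEY="perm_mod"` to `KEY="export"` makes the bash remediation match the description's `-F key=export`, but a host remediated by the previous version already has a `mount` rule keyed `perm_mod`, and nothing in this hunk shows whether that line is rewritten or left alongside the new one; please confirm the shared remediation handles that case. The key also has to agree with the OVAL check and the test scenarios, which this datastream diff does not show, so a pointer to where those were aligned would help the reviewer.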

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_media_export
+++ xccdf_org.ssgproject.content_rule_audit_rules_media_export
@@ -92,8 +92,8 @@
       | last).key }}"
     when: found_paths | length >= 1
 
-  - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
-    set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+  - name: No file with syscall found, set path to /etc/audit/rules.d/export.rules
+    set_fact: audit_file="/etc/audit/rules.d/export.rules"
     when: found_paths | length == 0
 
   - name: Declare found syscalls
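Review bot: the fallback file name changes to `/etc/audit/rules.d/export.rules`, but the `when: found_paths | length >= 1` branch above keeps whichever file already contains the syscall, so on a host remediated by the older playbook the new rule lands in `perm_mod.rules` next to the existing `-F key=perm_mod` line. State in the task name or a comment that this is intended, or add a step that drops the stale-keyed line. The same task pair is repeated in the `@@ -237` hunk for the b64 rule; keep the two identical.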
@@ -119,7 +119,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-        -F auid!=unset -F key=perm_mod
+        -F auid!=unset -F key=export
       create: true
       mode: g-rwx,o-rwx
       state: present
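Review bot: in the visible context this `lineinfile` task has `state: present` and no `regexp`, so an existing line ending in `-F key=perm_mod` is not matched and the `-F key=export` line is simply appended, leaving the b32 `mount` rule twice with different keys. Either match on the `-a always,exit -F arch=b32 -S ...` prefix so the old line is replaced, or document that the duplicate is expected. The same applies to the sibling hunks at `@@ -166`, `@@ -264` and `@@ -311`.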
@@ -166,7 +166,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-        -F auid!=unset -F key=perm_mod
+        -F auid!=unset -F key=export
       create: true
       mode: g-rwx,o-rwx
       state: present
@@ -237,8 +237,8 @@
       | last).key }}"
     when: found_paths | length >= 1
 
-  - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
-    set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+  - name: No file with syscall found, set path to /etc/audit/rules.d/export.rules
+    set_fact: audit_file="/etc/audit/rules.d/export.rules"
     when: found_paths | length == 0
 
   - name: Declare found syscalls
@@ -264,7 +264,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-        -F auid!=unset -F key=perm_mod
+        -F auid!=unset -F key=export
       create: true
       mode: g-rwx,o-rwx
       state: present
@@ -311,7 +311,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-        -F auid!=unset -F key=perm_mod
+        -F auid!=unset -F key=export
       create: true
       mode: g-rwx,o-rwx
       state: present


codeclimate bot commented Mar 20, 2025

Code Climate has analyzed commit 55feef6 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).


@vojtapolasek vojtapolasek self-assigned this Mar 20, 2025
@vojtapolasek
Collaborator

/packit retest-failed

@vojtapolasek vojtapolasek left a comment


LGTM, I have only a minor request, see the specific comment.

@@ -40,6 +40,7 @@
- Parameters:

- **attr** - value of `-S` argument in Audit rule, eg. `chmod`
- **key** - audit key. If this isn't specified then the default value `perm_mod` is used.
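Review bot: the new **key** item is placed directly under **attr** while the `- Parameters:` header is followed by a blank line, so the list spacing is inconsistent (the point raised below). Beyond spacing, the doc says the default is `perm_mod` but not that the value must equal the `-F key=` used in the rule's description and check, which is exactly the mismatch this PR fixes for audit_rules_media_export; one sentence there would prevent the next one.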

I think you should leave blank lines around list items.
