OPENSCAP- 4949 - Change audit watches in rule audit_rules_sudoers #13218
base: master
In RHEL 10, audit recommends using a new type of audit rules for watches of login events. Old-style watch rules are slower; for inspiration check: linux-audit/audit-userspace@614f7d1#diff-358ef6b204ee1b214ce4c8f9bdca09612bc86ed3de442374dd910d243ea33fa7R107 In this patch we extend the rules `audit_rules_login_events_faillock`, `audit_rules_login_events_lastlog` and `audit_rules_login_events_tallylog` to support this new type of audit watches. Use of the new type of watches is configured by the product property `audit_watches_style`, which can be set to `modern` or `legacy`. The default value is `legacy`. It will be set to `modern` in the `rhel10` product, and other products will use `legacy`. We won't change `audit_rules_login_events` and `audit_rules_login_events_faillog` because these rules aren't used in RHEL 10. We also update the test scenarios to cover both styles of audit watches.
Our templates `audit_rules_login_events` and `audit_rules_watch` are similar. This patch merges them into a single template, `audit_rules_watch`. Then it converts rules using the `audit_rules_login_events` template to use the `audit_rules_watch` template instead. This activity reduces code duplication. Also, this change makes it easier to convert rules to use the modern audit watches.
Unify rule descriptions of rules using the `audit_rules_watch` template. This reduces code duplication.
The rule `audit_rules_sudoers` will now use the template `audit_rules_watch` instead of static checks and remediations. This change has 3 advantages:
1. reduces code duplication
2. adds support for the modern style of audit watches to the rule
3. removes inconsistencies inside the rule
Create a Jinja macro for OCIL text for rules using the `audit_login_events` platform. This unifies code and reduces code duplication. The OCIL code will support the modern style watches.
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -25,7 +25,9 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/etc/selinux/" "$audit_rules_file"
+
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
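Review bot: the only change in this hunk is two empty `+` lines around the `if grep ...` test, which is whitespace leaking out of the merged Jinja template rather than a functional change. Adding whitespace control (`{%-` / `-%}`) to the template blocks that wrap this check would keep the generated bash identical to the previous datastream and make the diff show only the intended fixes.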
@@ -33,7 +35,9 @@
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/selinux/$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
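Review bot: the `sed -ne` pattern fix here is a genuine bug fix and should be called out in the commit message. The old pattern `/etc/selinux/ $sp\+-p` required a literal space followed by at least one more whitespace character between the watched path and `-p`, so a rule written with a single space (the form the remediation itself appends) never matched and `current_access_bits` came back empty; the new pattern `/etc/selinux/$sp\+-p` matches one or more whitespace characters and is now consistent with the `sed -i` propagation pattern used later in the same script.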
@@ -49,12 +53,16 @@
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
+
sed -i "s#\($sp*-w$sp\+/etc/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
+
echo "-w /etc/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file"
+
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -73,7 +81,9 @@
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/MAC-policy.rules' to list of files for inspection.
+
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/selinux/" /etc/audit/rules.d/*.rules)
+
# For each of the matched entries
for match in "${matches[@]}"
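Review bot: while the template is being touched, the `readarray` line in this hunk greps `/etc/audit/rules.d/*.rules` for `[\s]*-w[\s]+/etc/selinux/` without the `^` anchor and without any trailing boundary, whereas the per-file check earlier in the script uses `^[\s]*-w[\s]+/etc/selinux/`. The two patterns can therefore disagree on which file already holds the rule (a commented-out or indented rule would match here but not there). Suggest anchoring this pattern the same way, e.g. `grep -HP "^[\s]*-w[\s]+/etc/selinux/" /etc/audit/rules.d/*.rules`.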
@@ -102,7 +112,9 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/etc/selinux/" "$audit_rules_file"
+
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
@@ -110,7 +122,9 @@
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/selinux/$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
@@ -126,12 +140,16 @@
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
+
sed -i "s#\($sp*-w$sp\+/etc/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
+
echo "-w /etc/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file"
+
fi
done
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -18,7 +18,8 @@
- reboot_required
- restrict_strategy
-- name: Check if watch rule for /etc/selinux/ already exists in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Mandatory Access Controls - Check if
+ watch rule for /etc/selinux/ already exists in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+
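Review bot: prefixing every task name with the rule title is consistent with the rest of the generated Ansible content, but the resulting names are long enough that the YAML dumper folds them across two lines as plain multi-line scalars. That is valid YAML, so no functional concern; a short style point is that the fold lands mid-phrase ("Check if / watch rule ..."), which hurts readability of `ansible-playbook` output. If the template can emit the title and the task suffix as a quoted scalar on one line, the generated playbooks would be easier to scan.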
@@ -44,7 +45,8 @@
- reboot_required
- restrict_strategy
-- name: Search /etc/audit/rules.d for other rules with specified key MAC-policy
+- name: Record Events that Modify the System's Mandatory Access Controls - Search
+ /etc/audit/rules.d for other rules with specified key MAC-policy
find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)MAC-policy$
@@ -72,7 +74,8 @@
- reboot_required
- restrict_strategy
-- name: Use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule
+- name: Record Events that Modify the System's Mandatory Access Controls - Use /etc/audit/rules.d/MAC-policy.rules
+ as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/MAC-policy.rules
@@ -98,7 +101,8 @@
- reboot_required
- restrict_strategy
-- name: Use matched file as the recipient for the rule
+- name: Record Events that Modify the System's Mandatory Access Controls - Use matched
+ file as the recipient for the rule
set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
@@ -124,7 +128,8 @@
- reboot_required
- restrict_strategy
-- name: Add watch rule for /etc/selinux/ in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Mandatory Access Controls - Add watch
+ rule for /etc/selinux/ in /etc/audit/rules.d/
lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/selinux/ -p wa -k MAC-policy
@@ -152,7 +157,8 @@
- reboot_required
- restrict_strategy
-- name: Check if watch rule for /etc/selinux/ already exists in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Mandatory Access Controls - Check if
+ watch rule for /etc/selinux/ already exists in /etc/audit/audit.rules
find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+
@@ -178,7 +184,8 @@
- reboot_required
- restrict_strategy
-- name: Add watch rule for /etc/selinux/ in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Mandatory Access Controls - Add watch
+ rule for /etc/selinux/ in /etc/audit/audit.rules
lineinfile:
line: -w /etc/selinux/ -p wa -k MAC-policy
state: present
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
@@ -25,7 +25,9 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/usr/share/selinux/" "$audit_rules_file"
+
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
@@ -33,7 +35,9 @@
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/share/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/share/selinux/$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
@@ -49,12 +53,16 @@
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
+
sed -i "s#\($sp*-w$sp\+/usr/share/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
+
echo "-w /usr/share/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file"
+
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -73,7 +81,9 @@
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/MAC-policy.rules' to list of files for inspection.
+
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/usr/share/selinux/" /etc/audit/rules.d/*.rules)
+
# For each of the matched entries
for match in "${matches[@]}"
@@ -102,7 +112,9 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/usr/share/selinux/" "$audit_rules_file"
+
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
@@ -110,7 +122,9 @@
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/share/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/share/selinux/$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
@@ -126,12 +140,16 @@
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
+
sed -i "s#\($sp*-w$sp\+/usr/share/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
+
echo "-w /usr/share/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file"
+
fi
done
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
@@ -15,7 +15,8 @@
- reboot_required
- restrict_strategy
-- name: Check if watch rule for /usr/share/selinux/ already exists in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
+ - Check if watch rule for /usr/share/selinux/ already exists in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/usr/share/selinux/\s+-p\s+wa(\s|$)+
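Review bot: in this hunk the fold happens right before the " - " separator, so every continuation line begins with `- Check if ...`, `- Search ...`, `- Use ...`. It still parses as the tail of the plain scalar, but at a glance it reads like a nested list item. Same suggestion as for the `mac_modification` playbook: emit the name as a single quoted scalar, or shorten the rule-title prefix used by the template so the dumper does not need to fold.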
@@ -38,7 +39,8 @@
- reboot_required
- restrict_strategy
-- name: Search /etc/audit/rules.d for other rules with specified key MAC-policy
+- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
+ - Search /etc/audit/rules.d for other rules with specified key MAC-policy
find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)MAC-policy$
@@ -63,7 +65,8 @@
- reboot_required
- restrict_strategy
-- name: Use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule
+- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
+ - Use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/MAC-policy.rules
@@ -86,7 +89,8 @@
- reboot_required
- restrict_strategy
-- name: Use matched file as the recipient for the rule
+- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
+ - Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
@@ -109,7 +113,8 @@
- reboot_required
- restrict_strategy
-- name: Add watch rule for /usr/share/selinux/ in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
+ - Add watch rule for /usr/share/selinux/ in /etc/audit/rules.d/
lineinfile:
path: '{{ all_files[0] }}'
line: -w /usr/share/selinux/ -p wa -k MAC-policy
@@ -134,7 +139,8 @@
- reboot_required
- restrict_strategy
-- name: Check if watch rule for /usr/share/selinux/ already exists in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
+ - Check if watch rule for /usr/share/selinux/ already exists in /etc/audit/audit.rules
find:
paths: /etc/audit/
contains: ^\s*-w\s+/usr/share/selinux/\s+-p\s+wa(\s|$)+
@@ -157,7 +163,8 @@
- reboot_required
- restrict_strategy
-- name: Add watch rule for /usr/share/selinux/ in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
+ - Add watch rule for /usr/share/selinux/ in /etc/audit/audit.rules
lineinfile:
line: -w /usr/share/selinux/ -p wa -k MAC-policy
state: present
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
@@ -346,7 +346,9 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file"
+
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
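Review bot: the presence check `^[\s]*-w[\s]+/etc/issue` has no trailing boundary, so it also matches a watch for `/etc/issue.net` (handled later in this same script). If a system has only the `issue.net` watch, this branch treats the `/etc/issue` rule as present, and the following `sed -ne` extraction (whose pattern requires whitespace immediately after `/etc/issue`) then finds nothing. Pre-existing behaviour, but since the grep pattern is generated by the template, appending `[\s]+` after the path (e.g. `^[\s]*-w[\s]+/etc/issue[\s]+`) would make the check and the extraction agree for every path the template is instantiated with.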
@@ -354,7 +356,9 @@
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
@@ -370,12 +374,16 @@
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
+
sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
+
echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -394,7 +402,9 @@
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
+
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue" /etc/audit/rules.d/*.rules)
+
# For each of the matched entries
for match in "${matches[@]}"
@@ -423,7 +433,9 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file"
+
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
@@ -431,7 +443,9 @@
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
@@ -447,12 +461,16 @@
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
+
sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
+
echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -478,7 +496,9 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file"
+
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
@@ -486,7 +506,9 @@
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
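Review bot: the corrected `sed -ne` pattern is still built by interpolating the raw path, so the `.` in `/etc/issue.net` is an unescaped BRE metacharacter matching any single character. Harmless for this path in practice, but the template would be more robust if it escaped regex metacharacters in the path before substituting it into the `sed` and `grep -P` patterns, since the same template is now also used for the login-event and sudoers watches.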
@@ -502,12 +524,16 @@
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
+
sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
+
echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -526,7 +552,9 @@
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
+
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue.net" /etc/audit/rules.d/*.rules)
+
# For each of the matched entries
for match in "${matches[@]}"
@@ -555,7 +583,9 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file"
+
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
@@ -563,7 +593,9 @@
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
@@ -579,12 +611,16 @@
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
+
sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
+
echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -610,7 +646,9 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file"
+
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
@@ -618,7 +656,9 @@
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
@@ -634,12 +674,16 @@
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
+
sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
+
echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -658,7 +702,9 @@
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
+
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/hosts" /etc/audit/rules.d/*.rules)
+
# For each of the matched entries
for match in "${matches[@]}"
@@ -687,7 +733,9 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file"
+
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
@@ -695,7 +743,9 @@
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
@@ -711,12 +761,16 @@
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
+
sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
+
echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+
fi
done
@@ -743,7 +797,9 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file"
+
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
@@ -751,7 +807,9 @@
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
@@ -767,12 +825,16 @@
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
+
sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
+
echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -791,7 +853,9 @@
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
+
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sysconfig/network" /etc/audit/rules.d/*.rules)
+
# For each of the matched entries
for match in "${matches[@]}"
@@ -820,7 +884,9 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file"
+
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
@@ -828,7 +894,9 @@
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
@@ -844,12 +912,16 @@
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
+
sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
+
echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+
fi
done
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
@@ -336,7 +336,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Check if watch rule for /etc/issue already exists in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Check if watch
+ rule for /etc/issue already exists in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+
@@ -363,7 +364,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
+- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d
+ for other rules with specified key audit_rules_networkconfig_modification
find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
@@ -392,8 +394,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the
- recipient for the rule
+- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
+ as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
@@ -420,7 +422,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Use matched file as the recipient for the rule
+- name: Record Events that Modify the System's Network Environment - Use matched file
+ as the recipient for the rule
set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
@@ -447,7 +450,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Add watch rule for /etc/issue in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+ for /etc/issue in /etc/audit/rules.d/
lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
@@ -476,7 +480,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Check if watch rule for /etc/issue already exists in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Check if watch
+ rule for /etc/issue already exists in /etc/audit/audit.rules
find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+
@@ -503,7 +508,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Add watch rule for /etc/issue in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+ for /etc/issue in /etc/audit/audit.rules
lineinfile:
line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
state: present
@@ -533,7 +539,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Check if watch
+ rule for /etc/issue.net already exists in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+
@@ -560,7 +567,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
+- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d
+ for other rules with specified key audit_rules_networkconfig_modification
find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
@@ -589,8 +597,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the
- recipient for the rule
+- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
+ as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
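Review bot: the prefixed task name `- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules` now carries well over 130 characters on one line before the YAML folding kicks in, so if a line-length lint runs on the generated playbooks this hunk, and the identical ones for the other watched paths below, will trip it. Consider a shorter prefix (the rule id, for instance) or letting the generator wrap before the path.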
@@ -617,7 +625,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Use matched file as the recipient for the rule
+- name: Record Events that Modify the System's Network Environment - Use matched file
+ as the recipient for the rule
set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
@@ -644,7 +653,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Add watch rule for /etc/issue.net in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+ for /etc/issue.net in /etc/audit/rules.d/
lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
@@ -673,7 +683,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Check if watch
+ rule for /etc/issue.net already exists in /etc/audit/audit.rules
find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+
@@ -700,7 +711,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Add watch rule for /etc/issue.net in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+ for /etc/issue.net in /etc/audit/audit.rules
lineinfile:
line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
state: present
@@ -730,7 +742,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Check if watch rule for /etc/hosts already exists in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Check if watch
+ rule for /etc/hosts already exists in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+
@@ -757,7 +770,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
+- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d
+ for other rules with specified key audit_rules_networkconfig_modification
find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
@@ -786,8 +800,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the
- recipient for the rule
+- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
+ as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
@@ -814,7 +828,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Use matched file as the recipient for the rule
+- name: Record Events that Modify the System's Network Environment - Use matched file
+ as the recipient for the rule
set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
@@ -841,7 +856,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Add watch rule for /etc/hosts in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+ for /etc/hosts in /etc/audit/rules.d/
lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
@@ -870,7 +886,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Check if watch rule for /etc/hosts already exists in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Check if watch
+ rule for /etc/hosts already exists in /etc/audit/audit.rules
find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+
@@ -897,7 +914,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Add watch rule for /etc/hosts in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+ for /etc/hosts in /etc/audit/audit.rules
lineinfile:
line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
state: present
@@ -927,7 +945,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Check if watch
+ rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+
@@ -954,7 +973,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
+- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d
+ for other rules with specified key audit_rules_networkconfig_modification
find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
@@ -983,8 +1003,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the
- recipient for the rule
+- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
+ as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
@@ -1011,7 +1031,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Use matched file as the recipient for the rule
+- name: Record Events that Modify the System's Network Environment - Use matched file
+ as the recipient for the rule
set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
@@ -1038,7 +1059,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Add watch rule for /etc/sysconfig/network in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+ for /etc/sysconfig/network in /etc/audit/rules.d/
lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
@@ -1067,7 +1089,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Check if watch
+ rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules
find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+
@@ -1094,7 +1117,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Add watch rule for /etc/sysconfig/network in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+ for /etc/sysconfig/network in /etc/audit/audit.rules
lineinfile:
line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
state: present
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts'.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts
@@ -3,14 +3,17 @@
Record Events that Modify the System's Network Environment
[description]:
-If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix .rules in the
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
+
-w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts
+
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules:
+
-w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts
[reference]:
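Review bot: the new wording says "add the following lines" in both the augenrules and the auditctl paragraphs, but this rule has a single watch, so only one `-w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts` line follows each sentence. Since the text comes from the shared template, pluralize on the number of watched paths ("line" when there is one) rather than hard-coding "lines".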
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts
@@ -1,5 +1,12 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q audit && rpm --quiet -q kernel; then
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+
+
+
+
+
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
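Review bot: the hunk inserts the comment `# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'` surrounded by six empty lines before the first real statement, which looks like whitespace from template control blocks leaking into the generated script; the same stray blank lines appear around the `if grep`, `sed -i` and `echo` statements in the hunks below. Trimming whitespace in the template (`{%-`/`-%}`) would keep the generated remediation readable and the diffs stable.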
@@ -24,7 +31,9 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network-scripts" "$audit_rules_file"
+
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
@@ -32,7 +41,9 @@
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network-scripts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network-scripts$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
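Review bot: this line is a behavioural fix, not a whitespace change, and deserves a sentence in the commit message. The removed pattern has a literal space between `/etc/sysconfig/network-scripts` and `$sp\+`, so it only matched a rule with at least two whitespace characters between the path and `-p`; for a normally written rule `current_access_bits` came back empty, the `wa` loop turned it into exactly `wa`, and the later `sed -i ... \1$current_access_bits\3` overwrote whatever mask was present with just `wa`, dropping e.g. an `r` or `x` bit. The same fix repeats in the auditctl branch (second `current_access_bits=` hunk) and in the session_events remediation.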
@@ -48,12 +59,16 @@
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
+
sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network-scripts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
+
echo "-w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts" >> "$audit_rules_file"
+
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -72,7 +87,9 @@
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification_network_scripts.rules' to list of files for inspection.
+
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sysconfig/network-scripts" /etc/audit/rules.d/*.rules)
+
# For each of the matched entries
for match in "${matches[@]}"
@@ -101,7 +118,9 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network-scripts" "$audit_rules_file"
+
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
@@ -109,7 +128,9 @@
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network-scripts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network-scripts$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
@@ -125,12 +146,16 @@
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
+
sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network-scripts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
+
echo "-w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts" >> "$audit_rules_file"
+
fi
done
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts
@@ -10,7 +10,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Check if watch rule for /etc/sysconfig/network-scripts already exists in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Check if watch
+ rule for /etc/sysconfig/network-scripts already exists in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/sysconfig/network-scripts\s+-p\s+wa(\s|$)+
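Review bot: the prefix added to the task names is the rule title, and this rule's title (`Record Events that Modify the System's Network Environment`, as shown in the description hunk above) is the same as that of `audit_rules_networkconfig_modification`, so the prefixed task names of the two rules still differ only in the watched path. If the goal is to tell the tasks apart in playbook output, prefixing with the rule id would be unambiguous.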
@@ -28,7 +29,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification_network_scripts
+- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d
+ for other rules with specified key audit_rules_networkconfig_modification_network_scripts
find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification_network_scripts$
@@ -48,7 +50,7 @@
- no_reboot_needed
- restrict_strategy
-- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification_network_scripts.rules
+- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification_network_scripts.rules
as the recipient for the rule
set_fact:
all_files:
@@ -67,7 +69,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Use matched file as the recipient for the rule
+- name: Record Events that Modify the System's Network Environment - Use matched file
+ as the recipient for the rule
set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
@@ -85,7 +88,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Add watch rule for /etc/sysconfig/network-scripts in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+ for /etc/sysconfig/network-scripts in /etc/audit/rules.d/
lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts
@@ -105,7 +109,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Check if watch rule for /etc/sysconfig/network-scripts already exists in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Check if watch
+ rule for /etc/sysconfig/network-scripts already exists in /etc/audit/audit.rules
find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/sysconfig/network-scripts\s+-p\s+wa(\s|$)+
@@ -123,7 +128,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Add watch rule for /etc/sysconfig/network-scripts in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+ for /etc/sysconfig/network-scripts in /etc/audit/audit.rules
lineinfile:
line: -w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts
state: present
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -25,36 +25,44 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/var/run/utmp" "$audit_rules_file"
- then
- # Rule is found => verify yet if existing rule definition contains
- # all of the required access type bits
-
- # Define BRE whitespace class shortcut
- sp="[[:space:]]"
- # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
- # Split required access bits string into characters array
- # (to check bit's presence for one bit at a time)
- for access_bit in $(echo "wa" | grep -o .)
- do
- # For each from the required access bits (e.g. 'w', 'a') check
- # if they are already present in current access bits for rule.
- # If not, append that bit at the end
- if ! grep -q "$access_bit" <<< "$current_access_bits"
- then
- # Concatenate the existing mask with the missing bit
- current_access_bits="$current_access_bits$access_bit"
- fi
- done
- # Propagate the updated rule's access bits (original + the required
- # ones) back into the /etc/audit/audit.rules file for that rule
+
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+
sed -i "s#\($sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
- else
- # Rule isn't present yet. Append it at the end of $audit_rules_file file
- # with proper key
+
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
echo "-w /var/run/utmp -p wa -k session" >> "$audit_rules_file"
+
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
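Review bot: the whole `then`/`else` body is removed and re-added with identical text except for the `current_access_bits=` line, so the hunk is almost entirely an indentation change with one functional fix (the stray space before `$sp\+` in the sed pattern) buried inside it; comparing with `git diff -w` would show only that line. Either keep the generated indentation stable in the template or call out the regex fix in the commit message. The same applies to the auditctl branch and to the `/var/log/btmp` and `/var/log/wtmp` hunks that follow.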
@@ -73,7 +81,9 @@
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection.
+
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/run/utmp" /etc/audit/rules.d/*.rules)
+
# For each of the matched entries
for match in "${matches[@]}"
@@ -102,36 +112,44 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/var/run/utmp" "$audit_rules_file"
- then
- # Rule is found => verify yet if existing rule definition contains
- # all of the required access type bits
-
- # Define BRE whitespace class shortcut
- sp="[[:space:]]"
- # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
- # Split required access bits string into characters array
- # (to check bit's presence for one bit at a time)
- for access_bit in $(echo "wa" | grep -o .)
- do
- # For each from the required access bits (e.g. 'w', 'a') check
- # if they are already present in current access bits for rule.
- # If not, append that bit at the end
- if ! grep -q "$access_bit" <<< "$current_access_bits"
- then
- # Concatenate the existing mask with the missing bit
- current_access_bits="$current_access_bits$access_bit"
- fi
- done
- # Propagate the updated rule's access bits (original + the required
- # ones) back into the /etc/audit/audit.rules file for that rule
+
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+
sed -i "s#\($sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
- else
- # Rule isn't present yet. Append it at the end of $audit_rules_file file
- # with proper key
+
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
echo "-w /var/run/utmp -p wa -k session" >> "$audit_rules_file"
+
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -157,36 +175,44 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/var/log/btmp" "$audit_rules_file"
- then
- # Rule is found => verify yet if existing rule definition contains
- # all of the required access type bits
-
- # Define BRE whitespace class shortcut
- sp="[[:space:]]"
- # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
- # Split required access bits string into characters array
- # (to check bit's presence for one bit at a time)
- for access_bit in $(echo "wa" | grep -o .)
- do
- # For each from the required access bits (e.g. 'w', 'a') check
- # if they are already present in current access bits for rule.
- # If not, append that bit at the end
- if ! grep -q "$access_bit" <<< "$current_access_bits"
- then
- # Concatenate the existing mask with the missing bit
- current_access_bits="$current_access_bits$access_bit"
- fi
- done
- # Propagate the updated rule's access bits (original + the required
- # ones) back into the /etc/audit/audit.rules file for that rule
+
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+
sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
- else
- # Rule isn't present yet. Append it at the end of $audit_rules_file file
- # with proper key
+
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
echo "-w /var/log/btmp -p wa -k session" >> "$audit_rules_file"
+
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -205,7 +231,9 @@
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection.
+
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/btmp" /etc/audit/rules.d/*.rules)
+
# For each of the matched entries
for match in "${matches[@]}"
@@ -234,36 +262,44 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/var/log/btmp" "$audit_rules_file"
- then
- # Rule is found => verify yet if existing rule definition contains
- # all of the required access type bits
-
- # Define BRE whitespace class shortcut
- sp="[[:space:]]"
- # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
- # Split required access bits string into characters array
- # (to check bit's presence for one bit at a time)
- for access_bit in $(echo "wa" | grep -o .)
- do
- # For each from the required access bits (e.g. 'w', 'a') check
- # if they are already present in current access bits for rule.
- # If not, append that bit at the end
- if ! grep -q "$access_bit" <<< "$current_access_bits"
- then
- # Concatenate the existing mask with the missing bit
- current_access_bits="$current_access_bits$access_bit"
- fi
- done
- # Propagate the updated rule's access bits (original + the required
- # ones) back into the /etc/audit/audit.rules file for that rule
+
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+
sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
- else
- # Rule isn't present yet. Append it at the end of $audit_rules_file file
- # with proper key
+
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
echo "-w /var/log/btmp -p wa -k session" >> "$audit_rules_file"
+
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -289,36 +325,44 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
+
if grep -q -P -- "^[\s]*-w[\s]+/var/log/wtmp" "$audit_rules_file"
- then
- # Rule is found => verify yet if existing rule definition contains
- # all of the required access type bits
-
- # Define BRE whitespace class shortcut
- sp="[[:space:]]"
- # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/wtmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
- # Split required access bits string into characters array
- # (to check bit's presence for one bit at a time)
- for access_bit in $(echo "wa" | grep -o .)
- do
- # For each from the required access bits (e.g. 'w', 'a') check
- # if they are already present in current access bits for rule.
- # If not, append that bit at the end
- if ! grep -q "$access_bit" <<< "$current_access_bits"
- then
- # Concatenate the existing mask with the missing bit
-
... The diff is trimmed here ...
Code Climate has analyzed commit 6515a69 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 62.0% (0.1% change). View more on Code Climate.
This PR is blocked by #13194 and will be rebased after #13194 is merged.
This PR updates rule `audit_rules_sudoers`. Instead of static checks and remediations it will now use the template `audit_rules_watch`. This change has 3 advantages:

For more information, please read commit messages of all commits.