|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..ce7a936545
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare.rule
|
|
|
28bffe |
@@ -0,0 +1,40 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Record Any Attempts to Run seunshare'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ At a minimum, the audit system should collect any execution attempt
|
|
|
28bffe |
+ of the <tt>seunshare</tt> command for all users and root. If the <tt>auditd</tt>
|
|
|
28bffe |
+ daemon is configured to use the <tt>augenrules</tt> program to read audit rules
|
|
|
28bffe |
+ during daemon startup (the default), add the following lines to a file with suffix
|
|
|
28bffe |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
|
|
|
28bffe |
+ -a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
28bffe |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
28bffe |
+ <tt>/etc/audit/audit.rules</tt> file:
|
|
|
28bffe |
+ -a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ Misuse of privileged functions, either intentionally or unintentionally by
|
|
|
28bffe |
+ authorized users, or by unauthorized external entities that have compromised system accounts,
|
|
|
28bffe |
+ is a serious and ongoing concern and can have significant adverse impacts on organizations.
|
|
|
28bffe |
+ Auditing the use of privileged functions is one way to detect such misuse and identify
|
|
|
28bffe |
+ the risk from insider and advanced persistent threast.
|
|
|
28bffe |
+
|
|
|
28bffe |
+ Privileged programs are subject to escalation-of-privilege attacks,
|
|
|
28bffe |
+ which attempt to subvert their normal role of providing some necessary but
|
|
|
28bffe |
+ limited capability. As such, motivation exists to monitor these programs for
|
|
|
28bffe |
+ unusual activity.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: medium
|
|
|
28bffe |
+
|
|
|
28bffe |
+references:
|
|
|
28bffe |
+ ospp@rhel7: FAU_GEN.1.1.c
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil: |-
|
|
|
28bffe |
+ To verify that execution of the command is being audited, run the following command:
|
|
|
28bffe |
+ $ sudo grep "path=/usr/sbin/seunshare" /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
28bffe |
+ The output should return something similar to:
|
|
|
28bffe |
+ -a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
|
|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..6d1a5c909b
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at.rule
|
|
|
28bffe |
@@ -0,0 +1,42 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - at'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ At a minimum, the audit system should collect the execution of
|
|
|
28bffe |
+ privileged commands for all users and root. If the <tt>auditd</tt> daemon is
|
|
|
28bffe |
+ configured to use the <tt>augenrules</tt> program to read audit rules during
|
|
|
28bffe |
+ daemon startup (the default), add a line of the following form to a file with
|
|
|
28bffe |
+ suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
|
|
|
28bffe |
+ -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
28bffe |
+ utility to read audit rules during daemon startup, add a line of the following
|
|
|
28bffe |
+ form to <tt>/etc/audit/audit.rules</tt>:
|
|
|
28bffe |
+ -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ Misuse of privileged functions, either intentionally or unintentionally by
|
|
|
28bffe |
+ authorized users, or by unauthorized external entities that have compromised system accounts,
|
|
|
28bffe |
+ is a serious and ongoing concern and can have significant adverse impacts on organizations.
|
|
|
28bffe |
+ Auditing the use of privileged functions is one way to detect such misuse and identify
|
|
|
28bffe |
+ the risk from insider and advanced persistent threast.
|
|
|
28bffe |
+
|
|
|
28bffe |
+ Privileged programs are subject to escalation-of-privilege attacks,
|
|
|
28bffe |
+ which attempt to subvert their normal role of providing some necessary but
|
|
|
28bffe |
+ limited capability. As such, motivation exists to monitor these programs for
|
|
|
28bffe |
+ unusual activity.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: medium
|
|
|
28bffe |
+
|
|
|
28bffe |
+references:
|
|
|
28bffe |
+ ospp@rhel7: FAU_GEN.1.1.c
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil_clause: 'it is not the case'
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil: |-
|
|
|
28bffe |
+ To verify that auditing of privileged command use is configured, run the
|
|
|
28bffe |
+ following command:
|
|
|
28bffe |
+ $ sudo grep '\bat\b' /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
28bffe |
+ It should return a relevant line in the audit rules.
|
|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..8eb3f39f01
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount.rule
|
|
|
28bffe |
@@ -0,0 +1,42 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - mount'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ At a minimum, the audit system should collect the execution of
|
|
|
28bffe |
+ privileged commands for all users and root. If the <tt>auditd</tt> daemon is
|
|
|
28bffe |
+ configured to use the <tt>augenrules</tt> program to read audit rules during
|
|
|
28bffe |
+ daemon startup (the default), add a line of the following form to a file with
|
|
|
28bffe |
+ suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
|
|
|
28bffe |
+ -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
28bffe |
+ utility to read audit rules during daemon startup, add a line of the following
|
|
|
28bffe |
+ form to <tt>/etc/audit/audit.rules</tt>:
|
|
|
28bffe |
+ -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ Misuse of privileged functions, either intentionally or unintentionally by
|
|
|
28bffe |
+ authorized users, or by unauthorized external entities that have compromised system accounts,
|
|
|
28bffe |
+ is a serious and ongoing concern and can have significant adverse impacts on organizations.
|
|
|
28bffe |
+ Auditing the use of privileged functions is one way to detect such misuse and identify
|
|
|
28bffe |
+ the risk from insider and advanced persistent threast.
|
|
|
28bffe |
+
|
|
|
28bffe |
+ Privileged programs are subject to escalation-of-privilege attacks,
|
|
|
28bffe |
+ which attempt to subvert their normal role of providing some necessary but
|
|
|
28bffe |
+ limited capability. As such, motivation exists to monitor these programs for
|
|
|
28bffe |
+ unusual activity.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: medium
|
|
|
28bffe |
+
|
|
|
28bffe |
+references:
|
|
|
28bffe |
+ ospp@rhel7: FAU_GEN.1.1.c
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil_clause: 'it is not the case'
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil: |-
|
|
|
28bffe |
+ To verify that auditing of privileged command use is configured, run the
|
|
|
28bffe |
+ following command:
|
|
|
28bffe |
+ $ sudo grep mount /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
28bffe |
+ It should return a relevant line in the audit rules.
|
|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..bd8dbcf1bd
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap.rule
|
|
|
28bffe |
@@ -0,0 +1,42 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ At a minimum, the audit system should collect the execution of
|
|
|
28bffe |
+ privileged commands for all users and root. If the <tt>auditd</tt> daemon is
|
|
|
28bffe |
+ configured to use the <tt>augenrules</tt> program to read audit rules during
|
|
|
28bffe |
+ daemon startup (the default), add a line of the following form to a file with
|
|
|
28bffe |
+ suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
|
|
|
28bffe |
+ -a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
28bffe |
+ utility to read audit rules during daemon startup, add a line of the following
|
|
|
28bffe |
+ form to <tt>/etc/audit/audit.rules</tt>:
|
|
|
28bffe |
+ -a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ Misuse of privileged functions, either intentionally or unintentionally by
|
|
|
28bffe |
+ authorized users, or by unauthorized external entities that have compromised system accounts,
|
|
|
28bffe |
+ is a serious and ongoing concern and can have significant adverse impacts on organizations.
|
|
|
28bffe |
+ Auditing the use of privileged functions is one way to detect such misuse and identify
|
|
|
28bffe |
+ the risk from insider and advanced persistent threast.
|
|
|
28bffe |
+
|
|
|
28bffe |
+ Privileged programs are subject to escalation-of-privilege attacks,
|
|
|
28bffe |
+ which attempt to subvert their normal role of providing some necessary but
|
|
|
28bffe |
+ limited capability. As such, motivation exists to monitor these programs for
|
|
|
28bffe |
+ unusual activity.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: medium
|
|
|
28bffe |
+
|
|
|
28bffe |
+references:
|
|
|
28bffe |
+ ospp@rhel7: FAU_GEN.1.1.c
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil_clause: 'it is not the case'
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil: |-
|
|
|
28bffe |
+ To verify that auditing of privileged command use is configured, run the
|
|
|
28bffe |
+ following command:
|
|
|
28bffe |
+ $ sudo grep newgidmap /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
28bffe |
+ It should return a relevant line in the audit rules.
|
|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..199dc381a1
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap.rule
|
|
|
28bffe |
@@ -0,0 +1,42 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ At a minimum, the audit system should collect the execution of
|
|
|
28bffe |
+ privileged commands for all users and root. If the <tt>auditd</tt> daemon is
|
|
|
28bffe |
+ configured to use the <tt>augenrules</tt> program to read audit rules during
|
|
|
28bffe |
+ daemon startup (the default), add a line of the following form to a file with
|
|
|
28bffe |
+ suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
|
|
|
28bffe |
+ -a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
28bffe |
+ utility to read audit rules during daemon startup, add a line of the following
|
|
|
28bffe |
+ form to <tt>/etc/audit/audit.rules</tt>:
|
|
|
28bffe |
+ -a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ Misuse of privileged functions, either intentionally or unintentionally by
|
|
|
28bffe |
+ authorized users, or by unauthorized external entities that have compromised system accounts,
|
|
|
28bffe |
+ is a serious and ongoing concern and can have significant adverse impacts on organizations.
|
|
|
28bffe |
+ Auditing the use of privileged functions is one way to detect such misuse and identify
|
|
|
28bffe |
+ the risk from insider and advanced persistent threast.
|
|
|
28bffe |
+
|
|
|
28bffe |
+ Privileged programs are subject to escalation-of-privilege attacks,
|
|
|
28bffe |
+ which attempt to subvert their normal role of providing some necessary but
|
|
|
28bffe |
+ limited capability. As such, motivation exists to monitor these programs for
|
|
|
28bffe |
+ unusual activity.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: medium
|
|
|
28bffe |
+
|
|
|
28bffe |
+references:
|
|
|
28bffe |
+ ospp@rhel7: FAU_GEN.1.1.c
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil_clause: 'it is not the case'
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil: |-
|
|
|
28bffe |
+ To verify that auditing of privileged command use is configured, run the
|
|
|
28bffe |
+ following command:
|
|
|
28bffe |
+ $ sudo grep newuidmap /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
28bffe |
+ It should return a relevant line in the audit rules.
|
|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..c574f82d25
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl.rule
|
|
|
28bffe |
@@ -0,0 +1,42 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ At a minimum, the audit system should collect the execution of
|
|
|
28bffe |
+ privileged commands for all users and root. If the <tt>auditd</tt> daemon is
|
|
|
28bffe |
+ configured to use the <tt>augenrules</tt> program to read audit rules during
|
|
|
28bffe |
+ daemon startup (the default), add a line of the following form to a file with
|
|
|
28bffe |
+ suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
|
|
|
28bffe |
+ -a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
28bffe |
+ utility to read audit rules during daemon startup, add a line of the following
|
|
|
28bffe |
+ form to <tt>/etc/audit/audit.rules</tt>:
|
|
|
28bffe |
+ -a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ Misuse of privileged functions, either intentionally or unintentionally by
|
|
|
28bffe |
+ authorized users, or by unauthorized external entities that have compromised system accounts,
|
|
|
28bffe |
+ is a serious and ongoing concern and can have significant adverse impacts on organizations.
|
|
|
28bffe |
+ Auditing the use of privileged functions is one way to detect such misuse and identify
|
|
|
28bffe |
+ the risk from insider and advanced persistent threast.
|
|
|
28bffe |
+
|
|
|
28bffe |
+ Privileged programs are subject to escalation-of-privilege attacks,
|
|
|
28bffe |
+ which attempt to subvert their normal role of providing some necessary but
|
|
|
28bffe |
+ limited capability. As such, motivation exists to monitor these programs for
|
|
|
28bffe |
+ unusual activity.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: medium
|
|
|
28bffe |
+
|
|
|
28bffe |
+references:
|
|
|
28bffe |
+ ospp@rhel7: FAU_GEN.1.1.c
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil_clause: 'it is not the case'
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil: |-
|
|
|
28bffe |
+ To verify that auditing of privileged command use is configured, run the
|
|
|
28bffe |
+ following command:
|
|
|
28bffe |
+ $ sudo grep usernetctl /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
28bffe |
+ It should return a relevant line in the audit rules.
|
|
|
28bffe |
diff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42-draft.profile
|
|
|
28bffe |
index 9802576814..270a94f85f 100644
|
|
|
28bffe |
--- a/rhel7/profiles/ospp42-draft.profile
|
|
|
28bffe |
+++ b/rhel7/profiles/ospp42-draft.profile
|
|
|
28bffe |
@@ -121,6 +121,7 @@ selections:
|
|
|
28bffe |
- audit_rules_execution_restorecon
|
|
|
28bffe |
- audit_rules_execution_semanage
|
|
|
28bffe |
- audit_rules_execution_setsebool
|
|
|
28bffe |
+ - audit_rules_execution_seunshare
|
|
|
28bffe |
- audit_rules_mac_modification
|
|
|
28bffe |
- audit_rules_dac_modification_chown
|
|
|
28bffe |
- audit_rules_unsuccessful_file_modification_chown
|
|
|
28bffe |
@@ -130,15 +131,20 @@ selections:
|
|
|
28bffe |
- audit_rules_unsuccessful_file_modification_fchown
|
|
|
28bffe |
- audit_rules_dac_modification_lchown
|
|
|
28bffe |
- audit_rules_unsuccessful_file_modification_lchown
|
|
|
28bffe |
+ - audit_rules_privileged_commands_at
|
|
|
28bffe |
+ - audit_rules_privileged_commands_mount
|
|
|
28bffe |
- audit_rules_privileged_commands_passwd
|
|
|
28bffe |
- audit_rules_privileged_commands_unix_chkpwd
|
|
|
28bffe |
- audit_rules_privileged_commands_userhelper
|
|
|
28bffe |
+ - audit_rules_privileged_commands_usernetctl
|
|
|
28bffe |
- audit_rules_privileged_commands_chage
|
|
|
28bffe |
- audit_rules_privileged_commands_chsh
|
|
|
28bffe |
- audit_rules_privileged_commands_pt_chown
|
|
|
28bffe |
- audit_rules_sysadmin_actions
|
|
|
28bffe |
- audit_rules_privileged_commands_gpasswd
|
|
|
28bffe |
+ - audit_rules_privileged_commands_newgidmap
|
|
|
28bffe |
- audit_rules_privileged_commands_newgrp
|
|
|
28bffe |
+ - audit_rules_privileged_commands_newuidmap
|
|
|
28bffe |
- audit_rules_usergroup_modification_group
|
|
|
28bffe |
- audit_rules_usergroup_modification_gshadow
|
|
|
28bffe |
- audit_rules_usergroup_modification_opasswd
|
|
|
28bffe |
diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
|
|
|
28bffe |
index 73a08dd98a..3fd55c84d4 100644
|
|
|
28bffe |
--- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
|
|
|
28bffe |
+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
|
|
|
28bffe |
@@ -79,7 +79,7 @@ do
|
|
|
28bffe |
local count_of_inspected_files=0
|
|
|
28bffe |
|
|
|
28bffe |
# Define expected rule form for this binary
|
|
|
28bffe |
- expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=4294967295 -k privileged"
|
|
|
28bffe |
+ expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=unset -k privileged"
|
|
|
28bffe |
|
|
|
28bffe |
# If list of audit rules files to be inspected is empty, just add new rule and move on to next binary
|
|
|
28bffe |
if [[ ${#files_to_inspect[@]} -eq 0 ]]; then
|
|
|
28bffe |
@@ -100,9 +100,9 @@ do
|
|
|
28bffe |
# * existing rule contains all arguments from expected rule form (though can contain
|
|
|
28bffe |
# them in arbitrary order)
|
|
|
28bffe |
|
|
|
28bffe |
- base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'/!d' \
|
|
|
28bffe |
- -e '/-F path=[^[:space:]]\+/!d' -e '/-F perm=.*/!d' \
|
|
|
28bffe |
- -e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=4294967295/!d' \
|
|
|
28bffe |
+ base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'/!d' \
|
|
|
28bffe |
+ -e '/-F path=[^[:space:]]\+/!d' -e '/-F perm=.*/!d' \
|
|
|
28bffe |
+ -e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=\(?:4294967295\|unset\)/!d' \
|
|
|
28bffe |
-e '/-k privileged/!d' "$afile")
|
|
|
28bffe |
|
|
|
28bffe |
# Increase the count of inspected files for this sbinary
|
|
|
28bffe |
diff --git a/shared/templates/csv/audit_rules_execution.csv b/shared/templates/csv/audit_rules_execution.csv
|
|
|
28bffe |
index 8a78a4323c..45aa7493f3 100644
|
|
|
28bffe |
--- a/shared/templates/csv/audit_rules_execution.csv
|
|
|
28bffe |
+++ b/shared/templates/csv/audit_rules_execution.csv
|
|
|
28bffe |
@@ -3,3 +3,4 @@
|
|
|
28bffe |
/usr/sbin/semanage
|
|
|
28bffe |
/usr/sbin/setfiles
|
|
|
28bffe |
/usr/sbin/setsebool
|
|
|
28bffe |
+/usr/sbin/seunshare
|
|
|
28bffe |
diff --git a/shared/templates/csv/audit_rules_privileged_commands.csv b/shared/templates/csv/audit_rules_privileged_commands.csv
|
|
|
28bffe |
index 2d45332344..7fa26ffe2d 100644
|
|
|
28bffe |
--- a/shared/templates/csv/audit_rules_privileged_commands.csv
|
|
|
28bffe |
+++ b/shared/templates/csv/audit_rules_privileged_commands.csv
|
|
|
28bffe |
@@ -1,8 +1,12 @@
|
|
|
28bffe |
+/usr/bin/at
|
|
|
28bffe |
/usr/bin/chage
|
|
|
28bffe |
/usr/bin/chsh
|
|
|
28bffe |
/usr/bin/crontab
|
|
|
28bffe |
/usr/bin/gpasswd
|
|
|
28bffe |
+/usr/bin/mount
|
|
|
28bffe |
+/usr/bin/newgidmap
|
|
|
28bffe |
/usr/bin/newgrp
|
|
|
28bffe |
+/usr/bin/newuidmap
|
|
|
28bffe |
/usr/sbin/pam_timestamp_check
|
|
|
28bffe |
/usr/bin/passwd
|
|
|
28bffe |
/usr/sbin/postdrop
|
|
|
28bffe |
@@ -15,3 +19,4 @@
|
|
|
28bffe |
/usr/bin/umount
|
|
|
28bffe |
/usr/sbin/unix_chkpwd
|
|
|
28bffe |
/usr/sbin/userhelper
|
|
|
28bffe |
+/usr/sbin/usernetctl
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/generate_privileged_commands_rule.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/generate_privileged_commands_rule.sh
|
|
|
28bffe |
new file mode 100755
|
|
|
28bffe |
index 0000000000..9dc0cd1ce2
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/generate_privileged_commands_rule.sh
|
|
|
28bffe |
@@ -0,0 +1,8 @@
|
|
|
28bffe |
+#!/bin/bash
|
|
|
28bffe |
+
|
|
|
28bffe |
+AUID=$1
|
|
|
28bffe |
+KEY=$2
|
|
|
28bffe |
+RULEPATH=$3
|
|
|
28bffe |
+for file in $(find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null); do
|
|
|
28bffe |
+ echo "-a always,exit -F path=$file -F perm=x -F auid>=$AUID -F auid!=unset -k $KEY" >> $RULEPATH
|
|
|
28bffe |
+done
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_audit.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_audit.rules
|
|
|
28bffe |
deleted file mode 100644
|
|
|
28bffe |
index 703bbafe10..0000000000
|
|
|
28bffe |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_audit.rules
|
|
|
28bffe |
+++ /dev/null
|
|
|
28bffe |
@@ -1,37 +0,0 @@
|
|
|
28bffe |
--a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/at -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/write -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/ksu -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/libexec/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/sbin/netreport -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/sbin/mount.nfs -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/bin/cgclassify -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/bin/cgexec -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_auditctl_rules_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_auditctl_rules_configured.pass.sh
|
|
|
28bffe |
index 60b9eb0c45..a8a25ebdb3 100644
|
|
|
28bffe |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_auditctl_rules_configured.pass.sh
|
|
|
28bffe |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_auditctl_rules_configured.pass.sh
|
|
|
28bffe |
@@ -2,7 +2,6 @@
|
|
|
28bffe |
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
|
|
|
28bffe |
# remediation = bash
|
|
|
28bffe |
|
|
|
28bffe |
-cp rhel6_audit.rules /etc/audit/rules.d/privileged.rules
|
|
|
28bffe |
-cp rhel6_audit.rules /etc/audit/audit.rules
|
|
|
28bffe |
+./generate_privileged_commands_rule.sh 500 privileged /etc/audit/audit.rules
|
|
|
28bffe |
# This is a trick to fail setup of this test in rhel7 systems
|
|
|
28bffe |
ls /etc/sysconfig/auditd
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_augenrules_rules_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_augenrules_rules_configured.pass.sh
|
|
|
28bffe |
index 1b628be506..5594d7566a 100644
|
|
|
28bffe |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_augenrules_rules_configured.pass.sh
|
|
|
28bffe |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_augenrules_rules_configured.pass.sh
|
|
|
28bffe |
@@ -2,6 +2,5 @@
|
|
|
28bffe |
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
|
|
|
28bffe |
# remediation = bash
|
|
|
28bffe |
|
|
|
28bffe |
-cp rhel6_audit.rules /etc/audit/rules.d/privileged.rules
|
|
|
28bffe |
-cp rhel6_audit.rules /etc/audit/audit.rules
|
|
|
28bffe |
+./generate_privileged_commands_rule.sh 500 privileged /etc/audit/rules.d/privileged.rules
|
|
|
28bffe |
sed -i "s/USE_AUGENRULES=.*/USE_AUGENRULES=\"yes\"/" /etc/sysconfig/auditd
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_auditctl_rules_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_auditctl_rules_configured.pass.sh
|
|
|
28bffe |
index ee95d13d5d..3f891eed60 100644
|
|
|
28bffe |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_auditctl_rules_configured.pass.sh
|
|
|
28bffe |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_auditctl_rules_configured.pass.sh
|
|
|
28bffe |
@@ -2,6 +2,5 @@
|
|
|
28bffe |
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
|
|
|
28bffe |
# remediation = bash
|
|
|
28bffe |
|
|
|
28bffe |
-cp rhel7_privileged.rules /etc/audit/rules.d/privileged.rules
|
|
|
28bffe |
-cp rhel7_privileged.rules /etc/audit/audit.rules
|
|
|
28bffe |
+./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/audit.rules
|
|
|
28bffe |
sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh
|
|
|
28bffe |
index 77f9549418..74583bf989 100644
|
|
|
28bffe |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh
|
|
|
28bffe |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh
|
|
|
28bffe |
@@ -2,7 +2,6 @@
|
|
|
28bffe |
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
|
|
|
28bffe |
# remediation = bash
|
|
|
28bffe |
|
|
|
28bffe |
-cp rhel7_privileged.rules /etc/audit/rules.d/privileged.rules
|
|
|
28bffe |
-cp rhel7_privileged.rules /etc/audit/audit.rules
|
|
|
28bffe |
+./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules
|
|
|
28bffe |
# This is a trick to fail setup of this test in rhel6 systems
|
|
|
28bffe |
ls /usr/lib/systemd/system/auditd.service
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_own_key.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_own_key.rules
|
|
|
28bffe |
deleted file mode 100644
|
|
|
28bffe |
index 4df6d4ec8b..0000000000
|
|
|
28bffe |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_own_key.rules
|
|
|
28bffe |
+++ /dev/null
|
|
|
28bffe |
@@ -1,30 +0,0 @@
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
--a always,exit -F path=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_privileged.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_privileged.rules
|
|
|
28bffe |
deleted file mode 100644
|
|
|
28bffe |
index 4eb644acbc..0000000000
|
|
|
28bffe |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_privileged.rules
|
|
|
28bffe |
+++ /dev/null
|
|
|
28bffe |
@@ -1,30 +0,0 @@
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
--a always,exit -F path=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh
|
|
|
28bffe |
index ac5ef2ddd9..35a5fde2c6 100644
|
|
|
28bffe |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh
|
|
|
28bffe |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh
|
|
|
28bffe |
@@ -2,7 +2,6 @@
|
|
|
28bffe |
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
|
|
|
28bffe |
# remediation = bash
|
|
|
28bffe |
|
|
|
28bffe |
-cp rhel7_own_key.rules /etc/audit/rules.d/privileged.rules
|
|
|
28bffe |
-cp rhel7_own_key.rules /etc/audit/audit.rules
|
|
|
28bffe |
+./generate_privileged_commands_rule.sh 1000 own_key /etc/audit/rules.d/privileged.rules
|
|
|
28bffe |
# This is a trick to fail setup of this test in rhel6 systems
|
|
|
28bffe |
ls /usr/lib/systemd/system/auditd.service
|