|
|
28bffe |
diff --git a/shared/checks/oval/directory_access_var_log_audit.xml b/shared/checks/oval/directory_access_var_log_audit.xml
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..8edc5970d3
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/shared/checks/oval/directory_access_var_log_audit.xml
|
|
|
28bffe |
@@ -0,0 +1,57 @@
|
|
|
28bffe |
+<def-group>
|
|
|
28bffe |
+ <definition class="compliance" id="directory_access_var_log_audit" version="1">
|
|
|
28bffe |
+ <metadata>
|
|
|
28bffe |
+ <title>Ensure auditd Collects Information Read Access to /var/log/audit</title>
|
|
|
28bffe |
+ <affected family="unix">
|
|
|
28bffe |
+ <platform>Red Hat Enterprise Linux 7</platform>
|
|
|
28bffe |
+ <platform>multi_platform_fedora</platform>
|
|
|
28bffe |
+ </affected>
|
|
|
28bffe |
+ <description>Audit rules about the read events to /var/log/audit</description>
|
|
|
28bffe |
+ </metadata>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="OR">
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="AND">
|
|
|
28bffe |
+ <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
|
|
|
28bffe |
+ <criterion comment="audit rule to record read access events to /var/log/audit" test_ref="test_directory_acccess_var_log_audit_augenrules" />
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="AND">
|
|
|
28bffe |
+ <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
|
|
|
28bffe |
+ <criterion comment="audit rule to record read access events to /var/log/audit" test_ref="test_directory_acccess_var_log_audit_auditctl" />
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+ </definition>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <constant_variable id="var_audit_rule_access_var_log_audit_regex" version="1" datatype="string" comment="audit rule arch and syscal">
|
|
|
28bffe |
+ <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
|
|
|
28bffe |
+ </constant_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_directory_acccess_var_log_audit_augenrules" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_directory_acccess_var_log_audit_augenrules" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_directory_acccess_var_log_audit_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_access_var_log_audit_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_directory_acccess_var_log_audit_auditctl" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_directory_acccess_var_log_audit_auditctl" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_directory_acccess_var_log_audit_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath>/etc/audit/audit.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_access_var_log_audit_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+</def-group>
|
|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..acf6fc6a0e
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule
|
|
|
28bffe |
@@ -0,0 +1,33 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Record Access Events to Audit Log directory'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ The audit system should collect access events to read audit log directory.
|
|
|
28bffe |
+ The following audit rule will assure that access to audit log directory are
|
|
|
28bffe |
+ collected.
|
|
|
28bffe |
+ -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>
|
|
|
28bffe |
+ program to read audit rules during daemon startup (the default), add the
|
|
|
28bffe |
+ rule to a file with suffix <tt>.rules</tt> in the directory
|
|
|
28bffe |
+ <tt>/etc/audit/rules.d</tt>.
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
28bffe |
+ utility to read audit rules during daemon startup, add the rule to
|
|
|
28bffe |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
|
|
|
28bffe |
+ Auditing these events could serve as evidence of potential system compromise.'
|
|
|
28bffe |
+
|
|
|
28bffe |
+references:
|
|
|
28bffe |
+ ospp@rhel7: FAU_GEN.1.1.c
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: unknown
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil_clause: "no line is returned"
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil: |-
|
|
|
28bffe |
+ To determine if the system is configured to audit accesses to
|
|
|
28bffe |
+ /var/log/audit directory, run the following command:
|
|
|
28bffe |
+ $ sudo grep "dir=/var/log/audit" /etc/audit/audit.rules
|
|
|
28bffe |
+ If the system is configured to audit this activity, it will return a line.
|
|
|
28bffe |
diff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42-draft.profile
|
|
|
28bffe |
index 42c1e98e39..0a71eb16f6 100644
|
|
|
28bffe |
--- a/rhel7/profiles/ospp42-draft.profile
|
|
|
28bffe |
+++ b/rhel7/profiles/ospp42-draft.profile
|
|
|
28bffe |
@@ -139,6 +139,7 @@ selections:
|
|
|
28bffe |
- audit_rules_privileged_commands_sudo
|
|
|
28bffe |
- audit_rules_privileged_commands_su
|
|
|
28bffe |
- audit_rules_session_events
|
|
|
28bffe |
+ - directory_access_var_log_audit
|
|
|
28bffe |
- ensure_redhat_gpgkey_installed
|
|
|
28bffe |
- ensure_gpgcheck_globally_activated
|
|
|
28bffe |
- ensure_gpgcheck_never_disabled
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..e9b1d56af3
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh
|
|
|
28bffe |
@@ -0,0 +1,9 @@
|
|
|
28bffe |
+#!/bin/bash
|
|
|
28bffe |
+
|
|
|
28bffe |
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
28bffe |
+# remediation = none
|
|
|
28bffe |
+
|
|
|
28bffe |
+# Use auditctl in RHEL7
|
|
|
28bffe |
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
|
|
|
28bffe |
+
|
|
|
28bffe |
+echo "-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/audit.rules
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..1c68a3229b
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh
|
|
|
28bffe |
@@ -0,0 +1,9 @@
|
|
|
28bffe |
+#!/bin/bash
|
|
|
28bffe |
+
|
|
|
28bffe |
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
28bffe |
+# remediation = none
|
|
|
28bffe |
+
|
|
|
28bffe |
+# Use auditctl in RHEL7
|
|
|
28bffe |
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
|
|
|
28bffe |
+
|
|
|
28bffe |
+echo "-a always,exit -F dir=/var/log/auditd/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/audit.rules
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..58ef8bc15f
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh
|
|
|
28bffe |
@@ -0,0 +1,6 @@
|
|
|
28bffe |
+#!/bin/bash
|
|
|
28bffe |
+
|
|
|
28bffe |
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
28bffe |
+# remediation = none
|
|
|
28bffe |
+
|
|
|
28bffe |
+echo "-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..29f0f2d38e
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh
|
|
|
28bffe |
@@ -0,0 +1,6 @@
|
|
|
28bffe |
+#!/bin/bash
|
|
|
28bffe |
+
|
|
|
28bffe |
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
28bffe |
+# remediation = none
|
|
|
28bffe |
+
|
|
|
28bffe |
+echo "-a always,exit -F dir=/var/log/auditd/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..82eae1895d
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh
|
|
|
28bffe |
@@ -0,0 +1,6 @@
|
|
|
28bffe |
+#!/bin/bash
|
|
|
28bffe |
+
|
|
|
28bffe |
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
28bffe |
+# remediation = none
|
|
|
28bffe |
+
|
|
|
28bffe |
+echo "-a always,exit -F dir=/var/log/audit/ -F perm=w -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules
|