Blame SOURCES/scap-security-guide-0.1.41-audit_log_access.patch

28bffe
diff --git a/shared/checks/oval/directory_access_var_log_audit.xml b/shared/checks/oval/directory_access_var_log_audit.xml
28bffe
new file mode 100644
28bffe
index 0000000000..8edc5970d3
28bffe
--- /dev/null
28bffe
+++ b/shared/checks/oval/directory_access_var_log_audit.xml
28bffe
@@ -0,0 +1,57 @@
28bffe
+<def-group>
28bffe
+  <definition class="compliance" id="directory_access_var_log_audit" version="1">
28bffe
+    <metadata>
28bffe
+      <title>Ensure auditd Collects Information Read Access to /var/log/audit</title>
28bffe
+      <affected family="unix">
28bffe
+        <platform>Red Hat Enterprise Linux 7</platform>
28bffe
+        <platform>multi_platform_fedora</platform>
28bffe
+      </affected>
28bffe
+      <description>Audit rules about the read events to /var/log/audit</description>
28bffe
+    </metadata>
28bffe
+
28bffe
+    <criteria operator="OR">
28bffe
+
28bffe
+      
28bffe
+      <criteria operator="AND">
28bffe
+        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
28bffe
+        <criterion comment="audit rule to record read access events to /var/log/audit" test_ref="test_directory_acccess_var_log_audit_augenrules" />
28bffe
+      </criteria>
28bffe
+
28bffe
+      
28bffe
+      <criteria operator="AND">
28bffe
+        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
28bffe
+        <criterion comment="audit rule to record read access events to /var/log/audit" test_ref="test_directory_acccess_var_log_audit_auditctl" />
28bffe
+      </criteria>
28bffe
+
28bffe
+    </criteria>
28bffe
+  </definition>
28bffe
+
28bffe
+  
28bffe
+  <constant_variable id="var_audit_rule_access_var_log_audit_regex" version="1" datatype="string" comment="audit rule arch and syscal">
28bffe
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
28bffe
+  </constant_variable>
28bffe
+
28bffe
+  
28bffe
+  
28bffe
+ comment="defined audit rule must exist" id="test_directory_acccess_var_log_audit_augenrules" version="1">
28bffe
+    <ind:object object_ref="object_directory_acccess_var_log_audit_augenrules" />
28bffe
+  </ind:textfilecontent54_test>
28bffe
+  <ind:textfilecontent54_object id="object_directory_acccess_var_log_audit_augenrules" version="1">
28bffe
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
28bffe
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_access_var_log_audit_regex" />
28bffe
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
28bffe
+  </ind:textfilecontent54_object>
28bffe
+
28bffe
+
28bffe
+  
28bffe
+  
28bffe
+ comment="defined audit rule must exist" id="test_directory_acccess_var_log_audit_auditctl" version="1">
28bffe
+    <ind:object object_ref="object_directory_acccess_var_log_audit_auditctl" />
28bffe
+  </ind:textfilecontent54_test>
28bffe
+  <ind:textfilecontent54_object id="object_directory_acccess_var_log_audit_auditctl" version="1">
28bffe
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
28bffe
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_access_var_log_audit_regex" />
28bffe
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
28bffe
+  </ind:textfilecontent54_object>
28bffe
+
28bffe
+</def-group>
28bffe
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule
28bffe
new file mode 100644
28bffe
index 0000000000..acf6fc6a0e
28bffe
--- /dev/null
28bffe
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule
28bffe
@@ -0,0 +1,33 @@
28bffe
+documentation_complete: true
28bffe
+
28bffe
+title: 'Record Access Events to Audit Log directory'
28bffe
+
28bffe
+description: |-
28bffe
+    The audit system should collect access events to read audit log directory.
28bffe
+    The following audit rule will assure that access to audit log directory are
28bffe
+    collected.
28bffe
+    
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
28bffe
+    If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>
28bffe
+    program to read audit rules during daemon startup (the default), add the
28bffe
+    rule to a file with suffix <tt>.rules</tt> in the directory
28bffe
+    <tt>/etc/audit/rules.d</tt>.
28bffe
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
28bffe
+    utility to read audit rules during daemon startup, add the rule to
28bffe
+    <tt>/etc/audit/audit.rules</tt> file.
28bffe
+
28bffe
+rationale: |-
28bffe
+    Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
28bffe
+    Auditing these events could serve as evidence of potential system compromise.'
28bffe
+
28bffe
+references:
28bffe
+    ospp@rhel7: FAU_GEN.1.1.c
28bffe
+
28bffe
+severity: unknown
28bffe
+
28bffe
+ocil_clause: "no line is returned"
28bffe
+
28bffe
+ocil: |-
28bffe
+    To determine if the system is configured to audit accesses to
28bffe
+    /var/log/audit directory, run the following command:
28bffe
+    
$ sudo grep "dir=/var/log/audit" /etc/audit/audit.rules
28bffe
+    If the system is configured to audit this activity, it will return a line.
28bffe
diff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42-draft.profile
28bffe
index 42c1e98e39..0a71eb16f6 100644
28bffe
--- a/rhel7/profiles/ospp42-draft.profile
28bffe
+++ b/rhel7/profiles/ospp42-draft.profile
28bffe
@@ -139,6 +139,7 @@ selections:
28bffe
     - audit_rules_privileged_commands_sudo
28bffe
     - audit_rules_privileged_commands_su
28bffe
     - audit_rules_session_events
28bffe
+    - directory_access_var_log_audit
28bffe
     - ensure_redhat_gpgkey_installed
28bffe
     - ensure_gpgcheck_globally_activated
28bffe
     - ensure_gpgcheck_never_disabled
28bffe
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh
28bffe
new file mode 100644
28bffe
index 0000000000..e9b1d56af3
28bffe
--- /dev/null
28bffe
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh
28bffe
@@ -0,0 +1,9 @@
28bffe
+#!/bin/bash
28bffe
+
28bffe
+# profiles = xccdf_org.ssgproject.content_profile_ospp
28bffe
+# remediation = none
28bffe
+
28bffe
+# Use auditctl in RHEL7
28bffe
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
28bffe
+
28bffe
+echo "-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/audit.rules
28bffe
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh
28bffe
new file mode 100644
28bffe
index 0000000000..1c68a3229b
28bffe
--- /dev/null
28bffe
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh
28bffe
@@ -0,0 +1,9 @@
28bffe
+#!/bin/bash
28bffe
+
28bffe
+# profiles = xccdf_org.ssgproject.content_profile_ospp
28bffe
+# remediation = none
28bffe
+
28bffe
+# Use auditctl in RHEL7
28bffe
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
28bffe
+
28bffe
+echo "-a always,exit -F dir=/var/log/auditd/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/audit.rules
28bffe
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh
28bffe
new file mode 100644
28bffe
index 0000000000..58ef8bc15f
28bffe
--- /dev/null
28bffe
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh
28bffe
@@ -0,0 +1,6 @@
28bffe
+#!/bin/bash
28bffe
+
28bffe
+# profiles = xccdf_org.ssgproject.content_profile_ospp
28bffe
+# remediation = none
28bffe
+
28bffe
+echo "-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules
28bffe
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh
28bffe
new file mode 100644
28bffe
index 0000000000..29f0f2d38e
28bffe
--- /dev/null
28bffe
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh
28bffe
@@ -0,0 +1,6 @@
28bffe
+#!/bin/bash
28bffe
+
28bffe
+# profiles = xccdf_org.ssgproject.content_profile_ospp
28bffe
+# remediation = none
28bffe
+
28bffe
+echo "-a always,exit -F dir=/var/log/auditd/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules
28bffe
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh
28bffe
new file mode 100644
28bffe
index 0000000000..82eae1895d
28bffe
--- /dev/null
28bffe
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh
28bffe
@@ -0,0 +1,6 @@
28bffe
+#!/bin/bash
28bffe
+
28bffe
+# profiles = xccdf_org.ssgproject.content_profile_ospp
28bffe
+# remediation = none
28bffe
+
28bffe
+echo "-a always,exit -F dir=/var/log/audit/ -F perm=w -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules