From f65d1b37c7433085f19dc10454067be7d0bfb180 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 12 Mar 2020 16:27:53 +0100
Subject: [PATCH 1/3] Fix remediation for /etc/sudoers.d/ and OVAL check
Add missing '/' to remediation and add OVAL checks for /etc/sudoers.d/.
---
.../bash/shared.sh | 4 ++--
.../oval/shared.xml | 20 +++++++++++++++++++
2 files changed, 22 insertions(+), 2 deletions(-)
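diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh
index 8e38874006..b6a4e7ef41 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh
@@ -7,5 +7,5 @@
 fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions"
 fix_audit_watch_rule "augenrules" "/etc/sudoers" "wa" "actions"
 
-fix_audit_watch_rule "auditctl" "/etc/sudoers.d" "wa" "actions"
-fix_audit_watch_rule "augenrules" "/etc/sudoers.d" "wa" "actions"
+fix_audit_watch_rule "auditctl" "/etc/sudoers.d/" "wa" "actions"
+fix_audit_watch_rule "augenrules" "/etc/sudoers.d/" "wa" "actions"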
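Review bot: Only the path argument changes here, so whether a rule already present without the trailing slash (`-w /etc/sudoers.d -p wa -k actions`) gets corrected or merely duplicated depends on how fix_audit_watch_rule, which is defined outside this file, looks up the existing rule; if it matches on the exact path string, this remediation would append a second watch for the same directory and leave the old line in place, which is the state missing_slash.fail.sh in patch 3 now treats as non-compliant. Worth confirming against the helper before merging. A short comment above the two calls, `# trailing slash on /etc/sudoers.d/ is required by the OVAL pattern`, would record why the directory and file paths are written differently.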
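diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml
index 172d2216b2..136630e695 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml
@@ -9,10 +9,12 @@
 <criteria operator="AND">
 <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
 <criterion comment="audit augenrules sudoers" test_ref="test_audit_rules_sysadmin_actions_sudoers_augenrules" />
+ <criterion comment="audit augenrules sudoers_d" test_ref="test_audit_rules_sysadmin_actions_sudoers_d_augenrules" />
 </criteria>
 <criteria operator="AND">
 <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
 <criterion comment="audit auditctl sudoers" test_ref="test_audit_rules_sysadmin_actions_sudoers_auditctl" />
+ <criterion comment="audit auditctl sudoers_d" test_ref="test_audit_rules_sysadmin_actions_sudoers_d_auditctl" />
 </criteria>
 </criteria>
 </definition>
@@ -26,6 +28,15 @@
 <ind:instance datatype="int">1</ind:instance>
 </ind:textfilecontent54_object>
 
+ <ind:textfilecontent54_test check="all" comment="audit augenrules sudoers" id="test_audit_rules_sysadmin_actions_sudoers_d_augenrules" version="1">
+ <ind:object object_ref="object_audit_rules_sysadmin_actions_sudoers_d_augenrules" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_audit_rules_sysadmin_actions_sudoers_d_augenrules" version="1">
+ <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+ <ind:pattern operation="pattern match">^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
 <ind:textfilecontent54_test check="all" comment="audit auditctl sudoers" id="test_audit_rules_sysadmin_actions_sudoers_auditctl" version="1">
 <ind:object object_ref="object_audit_rules_sysadmin_actions_sudoers_auditctl" />
 </ind:textfilecontent54_test>
@@ -35,4 +46,13 @@
 <ind:instance datatype="int">1</ind:instance>
 </ind:textfilecontent54_object>
 
+ <ind:textfilecontent54_test check="all" comment="audit auditctl sudoers" id="test_audit_rules_sysadmin_actions_sudoers_d_auditctl" version="1">
+ <ind:object object_ref="object_audit_rules_sysadmin_actions_sudoers_d_auditctl" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_audit_rules_sysadmin_actions_sudoers_d_auditctl" version="1">
+ <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+ <ind:pattern operation="pattern match">^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
 </def-group>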
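Review bot: The two new textfilecontent54_test elements keep the comment attribute copied from the /etc/sudoers tests — `comment="audit augenrules sudoers"` on test_audit_rules_sysadmin_actions_sudoers_d_augenrules and `comment="audit auditctl sudoers"` on test_audit_rules_sysadmin_actions_sudoers_d_auditctl — while the criterion elements added in the first hunk already say sudoers_d. Change them to `comment="audit augenrules sudoers_d"` and `comment="audit auditctl sudoers_d"` so scan reports can tell the directory watch apart from the file watch. The pattern deliberately requires the trailing slash in `/etc/sudoers\.d/`, consistent with the remediations and with missing_slash.fail.sh in patch 3; an XML comment next to the two pattern elements, `<!-- trailing slash is intentional: a rule without it is rejected -->`, would keep a later edit from "normalizing" it away and silently changing what the check accepts.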
From 2aa6680981aa0f730c671106ca019c357b3beba7 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 13 Mar 2020 18:33:38 +0100
Subject: [PATCH 2/3] Add Ansible for audit_rules_sysadmin_actions
---
.../ansible/shared.yml | 53 +++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml
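diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml
new file mode 100644
index 0000000000..6700eea565
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml
@@ -0,0 +1,53 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+# Inserts/replaces the rule in /etc/audit/rules.d
+
+- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions
+ find:
+ paths: "/etc/audit/rules.d"
+ recurse: no
+ contains: "^.*/etc/sudoers.*$"
+ patterns: "*.rules"
+ register: find_audit_sysadmin_actions
+
+- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule
+ set_fact:
+ all_sysadmin_actions_files:
+ - /etc/audit/rules.d/actions.rules
+ when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched == 0
+
+- name: Use matched file as the recipient for the rule
+ set_fact:
+ all_sysadmin_actions_files:
+ - "{{ find_audit_sysadmin_actions.files | map(attribute='path') | list | first }}"
+ when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched > 0
+
+- name: Inserts/replaces audit rule for /etc/sudoers rule in rules.d
+ lineinfile:
+ path: "{{ all_sysadmin_actions_files[0] }}"
+ line: '-w /etc/sudoers -p wa -k actions'
+ create: yes
+
+- name: Inserts/replaces audit rule for /etc/sudoers.d rule in rules.d
+ lineinfile:
+ path: "{{ all_sysadmin_actions_files[0] }}"
+ line: '-w /etc/sudoers.d/ -p wa -k actions'
+ create: yes
+
+# Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules
+
+- name: Inserts/replaces audit rule for /etc/sudoers in audit.rules
+ lineinfile:
+ path: /etc/audit/audit.rules
+ line: '-w /etc/sudoers -p wa -k actions'
+ create: yes
+
+- name: Inserts/replaces audit rule for /etc/sudoers.d in audit.rules
+ lineinfile:
+ path: /etc/audit/audit.rules
+ line: '-w /etc/sudoers.d/ -p wa -k actions'
+ create: yes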
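Review bot: The four lineinfile tasks set only `line:` and no `regexp:`, so despite their "Inserts/replaces" names they never replace anything: an existing watch on the same path that differs in key name, permission order (`-p aw`) or the trailing slash is left untouched and the new line is appended next to it, leaving the file in exactly the duplicate/missing-slash state the OVAL check in patch 1 rejects. Give each task a regexp that matches any existing watch on its path so lineinfile rewrites the old rule in place, e.g. `regexp: '^\s*-w\s+/etc/sudoers\.d/?\s+-p'` for the two sudoers.d tasks and `regexp: '^\s*-w\s+/etc/sudoers\s+-p'` for the two /etc/sudoers tasks (the `\s+` after sudoers keeps it from matching the directory rule). The comment `# Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules` looks like a leftover from a template where NAME is a parameter; in a rule-specific remediation it may not resolve, so spell out the rule name as the earlier comment for rules.d does.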
From 3d5cc1d32fa7c4e2c3de11d178c33459804d1a58 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 13 Mar 2020 18:42:05 +0100
Subject: [PATCH 3/3] Simple tests for audit_rules_sysadmin_actions
---
.../audit_rules_sysadmin_actions/tests/correct.pass.sh | 4 ++++
.../audit_rules_sysadmin_actions/tests/empty.fail.sh | 4 ++++
.../audit_rules_sysadmin_actions/tests/missing_slash.fail.sh | 4 ++++
3 files changed, 12 insertions(+)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/empty.fail.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/missing_slash.fail.sh
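diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/correct.pass.sh
new file mode 100644
index 0000000000..4d5f09b7b8
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/correct.pass.sh
@@ -0,0 +1,4 @@
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+
+echo "-w /etc/sudoers -p wa -k actions" >> /etc/audit/rules.d/actions.rules
+echo "-w /etc/sudoers.d/ -p wa -k actions" >> /etc/audit/rules.d/actions.rules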
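Review bot: The only pass scenario writes to /etc/audit/rules.d/actions.rules, so the auditctl variant added in patch 1 (test_audit_rules_sysadmin_actions_sudoers_d_auditctl, which reads /etc/audit/audit.rules) is never exercised by a passing case; only the augenrules branch gets positive coverage, and a regression in the audit.rules pattern would go unnoticed. A second pass script that writes the same two lines into /etc/audit/audit.rules would cover it, assuming the test harness lets the auditctl form be selected for this rule. A header comment such as `# augenrules form: rules live in /etc/audit/rules.d and are compiled by augenrules` would also make clear which of the two OVAL branches this fixture targets.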
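diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/empty.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/empty.fail.sh
new file mode 100644
index 0000000000..c14af6a088
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/empty.fail.sh
@@ -0,0 +1,4 @@
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules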
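diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/missing_slash.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/missing_slash.fail.sh
new file mode 100644
index 0000000000..09af980183
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/missing_slash.fail.sh
@@ -0,0 +1,4 @@
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+
+echo "-w /etc/sudoers -p wa -k actions" >> /etc/audit/rules.d/actions.rules
+echo "-w /etc/sudoers.d -p wa -k actions" >> /etc/audit/rules.d/actions.rules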