diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml index 5784e5ad8f..a80c7dab8c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml @@ -10,11 +10,11 @@ description: |- to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify+
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modifyIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify+
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modifyrationale: |- Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. @@ -36,4 +36,4 @@ warnings: number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example: -
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify+
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modifydiff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml index 81841900f0..6181ad50f1 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml @@ -10,11 +10,11 @@ description: |- to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify+
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modifyIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify+
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modifyrationale: |- Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. @@ -36,4 +36,4 @@ warnings: number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example: -
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify+
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modifydiff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml index 3515398d50..9a69643a34 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml @@ -10,11 +10,11 @@ description: |- to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify+
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modifyIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify+
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modifyrationale: |- Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. @@ -36,4 +36,4 @@ warnings: number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example: -
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify+
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modifydiff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml index deb20d24c5..630b03b1b4 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml @@ -10,11 +10,11 @@ description: |- to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modifyIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modifyrationale: |- Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. @@ -36,4 +36,4 @@ warnings: number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example: -
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modifydiff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml index d65c9171e4..f1b9fbcd17 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml @@ -10,11 +10,11 @@ description: |- to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modifyIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modifyrationale: |- Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. @@ -36,4 +36,4 @@ warnings: number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example: -
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modifydiff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml index da910036b2..5460009264 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml @@ -10,11 +10,11 @@ description: |- to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modifyIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modifyrationale: |- Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. @@ -36,4 +36,4 @@ warnings: number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example: -
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modifydiff --git a/shared/templates/create_audit_rules_path_syscall.py b/shared/templates/create_audit_rules_path_syscall.py index 9ab984491e..4164f7b44f 100644 --- a/shared/templates/create_audit_rules_path_syscall.py +++ b/shared/templates/create_audit_rules_path_syscall.py @@ -26,6 +26,29 @@ def generate(self, target, args): }, "./oval/audit_rules_{0}_{1}.xml", pathid, syscall ) + + elif target == "bash": + self.file_from_template( + "./template_BASH_audit_rules_path_syscall", + { + "PATH": path, + "SYSCALL": syscall, + "POS": pos + }, + "./bash/audit_rules_{0}_{1}.sh", pathid, syscall + ) + + elif target == "ansible": + self.file_from_template( + "./template_ANSIBLE_audit_rules_path_syscall", + { + "PATH": path, + "SYSCALL": syscall, + "POS": pos + }, + "./ansible/audit_rules_{0}_{1}.yml", pathid, syscall + ) + else: raise UnknownTargetError(target) diff --git a/shared/templates/template_ANSIBLE_audit_rules_path_syscall b/shared/templates/template_ANSIBLE_audit_rules_path_syscall new file mode 100644 index 0000000000..4a27e0f521 --- /dev/null +++ b/shared/templates/template_ANSIBLE_audit_rules_path_syscall @@ -0,0 +1,76 @@ +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# reboot = true +# strategy = restrict +# complexity = low +# disruption = low + +# +# What architecture are we on? +# +- name: Set architecture for audit {{{ SYSCALL }}} tasks + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +# +# Inserts/replaces the rule in /etc/audit/rules.d +# +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: "/etc/audit/rules.d" + recurse: no + contains: ".*{{{ SYSCALL }}}(,[\\S]+)?[\\s]+-F[\\s]+{{{ POS }}}&03[\\s]+-F[\\s]+path={{{ PATH }}}.*" + patterns: "*.rules" + register: find_{{{ SYSCALL }}} + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/modify.rules + when: find_{{{ SYSCALL }}}.matched == 0 + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - "{{ find_{{{ SYSCALL }}}.files | map(attribute='path') | list | first }}" + when: find_{{{ SYSCALL }}}.matched > 0 + +- name: Inserts/replaces the {{{ SYSCALL }}} rule in rules.d when on x86 + lineinfile: + path: "{{ all_files[0] }}" + line: "{{ item }}" + create: yes + regexp: "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+" + with_items: + - "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify" + +- name: Inserts/replaces the {{{ SYSCALL }}} rule in rules.d when on x86_64 + lineinfile: + path: "{{ all_files[0] }}" + line: "{{ item }}" + create: yes + regexp: "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+" + with_items: + - "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify" + when: audit_arch == 'b64' +# +# Inserts/replaces the rule in /etc/audit/audit.rules +# +- name: Inserts/replaces the {{{ SYSCALL }}} rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: "{{ item }}" + state: present + dest: /etc/audit/audit.rules + regexp: "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+" + with_items: + - "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify" + +- name: Inserts/replaces the {{{ SYSCALL }}} rule in audit.rules when on x86_64 + lineinfile: + line: "{{ item }}" + state: present + dest: /etc/audit/audit.rules + create: yes + regexp: "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+" + with_items: + - "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify" + when: audit_arch == 'b64' diff --git a/shared/templates/template_BASH_audit_rules_path_syscall b/shared/templates/template_BASH_audit_rules_path_syscall new file mode 100644 index 0000000000..c3d31aade9 --- /dev/null +++ b/shared/templates/template_BASH_audit_rules_path_syscall @@ -0,0 +1,18 @@ +# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + +# Include source function library. +. /usr/share/scap-security-guide/remediation_functions + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}}.*" + GROUP="modify" + FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh index a9a4207877..8db9eab037 100644 --- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh +++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh @@ -1,7 +1,6 @@ #!/bin/bash # profiles = xccdf_org.ssgproject.content_profile_ospp -# remediation = none # Use auditctl in RHEL7 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh index 0eabbe097c..532ecedb88 100644 --- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh +++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh @@ -1,7 +1,6 @@ #!/bin/bash # profiles = xccdf_org.ssgproject.content_profile_ospp -# remediation = none # Use auditctl in RHEL7 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh index 6e17de9c20..72254d5c5c 100644 --- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh +++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh @@ -1,7 +1,6 @@ #!/bin/bash # profiles = xccdf_org.ssgproject.content_profile_ospp -# remediation = none echo "-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules echo "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh index 7b7b6bc76d..d4e169dcc6 100644 --- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh +++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh @@ -1,7 +1,6 @@ #!/bin/bash # profiles = xccdf_org.ssgproject.content_profile_ospp -# remediation = none echo "-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules echo "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh index 472b62ee57..409e96ad73 100644 --- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh +++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh @@ -1,7 +1,6 @@ #!/bin/bash # profiles = xccdf_org.ssgproject.content_profile_ospp -# remediation = none # Use auditctl in RHEL7 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh index 595a97ab22..9aca34dd42 100644 --- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh +++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh @@ -1,7 +1,6 @@ #!/bin/bash # profiles = xccdf_org.ssgproject.content_profile_ospp -# remediation = none # Use auditctl in RHEL7 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh index 6ef86ff816..b8c14e63f8 100644 --- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh +++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh @@ -1,7 +1,6 @@ #!/bin/bash # profiles = xccdf_org.ssgproject.content_profile_ospp -# remediation = none # Use auditctl in RHEL7 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh index 8c4aaaac25..a6c4c8814f 100644 --- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh +++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh @@ -1,7 +1,6 @@ #!/bin/bash # profiles = xccdf_org.ssgproject.content_profile_ospp -# remediation = none echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh index 28ee5ffd9d..7b7f1fd5c9 100644 --- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh +++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh @@ -1,7 +1,6 @@ #!/bin/bash # profiles = xccdf_org.ssgproject.content_profile_ospp -# remediation = none echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh index 9c9ac0fad4..0747c40b70 100644 --- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh +++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh @@ -1,7 +1,6 @@ #!/bin/bash # profiles = xccdf_org.ssgproject.content_profile_ospp -# remediation = none echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules