Merge pull request #8557 from yuumasato/audit_kernel_modules_remediat…

…ion_alignment Align kernel_module_loading remediations
ComplianceAsCode · Apr 21, 2022 · 9f8d633 · 9f8d633
2 parents e732c1e + 8f2066b
commit 9f8d633
Show file tree

Hide file tree

Showing 10 changed files with 43 additions and 15 deletions.
diff --git a/...re_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/...re_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
@@ -3,7 +3,13 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-#
+
+{{% if product in ["ol8", "rhel8"] %}}
+{{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}}
+{{% else %}}
+{{% set auid_filters = "" %}}
+{{% endif %}}
+
 # What architecture are we on?
 #
 - name: Set architecture for audit tasks
@@ -18,15 +24,15 @@
     {{{ ansible_audit_augenrules_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b32",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=audit_syscalls,
       key="modules",
       syscall_grouping=audit_syscalls,
       )|indent(4) }}}
     {{{ ansible_audit_auditctl_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b32",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=audit_syscalls,
       key="modules",
       syscall_grouping=audit_syscalls,
@@ -37,15 +43,15 @@
     {{{ ansible_audit_augenrules_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b64",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=audit_syscalls,
       key="modules",
       syscall_grouping=audit_syscalls,
       )|indent(4) }}}
     {{{ ansible_audit_auditctl_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b64",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=audit_syscalls,
       key="modules",
       syscall_grouping=audit_syscalls,

diff --git a/...figure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh b/...figure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh
@@ -12,7 +12,11 @@ for ARCH in "${RULE_ARCHS[@]}"
 do
         ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
         OTHER_FILTERS=""
+        {{% if product in ["ol8", "rhel8"] %}}
+        AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
+        {{% else %}}
         AUID_FILTERS=""
+        {{% endif %}}
         SYSCALL="init_module finit_module delete_module"
         KEY="modules"
         SYSCALL_GROUPING="init_module finit_module delete_module"

diff --git a/...oading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_multiple_per_arg.pass.sh b/...oading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_multiple_per_arg.pass.sh
@@ -7,5 +7,8 @@ sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/sys
 rm -f /etc/audit/rules.d/*
 
 # cut out irrelevant rules for this test
-sed '1,10d' test_audit.rules > /etc/audit/audit.rules
-sed -i '5,8d' /etc/audit/audit.rules
+sed '1,8d' test_audit.rules > /etc/audit/audit.rules
+sed -i '4,7d' /etc/audit/audit.rules
+{{% if product in ["ol8", "rhel8"] %}}
+sed -i 's/-k modules/-F auid>=1000 -F auid!=unset -k modules/g' /etc/audit/audit.rules
+{{% endif %}}
diff --git a/...ule_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_arg.pass.sh b/...ule_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_arg.pass.sh
@@ -7,4 +7,7 @@ sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/sys
 rm -f /etc/audit/rules.d/*
 
 # cut out irrelevant rules for this test
-sed '1,13d' test_audit.rules > /etc/audit/audit.rules
+sed '1,12d' test_audit.rules > /etc/audit/audit.rules
+{{% if product in ["ol8", "rhel8"] %}}
+sed -i 's/-k modules/-F auid>=1000 -F auid!=unset -k modules/g' /etc/audit/audit.rules
+{{% endif %}}
diff --git a/...le_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line.pass.sh b/...le_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line.pass.sh
@@ -7,4 +7,7 @@ sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/sys
 rm -f /etc/audit/rules.d/*
 
 # cut out irrelevant rules for this test
-sed '11,18d' test_audit.rules > /etc/audit/audit.rules
+sed '8,15d' test_audit.rules > /etc/audit/audit.rules
+{{% if product in ["ol8", "rhel8"] %}}
+sed -i 's/-k modules/-F auid>=1000 -F auid!=unset -k modules/g' /etc/audit/audit.rules
+{{% endif %}}
diff --git a/...udit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line_one_missing.fail.sh b/...udit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line_one_missing.fail.sh
@@ -7,4 +7,4 @@ sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/sys
 rm -f /etc/audit/rules.d/*
 
 # cut out irrelevant rules for this test
-sed -e '11,18d' -e '/.*init.*/d' test_audit.rules > /etc/audit/audit.rules
+sed -e '7,15d' -e '/.*init.*/d' test_audit.rules > /etc/audit/audit.rules
diff --git a/...e_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh b/...e_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh
@@ -4,5 +4,8 @@
 rm -f /etc/audit/rules.d/*
 
 # cut out irrelevant rules for this test
-sed '1,10d' test_audit.rules > /etc/audit/rules.d/test.rules
-sed -i '5,8d' /etc/audit/rules.d/test.rules
+sed '1,8d' test_audit.rules > /etc/audit/rules.d/test.rules
+sed -i '4,7d' /etc/audit/rules.d/test.rules
+{{% if product in ["ol8", "rhel8"] %}}
+sed -i 's/-k modules/-F auid>=1000 -F auid!=unset -k modules/g' /etc/audit/rules.d/test.rules
+{{% endif %}}
diff --git a/...module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh b/...module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh
@@ -4,4 +4,7 @@
 rm -f /etc/audit/rules.d/*
 
 # cut out irrelevant rules for this test
-sed '1,13d' test_audit.rules > /etc/audit/rules.d/test.rules
+sed '1,12d' test_audit.rules > /etc/audit/rules.d/test.rules
+{{% if product in ["ol8", "rhel8"] %}}
+sed -i 's/-k modules/-F auid>=1000 -F auid!=unset -k modules/g' /etc/audit/rules.d/test.rules
+{{% endif %}}
diff --git a/...odule_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh b/...odule_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh
@@ -3,4 +3,7 @@
 rm -f /etc/audit/rules.d/*
 
 # cut out irrelevant rules for this test
-sed '11,18d' test_audit.rules > /etc/audit/rules.d/test.rules
+sed '8,15d' test_audit.rules > /etc/audit/rules.d/test.rules
+{{% if product in ["ol8", "rhel8"] %}}
+sed -i 's/-k modules/-F auid>=1000 -F auid!=unset -k modules/g' /etc/audit/rules.d/test.rules
+{{% endif %}}
diff --git a/...g/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line_one_missing.fail.sh b/...g/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line_one_missing.fail.sh
@@ -3,4 +3,4 @@
 rm -f /etc/audit/rules.d/*
 
 # cut out irrelevant rules for this test
-sed -e '11,18d' -e '/.*init.*/d' test_audit.rules > /etc/audit/rules.d/test.rules
+sed -e '7,15d' -e '/.*init.*/d' test_audit.rules > /etc/audit/rules.d/test.rules