SRG-APP-000029-CTR-000085: Audit execution of all setuid and setgid binaries on RHCOS4
Showing 52 changed files with 1,074 additions and 39 deletions.
...commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/policy/stig/shared.yml (27 additions, 0 deletions)
@@ -0,0 +1,27 @@ | ||
srg_requirement: |- | ||
{{{ full_name }}} must audit all uses of the /usr/libexec/dbus-1/dbus-daemon-launch-helper command. | ||
vuldiscussion: |- | ||
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. | ||
Audit records can be generated from various components within the information system (e.g., module or policy filter). | ||
When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. | ||
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. | ||
checktext: |- | ||
Verify that {{{ full_name }}} is configured to audit the execution of the "/usr/libexec/dbus-1/dbus-daemon-launch-helper" command with the following command: | ||
$ sudo auditctl -l | grep /usr/libexec/dbus-1/dbus-daemon-launch-helper | ||
-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=unset -k privileged | ||
If the command does not return a line, or the line is commented out, this is a finding. | ||
fixtext: |- | ||
Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "polkit-agent-helper" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": | ||
-a always,exit -F path= /usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=unset -k privileged | ||
The audit daemon must be restarted for the changes to take effect. |
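Review bot: the fixtext in this hunk names the wrong command: it tells the reader to audit the "polkit-agent-helper" command, while the srg_requirement, the checktext and the rule line itself all concern /usr/libexec/dbus-1/dbus-daemon-launch-helper, so the quoted name should be changed to match. The fixtext rule line also has a stray space in `-F path= /usr/libexec/dbus-1/dbus-daemon-launch-helper`; an auditctl `-F` argument is a single `field=value` token, so the space detaches the path from the field and the line no longer matches the checktext line (which is written correctly, without the space). Dropping the space keeps the copy-pasted remediation identical to the expected `auditctl -l` output.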
...it_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/rule.yml (48 additions, 0 deletions)
@@ -0,0 +1,48 @@ | ||
{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} | ||
{{%- set perm_x="-F perm=x " %}} | ||
{{%- endif %}} | ||
|
||
documentation_complete: true | ||
|
||
prodtype: rhcos4 | ||
|
||
title: 'Ensure auditd Collects Information on the Use of Privileged Commands - dbus helper' | ||
|
||
description: |- | ||
At a minimum, the audit system should collect the execution of | ||
privileged commands for all users and root. If the <tt>auditd</tt> daemon is | ||
configured to use the <tt>augenrules</tt> program to read audit rules during | ||
daemon startup (the default), add a line of the following form to a file with | ||
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>: | ||
<pre>-a always,exit -F path= /usr/libexec/dbus-1/dbus-daemon-launch-helper-1 {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged</pre> | ||
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> | ||
utility to read audit rules during daemon startup, add a line of the following | ||
form to <tt>/etc/audit/audit.rules</tt>: | ||
<pre>-a always,exit -F path= /usr/libexec/dbus-1/dbus-daemon-launch-helper-1 {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged</pre> | ||
rationale: |- | ||
Misuse of privileged functions, either intentionally or unintentionally by | ||
authorized users, or by unauthorized external entities that have compromised system accounts, | ||
is a serious and ongoing concern and can have significant adverse impacts on organizations. | ||
Auditing the use of privileged functions is one way to detect such misuse and identify | ||
the risk from insider and advanced persistent threats. | ||
<br /><br /> | ||
Privileged programs are subject to escalation-of-privilege attacks, | ||
which attempt to subvert their normal role of providing some necessary but | ||
limited capability. As such, motivation exists to monitor these programs for | ||
unusual activity. | ||
severity: medium | ||
|
||
identifiers: | ||
cce@rhcos4: CCE-87183-0 | ||
|
||
references: | ||
srg: SRG-APP-000029-CTR-000085 | ||
|
||
{{{ ocil_fix_srg_privileged_command("/usr/libexec/dbus-1/dbus-daemon-launch-helper-1") }}} | ||
|
||
template: | ||
name: audit_rules_privileged_commands | ||
vars: | ||
path: /usr/libexec/dbus-1/dbus-daemon-launch-helper-1 |
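Review bot: the binary path in this rule does not agree with the STIG text added for it in policy/stig/shared.yml: the description, the ocil_fix_srg_privileged_command call and `vars: path:` all use /usr/libexec/dbus-1/dbus-daemon-launch-helper-1 with a trailing "-1", whereas shared.yml (checktext and fixtext) uses /usr/libexec/dbus-1/dbus-daemon-launch-helper. Since the template generates the audit rule, the check and the remediation from `vars.path`, a wrong path means the rule never fires on a real execution while the STIG check still expects the other path; please confirm which binary exists on RHCOS4 and use the same path in both files. The two `<pre>` lines in the description also carry the stray space in `-F path= /usr/...` that the fusermount and fusermount3 rules in this commit do not have, and this rule passes a full path to ocil_fix_srg_privileged_command while the other rules pass a bare command name (e.g. "fusermount"); aligning both with the sibling rules would keep the generated OCIL consistent.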
...ged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/tests/ocp4/e2e.yml (3 additions, 0 deletions)
@@ -0,0 +1,3 @@ | ||
--- | ||
default_result: FAIL | ||
result_after_remediation: PASS |
...dit_privileged_commands/audit_rules_privileged_commands_fusermount/policy/stig/shared.yml (27 additions, 0 deletions)
@@ -0,0 +1,27 @@ | ||
srg_requirement: |- | ||
{{{ full_name }}} must audit all uses of the fusermount command. | ||
vuldiscussion: |- | ||
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. | ||
Audit records can be generated from various components within the information system (e.g., module or policy filter). | ||
When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. | ||
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. | ||
checktext: |- | ||
Verify that {{{ full_name }}} is configured to audit the execution of the "fusermount" command with the following command: | ||
$ sudo auditctl -l | grep fusermount | ||
-a always,exit -F path=/usr/bin/fusermount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-fusermount | ||
If the command does not return a line, or the line is commented out, this is a finding. | ||
fixtext: |- | ||
Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "fusermount" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": | ||
-a always,exit -F path=/usr/bin/fusermount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-fusermount | ||
The audit daemon must be restarted for the changes to take effect. |
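Review bot: the audit key in the checktext and fixtext rule lines (`-k privileged-fusermount`) differs from the key documented in this rule's rule.yml description (`-F key=privileged`), so a system remediated as rule.yml describes will not produce the `auditctl -l` line the checktext says to expect, even though the two rules are otherwise identical in path, perm and auid filters. Either use one key in both files, or confirm that the generated OVAL check matches only on path, perm and auid so the key text is informational and note that in the checktext. The fusermount3 shared.yml in this commit has the same mismatch (`-k privileged-fusermount3` versus `-F key=privileged`).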
...igure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/rule.yml (48 additions, 0 deletions)
@@ -0,0 +1,48 @@ | ||
{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} | ||
{{%- set perm_x="-F perm=x " %}} | ||
{{%- endif %}} | ||
|
||
documentation_complete: true | ||
|
||
prodtype: rhcos4 | ||
|
||
title: 'Ensure auditd Collects Information on the Use of Privileged Commands - fusermount' | ||
|
||
description: |- | ||
At a minimum, the audit system should collect the execution of | ||
privileged commands for all users and root. If the <tt>auditd</tt> daemon is | ||
configured to use the <tt>augenrules</tt> program to read audit rules during | ||
daemon startup (the default), add a line of the following form to a file with | ||
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>: | ||
<pre>-a always,exit -F path=/usr/bin/fusermount {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged</pre> | ||
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> | ||
utility to read audit rules during daemon startup, add a line of the following | ||
form to <tt>/etc/audit/audit.rules</tt>: | ||
<pre>-a always,exit -F path=/usr/bin/fusermount {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged</pre> | ||
rationale: |- | ||
Misuse of privileged functions, either intentionally or unintentionally by | ||
authorized users, or by unauthorized external entities that have compromised system accounts, | ||
is a serious and ongoing concern and can have significant adverse impacts on organizations. | ||
Auditing the use of privileged functions is one way to detect such misuse and identify | ||
the risk from insider and advanced persistent threats. | ||
<br /><br /> | ||
Privileged programs are subject to escalation-of-privilege attacks, | ||
which attempt to subvert their normal role of providing some necessary but | ||
limited capability. As such, motivation exists to monitor these programs for | ||
unusual activity. | ||
severity: medium | ||
|
||
identifiers: | ||
cce@rhcos4: CCE-86210-2 | ||
|
||
references: | ||
srg: SRG-APP-000029-CTR-000085 | ||
|
||
{{{ ocil_fix_srg_privileged_command("fusermount") }}} | ||
|
||
template: | ||
name: audit_rules_privileged_commands | ||
vars: | ||
path: /usr/bin/fusermount |
...s/audit_privileged_commands/audit_rules_privileged_commands_fusermount/tests/ocp4/e2e.yml (3 additions, 0 deletions)
@@ -0,0 +1,3 @@ | ||
--- | ||
default_result: FAIL | ||
result_after_remediation: PASS |
...it_privileged_commands/audit_rules_privileged_commands_fusermount3/policy/stig/shared.yml (27 additions, 0 deletions)
@@ -0,0 +1,27 @@ | ||
srg_requirement: |- | ||
{{{ full_name }}} must audit all uses of the fusermount3 command. | ||
vuldiscussion: |- | ||
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. | ||
Audit records can be generated from various components within the information system (e.g., module or policy filter). | ||
When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. | ||
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. | ||
checktext: |- | ||
Verify that {{{ full_name }}} is configured to audit the execution of the "fusermount3" command with the following command: | ||
$ sudo auditctl -l | grep fusermount3 | ||
-a always,exit -F path=/usr/bin/fusermount3 -F perm=x -F auid>=1000 -F auid!=unset -k privileged-fusermount3 | ||
If the command does not return a line, or the line is commented out, this is a finding. | ||
fixtext: |- | ||
Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "fusermount3" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": | ||
-a always,exit -F path=/usr/bin/fusermount3 -F perm=x -F auid>=1000 -F auid!=unset -k privileged-fusermount3 | ||
The audit daemon must be restarted for the changes to take effect. |
...gure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/rule.yml (48 additions, 0 deletions)
@@ -0,0 +1,48 @@ | ||
{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} | ||
{{%- set perm_x="-F perm=x " %}} | ||
{{%- endif %}} | ||
|
||
documentation_complete: true | ||
|
||
prodtype: rhcos4 | ||
|
||
title: 'Ensure auditd Collects Information on the Use of Privileged Commands - fusermount3' | ||
|
||
description: |- | ||
At a minimum, the audit system should collect the execution of | ||
privileged commands for all users and root. If the <tt>auditd</tt> daemon is | ||
configured to use the <tt>augenrules</tt> program to read audit rules during | ||
daemon startup (the default), add a line of the following form to a file with | ||
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>: | ||
<pre>-a always,exit -F path=/usr/bin/fusermount3 {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged</pre> | ||
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> | ||
utility to read audit rules during daemon startup, add a line of the following | ||
form to <tt>/etc/audit/audit.rules</tt>: | ||
<pre>-a always,exit -F path=/usr/bin/fusermount3 {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged</pre> | ||
rationale: |- | ||
Misuse of privileged functions, either intentionally or unintentionally by | ||
authorized users, or by unauthorized external entities that have compromised system accounts, | ||
is a serious and ongoing concern and can have significant adverse impacts on organizations. | ||
Auditing the use of privileged functions is one way to detect such misuse and identify | ||
the risk from insider and advanced persistent threats. | ||
<br /><br /> | ||
Privileged programs are subject to escalation-of-privilege attacks, | ||
which attempt to subvert their normal role of providing some necessary but | ||
limited capability. As such, motivation exists to monitor these programs for | ||
unusual activity. | ||
severity: medium | ||
|
||
identifiers: | ||
cce@rhcos4: CCE-86676-4 | ||
|
||
references: | ||
srg: SRG-APP-000029-CTR-000085 | ||
|
||
{{{ ocil_fix_srg_privileged_command("fusermount3") }}} | ||
|
||
template: | ||
name: audit_rules_privileged_commands | ||
vars: | ||
path: /usr/bin/fusermount3 |
.../audit_privileged_commands/audit_rules_privileged_commands_fusermount3/tests/ocp4/e2e.yml (3 additions, 0 deletions)
@@ -0,0 +1,3 @@ | ||
--- | ||
default_result: FAIL | ||
result_after_remediation: PASS |