ComplianceAsCode · jan-cerny · Jan 17, 2023 · Jan 17, 2023 · Jan 17, 2023 · Jan 17, 2023
diff --git a/...ystem/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/ansible/shared.yml b/...ystem/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/ansible/shared.yml
@@ -0,0 +1,38 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "{{{ rule_title }}}: Determine if rules are loaded by auditctl"
+  ansible.builtin.find:
+    paths: '/usr/lib/systemd/system'
+    patterns: 'auditd.service'
+    contains: '^\s*ExecStartPost=-/sbin/auditctl'
+  register: auditctl_used
+
+- name: "{{{ rule_title }}}: Configure immutable login UIDs in /etc/audit/audit.rules"
+  ansible.builtin.lineinfile:
+    path: '/etc/audit/audit.rules'
+    line: '--loginuid-immutable'
+    regexp: '^\s*--loginuid-immutable\s*$'
+    create: true
+  when: auditctl_used is defined and auditctl_used.matched >= 1
+
+- name: "{{{ rule_title }}}: In case Augen-rules is used"
+  block:
+    - name: "{{{ rule_title }}}: Detect if immutable login UIDs are already defined in /etc/audit/rules.d/*.rules"
+      ansible.builtin.find:
+        paths: '/etc/audit/rules.d'
+        patterns: '*.rules'
+        contains: '^\s*--loginuid-immutable\s*$'
+      register: immutable_found_in_rules_d
+
+    - name: "{{{ rule_title }}}: set immutable login UIDS in /etc/audit/rules.d/immutable.rules"
+      ansible.builtin.lineinfile:
+        path: '/etc/audit/rules.d/immutable.rules'
+        line: '--loginuid-immutable'
+        regexp: '^\s*--loginuid-immutable\s*$'
+        create: true
+      when: immutable_found_in_rules_d is defined and immutable_found_in_rules_d.matched == 0
+  when: auditctl_used is defined and auditctl_used.matched == 0
diff --git a/...de/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/bash/shared.sh b/...de/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/bash/shared.sh
@@ -0,0 +1,19 @@
+# platform = multi_platform_all
+
+# in case auditctl is used
+if grep -q '^\s*ExecStartPost=-/sbin/auditctl' /usr/lib/systemd/system/auditd.service; then
+  if ! grep -q '^\s*--loginuid-immutable\s*$' /etc/audit/audit.rules; then
+    echo "--loginuid-immutable" >> /etc/audit/audit.rules
+  fi
+else
+  immutable_found=0
+  for f in /etc/audit/rules.d/*.rules; do
+    if grep -q '^\s*--loginuid-immutable\s*$' $f; then
+  immutable_found=1
+    fi
+  done
+  if [ $immutable_found -eq 0 ]; then
+    echo "--loginuid-immutable" >> /etc/audit/rules.d/immutable.rules
+  fi
+fi
+
diff --git a/...e/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/oval/shared.xml b/...e/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/oval/shared.xml
@@ -0,0 +1,45 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Check if system is configured to make login UIDs immutable") }}}
+    <criteria operator="OR">
+
+      <!-- Test the augenrules case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+        <criterion comment="check that --loginuid-immutable is set in /etc/audit/rules.d/*.rules" test_ref="test_augen_immutable_login_uids" />
+      </criteria>
+
+      <!-- Test the auditctl case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+        <criterion comment="test that --loginuid-immutable is set in /etc/audit/audit.rules" test_ref="test_auditctl_immutable_login_uids" />
+      </criteria>
+
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all"
+  comment="test presence of --loginuid-immutable in some file in /etc/audit/rules.d/*.rules"
+  id="test_augen_immutable_login_uids" version="1">
+  <ind:object object_ref="obj_augen_immutable_login_uids" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_augen_immutable_login_uids" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*--loginuid-immutable\s*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all"
+  comment="test presence of --loginuid-immutable in some file in /etc/audit/audit.rules"
+  id="test_auditctl_immutable_login_uids" version="1">
+  <ind:object object_ref="obj_auditctl_immutable_login_uids" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_auditctl_immutable_login_uids" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*--loginuid-immutable\s*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/...os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml b/...os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml
@@ -0,0 +1,50 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure immutable Audit login UIDs'
+
+description: |-
+    Configure kernel to prevent modification of login UIDs once they are set.
+    Changing login UIDs while this configuration is enforced requires special capabilities which
+    are not available to unprivileged users.
+    If the <tt>auditd</tt> daemon is configured to use the
+    <tt>augenrules</tt> program to read audit rules during daemon startup (the
+    default), add the following line to a file with suffix <tt>.rules</tt> in the
+    directory <tt>/etc/audit/rules.d</tt> in order to make login UIDs
+    immutable:
+    <pre>--loginuid-immutable</pre>
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following line to
+    <tt>/etc/audit/audit.rules</tt> file in order to make login UIDs
+    immutable:
+    <pre>--loginuid-immutable</pre>
+
+rationale: |-
+    If modification of login UIDs is not prevented, they can be changed by unprivileged users and
+    make auditing complicated or impossible.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-90783-2
+
+references:
+    disa: CCI-000162,CCI-000163,CCI-000164
+    srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
+    stigid@rhel8: RHEL-08-030122
+
+ocil_clause: 'the system is not configured to make login UIDs immutable'
+
+ocil: |-
+    To determine if the system is configured to make login UIDs immutable, run
+    one of the following commands.
+    If the <tt>auditd</tt> daemon is configured to use the
+    <tt>augenrules</tt> program to read audit rules during daemon startup (the
+    default), run the following:
+    <pre>sudo grep immutable /etc/audit/rules.d/*.rules</pre>
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, run the following command:
+    <pre>sudo grep immutable /etc/audit/audit.rules</pre>
+    The following line should be returned:
+    <pre>--loginuid-immutable</pre>
diff --git a/...ng/auditd_configure_rules/audit_rules_immutable_login_uids/tests/auditctl_correct.pass.sh b/...ng/auditd_configure_rules/audit_rules_immutable_login_uids/tests/auditctl_correct.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+echo "--loginuid-immutable" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/...configure_rules/audit_rules_immutable_login_uids/tests/auditctl_correct_commented.fail.sh b/...configure_rules/audit_rules_immutable_login_uids/tests/auditctl_correct_commented.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+echo "# --loginuid-immutable" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/..._configure_rules/audit_rules_immutable_login_uids/tests/auditctl_remove_all_rules.fail.sh b/..._configure_rules/audit_rules_immutable_login_uids/tests/auditctl_remove_all_rules.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+rm -f /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/...ting/auditd_configure_rules/audit_rules_immutable_login_uids/tests/auditctl_wrong.fail.sh b/...ting/auditd_configure_rules/audit_rules_immutable_login_uids/tests/auditctl_wrong.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+echo "--blablabla" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/.../auditd_configure_rules/audit_rules_immutable_login_uids/tests/augenrules_correct.pass.sh b/.../auditd_configure_rules/audit_rules_immutable_login_uids/tests/augenrules_correct.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+
+echo "--loginuid-immutable" >> /etc/audit/rules.d/login.rules
diff --git a/...nfigure_rules/audit_rules_immutable_login_uids/tests/augenrules_correct_commented.fail.sh b/...nfigure_rules/audit_rules_immutable_login_uids/tests/augenrules_correct_commented.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+
+echo "# --loginuid-immutable" >> /etc/audit/rules.d/login.rules
diff --git a/...onfigure_rules/audit_rules_immutable_login_uids/tests/augenrules_remove_all_rules.fail.sh b/...onfigure_rules/audit_rules_immutable_login_uids/tests/augenrules_remove_all_rules.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
diff --git a/...ng/auditd_configure_rules/audit_rules_immutable_login_uids/tests/augenrules_wrong.fail.sh b/...ng/auditd_configure_rules/audit_rules_immutable_login_uids/tests/augenrules_wrong.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+
+echo "--blabla" >> /etc/audit/rules.d/login.rules
@@ -721,7 +721,7 @@ selections:
     - audit_rules_immutable
 
     # RHEL-08-030122
-    - audit_immutable_login_uids
+    - audit_rules_immutable_login_uids
 
     # RHEL-08-030130
     - audit_rules_usergroup_modification_shadow

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -4131,4 +4131,3 @@ CCE-90778-2
 CCE-90780-8
 CCE-90781-6
 CCE-90782-4
-CCE-90783-2
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
@@ -78,7 +78,7 @@ selections:
 - aide_scan_notification
 - aide_verify_acls
 - aide_verify_ext_attributes
-- audit_immutable_login_uids
+
 - audit_rules_dac_modification_chmod
 - audit_rules_dac_modification_chown
 - audit_rules_dac_modification_fchmod
@@ -104,6 +104,7 @@ selections:
 - audit_rules_file_deletion_events_unlink
 - audit_rules_file_deletion_events_unlinkat
 - audit_rules_immutable
+- audit_rules_immutable_login_uids
 - audit_rules_kernel_module_loading_delete
 - audit_rules_kernel_module_loading_finit
 - audit_rules_kernel_module_loading_init

diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -89,7 +89,6 @@ selections:
 - aide_scan_notification
 - aide_verify_acls
 - aide_verify_ext_attributes
-- audit_immutable_login_uids
 - audit_rules_dac_modification_chmod
 - audit_rules_dac_modification_chown
 - audit_rules_dac_modification_fchmod
@@ -115,6 +114,7 @@ selections:
 - audit_rules_file_deletion_events_unlink
 - audit_rules_file_deletion_events_unlinkat
 - audit_rules_immutable
+- audit_rules_immutable_login_uids
 - audit_rules_kernel_module_loading_delete
 - audit_rules_kernel_module_loading_finit
 - audit_rules_kernel_module_loading_init