From df2d0801ece5f5a159c3d234ba92fb01aaee1c0b Mon Sep 17 00:00:00 2001 
From: rchikov Date: Fri, 17 Feb 2023 11:18:44 +0100 Subject: [PATCH] New SLE 12/15 rule audit_rules_mac_modification_usr_share --- controls/cis_sle12.yml | 3 +- controls/cis_sle15.yml | 3 +- .../ansible/shared.yml | 9 ++++ .../bash/shared.sh | 5 ++ .../oval/shared.xml | 40 +++++++++++++++ .../rule.yml | 49 +++++++++++++++++++ .../tests/auditctl_correct.pass.sh | 7 +++ .../auditctl_correct_without_key.pass.sh | 7 +++ .../tests/auditctl_missing.fail.sh | 7 +++ .../tests/auditctl_wrong_value.fail.sh | 8 +++ .../tests/augen_correct.pass.sh | 4 ++ .../tests/augen_correct_without_key.pass.sh | 4 ++ .../tests/augen_missing.fail.sh | 4 ++ .../tests/augen_wrong_value.fail.sh | 5 ++ shared/references/cce-sle12-avail.txt | 1 - shared/references/cce-sle15-avail.txt | 1 - 16 files changed, 153 insertions(+), 4 deletions(-) create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/ansible/shared.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/bash/shared.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/oval/shared.xml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_correct.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_correct_without_key.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_missing.fail.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_wrong_value.fail.sh create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_correct.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_correct_without_key.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_missing.fail.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_wrong_value.fail.sh diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml index 39d8778c800..1ffd2d83aeb 100644 --- a/controls/cis_sle12.yml +++ b/controls/cis_sle12.yml @@ -1166,9 +1166,10 @@ controls: levels: - l2_server - l2_workstation - automated: partially # rule for checking audit watch on /usr/share/selinux is missing + status: automated rules: - audit_rules_mac_modification + - audit_rules_mac_modification_usr_share - id: 4.1.7 title: Ensure login and logout events are collected (Automated) diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml index 72e3e5fb8f5..6dcf9063c4f 100644 --- a/controls/cis_sle15.yml +++ b/controls/cis_sle15.yml @@ -1338,9 +1338,10 @@ controls: levels: - l2_server - l2_workstation - automated: partially # rule for checking audit watch on /usr/share/selinux is missing + status: automated rules: - audit_rules_mac_modification + - audit_rules_mac_modification_usr_share - id: 4.1.7 title: Ensure login and logout events are collected (Automated) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/ansible/shared.yml new file mode 100644 index 00000000000..eb4749d44fe --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/ansible/shared.yml 
@@ -0,0 +1,9 @@ +# platform = multi_platform_sle +# reboot = true +# strategy = restrict +# complexity = low +# disruption = low + +{{{ ansible_audit_augenrules_add_watch_rule(path="/usr/share/selinux/", permissions="wa", key="MAC-policy") }}} + +{{{ ansible_audit_auditctl_add_watch_rule(path="/usr/share/selinux/", permissions="wa", key="MAC-policy") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/bash/shared.sh new file mode 100644 index 00000000000..334503fb1b6 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/bash/shared.sh @@ -0,0 +1,5 @@ +# platform = multi_platform_sle + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +{{{ bash_fix_audit_watch_rule("auditctl", "/usr/share/selinux/", "wa", "MAC-policy") }}} +{{{ bash_fix_audit_watch_rule("augenrules", "/usr/share/selinux/", "wa", "MAC-policy") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/oval/shared.xml new file mode 100644 index 00000000000..783016b6415 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/oval/shared.xml @@ -0,0 +1,40 @@ + + + {{{ oval_metadata("Audit rules that detect changes to the system's mandatory access controls (SELinux) in usr/share/selinux are enabled.") }}} + + + + + + + + + + + + + + + + + + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/usr/share/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ + 1 + + + + + + + /etc/audit/audit.rules + ^\-w[\s]+/usr/share/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ + 1 + + + 
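Review bot: Both regex patterns in the OVAL hunk (`^\-w[\s]+/usr/share/selinux/[\s]+\-p...`) require a trailing slash on the watched path, so a rule written as `-w /usr/share/selinux -p wa -k MAC-policy`, which auditd accepts as a watch on the same directory, is reported as a failure even though the remediations here only ever emit the slash form. Making the slash optional, `^\-w[\s]+/usr/share/selinux/?[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$`, in both the rules.d and audit.rules patterns avoids that false failure without loosening the permission check. The XML element tags around the patterns are not visible in this rendering, so the criteria structure itself could not be checked. The `oval_metadata` text also says "usr/share/selinux" without a leading slash; `/usr/share/selinux` would match the path the patterns test.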
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/rule.yml new file mode 100644 index 00000000000..56e08deb997 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/rule.yml @@ -0,0 +1,49 @@ +documentation_complete: true + +title: 'Record Events that Modify the System''s Mandatory Access Controls in usr/share' + +description: |- + If the auditd daemon is configured to use the + augenrules program to read audit rules during daemon startup (the + default), add the following line to a file with suffix .rules in the + directory /etc/audit/rules.d: +
-w /usr/share/selinux/ -p wa -k MAC-policy
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following line to + /etc/audit/audit.rules file: +
-w /usr/share/selinux/ -p wa -k MAC-policy
+ +rationale: |- + The system's mandatory access policy (SELinux) should not be + arbitrarily changed by anything other than administrator action. All changes to + MAC policy should be audited. + +severity: medium + +identifiers: + cce@sle12: CCE-92400-1 + cce@sle15: CCE-92515-6 + +references: + cis@sle12: 4.1.6 + cis@sle15: 4.1.6 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 + cui: 3.1.8 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' + iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2 + nist: AU-2(d),AU-12(c),CM-6(a) + nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4 + ospp: FAU_GEN.1.1.c + pcidss: Req-10.5.5 + +ocil_clause: 'the system is not configured to audit attempts to change the MAC policy' + +ocil: |- + To determine if the system is configured to audit changes to its SELinux + configuration files, run the following command: +
$ sudo auditctl -l | grep "dir=/usr/share/selinux"
+ If the system is configured to watch for changes to its SELinux + configuration, a line should be returned (including + perm=wa indicating permissions that are watched). diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_correct.pass.sh new file mode 100644 index 00000000000..76f60a81c8d --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_correct.pass.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# packages = audit + +# use auditctl +sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service + +echo "-w /usr/share/selinux/ -p wa -k MAC-policy" > /etc/audit/audit.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_correct_without_key.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_correct_without_key.pass.sh new file mode 100644 index 00000000000..98255fea706 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_correct_without_key.pass.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# packages = audit + +# use auditctl +sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service + +echo "-w /usr/share/selinux/ -p wa" > /etc/audit/audit.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_missing.fail.sh new file mode 100644 index 00000000000..2ae06653834 --- /dev/null 
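Review bot: The `ocil` procedure greps `auditctl -l` output for `dir=/usr/share/selinux`, but the audit versions shipped on SLE 12/15 list watches in rule syntax (`-w /usr/share/selinux -p wa -k MAC-policy`), so the `dir=` form likely returns nothing even when the watch is present; this should be confirmed against a target system, and if so the check text should read `$ sudo auditctl -l | grep "/usr/share/selinux"` with the expected line quoted in rule syntax and `-p wa` named in place of `perm=wa`. The `title` says "in usr/share" without the leading slash while the `description` uses `/usr/share/selinux/`; `in /usr/share` would keep them consistent.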
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_missing.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# packages = audit + +# use auditctl +sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service + +echo "some value" > /etc/audit/audit.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_wrong_value.fail.sh new file mode 100644 index 00000000000..3a6308aab0b --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_wrong_value.fail.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# packages = audit + +# use auditctl +sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service + +echo "-w /etc/passwd -p w -k MAC-policy" > /etc/audit/audit.rules + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_correct.pass.sh new file mode 100644 index 00000000000..73d698a3caa --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_correct.pass.sh @@ -0,0 +1,4 @@ +#!/bin/bash +# packages = audit + +echo "-w /usr/share/selinux/ -p wa -k MAC-policy" > /etc/audit/rules.d/MAC-policy.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_correct_without_key.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_correct_without_key.pass.sh new file mode 100644 index 00000000000..3fa086ac249 --- /dev/null 
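Review bot: `auditctl_wrong_value.fail.sh` changes both the path and the permissions (`-w /etc/passwd -p w -k MAC-policy`), so a regression in the permission part of the OVAL regex would still make this test fail for the wrong reason and go unnoticed. A fail scenario with the right path but insufficient permissions, `echo "-w /usr/share/selinux/ -p w -k MAC-policy" > /etc/audit/audit.rules`, and a pass scenario with the alternate ordering the regex accepts, `echo "-w /usr/share/selinux/ -p aw -k MAC-policy" > /etc/audit/audit.rules`, would isolate each branch of the check. The same gap applies to `augen_wrong_value.fail.sh` (`-w /etc/group -p w -k MAC-policy`) in the following hunk. The hunk also ends with a stray blank `+` line that the other test scripts do not have.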
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_correct_without_key.pass.sh @@ -0,0 +1,4 @@ +#!/bin/bash +# packages = audit + +echo "-w /usr/share/selinux/ -p wa" > /etc/audit/rules.d/MAC-policy.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_missing.fail.sh new file mode 100644 index 00000000000..9aec7008201 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_missing.fail.sh @@ -0,0 +1,4 @@ +#!/bin/bash +# packages = audit + +rm -rf /etc/audit/rules.d/* diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_wrong_value.fail.sh new file mode 100644 index 00000000000..764d8344cc0 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_wrong_value.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# packages = audit + +rm -rf /etc/audit/rules.d/* +echo "-w /etc/group -p w -k MAC-policy" > /etc/audit/rules.d/MAC-policy.rules diff --git a/shared/references/cce-sle12-avail.txt b/shared/references/cce-sle12-avail.txt index e3098680491..7c634f26927 100644 --- a/shared/references/cce-sle12-avail.txt +++ b/shared/references/cce-sle12-avail.txt @@ -67,7 +67,6 @@ CCE-92396-1 CCE-92397-9 CCE-92398-7 CCE-92399-5 -CCE-92400-1 CCE-92401-9 CCE-92402-7 CCE-92403-5 diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt index d2f741927b5..ddf6af14bcd 100644 --- a/shared/references/cce-sle15-avail.txt +++ b/shared/references/cce-sle15-avail.txt 
@@ -28,7 +28,6 @@ CCE-92511-5 CCE-92512-3 CCE-92513-1 CCE-92514-9 -CCE-92515-6 CCE-92516-4 CCE-92517-2 CCE-92519-8