Fix Audit related rules in RHEL 10

[vojtapolasek]

Description:

• modify OVAL checks which decide if we use augenrules or auditctl to load rules. Point them to the new file audit-rules.service in case we are on rhel10 product
• modify test scenarios of all templates where this scenario occurs
• modify test scenarios of all rules which are in rhel10 product

Rationale:

In RHEL 10, there is a special Systemd service file which loads rules.
Previously, this was done through ExecStartPost directive in auditd.service.
In RHEL 10, there is a new file audit-rules.service which achieves the same but through ExecStart directive.

Review Hints:

1. review CI results
2. CI might not be able to test all rules so in case of failures, please retest locally through Automatus.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12359
This image was built from commit: daeb8e7

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12359

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12359 make deploy-local

[ggbecker]

There might be more places where a change is needed, for example:

content/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/ansible/shared.yml

Line 20 in 7523107

grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service

and a few occurrences in this file:

content/linux_os/guide/auditing/group.yml

Line 22 in 7523107

appropriate <tt>ExecStartPost</tt> directive setting in the

[vojtapolasek]

Hello @ggbecker and thank you for noticing this. I made some fixes. However, I am not able to fix the rule audit_rules_suid_auid_privilege_function. I am afraid this will take nontrivial effort. Basically, reloading of auditd service shows us that rules can't be reloaded after remediation. I am stil not entirely sure why, but I would like to tackle this remaining rule and possibly also audit_rules_suid_privilege_function in a separate PR.

[codeclimate]

Code Climate has analyzed commit daeb8e7 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.5% (0.0% change).

View more on Code Climate.

[ggbecker]

audit_rules_suid_auid_privilege_function

audit_rules_suid_auid_privilege_function doesn't seem to be included in RHEL10 content, so there shouldn't be any major issue with it. Overall it looks good to me. Thanks

[vojtapolasek]

@ggbecker actually I see the rule audit_rules_suid_auid_privilege_function in RHEL 10 CIS level 2 profile for both server and workstation.

[ggbecker]

@ggbecker actually I see the rule audit_rules_suid_auid_privilege_function in RHEL 10 CIS level 2 profile for both server and workstation.

That's true. So please continue with the plan on following up on another pull request.