Update rules related to /var/log/audit

linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_all
 # reboot = false
 # strategy = restrict
 # complexity = low
@@ -11,35 +11,23 @@
   changed_when: false
   register: log_file_exists
 
-- name: "{{{ rule_title }}} - Set audit log file fact"
+- name: "{{{ rule_title }}} - Set audit log directory path"
   ansible.builtin.set_fact:
-      log_file_line: "{{ log_file_exists.stdout | split(' ') | last }}"
+      log_file_dir: "{{ (log_file_exists.stdout | default('') | split(' ') | last | dirname) | default('/var/log/audit', true) }}"
 
-- name: "{{{ rule_title }}} - Set default log_file if not configured in /etc/audit/auditd.conf"
-  ansible.builtin.set_fact:
-      log_file_dir: "/var/log/audit"
-  when: (log_file_exists is undefined) or (log_file_exists.stdout | length == 0)
-
-- name: "{{{ rule_title }}} - Set log_file_dir from log_file_line if configured"
-  ansible.builtin.set_fact:
-      log_file_dir: "{{ log_file_line | dirname}}"
-  when: (log_file_line is defined) and (log_file_line | length > 0)
-
-- name: "{{{ rule_title }}} - Get audit log group"
+- name: "{{{ rule_title }}} - Get audit log group from /etc/audit/auditd.conf"
   ansible.builtin.command: grep -iw ^log_group /etc/audit/auditd.conf
   check_mode: False
   failed_when: false
   changed_when: false
   register: log_group_exists
 
-- name: "{{{ rule_title }}} - Set audit log directory mode to 0700"
-  ansible.builtin.file:
-      path: "{{ log_file_dir }}"
-      mode: 0700
-  when: log_group_exists.stdout | length == 0
+- name: "{{{ rule_title }}} - Set audit log group"
+  ansible.builtin.set_fact:
+      log_group: "{{ (log_group_exists.stdout | default('') | split(' ') | last) | default('root', true) }}"
 
-- name: "{{{ rule_title }}} - Set audit log directory mode to 0750"
+- name: "{{{ rule_title }}} - Set audit log directory permissions"
   ansible.builtin.file:
       path: "{{ log_file_dir }}"
-      mode: 0750
-  when: log_group_exists.stdout | length > 0
+      state: directory
+      mode: "{{ '0700' if log_group == 'root' else '0750' }}"

linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/bash/shared.sh

@@ -1,22 +1,18 @@
-# platform = Red Hat Virtualization 4,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_all
 
 if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then
   DIR=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ' | rev | cut -d"/" -f2- | rev)
 else
   DIR="/var/log/audit"
 fi
 
-{{% if product not in ["ol8", "rhel8"] %}}
 if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
   GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
-  if ! [ "${GROUP}" == 'root' ] ; then
-    chmod 0750 $DIR
+  if ! [ "$GROUP" == 'root' ] ; then
+    chmod 0750 "$DIR"
   else
-    chmod 0700 $DIR
+    chmod 0700 "$DIR"
   fi
 else
-  chmod 0700 $DIR
+  chmod 0700 "$DIR"
 fi
-{{% else %}}
-chmod 0700 $DIR
-{{% endif %}}

linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/oval/shared.xml

@@ -2,113 +2,123 @@
   <definition class="compliance" id="directory_permissions_var_log_audit" version="1">
     {{{ oval_metadata("Checks for correct permissions for audit logs.", rule_title=rule_title) }}}
     <criteria operator="OR">
-      {{% if 'ol' not in families and 'rhel' not in product and 'fedora' not in product %}}
       <criteria operator="AND" comment="log_file set">
-        <extend_definition comment="log_file set in auditd.conf" definition_ref="auditd_conf_log_file_not_set" negate="true" />
-        <criteria operator="AND" comment="log_group in auditd.conf is not root">
-          <extend_definition comment="log_group in auditd.conf is not root"
-          definition_ref="auditd_conf_log_group_not_root" />
-          <criterion test_ref="test_dir_permissions_audit_log-non_root" negate="true" />
+        <extend_definition comment="log file set in auditd.conf" definition_ref="auditd_conf_log_file_not_set" negate="true" />
+
+        <criteria operator="OR">
+          <criteria operator="AND" comment="log_file set and log_group set to not root">
+            <extend_definition comment="log_group in auditd.conf is not set to root" definition_ref="auditd_conf_log_group_not_root" />
+            <criterion comment="non-default log_file and log_group set to non-root" test_ref="test_permissions_audit_log_directory_not_root"/>
+          </criteria>
+          <criteria operator="AND" comment="log_file set and log_group root or not set">
+            <extend_definition comment="log_group in auditd.conf is set to root or not set" definition_ref="auditd_conf_log_group_not_root" negate="true"/>
+            <criterion comment="non-default log_file and log_group root or not set" test_ref="test_permissions_audit_log_directory_root"/>
+          </criteria>
         </criteria>
-        <criterion test_ref="test_dir_permissions_audit_log" negate="true" />
-      </criteria>
-      <criterion test_ref="test_dir_permissions_var_log_audit" negate="true" />
-      <criteria operator="AND" comment="log_group in auditd.conf is not root">
-        <extend_definition comment="log_group in auditd.conf is not root"
-        definition_ref="auditd_conf_log_group_not_root" />
-        <criterion test_ref="test_dir_permissions_var_log_audit-non_root" negate="true" />
-      </criteria>
-      {{% else %}}
-      <criteria operator="AND" comment="log_file set">
-        <extend_definition comment="log_file set in auditd.conf" definition_ref="auditd_conf_log_file_not_set" negate="true" />
-        <criterion test_ref="test_dir_permissions_audit_log" negate="true" />
+
       </criteria>
       <criteria operator="AND" comment="log_file not set">
-        <extend_definition comment="log_file not set in auditd.conf" definition_ref="auditd_conf_log_file_not_set" />
-        <criterion test_ref="test_dir_permissions_var_log_audit" negate="true" />
+        <extend_definition comment="log file not set in auditd.conf" definition_ref="auditd_conf_log_file_not_set" />
+
+        <criteria operator="OR">
+          <criteria operator="AND" comment="default log_file and log_group set to not root">
+            <extend_definition comment="log_group in auditd.conf is not set to root" definition_ref="auditd_conf_log_group_not_root" />
+            <criterion comment="default log_file and log_group set to non-root" test_ref="test_permissions_default_audit_log_directory_not_root"/>
+          </criteria>
+          <criteria operator="AND" comment="default log_file and log_group root or not set">
+            <extend_definition comment="log_group in auditd.conf is set to root or not set" definition_ref="auditd_conf_log_group_not_root" negate="true"/>
+            <criterion comment="default log_file and log_group root or not set" test_ref="test_permissions_default_audit_log_directory_root"/>
+          </criteria>
+        </criteria>
+
       </criteria>
-      {{% endif %}}
     </criteria>
   </definition>
 
+
+  <ind:textfilecontent54_object id="object_auditd_conf_log_group_configured" comment="log_group is set" version="1">
+    <ind:filepath operation="equals">/etc/audit/auditd.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^[ ]*log_group[ ]+=[ ](\w+)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test id="test_auditd_conf_log_group_not_set" check="all" check_existence="none_exist" comment="log_group not set" version="1">
+    <ind:object object_ref="object_auditd_conf_log_group_configured" />
+  </ind:textfilecontent54_test>
+
   <local_variable id="audit_log_dir" datatype="string" version="1" comment="path to audit log directory">
     <regex_capture pattern="^(.*)\/([^\/]+$)">
       <variable_component var_ref="audit_log_file_path" />
     </regex_capture>
   </local_variable>
 
-  <unix:file_test check="all" check_existence="at_least_one_exists" comment="/var/log/audit mode 0700" id="test_dir_permissions_audit_log" version="1">
-    <unix:object object_ref="object_audit_log_directory" />
-    <unix:state state_ref="state_not_mode_0700" />
+  <!-- non default file and state 0700 -->
+  <unix:file_test check="all" check_existence="all_exist" comment="non default audit log dir mode 0700" id="test_permissions_audit_log_directory_root" version="1">
+    <unix:object object_ref="object_var_log_audit_directory_non_default_root" />
+    <unix:state state_ref="state_mode_0700" />
   </unix:file_test>
-  <unix:file_object comment="audit log files" id="object_audit_log_directory" version="1">
-    {{% if product not in ["ol8", "rhel8"] %}}
-    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
-    {{% endif %}}
+  <unix:file_object comment="non default audit log dir" id="object_var_log_audit_directory_non_default_root" version="1">
     <unix:path operation="equals" var_ref="audit_log_dir" />
     <unix:filename xsi:nil="true" />
-    <filter action="include">state_not_mode_0700</filter>
   </unix:file_object>
 
-  <unix:file_test check="all" check_existence="at_least_one_exists" comment="/var/log/audit mode 0700" id="test_dir_permissions_var_log_audit" version="1">
-    <unix:object object_ref="object_var_log_audit_directory" />
-    <unix:state state_ref="state_not_mode_0700" />
+  <!-- non default file and state 0750 -->
+  <unix:file_test check="all" check_existence="all_exist" comment="non default audit log dir mode 0750" id="test_permissions_audit_log_directory_not_root" version="1">
+    <unix:object object_ref="object_var_log_audit_directory_non_default_not_root" />
+    <unix:state state_ref="state_mode_0750" />
   </unix:file_test>
-  <unix:file_object comment="/var/log/audit files" id="object_var_log_audit_directory" version="1">
-    {{% if product not in ["ol8", "rhel8"] %}}
-    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
-    {{% endif %}}
-    <unix:path operation="equals">/var/log/audit</unix:path>
+  <unix:file_object comment="non default audit log dir" id="object_var_log_audit_directory_non_default_not_root" version="1">
+    <unix:path operation="equals" var_ref="audit_log_dir" />
     <unix:filename xsi:nil="true" />
-    <filter action="include">state_not_mode_0700</filter>
   </unix:file_object>
 
-  {{% if product not in ["ol8", "rhel8"] %}}
-  <unix:file_test check="all" check_existence="at_least_one_exists" comment="/var/log/audit files mode 0750" id="test_dir_permissions_var_log_audit-non_root" version="1">
-    <unix:object object_ref="object_var_log_audit_directory-non_root" />
-    <unix:state state_ref="state_not_mode_0750" />
+  <!-- default file and state 0700 -->
+  <unix:file_test check="all" check_existence="all_exist" comment="/var/log/audit mode 0700" id="test_permissions_default_audit_log_directory_root" version="1">
+    <unix:object object_ref="object_var_log_audit_directory_root" />
+    <unix:state state_ref="state_mode_0700" />
   </unix:file_test>
-  <unix:file_object comment="/var/log/audit files" id="object_var_log_audit_directory-non_root" version="1">
-    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
-    <unix:path operation="equals">/var/log/audit</unix:path>
+  <unix:file_object comment="/var/log/audit dir" id="object_var_log_audit_directory_root" version="1">
+    <unix:path>/var/log/audit</unix:path>
     <unix:filename xsi:nil="true" />
-    <filter action="include">state_not_mode_0750</filter>
   </unix:file_object>
 
-  <unix:file_test check="all" check_existence="at_least_one_exists" comment="/var/log/audit files mode 0750" id="test_dir_permissions_audit_log-non_root" version="1">
-    <unix:object object_ref="object_audit_log_directory-non_root" />
-    <unix:state state_ref="state_not_mode_0750" />
+  <!-- default file and state 0750 -->
+  <unix:file_test check="all" check_existence="all_exist" comment="/var/log/audit mode 0750" id="test_permissions_default_audit_log_directory_not_root" version="1">
+    <unix:object object_ref="object_var_log_audit_directory_non_root" />
+    <unix:state state_ref="state_mode_0750" />
   </unix:file_test>
-  <unix:file_object comment="audit log files" id="object_audit_log_directory-non_root" version="1">
-    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
-    <unix:path operation="equals" var_ref="audit_log_dir" />
-    <unix:filename xsi:nil="true" />
-    <filter action="include">state_not_mode_0750</filter>
+  <unix:file_object comment="/var/log/audit dir" id="object_var_log_audit_directory_non_root" version="1">
+    <unix:path>/var/log/audit</unix:path>
+    <unix:filename xsi:nil="true"/>
   </unix:file_object>
 
-  <unix:file_state id="state_not_mode_0750" version="1" operator="OR">
-    <!-- if any one of these is true then mode is NOT 0750 (hence the OR operator) -->
-    <unix:suid datatype="boolean">true</unix:suid>
-    <unix:sgid datatype="boolean">true</unix:sgid>
-    <unix:sticky datatype="boolean">true</unix:sticky>
-    <unix:gwrite datatype="boolean">true</unix:gwrite>
-    <unix:oread datatype="boolean">true</unix:oread>
-    <unix:owrite datatype="boolean">true</unix:owrite>
-    <unix:oexec datatype="boolean">true</unix:oexec>
+  <unix:file_state id="state_mode_0700" operator="AND" version="3">
+    <unix:suid datatype="boolean">false</unix:suid>
+    <unix:sgid datatype="boolean">false</unix:sgid>
+    <unix:sticky datatype="boolean">false</unix:sticky>
+    <unix:uread datatype="boolean">true</unix:uread>
+    <unix:uwrite datatype="boolean">true</unix:uwrite>
+    <unix:uexec datatype="boolean">true</unix:uexec>
+    <unix:gread datatype="boolean">false</unix:gread>
+    <unix:gwrite datatype="boolean">false</unix:gwrite>
+    <unix:gexec datatype="boolean">false</unix:gexec>
+    <unix:oread datatype="boolean">false</unix:oread>
+    <unix:owrite datatype="boolean">false</unix:owrite>
+    <unix:oexec datatype="boolean">false</unix:oexec>
   </unix:file_state>
-  {{% endif %}}
 
-  <unix:file_state id="state_not_mode_0700" version="1" operator="OR">
-    <!-- if any one of these is true then mode is NOT 0700 (hence the OR operator) -->
-    <unix:suid datatype="boolean">true</unix:suid>
-    <unix:sgid datatype="boolean">true</unix:sgid>
-    <unix:sticky datatype="boolean">true</unix:sticky>
+  <unix:file_state id="state_mode_0750" operator="AND" version="3">
+    <unix:suid datatype="boolean">false</unix:suid>
+    <unix:sgid datatype="boolean">false</unix:sgid>
+    <unix:sticky datatype="boolean">false</unix:sticky>
+    <unix:uread datatype="boolean">true</unix:uread>
+    <unix:uwrite datatype="boolean">true</unix:uwrite>
+    <unix:uexec datatype="boolean">true</unix:uexec>
     <unix:gread datatype="boolean">true</unix:gread>
-    <unix:gwrite datatype="boolean">true</unix:gwrite>
+    <unix:gwrite datatype="boolean">false</unix:gwrite>
     <unix:gexec datatype="boolean">true</unix:gexec>
-    <unix:oread datatype="boolean">true</unix:oread>
-    <unix:owrite datatype="boolean">true</unix:owrite>
-    <unix:oexec datatype="boolean">true</unix:oexec>
+    <unix:oread datatype="boolean">false</unix:oread>
+    <unix:owrite datatype="boolean">false</unix:owrite>
+    <unix:oexec datatype="boolean">false</unix:oexec>
   </unix:file_state>
-
 </def-group>