Add auid criteria to rules related to syscall audit rules #8327

Merged: 7 commits, Apr 6, 2022

Conversation

Xeicker
Contributor

@Xeicker Xeicker commented Mar 10, 2022

Description:

  • Added the auid criteria -F auid>=1000 -F auid!=unset to the rules audit_rules_kernel_module_loading_init, audit_rules_kernel_module_loading_finit and audit_rules_kernel_module_loading_delete

Rationale:

  • This is to make those rules compliant with DISA's STIG requirements OL08-00-030360, OL08-00-030380 and OL08-00-030390 for ol8; and RHEL-08-030360 and RHEL-08-030390 for rhel8

This STIG ID requires that audit_rules_kernel_module_loading_delete,
the rule that complies with it, also check for -F auid>=1000 -F auid!=unset
in the audit rule containing the delete_module syscall. This applies to ol8.

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
This STIG ID requires that audit_rules_kernel_module_loading_finit,
the rule that complies with it, also check for -F auid>=1000 -F auid!=unset
in the audit rule containing the finit_module syscall. This applies to ol8.

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
This STIG ID requires that audit_rules_kernel_module_loading_init,
the rule that complies with it, also check for -F auid>=1000 -F auid!=unset
in the audit rule containing the init_module syscall. This applies to ol8.

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
STIG IDs RHEL-08-030360 and RHEL-08-030390 require that the rules
related to delete_module, init_module and finit_module also check for
-F auid>=1000 -F auid!=unset

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Mar 10, 2022
@openshift-ci

openshift-ci bot commented Mar 10, 2022

Hi @Xeicker. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.


@github-actions

github-actions bot commented Mar 10, 2022

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete' differs:
--- old datastream
+++ new datastream
@@ -13,7 +13,9 @@
 do
 ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 OTHER_FILTERS=""
- AUID_FILTERS=""
+ 
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ 
 SYSCALL="delete_module"
 KEY="modules"
 SYSCALL_GROUPING="delete_module"
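Review bot: the two added lines consisting of only `+ ` (one before and one after `AUID_FILTERS=...`) put empty lines into the generated bash remediation that the change does not need; the hunk should replace the single `AUID_FILTERS=""` line with `AUID_FILTERS="-F auid>=1000 -F auid!=unset"` and nothing else. The same stray blank lines appear in the finit_module and init_module bash hunks further down. The UID threshold 1000 is also spelled out here and again in every ansible hunk of this diff; keeping it in one place would turn a later change of the minimum UID into a single edit rather than a dozen.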

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete' differs:
--- old datastream
+++ new datastream
@@ -50,7 +50,7 @@
 find:
 paths: /etc/audit/rules.d
 contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
- -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
 patterns: '*.rules'
 register: find_command
 loop: '{{ (syscall_grouping + syscalls) | unique }}'
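Review bot: because `contains` now demands `-F auid>=1000 -F auid!=unset` immediately before the key, a pre-existing `delete_module` rule that lacks the filters, or lists them in another order (`-F auid!=unset -F auid>=1000`), is no longer found, and the `lineinfile` regexps later in this diff require the same exact filter text, so such a line is never rewritten; the remediation then reaches the `Add the audit rule` task and appends a second, filtered rule while the old unfiltered one stays in the file. Consider matching the filters optionally (`( -F auid>=1000 -F auid!=unset)?`) in `contains` and in the regexps and inserting them when absent, so existing rules are upgraded rather than duplicated. The same applies to every `find` hunk in this diff, including the `/etc/audit`, `arch=b64`, finit_module and init_module variants.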
@@ -95,7 +95,8 @@
 lineinfile:
 path: '{{ audit_file }}'
 regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
- | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
 line: \1\2\3{{ missing_syscalls | join("\3") }}\4
 backrefs: true
 state: present
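Review bot: the trailing `\w+` in group 4, `( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)`, does not match `-`, yet the `Add the audit rule` task in this same file writes `-F key=module-change`. When this regexp matches such a line, `\4` captures only `-F key=module`, and since `lineinfile` with `backrefs: true` replaces the whole matched line with `line`, the rewritten rule ends in `-F key=module`. That was already true of the old regexp, but as the group is being changed anyway, `[\w-]+` (or `\S+`, as the `contains` patterns already use) avoids truncating the key. The b64, `/etc/audit`, finit_module and init_module variants of this hunk carry the same group.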
@@ -104,7 +105,8 @@
 - name: Add the audit rule to {{ audit_file }}
 lineinfile:
 path: '{{ audit_file }}'
- line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=module-change
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=module-change
 create: true
 mode: o-rwx
 state: present
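Review bot: the key written by this task, `-F key=module-change`, does not match the `KEY="modules"` used by the bash remediation for the same rule at the top of this diff, so a host remediated by bash and one remediated by ansible tag the same event under different keys, and an `ausearch -k` query has to know which remediation ran. Not introduced by this change, but since the line is being edited, aligning the ansible key with the bash one would keep the two remediations equivalent; the same `line:` appears in the other `Add the audit rule` hunks of this diff.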
@@ -120,7 +122,7 @@
 find:
 paths: /etc/audit
 contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
- -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
 patterns: audit.rules
 register: find_command
 loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -139,7 +141,8 @@
 lineinfile:
 path: '{{ audit_file }}'
 regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
- | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
 line: \1\2\3{{ missing_syscalls | join("\3") }}\4
 backrefs: true
 state: present
@@ -148,7 +151,8 @@
 - name: Add the audit rule to {{ audit_file }}
 lineinfile:
 path: '{{ audit_file }}'
- line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=module-change
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=module-change
 create: true
 mode: o-rwx
 state: present
@@ -183,7 +187,7 @@
 find:
 paths: /etc/audit/rules.d
 contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
- -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
 patterns: '*.rules'
 register: find_command
 loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -228,7 +232,8 @@
 lineinfile:
 path: '{{ audit_file }}'
 regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
- | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
 line: \1\2\3{{ missing_syscalls | join("\3") }}\4
 backrefs: true
 state: present
@@ -237,7 +242,8 @@
 - name: Add the audit rule to {{ audit_file }}
 lineinfile:
 path: '{{ audit_file }}'
- line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=module-change
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=module-change
 create: true
 mode: o-rwx
 state: present
@@ -253,7 +259,7 @@
 find:
 paths: /etc/audit
 contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
- -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
 patterns: audit.rules
 register: find_command
 loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -272,7 +278,8 @@
 lineinfile:
 path: '{{ audit_file }}'
 regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
- | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
 line: \1\2\3{{ missing_syscalls | join("\3") }}\4
 backrefs: true
 state: present
@@ -281,7 +288,8 @@
 - name: Add the audit rule to {{ audit_file }}
 lineinfile:
 path: '{{ audit_file }}'
- line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=module-change
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=module-change
 create: true
 mode: o-rwx
 state: present

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit' differs:
--- old datastream
+++ new datastream
@@ -13,7 +13,9 @@
 do
 ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 OTHER_FILTERS=""
- AUID_FILTERS=""
+ 
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ 
 SYSCALL="finit_module"
 KEY="modules"
 SYSCALL_GROUPING="init_module finit_module"
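Review bot: same stray `+ ` blank lines around `AUID_FILTERS` as in the delete_module bash hunk above; only the `AUID_FILTERS` assignment itself needs to change. Note that `SYSCALL_GROUPING="init_module finit_module"` means this rule and the init_module rule share one audit line, so both must carry identical filters; this diff does keep them identical, which is worth preserving in any follow-up.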

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit' differs:
--- old datastream
+++ new datastream
@@ -52,7 +52,7 @@
 find:
 paths: /etc/audit/rules.d
 contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
- -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
 patterns: '*.rules'
 register: find_command
 loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -97,7 +97,8 @@
 lineinfile:
 path: '{{ audit_file }}'
 regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
- | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
 line: \1\2\3{{ missing_syscalls | join("\3") }}\4
 backrefs: true
 state: present
@@ -106,7 +107,8 @@
 - name: Add the audit rule to {{ audit_file }}
 lineinfile:
 path: '{{ audit_file }}'
- line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=module-change
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=module-change
 create: true
 mode: o-rwx
 state: present
@@ -124,7 +126,7 @@
 find:
 paths: /etc/audit
 contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
- -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
 patterns: audit.rules
 register: find_command
 loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -143,7 +145,8 @@
 lineinfile:
 path: '{{ audit_file }}'
 regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
- | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
 line: \1\2\3{{ missing_syscalls | join("\3") }}\4
 backrefs: true
 state: present
@@ -152,7 +155,8 @@
 - name: Add the audit rule to {{ audit_file }}
 lineinfile:
 path: '{{ audit_file }}'
- line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=module-change
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=module-change
 create: true
 mode: o-rwx
 state: present
@@ -189,7 +193,7 @@
 find:
 paths: /etc/audit/rules.d
 contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
- -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
 patterns: '*.rules'
 register: find_command
 loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -234,7 +238,8 @@
 lineinfile:
 path: '{{ audit_file }}'
 regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
- | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
 line: \1\2\3{{ missing_syscalls | join("\3") }}\4
 backrefs: true
 state: present
@@ -243,7 +248,8 @@
 - name: Add the audit rule to {{ audit_file }}
 lineinfile:
 path: '{{ audit_file }}'
- line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=module-change
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=module-change
 create: true
 mode: o-rwx
 state: present
@@ -261,7 +267,7 @@
 find:
 paths: /etc/audit
 contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
- -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
 patterns: audit.rules
 register: find_command
 loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -280,7 +286,8 @@
 lineinfile:
 path: '{{ audit_file }}'
 regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
- | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
 line: \1\2\3{{ missing_syscalls | join("\3") }}\4
 backrefs: true
 state: present
@@ -289,7 +296,8 @@
 - name: Add the audit rule to {{ audit_file }}
 lineinfile:
 path: '{{ audit_file }}'
- line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=module-change
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=module-change
 create: true
 mode: o-rwx
 state: present

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init' differs:
--- old datastream
+++ new datastream
@@ -13,7 +13,9 @@
 do
 ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 OTHER_FILTERS=""
- AUID_FILTERS=""
+ 
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ 
 SYSCALL="init_module"
 KEY="modules"
 SYSCALL_GROUPING="init_module finit_module"
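Review bot: same stray `+ ` blank lines around `AUID_FILTERS` as in the two bash hunks above; drop them so the hunk changes only the assignment. As with finit_module, the `SYSCALL_GROUPING="init_module finit_module"` line ties this rule's filters to the finit_module rule's, so the two must stay in sync.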

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init' differs:
--- old datastream
+++ new datastream
@@ -52,7 +52,7 @@
 find:
 paths: /etc/audit/rules.d
 contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
- -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
 patterns: '*.rules'
 register: find_command
 loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -97,7 +97,8 @@
 lineinfile:
 path: '{{ audit_file }}'
 regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
- | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
 line: \1\2\3{{ missing_syscalls | join("\3") }}\4
 backrefs: true
 state: present
@@ -106,7 +107,8 @@
 - name: Add the audit rule to {{ audit_file }}
 lineinfile:
 path: '{{ audit_file }}'
- line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=module-change
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=module-change
 create: true
 mode: o-rwx
 state: present
@@ -124,7 +126,7 @@
 find:
 paths: /etc/audit
 contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
- -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
 patterns: audit.rules
 register: find_command
 loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -143,7 +145,8 @@
 lineinfile:
 path: '{{ audit_file }}'
 regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
- | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
 line: \1\2\3{{ missing_syscalls | join("\3") }}\4
 backrefs: true
 state: present
@@ -152,7 +155,8 @@
 - name: Add the audit rule to {{ audit_file }}
 lineinfile:
 path: '{{ audit_file }}'
- line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=module-change
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=module-change
 create: true
 mode: o-rwx
 state: present
@@ -189,7 +193,7 @@
 find:
 paths: /etc/audit/rules.d
 contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
- -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
 patterns: '*.rules'
 register: find_command
 loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -234,7 +238,8 @@
 lineinfile:
 path: '{{ audit_file }}'
 regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
- | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
 line: \1\2\3{{ missing_syscalls | join("\3") }}\4
 backrefs: true
 state: present
@@ -243,7 +248,8 @@
 - name: Add the audit rule to {{ audit_file }}
 lineinfile:
 path: '{{ audit_file }}'
- line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=module-change
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=module-change
 create: true
 mode: o-rwx
 state: present
@@ -261,7 +267,7 @@
 find:
 paths: /etc/audit
 contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
- -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
 patterns: audit.rules
 register: find_command
 loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -280,7 +286,8 @@
 lineinfile:
 path: '{{ audit_file }}'
 regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
- | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
 line: \1\2\3{{ missing_syscalls | join("\3") }}\4
 backrefs: true
 state: present
@@ -289,7 +296,8 @@
 - name: Add the audit rule to {{ audit_file }}
 lineinfile:
 path: '{{ audit_file }}'
- line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=module-change
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=module-change
 create: true
 mode: o-rwx
 state: present

@vojtapolasek
Collaborator

/ok-to-test

@vojtapolasek vojtapolasek self-assigned this Mar 24, 2022
@JAORMX
Contributor

JAORMX commented Mar 25, 2022

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Mar 25, 2022
@ggbecker
Member

I'm pushing for this change to be applied as well for STIG EL7. This way we don't need the jinja macros and it makes the content more accurate. Unfortunately the change takes some time to propagate so we will need to live with these ifs for some time.

@vojtapolasek
Collaborator

/retest

@vojtapolasek vojtapolasek added the Update Rule Issues or pull requests related to Rules updates. label Mar 29, 2022
Collaborator

@vojtapolasek vojtapolasek left a comment


Hello, thank you for the changes, they look sane.
However, it would be good if you could modify the tests as well. You will have to create another set of tests: one will be for OL8 and RHEL8, the other for the rest.
You can see an example of such tests here:
https://github.com/ComplianceAsCode/content/tree/master/linux_os/guide/system/auditing/grub2_audit_argument/tests
Notice the

# platform = Red Hat Enterprise Linux 7

and similar lines at the top of the test scenarios.

@Xeicker
Contributor Author

Xeicker commented Mar 29, 2022

Hello, thank you for the changes, they look sane. However, it would be good if you could modify the tests as well. You will have to create another set of tests: one will be for OL8 and RHEL8, the other for the rest. You can see an example of such tests here: https://github.com/ComplianceAsCode/content/tree/master/linux_os/guide/system/auditing/grub2_audit_argument/tests Notice the

# platform = Red Hat Enterprise Linux 7

and similar lines at the top of the test scenarios.

I was considering using JINJA instead, as in https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/tests/service_enabled.fail.sh

In this case there are many platforms that should be included in the previous tests and only RHEL8 and OL8 in the new ones, so the JINJA approach would be easier.

@vojtapolasek
Collaborator

OK, that is a solution as well. Let's try and see.

Include the auid filters in tests for
audit_rules_kernel_module_loading_delete,
audit_rules_kernel_module_loading_finit and
audit_rules_kernel_module_loading_init
so they include the updates in OL8 and RHEL8 requirements

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
@vojtapolasek
Collaborator

/retest

@vojtapolasek
Collaborator

Hello,
thank you for the tests. There is one more thing to get done: test scenarios have to account for the case when the directory /etc/audit/rules.d does not exist. Can you add a condition at the beginning of the scenarios to create it?
Thank you.
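As an added example, not code from this PR or from the ComplianceAsCode test suite, the shell below shows the two pieces a test scenario like the ones discussed in this thread needs: creating the rules directory when it is absent, and checking which syscalls already have a rule carrying the auid filters before the key. The grep pattern mirrors the `contains` regex of the ansible remediation in the datastream diff above, with `\w` spelled out as a POSIX class. The function names (`ensure_rules_dir`, `has_auid_rule`, `missing_auid_syscalls`), the temporary directory and the two sample rules are constructed for the example; a real scenario would point at /etc/audit/rules.d.

```shell
#!/bin/sh
# Added example, not code from the PR or from ComplianceAsCode.
# Constructed helpers for an audit-rule test scenario: make sure the
# rules directory exists, then report which syscalls lack a rule that
# carries "-F auid>=1000 -F auid!=unset" directly before the key.

# Create the rules directory if it is missing (a real scenario would pass
# /etc/audit/rules.d; this example passes a temporary directory).
ensure_rules_dir() {
    [ -d "$1" ] || mkdir -p "$1"
}

# Return 0 when rules file $1 holds a rule for syscall $2 on arch $3 whose
# auid filters sit immediately before the key. The pattern follows the
# ansible `contains` regex from the diff, as a portable ERE.
has_auid_rule() {
    grep -Eq -- "^-a always,exit -F arch=$3(( -S |,)[[:alnum:]_]+)*(( -S |,)$2)+(( -S |,)[[:alnum:]_]+)* -F auid>=1000 -F auid!=unset (-k[[:space:]]+|-F[[:space:]]+key=)[^[:space:]]+[[:space:]]*$" "$1"
}

# Print, space separated, the syscalls from the argument list that have no
# filtered rule in file $1 for arch $2.
missing_auid_syscalls() {
    file=$1
    arch=$2
    shift 2
    out=""
    for sc in "$@"; do
        has_auid_rule "$file" "$sc" "$arch" || out="$out $sc"
    done
    printf '%s\n' "${out# }"
}

# Constructed sample: one compliant b64 rule, one b32 rule without filters.
RULES_DIR=$(mktemp -d)
trap 'rm -rf "$RULES_DIR"' EXIT
ensure_rules_dir "$RULES_DIR"
RULES_FILE="$RULES_DIR/modules.rules"
cat > "$RULES_FILE" <<'EOF'
-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -F key=modules
-a always,exit -F arch=b32 -S delete_module -k modules
EOF

echo "b64 missing: $(missing_auid_syscalls "$RULES_FILE" b64 init_module finit_module delete_module)"
echo "b32 missing: $(missing_auid_syscalls "$RULES_FILE" b32 init_module finit_module delete_module)"
```

Because the pattern is taken from the remediation, it shares its strictness: a rule whose filters are written in the other order (`-F auid!=unset -F auid>=1000`) or with other `-F` filters between them and the key is reported as missing, which is what a scenario exercising the remediation's own matching should expect.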

@vojtapolasek
Collaborator

/retest

Include the requirement of audit package in
audit_rules_kernel_module_loading_delete,
audit_rules_kernel_module_loading_finit and
audit_rules_kernel_module_loading_init

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Update the auid filters in ansible for
audit_rules_kernel_module_loading_delete,
audit_rules_kernel_module_loading_finit and
audit_rules_kernel_module_loading_init

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
@vojtapolasek
Collaborator

/retest

Collaborator

@vojtapolasek vojtapolasek left a comment


I am approving this. Thank you for all the changes. The failing tests are not related to the rules you have modified; it might be a problem in the algorithm which selects rules to test.
Let's wait for the Openshift CI.

@openshift-ci

openshift-ci bot commented Apr 5, 2022

@Xeicker: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                        | Commit  | Required | Rerun command
ci/prow/e2e-aws-rhcos4-high      | c0ae24e | true     | /test e2e-aws-rhcos4-high
ci/prow/e2e-aws-rhcos4-moderate  | c0ae24e | true     | /test e2e-aws-rhcos4-moderate


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@vojtapolasek
Collaborator

There are temporary problems with Openshift CI and rule modifications do not touch OCP content. Merging.

@vojtapolasek vojtapolasek merged commit fa81eb1 into ComplianceAsCode:master Apr 6, 2022
@yuumasato yuumasato added this to the 0.1.62 milestone Apr 14, 2022
@marcusburghardt marcusburghardt added the Test Suite Update in Test Suite. label Jun 23, 2022
alanmcanonical pushed a commit to alanmcanonical/CaC_content that referenced this pull request Aug 14, 2024
Too many disruptive changes to cherry pick.

Only in master:
- 91023c9|2023-11-02|2023-11-08 Review and update pcidss_4 requirement 10.2.1.7 [Marcus Burghardt]
- 3a89685|2023-10-31|2023-10-31 Merge pull request ComplianceAsCode#11193 from Mab879/add_rhel9_stig [GitHub]
- 2df3231|2023-10-18|2023-10-27 Copy Debian11 product to Debian12 [Paul Rensing]
- 2804dfb|2023-10-17|2023-10-18 Add rule for RHEL-09-654080 [Matthew Burket]
- 92e7882|2023-08-02|2023-09-12 Fix UBTU-20-010179 to use proper parameters and key [Dexter Le]
- c493b4d|2023-05-22|2023-07-19 SRG-APP-000504-CTR-001280: Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules [Jakub Hrozek]
- bdcd7c9|2023-05-22|2023-07-19 SRG-APP-000495-CTR-001235: audit records when successful/unsuccessful attempts to modify privileges occur [Jakub Hrozek]
- 29f415f|2023-05-05|2023-07-06 products/anolis23: supports Anolis OS 23 [YuQing]
- ec2bfe8|2023-05-28|2023-05-28 fix: uid_min: use it in audit auid checks, out jinja macro [Markus Linnala]
- 8fe3315|2023-04-21|2023-05-15 Update jinja conditionals that apply to any ol [Edgar Aguilar]
- 4f18ae7|2023-04-17|2023-04-18 Ensure that all files in the repo end with a newline [Matthew Burket]
- acc24a1|2023-04-11|2023-04-11 Merge pull request ComplianceAsCode#10334 from vojtapolasek/anssi_20_upstream [GitHub]
- 0c5d7b9|2023-03-30|2023-03-30 Drop Req prefix from pcidss4 reference ids [teacup-on-rockingchair]
- d6338b6|2023-03-19|2023-03-26 Extract rules from SLE15 profile to PCI-DSS v4 control file [teacup-on-rockingchair]
- 209fc25|2023-03-08|2023-03-23 add anssi references to rules [Vojtech Polasek]
- 5ae4bfd|2023-03-14|2023-03-14 Remove vmmsrg references from rules [Matthew Burket]
- e3886d4|2023-01-19|2023-01-19 Include CIS RHEL9 reference in Logging related rules [Marcus Burghardt]
- 9f273f2|2022-12-08|2022-12-14 ubuntu2204: cis_level2_server: Add cis references [Eduardo Barretto]
- 3d711c8|2022-11-30|2022-11-30 Merge pull request ComplianceAsCode#9897 from litios/master [GitHub]
- 795f076|2022-11-28|2022-11-28 Update rule tests to rely on platform_package_overrides + add needed alternatives to products [David Fernandez Gonzalez]
- 15abac6|2022-11-25|2022-11-25 Recognize all 64bit architectures in audit rules [Milan Lysonek]
- 5f2250d|2022-11-04|2022-11-07 products/anolis8: supports Anolis OS 8 [YiLin.Li]
- 2e2af47|2022-09-30|2022-10-04 Import STIG content for RHEL9 [Matthew Burket]
- e02980a|2022-09-19|2022-09-19 Remove Debian 9 from products [Matthew Burket]
- fd54c29|2022-08-31|2022-09-01 Add ol7 platform to existing required tests [Edgar Aguilar]
- 95f767a|2022-08-19|2022-08-22 Tag Ubuntu CIS reference for 22.04 [Juan Antonio Osorio]
- 7f5b811|2022-08-19|2022-08-22 Tag rules applicable to ubuntu2004 as applicable to ubuntu2204 too [Juan Antonio Osorio]
- 16e89ad|2022-08-10|2022-08-11 Add the AUID filters on audit kernel module rules [Federico Ramirez]
- a29edee|2022-08-03|2022-08-03 Add the AUID filters on audit kernel module rules [Watson Sato]
- b020fd2|2022-07-28|2022-07-30 ssg/constants.py: fix the alinux3 full name error [YiLin.Li]
- 95cfa85|2022-07-15|2022-07-15 Update RHEL8 CIS refereces for logging and auditing rules [Marcus Burghardt]
- 41ea38b|2022-07-08|2022-07-08 Remove WRLinux 1019 product [Matthew Burket]
- 1b538df|2022-05-11|2022-06-16 Update references in OL8 STIG rules [Edgar Aguilar]
- 7a25ff4|2022-04-15|2022-06-08 products/alinux2 && controls: Add CIS Alibaba Cloud Linux (Aliyun Linux) 2 profiles [YiLin.Li]
- 32c8074|2022-05-24|2022-05-26 Add fixtext and srg_requirement to audit_rules_kernel_module_loading_init [Matthew Burket]
- fa81eb1|2022-04-06|2022-04-06 Merge pull request ComplianceAsCode#8327 from Xeicker/ol08-00-030390 [GitHub]
- c0ae24e|2022-04-04|2022-04-04 Update ansible in audit_rules_kernel_module rules [Edgar Aguilar]
- de702fb|2022-04-04|2022-04-04 Update tests in audit_rules_kernel_module rules [Edgar Aguilar]
- 55f2f34|2022-03-30|2022-03-30 Update tests in audit_rules_kernel_module rules [Edgar Aguilar]
- fa8680a|2022-03-22|2022-03-22 Group init_module and finit_module audit rules. [Yavor Georgiev]
- c8b9548|2022-03-09|2022-03-10 Add auid criteria to rules required by rhel8 [Edgar Aguilar]
- a62d887|2022-03-09|2022-03-10 Add auid criteria to rule to meet OL08-00-030360 [Edgar Aguilar]
- fb60278|2022-01-20|2022-01-25 Add OL9 prodtype to rules part of standard profile [Federico Ramirez]
- f2530de|2021-11-19|2021-11-29 Add OL8 STIG IDs [Federico Ramirez]
- a59d63a|2021-11-02|2021-11-02 Run ./utils/fix_rules.py sort_prodtypes [Matthew Burket]
- f59b8db|2021-10-08|2021-10-08 Add support for Debian 11 [Marco De Donno]
- 5ad8290|2021-08-20|2021-09-08 Completed CIS Chapters 4-6 Build currently failing. [Nico Truzzolino]
- 2214054|2021-08-26|2021-08-30 Converted function calls to macro invocations; removed the old function; fixed comment in macro file [Jiri Odehnal]

Only in focal:
- 782f6c4|2021-08-31|2021-09-01 Add packages entry to auditd tests [richardmaciel-canonical]
- f44e014|2021-08-17|2021-09-01 Fix auditd tests as the package is not installed by default in Ubuntu [richardmaciel-canonical]
- 60345d7|2021-08-24|2021-08-25 Automatically add Ubuntu to existing shared fixes [Richard Maciel Costa]
- 51c80e3|2021-07-08|2021-08-25 Manually add missing disa & srg references [Richard Maciel Costa]
Labels: ok-to-test (Used by openshift-ci bot), Test Suite (Update in Test Suite), Update Rule (Issues or pull requests related to Rules updates)
6 participants