From d1cafd904fc1759ec3f798b0f7e5edd1f6485589 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 22 Nov 2023 12:36:01 +0100
Subject: [PATCH] Checked out audit_rules_kernel_module_loading_finit

Too many disruptive changes to cherry pick.

Only in master:
- 91023c97d5|2023-11-02|2023-11-08 Review and update pcidss_4 requirement 10.2.1.7 [Marcus Burghardt]
- 3a89685d1d|2023-10-31|2023-10-31 Merge pull request #11193 from Mab879/add_rhel9_stig [GitHub]
- 2df3231d6d|2023-10-18|2023-10-27 Copy Debian11 product to Debian12 [Paul Rensing]
- 0bc66b31db|2023-09-21|2023-10-18 Add RHEL 9 STIG IDs [Matthew Burket]
- 92e78825d2|2023-08-02|2023-09-12 Fix UBTU-20-010179 to use proper parameters and key [Dexter Le]
- c493b4d8f7|2023-05-22|2023-07-19 SRG-APP-000504-CTR-001280: Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules [Jakub Hrozek]
- bdcd7c9885|2023-05-22|2023-07-19 SRG-APP-000495-CTR-001235: audit records when successful/unsuccessful attempts to modify privileges occur [Jakub Hrozek]
- 29f415f5d7|2023-05-05|2023-07-06 products/anolis23: supports Anolis OS 23 [YuQing]
- ec2bfe80d3|2023-05-28|2023-05-28 fix: uid_min: use it in audit auid checks, out jinja macro [Markus Linnala]
- 8fe3315eac|2023-04-21|2023-05-15 Update jinja conditionals that apply to any ol [Edgar Aguilar]
- 6f8a2ee68b|2023-04-25|2023-04-27 Update 4.1.3.19 CIS requirement for RHEL8 and RHEL9 [Marcus Burghardt]
- 4f18ae7d3a|2023-04-17|2023-04-18 Ensure that all files in the repo end with a newline [Matthew Burket]
- acc24a1a5e|2023-04-11|2023-04-11 Merge pull request #10334 from vojtapolasek/anssi_20_upstream [GitHub]
- 0c5d7b9880|2023-03-30|2023-03-30 Drop Req prefix from pcidss4 reference ids [teacup-on-rockingchair]
- d6338b6333|2023-03-19|2023-03-26 Extract rules from SLE15 profile to PCI-DSS v4 control file [teacup-on-rockingchair]
- 209fc25b9b|2023-03-08|2023-03-23 add anssi references to rules [Vojtech Polasek]
- 5ae4bfd0f7|2023-03-14|2023-03-14 Remove vmmsrg references from rules [Matthew Burket]
- b77974cabd|2023-02-09|2023-02-14 Fix `>` to `>` for audit rules in RHEL 9 STIG [Matthew Burket]
- 45f48ceed7|2023-02-06|2023-02-14 Escape < and > in product specific content [Matthew Burket]
- 3d711c8b36|2022-11-30|2022-11-30 Merge pull request #9897 from litios/master [GitHub]
- 795f076c3b|2022-11-28|2022-11-28 Update rule tests to rely on platform_package_overrides + add needed alternatives to products [David Fernandez Gonzalez]
- 15abac6291|2022-11-25|2022-11-25 Recognize all 64bit architectures in audit rules [Milan Lysonek]
- 5f2250d539|2022-11-04|2022-11-07 products/anolis8: supports Anolis OS 8 [YiLin.Li]
- 2e2af472a5|2022-09-30|2022-10-04 Import STIG content for RHEL9 [Matthew Burket]
- e02980a2d9|2022-09-19|2022-09-19 Remove Debian 9 from products [Matthew Burket]
- fd54c29fbf|2022-08-31|2022-09-01 Add ol7 platform to existing required tests [Edgar Aguilar]
- 7f5b811d66|2022-08-19|2022-08-22 Tag rules applicable to ubuntu2004 as applicable to ubuntu2204 too [Juan Antonio Osorio]
- 16e89ad537|2022-08-10|2022-08-11 Add the AUID filters on audit kernel module rules [Federico Ramirez]
- a29edee989|2022-08-03|2022-08-03 Add the AUID filters on audit kernel module rules [Watson Sato]
- b020fd27bc|2022-07-28|2022-07-30 ssg/constants.py: fix the alinux3 full name error [YiLin.Li]
- f035005456|2022-07-28|2022-07-30 ssg/constants.py: fix the alinux2 full name error [YiLin.Li]
- 41ea38be8f|2022-07-08|2022-07-08 Remove WRLinux 1019 product [Matthew Burket]
- 1b538dfc48|2022-05-11|2022-06-16 Update references in OL8 STIG rules [Edgar Aguilar]
- 763df44ab3|2022-05-09|2022-06-16 Clean and update OL8 STIG profile [Edgar Aguilar]
- 870a7f024b|2022-05-24|2022-05-26 Add fixtext and srg_requirement to audit_rules_kernel_module_loading_finit [Matthew Burket]
- c0ae24e95c|2022-04-04|2022-04-04 Update ansible in audit_rules_kernel_module rules [Edgar Aguilar]
- de702fb722|2022-04-04|2022-04-04 Update tests in audit_rules_kernel_module rules [Edgar Aguilar]
- 55f2f34b20|2022-03-30|2022-03-30 Update tests in audit_rules_kernel_module rules [Edgar Aguilar]
- c8b9548f03|2022-03-09|2022-03-10 Add auid criteria to rules required by rhel8 [Edgar Aguilar]
- c04d0fa92f|2022-03-09|2022-03-10 Add auid criteria to rule to meet OL08-00-030380 [Edgar Aguilar]
- d3756a772e|2022-02-15|2022-02-15 Group RHEL7 STIG audit rules. [Gabriel Becker]
- dd8af26bf3|2022-02-07|2022-02-08 Assign single STIGID to multiples syscalls rules of *init group. [Gabriel Becker]
- d29079cea0|2022-02-03|2022-02-04 Update STIG IDs to meet ol7 v2r6 [Edgar Aguilar]
- fb60278d83|2022-01-20|2022-01-25 Add OL9 prodtype to rules part of standard profile [Federico Ramirez]
- f2530de65f|2021-11-19|2021-11-29 Add OL8 STIG IDs [Federico Ramirez]
- a59d63af04|2021-11-02|2021-11-02 Run ./utils/fix_rules.py sort_prodtypes [Matthew Burket]
- f59b8dbb4d|2021-10-08|2021-10-08 Add support for Debian 11 [Marco De Donno]
- 2214054aec|2021-08-26|2021-08-30 Converted function calls to macro invocations; removed the old function; fixed comment in macro file [Jiri Odehnal]

Only in focal:
- 782f6c4c16|2021-08-31|2021-09-01 Add packages entry to auditd tests [richardmaciel-canonical]
- f44e0148e0|2021-08-17|2021-09-01 Fix auditd tests as the package is not installed by default in Ubuntu [richardmaciel-canonical]
- 9fbf7c408d|2021-08-24|2021-08-25 Automatically add Ubuntu to existing shared fixes [Richard Maciel Costa]
- 51c80e3a83|2021-07-08|2021-08-25 Manually add missing disa & srg references [Richard Maciel Costa]
---
 .../ansible/shared.yml                | 24 +++++++++----
 .../bash/shared.sh                    | 11 +++---
 .../kubernetes/shared.yml             |  2 +-
 .../oval/shared.xml                   | 16 +++++++++
 .../policy/stig/shared.yml            | 29 +++++++++++++++
 .../rule.yml                          | 36 +++++++++++++------
 .../tests/correct_rules.pass.sh       |  9 +++--
 .../tests/default.fail.sh             |  2 +-
 .../tests/missing_auid_filter.fail.sh |  8 +++++
 .../tests/ocp4/e2e.yml                |  2 +-
 10 files changed, 112 insertions(+), 27 deletions(-)
 create mode 100644
linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/policy/stig/shared.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/missing_auid_filter.fail.sh diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml index 87cf09efb45..ced862e88a8 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml 
@@ -1,21 +1,33 @@ -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu # reboot = false # complexity = low # disruption = low # strategy = configure +{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} +{{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}} +{{% else %}} +{{% set auid_filters = "" %}} +{{% endif %}} + # What architecture are we on? - name: Set architecture for audit finit_module tasks set_fact: - audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + audit_arch: "b64" + when: + - ansible_architecture == "aarch64" or + ansible_architecture == "ppc64" or + ansible_architecture == "ppc64le" or + ansible_architecture == "s390x" or + ansible_architecture == "x86_64" - name: Perform remediation of Audit rules for finit_module for x86 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b32", other_filters="", - auid_filters="", + auid_filters=auid_filters, syscalls=["finit_module"], key="module-change", syscall_grouping=["init_module","finit_module"], @@ -23,7 +35,7 @@ {{{ ansible_audit_auditctl_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b32", other_filters="", - auid_filters="", + auid_filters=auid_filters, syscalls=["finit_module"], key="module-change", syscall_grouping=["init_module","finit_module"], @@ -34,7 +46,7 @@ {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b64", other_filters="", - auid_filters="", + auid_filters=auid_filters, syscalls=["finit_module"], key="module-change", syscall_grouping=["init_module","finit_module"], 
@@ -42,7 +54,7 @@ {{{ ansible_audit_auditctl_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b64", other_filters="", - auid_filters="", + auid_filters=auid_filters, syscalls=["finit_module"], key="module-change", syscall_grouping=["init_module","finit_module"], diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh index 1b2854d9c61..02687799b89 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh @@ -1,8 +1,5 @@ # platform = multi_platform_all -# Include source function library. -. /usr/share/scap-security-guide/remediation_functions - # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # Note: 32-bit and 64-bit kernel syscall numbers not always line up => 
@@ -15,11 +12,15 @@ for ARCH in "${RULE_ARCHS[@]}" do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} + AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" + {{% else %}} AUID_FILTERS="" + {{% endif %}} SYSCALL="finit_module" KEY="modules" SYSCALL_GROUPING="init_module finit_module" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" - fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + {{{ bash_fix_audit_syscall_rule("augenrules", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}} + {{{ bash_fix_audit_syscall_rule("auditctl", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}} done diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/kubernetes/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/kubernetes/shared.yml index 90d7d43d540..639d76a2172 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/kubernetes/shared.yml 
@@ -12,4 +12,4 @@ spec: source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20finit_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20finit_module%20-k%20module-change%0A mode: 0600 path: /etc/audit/rules.d/75-kernel-module-loading-finit.rules - overwrite: true \ No newline at end of file + overwrite: true diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/oval/shared.xml index f27650d0f88..f432be0cf15 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/oval/shared.xml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/oval/shared.xml @@ -36,7 +36,11 @@ ^/etc/audit/rules\.d/.*\.rules$ + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + {{% else %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + {{% endif %}} 1 
@@ -45,7 +49,11 @@ ^/etc/audit/rules\.d/.*\.rules$ + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + {{% else %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + {{% endif %}} 1 @@ -54,7 +62,11 @@ /etc/audit/audit.rules + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + {{% else %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + {{% endif %}} 1 @@ -63,7 +75,11 @@ /etc/audit/audit.rules + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + {{% else %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + {{% endif %}} 1 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/policy/stig/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/policy/stig/shared.yml new file mode 100644 index 00000000000..9e56359b48c --- /dev/null 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/policy/stig/shared.yml 
@@ -0,0 +1,29 @@ +srg_requirement: |- + {{{ full_name }}} must audit all uses of the init_module and finit_module system calls. + +vuldiscussion: |- + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +checktext: |- + Verify that {{{ full_name }}} is configured to audit the execution of the "init_module" and "finit_module" syscalls with the following command: + + $ sudo auditctl -l | grep init_module + + -a always,exit -F arch=b32 -S init_module,finit_module -F auid>={{{ uid_min }}} -F auid!=unset -k module_chng + -a always,exit -F arch=b64 -S init_module,finit_module -F auid>={{{ uid_min }}} -F auid!=unset -k module_chng + + If both the "b32" and "b64" audit rules are not defined for the "delete_module" syscall, or any of the lines returned are commented out, this is a finding. 
+ +fixtext: |- + Configure {{{ full_name }}} to generate an audit event for any successful/unsuccessful use of the "init_module" and "finit_module" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: + + -a always,exit -F arch=b32 -S init_module,finit_module -F auid>={{{ uid_min }}} -F auid!=unset -k module_chng + -a always,exit -F arch=b64 -S init_module,finit_module -F auid>={{{ uid_min }}} -F auid!=unset -k module_chng + + The audit daemon must be restarted for the changes to take effect. diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml index e79c7653b82..f34eb590089 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module' @@ -9,12 +9,19 @@ description: |- to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} +
-a always,exit -F arch=ARCH -S finit_module -F auid>={{{ uid_min }}} -F auid!=unset -F key=modules
+ {{% else %}}
-a always,exit -F arch=ARCH -S finit_module -F key=modules
- If the auditd daemon is configured to use the auditctl utility to read audit + {{% endif %}} If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} +
-a always,exit -F arch=ARCH -S finit_module -F auid>={{{ uid_min }}} -F auid!=unset -F key=modules
+ {{% else %}}
-a always,exit -F arch=ARCH -S finit_module -F key=modules
+ {{% endif %}} rationale: |- The addition/removal of kernel modules can be used to alter the behavior of @@ -32,12 +39,15 @@ identifiers: cce@sle15: CCE-85749-0 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 + cis@alinux2: 4.1.17 cis@rhel7: 4.1.17 - cis@rhel8: 4.1.15 + cis@rhel8: 4.1.3.19 + cis@rhel9: 4.1.3.19 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 cui: 3.1.7 - disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884 + disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' 
@@ -47,13 +57,19 @@ references: nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a) ospp: FAU_GEN.1.1.c pcidss: Req-10.2.7 - srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222 - stigid@ol7: OL07-00-030821 - stigid@rhel7: RHEL-07-030821 - stigid@rhel8: RHEL-08-030380 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-APP-000495-CTR-001235,SRG-APP-000504-CTR-001280 + stigid@ol7: OL07-00-030820 + stigid@ol8: OL08-00-030360 + stigid@rhel7: RHEL-07-030820 + stigid@rhel8: RHEL-08-030360 + stigid@rhel9: RHEL-09-654080 stigid@sle12: SLES-12-020740 stigid@sle15: SLES-15-030530 - stigid@ubuntu2004: UBTU-20-010180 - vmmsrg: SRG-OS-000477-VMM-001970 + stigid@ubuntu2004: UBTU-20-010179 {{{ complete_ocil_entry_audit_syscall(syscall="finit_module") }}} + +fixtext: |- + {{{ fixtext_audit_rules("finit_module", "module_chng") | indent(4) }}} + +srg_requirement: '{{{ srg_requirement_audit_command("finit_module") }}}' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/correct_rules.pass.sh index 69f50da42d0..edc7229329f 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/correct_rules.pass.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/correct_rules.pass.sh 
@@ -1,7 +1,10 @@ #!/bin/bash +# packages = audit -# packages = {{{ ssgts_package("audit") }}} - +{{% if "ol" in product or 'rhel' in product %}} +echo "-a always,exit -F arch=b32 -S finit_module -F auid>={{{ uid_min }}} -F auid!=unset -k modules" >> /etc/audit/rules.d/modules.rules +echo "-a always,exit -F arch=b64 -S finit_module -F auid>={{{ uid_min }}} -F auid!=unset -k modules" >> /etc/audit/rules.d/modules.rules +{{% else %}} echo "-a always,exit -F arch=b32 -S finit_module -k modules" >> /etc/audit/rules.d/modules.rules echo "-a always,exit -F arch=b64 -S finit_module -k modules" >> /etc/audit/rules.d/modules.rules - +{{% endif %}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/default.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/default.fail.sh index c4689b5a18b..6d0cf84e52e 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/default.fail.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/default.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # remediation = bash -# packages = {{{ ssgts_package("audit") }}} +# packages = audit rm -f /etc/audit/rules.d/* > /etc/audit/audit.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/missing_auid_filter.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/missing_auid_filter.fail.sh new file mode 100644 index 00000000000..deb2217dea1 --- /dev/null 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/missing_auid_filter.fail.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 8 +# packages = audit + +rm -f /etc/audit/rules.d/* + +echo "-a always,exit -F arch=b32 -S finit_module -k modules" >> /etc/audit/rules.d/modules.rules +echo "-a always,exit -F arch=b64 -S finit_module -k modules" >> /etc/audit/rules.d/modules.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/ocp4/e2e.yml index b5bc081590c..fd9b313e87b 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/ocp4/e2e.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/ocp4/e2e.yml @@ -1,3 +1,3 @@ --- default_result: FAIL -result_after_remediation: PASS \ No newline at end of file +result_after_remediation: PASS
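Review bot: in the ansible/shared.yml hunk (@@ -1,21 +1,33 @@), the new `set_fact` only assigns `audit_arch: "b64"` under a `when:` that lists the 64-bit architectures, whereas the removed `regex_replace('.*(\\d\\d$)','\\1')` expression always produced either b32 or b64. On a host outside that list the fact is never defined, so if the 64-bit block later guards on `audit_arch == "b64"` it hits an undefined variable instead of simply being skipped. Give the fact a default, for example a second `set_fact` with `audit_arch: "b32"` under the inverse condition, or reference it as `audit_arch | default('b32')` wherever it is tested.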
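Review bot: in the bash/shared.sh hunk (@@ -15,11 +12,15 @@) the threshold is written as `AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"`, and ansible/shared.yml builds it from `auid` as well, but every new OVAL pattern in this patch matches `auid>={{{ uid_min }}}`. Remediation and check therefore read the login-UID threshold from two different template variables; if they ever resolve to different values for a product, the remediation writes a rule the check rejects and the rule fails immediately after being fixed. Use one variable on both sides (log entry ec2bfe80d3, "uid_min: use it in audit auid checks", suggests `uid_min`). While here: this file sets `KEY="modules"` while ansible/shared.yml and kubernetes/shared.yml use `module-change` and the new STIG fixtext uses `module_chng`; the OVAL accepts any key, but anyone filtering `ausearch -k` by the documented key will miss events remediated by a different tool, so one key name across the three remediations would help.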
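Review bot: the `{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}}` guard introduced in the first oval/shared.xml hunk (@@ -36,7 +36,11 @@), and repeated in the other three OVAL hunks and in both remediations, is a substring test. With the new prodtype line in rule.yml it is also true for anolis8 and anolis23 ("anolis" contains "ol"), so those products get the auid-filtered pattern and remediations even though nothing else in the patch (STIG ids, the missing_auid_filter test) treats them that way; meanwhile `'rhel' in product` is false for rhcos4 and rhv4, which is presumably intended. If Anolis is not meant to be covered, anchor the match, e.g. `product.startswith("ol")`, or list the products explicitly.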
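Review bot: the new OVAL patterns (second oval/shared.xml hunk, @@ -45,7 +49,11 @@, and likewise the other three) accept only `auid!=(unset|4294967295)`, yet the vuldiscussion added in policy/stig/shared.yml in this same patch states that the audit system interprets -1, 4294967295 and "unset" the same way. An administrator who writes `-F auid!=-1` has a functionally correct rule that this check fails. Either add `-1` to the alternation or say in the rule description which spellings are recognised. The pattern also pins the order, `-F auid>=... -F auid!=...` immediately followed by the key, so `-F auid!=unset -F auid>=...` or a filter placed between them is rejected as well; if that strictness is deliberate, the description should show the exact ordering, which it currently does.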
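Review bot: in the new policy/stig/shared.yml the checktext closes with "If both the "b32" and "b64" audit rules are not defined for the "delete_module" syscall, or any of the lines returned are commented out, this is a finding." This file is for init_module and finit_module (as its srg_requirement, the `grep init_module` command and the two expected lines all say), so the sentence has been carried over from the delete_module rule and should name "init_module" and "finit_module".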
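Review bot: in the rule.yml description hunk (@@ -9,12 +9,19 @@) the second conditional is closed as `{{% endif %}} If the auditd daemon is configured to use the auditctl utility to read audit`, with the tag on the same line as the prose, while the `{{% if %}}` and `{{% else %}}` tags in the same hunk each sit on their own line. Move the `{{% endif %}}` onto its own line so the rendered description keeps its paragraph break and the conditionals read consistently. Separately, the description documents the key as `-F key=modules` while the fixtext added further down uses `module_chng`; the two are shown to the same reader and should agree.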
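Review bot: the rule.yml references hunk (@@ -47,13 +57,19 @@) appends `fixtext` (via `fixtext_audit_rules("finit_module", "module_chng")`) and `srg_requirement` (via `srg_requirement_audit_command("finit_module")`) to rule.yml, while the new policy/stig/shared.yml in this same patch also defines `fixtext` and `srg_requirement`, with different wording that covers init_module and finit_module together. Two sources for the same fields means one of them is silently dropped at build time; keep a single definition, or state in the commit which one is meant to win.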
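Review bot: in tests/correct_rules.pass.sh the auid-filtered rules are written only under `{{% if "ol" in product or 'rhel' in product %}}`, but the OVAL and both remediations use `"ol" in product or 'rhel' in product or 'ubuntu' in product`. On ubuntu2004 and ubuntu2204 (both in the new prodtype) this scenario therefore writes rules without the auid filters, which the OVAL rejects, so a test named correct_rules.pass fails on Ubuntu. Add `'ubuntu' in product` to the condition so the test mirrors the check.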
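Review bot: the new tests/missing_auid_filter.fail.sh is restricted to `# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 8`, yet the OVAL condition requires the auid filters on every ol, rhel and ubuntu product, and this patch adds stigid@rhel9, ol9 and ubuntu2204 to the rule. Extend the platform list (RHEL 9, OL 9, Ubuntu 20.04/22.04) so the negative case is exercised everywhere the check is strict. Also consider truncating /etc/audit/audit.rules the way tests/default.fail.sh does (`> /etc/audit/audit.rules`), so a pre-existing correct rule in that file cannot turn this fail scenario into a pass.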