From 2f4ddb4297f2a14e2bde3b32f76347e2bbe2cb2d Mon Sep 17 00:00:00 2001 
From: Matthew Burket Date: Thu, 19 Aug 2021 09:47:42 -0500 Subject: [PATCH] Add new rule for RHEL-07-030330 and RHEL-08-030730 This new rule is copy of auditd_data_retention_space_left, but setup to allow for percentages. --- .../auditd_data_retention_space_left/rule.yml | 2 - .../ansible/shared.yml | 15 ++++++ .../bash/shared.sh | 7 +++ .../oval/shared.xml | 32 +++++++++++++ .../rule.yml | 47 +++++++++++++++++++ .../tests/no_percent_sign.fail.sh | 6 +++ .../space_left_greater_than_minimum.pass.sh | 6 +++ .../tests/space_left_minimum_value.pass.sh | 6 +++ .../tests/space_left_not_enough.fail.sh | 6 +++ .../tests/space_left_not_there.fail.sh | 6 +++ .../var_auditd_space_left_percentage.var | 15 ++++++ products/rhel7/profiles/stig.profile | 3 +- products/rhel8/profiles/stig.profile | 7 +-- shared/references/cce-redhat-avail.txt | 2 - .../data/profile_stability/rhel8/stig.profile | 3 +- .../profile_stability/rhel8/stig_gui.profile | 3 +- 16 files changed, 156 insertions(+), 10 deletions(-) create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/ansible/shared.yml create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/bash/shared.sh create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/oval/shared.xml create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/no_percent_sign.fail.sh create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_greater_than_minimum.pass.sh create mode 100644 
linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_minimum_value.pass.sh
 create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_enough.fail.sh
 create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_there.fail.sh
 create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left_percentage.var
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
index 7fd0470df8..a652d15d0d 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
@@ -39,8 +39,6 @@ references:
 pcidss: Req-10.7
 srg: SRG-OS-000343-GPOS-00134
 stigid@ol7: OL07-00-030330
- stigid@rhel7: RHEL-07-030330
- stigid@rhel8: RHEL-08-030730
 stigid@sle12: SLES-12-020030
 stigid@sle15: SLES-15-030700
 stigid@ubuntu2004: UBTU-20-010217
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/ansible/shared.yml
new file mode 100644
index 0000000000..ea52773bd3
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/ansible/shared.yml
@@ -0,0 +1,15 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("var_auditd_space_left_percentage") }}}
+
+- name: Configure auditd space_left on Low Disk Space
+ lineinfile:
+ dest: /etc/audit/auditd.conf
+ line: "space_left = {{ var_auditd_space_left_percentage }}%"
+ regexp: '^\s*space_left\s*=\s*.*$'
+ state: present
+ create: yes
+ #notify: reload auditd
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/bash/shared.sh
new file mode 100644
index 0000000000..6cc3e9ecbe
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+. /usr/share/scap-security-guide/remediation_functions
+{{{ bash_instantiate_variables("var_auditd_space_left_percentage") }}}
+
+grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
+ sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left_percentage%/g" /etc/audit/auditd.conf || \
+ echo "space_left = $var_auditd_space_left_percentage%" >> /etc/audit/auditd.conf
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/oval/shared.xml
new file mode 100644
index 0000000000..2fcd222d29
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/oval/shared.xml
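Review bot: The task rewrites the threshold in `/etc/audit/auditd.conf` but nothing signals the running auditd to re-read it, since the only handler hook, `#notify: reload auditd`, is commented out; until the daemon is restarted the effective threshold stays at its previous value while the OVAL check already reports the line as compliant. If omitting the handler is deliberate (the sibling MB-based rule this was copied from seems to do the same), a one-line comment above the task would spare the next reader the question, e.g. `# No notify on purpose: auditd is restarted once after remediation, not per rule` — adjusted to whatever actually restarts it.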
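Review bot: The grep and sed patterns anchor on `^space_left`, so an existing indented line such as `  space_left = 10%` (which auditd appears to accept, as does the OVAL pattern `^[\s]*space_left`) is neither matched nor rewritten and the `||` branch appends a second `space_left` line, whereas the Ansible remediation in the previous hunk matches `^\s*space_left\s*=` and rewrites it in place; the two remediations should agree on which lines they own. The `A && B || C` chain also runs the append when sed itself fails, leaving a duplicate line in a file sed could not edit, and the `g` flag is a no-op on a `^…$` anchored pattern. An explicit if/else with both patterns loosened to `^[[:space:]]*space_left[[:space:]]*=` addresses all three.
```shell
# … unchanged: platform header, remediation_functions source, variable instantiation …
if grep -q "^[[:space:]]*space_left[[:space:]]*=.*$" /etc/audit/auditd.conf; then
    sed -i "s/^[[:space:]]*space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left_percentage%/" /etc/audit/auditd.conf
else
    echo "space_left = $var_auditd_space_left_percentage%" >> /etc/audit/auditd.conf
fi
```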
@@ -0,0 +1,32 @@ + + + {{{ oval_metadata("space_left setting in /etc/audit/auditd.conf is set to at least a certain value") }}} + + + + + + + + + + + + + + /etc/audit/auditd.conf + + + ^[\s]*space_left[\s]+=[\s]+(\d+)%[\s]*$ + 1 + + + + + + + + + + + diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml new file mode 100644 index 0000000000..ea9d9fcc6b --- /dev/null +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml @@ -0,0 +1,47 @@ +documentation_complete: true + +prodtype: fedora,rhel7,rhel8,rhel9 + +title: 'Configure auditd space_left on Low Disk Space' + +description: |- + The auditd service can be configured to take an action + when disk space is running low but prior to running out of space completely. + Edit the file /etc/audit/auditd.conf. Add or modify the following line, + substituting PERCENTAGE appropriately: +
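Review bot: The `oval_metadata` text `space_left setting in /etc/audit/auditd.conf is set to at least a certain value` is carried over from the MB-based rule and no longer describes this check, whose pattern `^[\s]*space_left[\s]+=[\s]+(\d+)%[\s]*$` only accepts a percentage; suggest `space_left setting in /etc/audit/auditd.conf is set to at least a certain percentage`. The pattern also requires whitespace on both sides of `=` while the Ansible remediation matches `\s*=\s*`; if the strict form is intentional (as far as I recall auditd tokenises the line on whitespace, so `space_left=25%` is not a valid assignment anyway — please confirm), a short comment next to the regex saying so would stop someone loosening it later. The test and state elements that compare the captured group with the variable are not legible in this rendering of the hunk, so the comparison itself is not reviewed here.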
space_left = PERCENTAGE%
+ Set this value to at least 25 to cause the system to
+ notify the user of an issue.
+
+rationale: |-
+ Notifying administrators of an impending disk space problem may allow them to
+ take corrective action prior to any disruption.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-86056-9
+ cce@rhel8: CCE-86055-1
+
+references:
+ cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8
+ cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01
+ disa: CCI-001855
+ isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 7.1,SR 7.2'
+ iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1
+ nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a)
+ nist-csf: DE.AE-3,DE.AE-5,PR.DS-4,PR.PT-1,RS.AN-1,RS.AN-4
+ pcidss: Req-10.7
+ srg: SRG-OS-000343-GPOS-00134
+ stigid@rhel7: RHEL-07-030330
+ stigid@rhel8: RHEL-08-030730
+ vmmsrg: SRG-OS-000343-VMM-001240
+
+ocil_clause: 'the system is not configured with a specific percentage to notify administrators of an issue'
+
+ocil: |-
+ Inspect /etc/audit/auditd.conf and locate the following line to
+ determine if the system is configured correctly:
+
space_left PERCENTAGE%
+
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/no_percent_sign.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/no_percent_sign.fail.sh
new file mode 100644
index 0000000000..2e90ce1d7b
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/no_percent_sign.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# variables = var_auditd_space_left_percentage=25
+
+. $SHARED/auditd_utils.sh
+prepare_auditd_test_enviroment
+set_parameters_value /etc/audit/auditd.conf "space_left" "25"
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_greater_than_minimum.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_greater_than_minimum.pass.sh
new file mode 100644
index 0000000000..135d6e4258
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_greater_than_minimum.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# variables = var_auditd_space_left_percentage=25
+
+. $SHARED/auditd_utils.sh
+prepare_auditd_test_enviroment
+set_parameters_value /etc/audit/auditd.conf "space_left" "35%"
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_minimum_value.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_minimum_value.pass.sh
new file mode 100644
index 0000000000..10d652e80e
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_minimum_value.pass.sh
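Review bot: The OCIL snippet `space_left PERCENTAGE%` drops the `=` that the description's `space_left = PERCENTAGE%` shows and that the OVAL pattern requires, so an auditor following the OCIL text literally is told to look for a line that can never pass the automated check; it should read `space_left = PERCENTAGE%`. The description also hard-codes `at least 25` although the enforced threshold comes from `var_auditd_space_left_percentage`, which the profiles select through its `25pc`/`50pc`/`75pc` options; referencing it with `{{{ xccdf_value("var_auditd_space_left_percentage") }}}` keeps the text correct when a profile picks another option. Likewise the OCIL never states what value the found line must meet, so a sentence such as `The percentage must be at least the configured value.` would make the manual check actionable.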
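Review bot: All five scenarios pin `var_auditd_space_left_percentage=25` and write a canonical `space_left = N%` line, so none exercises the forms the OVAL pattern deliberately admits or rejects: leading whitespace, trailing whitespace after `%`, a commented-out `# space_left = 25%` line (which should fail), or two `space_left` lines where only the later one is compliant. At least the commented-out and the indented-line cases are cheap to add with the same `set_parameters_value` helper and would catch a future tightening or loosening of the regex that the current set cannot see.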
@@ -0,0 +1,6 @@
+#!/bin/bash
+# variables = var_auditd_space_left_percentage=25
+
+. $SHARED/auditd_utils.sh
+prepare_auditd_test_enviroment
+set_parameters_value /etc/audit/auditd.conf "space_left" "25%"
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_enough.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_enough.fail.sh
new file mode 100644
index 0000000000..0bf7694b15
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_enough.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# variables = var_auditd_space_left_percentage=25
+
+. $SHARED/auditd_utils.sh
+prepare_auditd_test_enviroment
+set_parameters_value /etc/audit/auditd.conf "space_left" "15%"
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_there.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_there.fail.sh
new file mode 100644
index 0000000000..34ac5595c6
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_there.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# variables = var_auditd_space_left_percentage=25
+
+. $SHARED/auditd_utils.sh
+prepare_auditd_test_enviroment
+delete_parameter /etc/audit/auditd.conf "space_left"
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left_percentage.var b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left_percentage.var
new file mode 100644
index 0000000000..427a1d4bfa
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left_percentage.var
@@ -0,0 +1,15 @@
+documentation_complete: true
+
+title: 'The percentage remaining in disk space before prompting space_left_action'
+
+description: 'The setting for space_left as a percentage in /etc/audit/auditd.conf'
+
+type: number
+
+interactive: true
+
+options:
+ 25pc: 25
+ 50pc: 50
+ 75pc: 75
+ default: 25
diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
index 9ca1360005..67e22982cd 100644
--- a/products/rhel7/profiles/stig.profile
+++ b/products/rhel7/profiles/stig.profile
@@ -50,6 +50,7 @@ selections:
 - var_removable_partition=dev_cdrom
 - var_auditd_action_mail_acct=root
 - var_auditd_space_left_action=email
+ - var_auditd_space_left_percentage=25pc
 - var_accounts_user_umask=077
 - var_password_pam_retry=3
 - var_accounts_max_concurrent_login_sessions=10
@@ -178,8 +179,8 @@ selections:
 - auditd_audispd_configure_remote_server
 - auditd_audispd_encrypt_sent_records
 - auditd_audispd_disk_full_action
- - auditd_data_retention_space_left
 - auditd_data_retention_space_left_action
+ - auditd_data_retention_space_left_percentage
 - auditd_data_retention_action_mail_acct
 - audit_rules_suid_privilege_function
 - audit_rules_dac_modification_chown
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 36f384621a..10dbc1501b 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -65,7 +65,7 @@ selections:
 - var_auditd_action_mail_acct=root
 - var_time_service_set_maxpoll=18_hours
 - var_accounts_maximum_age_login_defs=60
- - var_auditd_space_left=250MB
+ - var_auditd_space_left_percentage=25pc
 - var_auditd_space_left_action=email
 - var_auditd_disk_error_action=halt
 - var_auditd_max_log_file_action=syslog
@@ -922,8 +922,9 @@ selections: - rsyslog_encrypt_offload_actionsendstreamdriverauthmode # RHEL-08-030730 - # this rule expects configuration in MB instead percentage as how STIG demands - # - auditd_data_retention_space_left + - auditd_data_retention_space_left_percentage + + # RHEL-08-030731 - auditd_data_retention_space_left_action # RHEL-08-030740 diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 6c33c2e85f..fcb8125ca4 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -170,8 +170,6 @@ CCE-86051-0 CCE-86052-8 CCE-86053-6 CCE-86054-4 -CCE-86055-1 -CCE-86056-9 CCE-86057-7 CCE-86058-5 CCE-86059-3 diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index f3e6c4fa1a..09a5bc3174 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -140,6 +140,7 @@ selections: - auditd_data_retention_action_mail_acct - auditd_data_retention_max_log_file_action - auditd_data_retention_space_left_action +- auditd_data_retention_space_left_percentage - auditd_local_events - auditd_log_format - auditd_name_format @@ -422,7 +423,7 @@ selections: - var_auditd_action_mail_acct=root - var_time_service_set_maxpoll=18_hours - var_accounts_maximum_age_login_defs=60 -- var_auditd_space_left=250MB +- var_auditd_space_left_percentage=25pc - var_auditd_space_left_action=email - var_auditd_disk_error_action=halt - var_auditd_max_log_file_action=syslog diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index b5b60349a8..5b631a3fe0 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile 
@@ -151,6 +151,7 @@ selections:
 - auditd_data_retention_action_mail_acct
 - auditd_data_retention_max_log_file_action
 - auditd_data_retention_space_left_action
+- auditd_data_retention_space_left_percentage
 - auditd_local_events
 - auditd_log_format
 - auditd_name_format
@@ -432,7 +433,7 @@ selections:
 - var_auditd_action_mail_acct=root
 - var_time_service_set_maxpoll=18_hours
 - var_accounts_maximum_age_login_defs=60
-- var_auditd_space_left=250MB
+- var_auditd_space_left_percentage=25pc
 - var_auditd_space_left_action=email
 - var_auditd_disk_error_action=halt
 - var_auditd_max_log_file_action=syslog