From fdc04fed4ae88d0114540a524f5170b19e2b0d19 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Wed, 28 Apr 2021 17:17:23 +0200 Subject: [PATCH 01/21] Enable audit rules in RHEL8 STIG. --- .../audit_rules_execution_chacl/rule.yml | 2 +- .../audit_rules_execution_setfacl/rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- products/rhel8/profiles/stig.profile | 171 +++++++++++------- 6 files changed, 110 insertions(+), 71 deletions(-) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml index 8c8b0cbda8..28125b692b 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: sle12,sle15,ubuntu2004 +prodtype: rhel8,sle12,sle15,ubuntu2004 title: 'Record Any Attempts to Run chacl' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml index dcd62891f1..43fe86106c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: sle12,sle15,ubuntu2004 +prodtype: rhel8,sle12,sle15,ubuntu2004 title: 'Record Any Attempts to Run setfacl' 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml index d2ff46792c..dbba6f8636 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: sle12,sle15,ubuntu2004 +prodtype: rhel8,sle12,sle15,ubuntu2004 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - kmod' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml index 58d0aef7a5..b9f68d0712 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: sle12,sle15,ubuntu2004 +prodtype: rhel8,sle12,sle15,ubuntu2004 title: 'Record Any Attempts to Run ssh-agent' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml index 6fa14649be..b4c8a8f2cb 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: sle12,sle15,ubuntu2004 +prodtype: rhel8,sle12,sle15,ubuntu2004 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - usermod' diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index f66b2a24a7..c3eee7fae0 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile 
@@ -652,167 +652,206 @@ selections: # ************ # # RHEL-08-030121 - # - audit_rules_immutable + - audit_rules_immutable # RHEL-08-030122 - # - audit_immutable_login_uids + - audit_immutable_login_uids # RHEL-08-030130 - # - audit_rules_usergroup_modification_shadow + - audit_rules_usergroup_modification_shadow # RHEL-08-030140 - # - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_opasswd # RHEL-08-030150 - # - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_passwd # RHEL-08-030160 - # - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_gshadow # RHEL-08-030170 - # - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_group - # RHEL-08-030171, RHEL-08-030172 + # RHEL-08-030171 + # should be split # - audit_rules_sysadmin_actions + # RHEL-08-030172 + - audit_rules_sysadmin_actions + # RHEL-08-030180 - package_audit_installed - service_auditd_enabled # RHEL-08-030190 - # - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_su + + # RHEL-08-030200 + - audit_rules_dac_modification_lremovexattr + + # RHEL-08-030210 + - audit_rules_dac_modification_removexattr + + # RHEL-08-030220 + - audit_rules_dac_modification_lsetxattr - # RHEL-08-030200, RHEL-08-030210, RHEL-08-030220, RHEL-08-030230, RHEL-08-030240 - # - audit_perm_change_failed - # - audit_perm_change_success + # RHEL-08-030230 + - audit_rules_dac_modification_fsetxattr + + # RHEL-08-030240 + - audit_rules_dac_modification_fremovexattr # RHEL-08-030250 - # - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chage # RHEL-08-030260 - # - audit_rules_execution_chcon + - audit_rules_execution_chcon # RHEL-08-030270 - # - audit_perm_change_failed - # - audit_perm_change_success + - audit_rules_dac_modification_setxattr # RHEL-08-030280 + - audit_rules_privileged_commands_ssh_agent + + # RHEL-08-030290 + - audit_rules_privileged_commands_passwd - 
# RHEL-08-030290, RHEL-08-030300, RHEL-08-030301 - # - audit_ospp_general + # RHEL-08-030300 + - audit_rules_privileged_commands_mount + + # RHEL-08-030301 + - audit_rules_privileged_commands_umount # RHEL-08-030302 - # - audit_rules_media_export + - audit_rules_media_export # RHEL-08-030310 + # missing rule # RHEL-08-030311 - # - audit_rules_privileged_commands_postdrop + - audit_rules_privileged_commands_postdrop # RHEL-08-030312 - # - audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_postqueue # RHEL-08-030313 - # - audit_rules_execution_semanage + - audit_rules_execution_semanage # RHEL-08-030314 - # - audit_rules_execution_setfiles + - audit_rules_execution_setfiles # RHEL-08-030315 - # - audit_ospp_general + - audit_rules_privileged_commands_userhelper # RHEL-08-030316 - # - audit_rules_execution_setsebool + - audit_rules_execution_setsebool # RHEL-08-030317 - # - audit_ospp_general + - audit_rules_privileged_commands_unix_chkpwd # RHEL-08-030320 - # - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_ssh_keysign # RHEL-08-030330 + - audit_rules_execution_setfacl # RHEL-08-030340 - # - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_pam_timestamp_check # RHEL-08-030350 - # - audit_ospp_general + - audit_rules_privileged_commands_newgrp # RHEL-08-030360 - # - audit_module_load + - audit_rules_kernel_module_loading_init + + # RHEL-08-030361 + - audit_rules_file_deletion_events_rename - # RHEL-08-030361, RHEL-08-030362 - # - audit_delete_failed - # - audit_delete_success + # RHEL-08-030362 + - audit_rules_file_deletion_events_renameat # RHEL-08-030363 + - audit_rules_file_deletion_events_rmdir - # RHEL-08-030364, RHEL-08-030365 - # - audit_delete_failed - # - audit_delete_success + # RHEL-08-030364 + - audit_rules_file_deletion_events_unlink + + # RHEL-08-030365 + - audit_rules_file_deletion_events_unlinkat # RHEL-08-030370 - # - audit_ospp_general + - 
audit_rules_privileged_commands_gpasswd + + # RHEL-08-030380 + - audit_rules_kernel_module_loading_finit - # RHEL-08-030380, RHEL-08-030390 - # - audit_module_load + # RHEL-08-030390 + - audit_rules_kernel_module_loading_delete # RHEL-08-030400 - # - audit_ospp_general + - audit_rules_privileged_commands_crontab # RHEL-08-030410 - # - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_chsh # RHEL-08-030420 - # - audit_modify_failed - # - audit_modify_success + - audit_rules_unsuccessful_file_modification_truncate + + # RHEL-08-030430 + - audit_rules_unsuccessful_file_modification_openat + + # RHEL-08-030440 + - audit_rules_unsuccessful_file_modification_open - # RHEL-08-030430, RHEL-08-030440, RHEL-08-030450 - # - audit_create_failed - # - audit_create_success - # - audit_modify_failed - # - audit_modify_success - # - audit_access_failed - # - audit_access_success + # RHEL-08-030450 + - audit_rules_unsuccessful_file_modification_open_by_handle_at # RHEL-08-030460 - # - audit_modify_failed - # - audit_modify_success + - audit_rules_unsuccessful_file_modification_ftruncate # RHEL-08-030470 - # - audit_create_failed - # - audit_create_success + - audit_rules_unsuccessful_file_modification_creat # RHEL-08-030480 - # - audit_owner_change_failed - # - audit_owner_change_success + - audit_rules_dac_modification_chown # RHEL-08-030490 - # - audit_perm_change_failed - # - audit_perm_change_success + - audit_rules_dac_modification_chmod + + # RHEL-08-030500 + - audit_rules_dac_modification_lchown + + # RHEL-08-030510 + - audit_rules_dac_modification_fchownat + + # RHEL-08-030520 + - audit_rules_dac_modification_fchown - # RHEL-08-030500, RHEL-08-030510, RHEL-08-030520 - # - audit_owner_change_failed - # - audit_owner_change_success + # RHEL-08-030530 + - audit_rules_dac_modification_fchmodat - # RHEL-08-030530, RHEL-08-030540 - # - audit_perm_change_failed - # - audit_perm_change_success + # RHEL-08-030540 + - audit_rules_dac_modification_fchmod # 
RHEL-08-030550 - # - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudo # RHEL-08-030560 + - audit_rules_privileged_commands_usermod # RHEL-08-030570 + - audit_rules_execution_chacl # RHEL-08-030580 + - audit_rules_privileged_commands_kmod # RHEL-08-030590 + # This one needs to be updated to use /var/log/faillock, but first RHEL-08-020017 should be + # implemented as it is the one that configures a different patch for the events of failing locks # - audit_rules_login_events_faillock # RHEL-08-030600 - # - audit_rules_login_events_lastlog + - audit_rules_login_events_lastlog # RHEL-08-030601 - grub2_audit_argument From e88a8ad0bece18a8b7dcd350af9706134c827458 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Wed, 28 Apr 2021 18:00:18 +0200 Subject: [PATCH 02/21] Update audit template to include perm=x for binaries. --- .../audit_rules_privileged_commands/ansible.template | 2 +- .../templates/audit_rules_privileged_commands/bash.template | 2 +- .../templates/audit_rules_privileged_commands/oval.template | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template index 0a0f06fba2..ec7b7d7605 100644 --- a/shared/templates/audit_rules_privileged_commands/ansible.template +++ b/shared/templates/audit_rules_privileged_commands/ansible.template @@ -26,7 +26,7 @@ - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}" when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched > 0 -{{% if product in ["sle12", "sle15"] %}} +{{% if product in ["rhel8", "sle12", "sle15"] %}} - name: Inserts/replaces the {{{ NAME }}} rule in rules.d lineinfile: diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template index 85dbc9b828..100a4770bf 100644 
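Review bot: The comment added under `# RHEL-08-030590` says RHEL-08-020017 "configures a different patch for the events of failing locks"; "patch" reads as a typo for "path", and the sentence should name what that path is so the next reader knows why the rule is still commented out, e.g. `# RHEL-08-020017 is expected to point faillock at /var/log/faillock; this rule must then watch that directory instead of the default`. The `# should be split` comment under `# RHEL-08-030171` has no subject — `# audit_rules_sysadmin_actions covers both RHEL-08-030171 and RHEL-08-030172; split it so each STIG ID maps to one rule` makes the intent explicit. Likewise `# missing rule` under `# RHEL-08-030310` leaves no trace of what is expected; a short description of the required audit rule or a tracking reference (e.g. `# TODO: tracked in <issue-id>`) would prevent the gap from being forgotten. The selection list is otherwise consistent with the prodtype changes made earlier in this patch (chacl, setfacl, kmod, ssh_agent, usermod).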
--- a/shared/templates/audit_rules_privileged_commands/bash.template +++ b/shared/templates/audit_rules_privileged_commands/bash.template @@ -7,7 +7,7 @@ PATTERN="-a always,exit -F path={{{ PATH }}}\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" -FULL_RULE="-a always,exit -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged" +FULL_RULE="-a always,exit -F path={{{ PATH }}} {{{ "-F perm=x " if product in ["rhel8"]}}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" diff --git a/shared/templates/audit_rules_privileged_commands/oval.template b/shared/templates/audit_rules_privileged_commands/oval.template index c68df7671f..151a9d5d47 100644 --- a/shared/templates/audit_rules_privileged_commands/oval.template +++ b/shared/templates/audit_rules_privileged_commands/oval.template @@ -23,7 +23,7 @@ ^/etc/audit/rules\.d/.*\.rules$ -{{% if product in ["sle12", "sle15"] %}} +{{% if product in ["rhel8", "sle12", "sle15"] %}} ^[\s]*-a[\s]+always,exit[\s]+(-S[\s]+all[\s]+)*-F[\s]+path={{{ PATH }}}(?:[\s]+-F[\s]+perm=x)?[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ {{% else %}} ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 
@@ -36,7 +36,7 @@ /etc/audit/audit.rules -{{% if product in ["sle12", "sle15"] %}} +{{% if product in ["rhel8", "sle12", "sle15"] %}} ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}(?:[\s]+-F[\s]+perm=x)?[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ {{% else %}} ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ From 78134285266b3d559d8eb89d9dd4b68d37de7a26 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Wed, 28 Apr 2021 18:01:57 +0200 Subject: [PATCH 03/21] Remove remediation that copies entire ospp audit rules file. --- .../bash/shared.sh | 6 ------ .../bash/shared.sh | 6 ------ .../bash/shared.sh | 6 ------ 3 files changed, 18 deletions(-) delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/bash/shared.sh delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/shared.sh delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/shared.sh diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/bash/shared.sh deleted file mode 100644 index c93a8d8805..0000000000 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/bash/shared.sh +++ /dev/null 
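Review bot: The `/etc/audit/audit.rules` regex that the new rhel8 branch now guards accepts `auid!=(?:4294967295|unset)`, whereas the `rules.d` regex in the previous hunk accepts `auid!=(?:4294967295|unset|-1)` and also tolerates an `(-S[\s]+all[\s]+)*` prefix; a rule written as `-F auid!=-1` therefore passes under augenrules and fails under auditctl for the same content. These context lines predate the commit, but extending the branch to rhel8 is the moment to align them: use `auid!=(?:4294967295|unset|-1)` in both `audit.rules` alternatives. If the `-S all` form is intentionally accepted only in `rules.d`, a one-line comment saying so would save the next reader from asking.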
@@ -1,6 +0,0 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux -# -# Include source function library. -. /usr/share/scap-security-guide/remediation_functions - -create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/shared.sh deleted file mode 100644 index c93a8d8805..0000000000 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/shared.sh +++ /dev/null @@ -1,6 +0,0 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux -# -# Include source function library. -. /usr/share/scap-security-guide/remediation_functions - -create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/shared.sh deleted file mode 100644 index 1e021c4f80..0000000000 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/shared.sh +++ /dev/null 
@@ -1,6 +0,0 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel -# -# Include source function library. -. /usr/share/scap-security-guide/remediation_functions - -create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules From e6cb5c196e18d9dddf4c1754a438e4a6b8f8b214 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Wed, 28 Apr 2021 18:02:46 +0200 Subject: [PATCH 04/21] Use audit template in kmod privileged command. Make SLE content specific to their product. --- .../ansible/{shared.yml => sle12.yml} | 0 .../ansible/sle15.yml | 42 +++++++++++++++++++ .../oval/{shared.xml => sle12.xml} | 0 .../oval/sle15.xml | 39 +++++++++++++++++ .../rule.yml | 5 +++ 5 files changed, 86 insertions(+) rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/{shared.yml => sle12.yml} (100%) create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle15.yml rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/{shared.xml => sle12.xml} (100%) create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle15.xml 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle12.yml similarity index 100% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/shared.yml rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle12.yml diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle15.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle15.yml new file mode 100644 index 0000000000..6d128bc207 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle15.yml 
@@ -0,0 +1,42 @@ +# platform = multi_platform_sle +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +- name: Service facts + service_facts: + +- name: Check the rules script being used + command: + grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service + register: check_rules_scripts_result + +- name: Update kmod in /etc/audit/rules.d/audit.rules + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: '-w /usr/bin/kmod -p x -k modules' + create: yes + when: + - '"auditd.service" in ansible_facts.services' + - '"augenrules" in check_rules_scripts_result.stdout' + register: augenrules_audit_rules_kmod_update_result + +- name: Update kmod in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '-w /usr/bin/kmod -p x -k modules' + create: yes + when: + - '"auditd.service" in ansible_facts.services' + - '"auditctl" in check_rules_scripts_result.stdout' + register: auditctl_audit_rules_kmod_update_result + +- name: Restart auditd.service + systemd: + name: auditd.service + state: restarted + when: + - (augenrules_audit_rules_kmod_update_result.changed or + auditctl_audit_rules_kmod_update_result.changed) + - ansible_facts.services["auditd.service"].state == "running" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle12.xml similarity index 100% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/shared.xml rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle12.xml 
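Review bot: The `command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service` task has no `failed_when`/`changed_when`, so on a host whose unit file has no `ExecStartPost` line grep exits 1 and the whole play aborts before either `lineinfile` task runs, and on every other run the task is reported as changed. Add `changed_when: false` and `failed_when: check_rules_scripts_result.rc not in [0, 1]` to the task so only a real grep error (rc 2) fails the play. The file appears to be a copy of the `shared.yml` renamed to `sle12.yml` in this same commit, so the same two lines presumably belong there as well.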
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle15.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle15.xml new file mode 100644 index 0000000000..4fb3d2fc1c --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle15.xml @@ -0,0 +1,39 @@ + + + {{{ oval_metadata("Ensure audit rule for all uses of the kmod command is enabled.") }}} + + + + + + + + + + + + + + + + + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-w[\s]+/usr/bin/kmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ + 1 + + + + + + + /etc/audit/audit.rules + ^[\s]*-w[\s]+/usr/bin/kmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ + 1 + + + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml index dbba6f8636..168d5c51fc 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml @@ -53,3 +53,8 @@ ocil: |- return a line, or the line is commented out, this is a finding. platform: machine + +template: + name: audit_rules_privileged_commands + vars: + path: /usr/bin/kmod From 12e793f8340a48418214e73e05248e259c7d16b5 Mon Sep 17 00:00:00 2001 
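Review bot: Adding `template: audit_rules_privileged_commands` changes what the rhel8 check and remediation expect (`-a always,exit -F path=/usr/bin/kmod -F perm=x …` per the template) while the product-specific `sle15.xml` added in this commit and the OCIL context line above the hunk still describe a `-w /usr/bin/kmod -p x -k modules` watch rule; if the rule's description and ocil (outside the hunk) quote the watch form, they should be made product-conditional so the rhel8 text matches what the OVAL actually requires. Since the template's `ansible.template` lists `multi_platform_sle` in its platform header, SLE now has both templated and product-specific ansible content; presumably the product-specific file wins, but that precedence is worth confirming and noting in a one-line comment next to the `template:` key.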
From: Gabriel Becker Date: Wed, 28 Apr 2021 18:56:03 +0200 Subject: [PATCH 05/21] Extend audit_rules_dac_modification to support auid=0 checking. --- .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../bash.template | 16 +++++- .../oval.template | 53 +++++++++++++++++++ .../audit_rules_dac_modification/template.py | 7 +++ 9 files changed, 81 insertions(+), 1 deletion(-) create mode 100644 shared/templates/audit_rules_dac_modification/template.py diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml index d5ff634e95..294a7ebfd2 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml @@ -78,3 +78,4 @@ template: name: audit_rules_dac_modification vars: attr: fremovexattr + check_root_user: "true" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml index 034a22a987..9b01a07515 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml @@ -73,3 +73,4 @@ template: name: audit_rules_dac_modification vars: attr: fsetxattr + check_root_user: "true" 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml index 2245a13e11..577af632aa 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml @@ -78,3 +78,4 @@ template: name: audit_rules_dac_modification vars: attr: lremovexattr + check_root_user: "true" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml index 6218e6fc10..d6be12af63 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml @@ -71,3 +71,4 @@ template: name: audit_rules_dac_modification vars: attr: lsetxattr + check_root_user: "true" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml index 6565d3fcc2..982d6d377c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml @@ -77,3 +77,4 @@ template: name: audit_rules_dac_modification vars: attr: removexattr + check_root_user: "true" 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml index 7babe9d2a7..71c31e2d15 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml @@ -73,3 +73,4 @@ template: name: audit_rules_dac_modification vars: attr: setxattr + check_root_user: "true" diff --git a/shared/templates/audit_rules_dac_modification/bash.template b/shared/templates/audit_rules_dac_modification/bash.template index f0d3b6978a..a10a9145b2 100644 --- a/shared/templates/audit_rules_dac_modification/bash.template +++ b/shared/templates/audit_rules_dac_modification/bash.template @@ -9,7 +9,7 @@ for ARCH in "${RULE_ARCHS[@]}" do - PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}}.*" + PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>=.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod" @@ -17,3 +17,17 @@ do fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done + + +{{% if CHECK_ROOT_USER %}} +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0.*" + GROUP="perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0 -F auid!=unset -F key=perm_mod" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done +{{% endif %}} 
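Review bot: The narrowed `PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>=.*"` no longer recognises an existing rule in which the syscall sits in a comma-separated list (`-S setxattr,lsetxattr -F auid>=…`) or where another `-F` field precedes `auid>=`, even though the OVAL check in this same commit deliberately accepts `([\s]+|[,]){{{ ATTR }}}([\s]+|[,])`. If `fix_audit_syscall_rule` (defined outside this diff) uses `$PATTERN` to decide whether the syscall is already covered, such hosts would pass the check yet receive a second rule for the same syscall on every remediation run. Keep the `-F auid>=` anchor that distinguishes this rule from the new `auid=0` one, but let the pattern tolerate a list around the syscall name, anchored so that `lsetxattr` does not match `setxattr`; a comment above `PATTERN=` explaining why `-F auid>=` is part of the pattern would also help.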
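Review bot: The new root-user loop hands `fix_audit_syscall_rule` the same `GROUP="perm_mod"` and key as the `auid>=` rule above it; if that helper groups syscalls by key and arch only (its implementation is outside this diff), the `{{{ ATTR }}}` syscall may be appended to the existing `auid>={{{ auid }}}` line rather than producing a separate `-F auid=0` rule, and the new OVAL test would still fail after remediation. Confirm the helper distinguishes the auid filter, or add a one-line comment above the loop stating that it does. Also, `-F auid!=unset` in `FULL_RULE` is redundant next to `-F auid=0` (an unset auid never equals 0); dropping it, or commenting that it is kept for symmetry with the first rule, avoids the reader wondering whether it is meaningful.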
diff --git a/shared/templates/audit_rules_dac_modification/oval.template b/shared/templates/audit_rules_dac_modification/oval.template index 5b1bf5dc6d..6e02cc7f09 100644 --- a/shared/templates/audit_rules_dac_modification/oval.template +++ b/shared/templates/audit_rules_dac_modification/oval.template @@ -7,11 +7,19 @@ +{{% if CHECK_ROOT_USER %}} + +{{% endif %}} + +{{% if CHECK_ROOT_USER %}} + +{{% endif %}} + @@ -19,11 +27,17 @@ +{{% if CHECK_ROOT_USER %}} + +{{% endif %}} +{{% if CHECK_ROOT_USER %}} + +{{% endif %}} @@ -66,4 +80,43 @@ 1 +{{% if CHECK_ROOT_USER %}} + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + + + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + + + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + +{{% endif %}} + diff --git a/shared/templates/audit_rules_dac_modification/template.py b/shared/templates/audit_rules_dac_modification/template.py new file mode 100644 index 0000000000..e12e9c27e5 --- /dev/null +++ b/shared/templates/audit_rules_dac_modification/template.py @@ -0,0 +1,7 @@ +from ssg.utils import parse_template_boolean_value + + +def preprocess(data, lang): + data["check_root_user"] = parse_template_boolean_value(data, parameter="check_root_user", default_value=False) + + return data 
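Review bot: `preprocess` in the new `template.py` has no docstring, and the contract with the rule files matters here because the `rule.yml` changes in this same commit pass `check_root_user: "true"` as a string while the default is the boolean `False`. A docstring should state that `check_root_user` is read from the rule's template vars, parsed by `parse_template_boolean_value` (so string forms such as `"true"` are presumably accepted — confirm), defaults to `False`, and that a true value makes the bash and OVAL templates emit the additional `-F auid=0` rule and tests. It should also mention that `lang` is accepted for the template-preprocessor interface but unused.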
From af8b663e00889010ac4d99fb0988aacf6b3ce651 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Mon, 17 May 2021 18:07:30 +0200 Subject: [PATCH 06/21] Simplify perm=x code around audit_rules_privileged_commands template. Also change the OVAL check regex to make it mandatory by removing the ? character from the regex. --- .../oval.template | 4 +-- .../ansible.template | 26 ++++--------------- .../bash.template | 5 +++- .../oval.template | 15 ++++------- 4 files changed, 16 insertions(+), 34 deletions(-) diff --git a/shared/templates/audit_rules_dac_modification/oval.template b/shared/templates/audit_rules_dac_modification/oval.template index 6e02cc7f09..8f30bef022 100644 --- a/shared/templates/audit_rules_dac_modification/oval.template +++ b/shared/templates/audit_rules_dac_modification/oval.template @@ -10,14 +10,14 @@ {{% if CHECK_ROOT_USER %}} {{% endif %}} - + {{% if CHECK_ROOT_USER %}} - + {{% endif %}} diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template index ec7b7d7605..a245de6673 100644 --- a/shared/templates/audit_rules_privileged_commands/ansible.template +++ b/shared/templates/audit_rules_privileged_commands/ansible.template @@ -1,3 +1,6 @@ +{{%- if product in ["rhel8", "sle12", "sle15"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict 
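Review bot: `{{%- set perm_x="-F perm=x " %}}` is only executed for rhel8/sle12/sle15, so for every other product in the `# platform =` header (rhel7, fedora, ol, rhv) `{{{ perm_x }}}` is an undefined variable that renders as an empty string only under Jinja's default `Undefined`; prefer an unconditional `{{%- set perm_x = " -F perm=x" if product in ["rhel8", "sle12", "sle15"] else "" %}}`. With the trailing space moved inside the value, the consuming lines become `path={{{ PATH }}}{{{ perm_x }}} -F auid>=…`, which also removes the double space those products currently get; in the `lineinfile` tasks of the next hunk (no `regexp:` is set) a double-space line would not match an existing single-space rule and a near-duplicate would be appended. The same pattern is repeated in the `bash.template` hunk and the `oval.template` hunk of this commit and should be fixed there the same way. Placing Jinja before the `# platform =` header presumably relies on the metadata parser reading the rendered file — worth confirming.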
@@ -26,12 +29,11 @@ - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}" when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched > 0 -{{% if product in ["rhel8", "sle12", "sle15"] %}} - name: Inserts/replaces the {{{ NAME }}} rule in rules.d lineinfile: path: "{{ all_files[0] }}" - line: '-a always,exit -F path={{{ PATH }}} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged' + line: '-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged' create: yes # Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules @@ -39,23 +41,5 @@ - name: Inserts/replaces the {{{ NAME }}} rule in audit.rules lineinfile: path: /etc/audit/audit.rules - line: '-a always,exit -F path={{{ PATH }}} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged' + line: '-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged' create: yes - -{{% else %}} - -- name: Inserts/replaces the {{{ NAME }}} rule in rules.d - lineinfile: - path: "{{ all_files[0] }}" - line: '-a always,exit -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged' - create: yes - -# Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules - -- name: Inserts/replaces the {{{ NAME }}} rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '-a always,exit -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged' - create: yes - -{{% endif %}} diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template index 100a4770bf..2b3795674f 100644 --- a/shared/templates/audit_rules_privileged_commands/bash.template +++ b/shared/templates/audit_rules_privileged_commands/bash.template 
@@ -1,3 +1,6 @@ +{{%- if product in ["rhel8", "sle12", "sle15"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # Include source function library. @@ -7,7 +10,7 @@ PATTERN="-a always,exit -F path={{{ PATH }}}\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" -FULL_RULE="-a always,exit -F path={{{ PATH }}} {{{ "-F perm=x " if product in ["rhel8"]}}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged" +FULL_RULE="-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" diff --git a/shared/templates/audit_rules_privileged_commands/oval.template b/shared/templates/audit_rules_privileged_commands/oval.template index 151a9d5d47..8e3919ca66 100644 --- a/shared/templates/audit_rules_privileged_commands/oval.template +++ b/shared/templates/audit_rules_privileged_commands/oval.template @@ -1,3 +1,6 @@ +{{%- if product in ["rhel8", "sle12", "sle15"] %}} + {{%- set perm_x="(?:[\s]+-F[\s]+perm=x)" %}} +{{%- endif %}} {{{ oval_metadata("Audit rules about the information on the use of " + NAME + " is enabled.") }}} 
@@ -23,11 +26,7 @@ ^/etc/audit/rules\.d/.*\.rules$ -{{% if product in ["rhel8", "sle12", "sle15"] %}} - ^[\s]*-a[\s]+always,exit[\s]+(-S[\s]+all[\s]+)*-F[\s]+path={{{ PATH }}}(?:[\s]+-F[\s]+perm=x)?[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -{{% else %}} - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -{{% endif %}} + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}{{{ perm_x }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 @@ -36,11 +35,7 @@ /etc/audit/audit.rules -{{% if product in ["rhel8", "sle12", "sle15"] %}} - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}(?:[\s]+-F[\s]+perm=x)?[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -{{% else %}} - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -{{% endif %}} + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}{{{ perm_x }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 From 4cf80fd7eff49d6e14852947e76a302ca2993db7 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Fri, 30 Jul 2021 15:04:14 +0200 Subject: [PATCH 07/21] Fix audit bash remediation to remove the auid!=unset when using auid=0. --- shared/templates/audit_rules_dac_modification/bash.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/templates/audit_rules_dac_modification/bash.template b/shared/templates/audit_rules_dac_modification/bash.template index a10a9145b2..d64d264635 100644 --- a/shared/templates/audit_rules_dac_modification/bash.template +++ b/shared/templates/audit_rules_dac_modification/bash.template 
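Review bot: The unified regex that replaces the rhel8 branch in both the rules.d and audit.rules objects drops two tolerances the old rhel8 pattern had: the optional `(-S[\s]+all[\s]+)*` prefix and the `-1` alternative in `auid!=(?:4294967295|unset|-1)`. The commit message only mentions making `perm=x` mandatory, so on rhel8 a rule written as `-F auid!=-1` (a spelling auditctl accepts for the unset auid, which is why the alternative existed) would now fail where it previously passed. If the narrowing is intended it should be stated in the message; otherwise keep the alternative with `auid!=(?:4294967295|unset|-1)` in both regexes. The remediations in this patch write `auid!=unset`, so remediated systems are unaffected either way.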
@@ -24,7 +24,7 @@ for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0.*" GROUP="perm_mod" - FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0 -F auid!=unset -F key=perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0 -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" From 0833b43bfa039c4ee661049fb25b86ef3854b614 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Fri, 30 Jul 2021 15:04:55 +0200 Subject: [PATCH 08/21] Update audit_rules_dac_modification ansible remediation with auid=0 fix. --- .../ansible.template | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template index 70101ca777..d048978456 100644 --- a/shared/templates/audit_rules_dac_modification/ansible.template +++ b/shared/templates/audit_rules_dac_modification/ansible.template 
@@ -40,12 +40,29 @@ line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod" create: yes +{{%- if CHECK_ROOT_USER %}} +- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in rules.d when on x86 + lineinfile: + path: "{{ all_files[0] }}" + line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod" + create: yes +{{%- endif %}} + - name: Inserts/replaces the {{{ ATTR }}} rule in rules.d when on x86_64 lineinfile: path: "{{ all_files[0] }}" line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod" create: yes when: audit_arch is defined and audit_arch == 'b64' + +{{%- if CHECK_ROOT_USER %}} +- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in rules.d when on x86_64 + lineinfile: + path: "{{ all_files[0] }}" + line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod" + create: yes + when: audit_arch is defined and audit_arch == 'b64' +{{%- endif %}} # # Inserts/replaces the rule in /etc/audit/audit.rules # @@ -56,6 +73,15 @@ dest: /etc/audit/audit.rules create: yes +{{%- if CHECK_ROOT_USER %}} +- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in /etc/audit/audit.rules when on x86 + lineinfile: + line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod" + state: present + dest: /etc/audit/audit.rules + create: yes +{{%- endif %}} + - name: Inserts/replaces the {{{ ATTR }}} rule in audit.rules when on x86_64 lineinfile: line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod" 
@@ -63,3 +89,13 @@ dest: /etc/audit/audit.rules create: yes when: audit_arch is defined and audit_arch == 'b64' + +{{%- if CHECK_ROOT_USER %}} +- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in audit.rules when on x86_64 + lineinfile: + line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid=0 -F auid!=unset -F key=perm_mod" + state: present + dest: /etc/audit/audit.rules + create: yes + when: audit_arch is defined and audit_arch == 'b64' +{{%- endif %}} From 314251db8fbff07ac4b796944381f9bb1eef05c2 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Fri, 30 Jul 2021 15:05:42 +0200 Subject: [PATCH 09/21] Update audit_rules_dac_modification rules description. Make the check_user_root template parameter only applicable to RHEL8. --- .../rule.yml | 14 +++++++++++++- .../rule.yml | 14 +++++++++++++- .../rule.yml | 14 +++++++++++++- .../rule.yml | 14 +++++++++++++- .../rule.yml | 14 +++++++++++++- .../audit_rules_dac_modification_setxattr/rule.yml | 14 +++++++++++++- 6 files changed, 78 insertions(+), 6 deletions(-) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml index 294a7ebfd2..e1a2492c4c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml @@ -11,17 +11,29 @@ description: |- startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
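Review bot: The x86_64 audit.rules task added at the end of this hunk still writes `-F auid=0 -F auid!=unset -F key=perm_mod`, while the three sibling tasks added in the earlier hunks (@@ -40 and @@ -56) and the bash remediation fixed in patch 07 use `-F auid=0 -F key=perm_mod`. The `auid!=unset` filter is redundant next to `auid=0` and the written line no longer matches the rule description, so a reader comparing the four tasks will think one of them is wrong. Change it to `line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"`.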
-a always,exit -F arch=b32 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+{{%- endif %}}

If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+{{%- endif %}}

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+{{%- endif %}}

If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+{{%- endif %}} rationale: |- The changing of file permissions could indicate that a user is attempting to @@ -78,4 +90,4 @@ template: name: audit_rules_dac_modification vars: attr: fremovexattr - check_root_user: "true" + check_root_user@rhel8: "true" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml index 9b01a07515..4c27cbf7fb 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml @@ -9,14 +9,26 @@ description: |- startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+{{%- endif %}} If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+{{%- endif %}} If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+{{%- endif %}} If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+{{%- endif %}} rationale: |- The changing of file permissions could indicate that a user is attempting to @@ -73,4 +85,4 @@ template: name: audit_rules_dac_modification vars: attr: fsetxattr - check_root_user: "true" + check_root_user@rhel8: "true" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml index 577af632aa..ad034bc570 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml @@ -11,17 +11,29 @@ description: |- startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+{{%- endif %}}

If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+{{%- endif %}}

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+{{%- endif %}}

If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+{{%- endif %}} rationale: |- The changing of file permissions could indicate that a user is attempting to @@ -78,4 +90,4 @@ template: name: audit_rules_dac_modification vars: attr: lremovexattr - check_root_user: "true" + check_root_user@rhel8: "true" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml index d6be12af63..a3895bd4c7 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml @@ -9,14 +9,26 @@ description: |- startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+{{%- endif %}} If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+{{%- endif %}} If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+{{%- endif %}} If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+{{%- endif %}} rationale: |- The changing of file permissions could indicate that a user is attempting to @@ -71,4 +83,4 @@ template: name: audit_rules_dac_modification vars: attr: lsetxattr - check_root_user: "true" + check_root_user@rhel8: "true" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml index 982d6d377c..eee86b99de 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml @@ -10,17 +10,29 @@ description: |- program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+{{%- endif %}}

If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+{{%- endif %}}

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+{{%- endif %}}

If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+{{%- endif %}} rationale: |- The changing of file permissions could indicate that a user is attempting to @@ -77,4 +89,4 @@ template: name: audit_rules_dac_modification vars: attr: removexattr - check_root_user: "true" + check_root_user@rhel8: "true" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml index 71c31e2d15..4a90ed9f96 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml @@ -9,14 +9,26 @@ description: |- startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
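Review bot: The 64-bit rules.d example added to the removexattr description names the wrong syscall: `-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod` looks copied from the lsetxattr rule, while the audit.rules examples below it and the 32-bit line above use removexattr. It should read `-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod`. Because the description is what an assessor compares the deployed rules against, the wrong syscall would lead them to add a rule that the OVAL check for this rule never matches.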
-a always,exit -F arch=b32 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+{{%- endif %}} If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+{{%- endif %}} If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+{{%- endif %}} If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+{{%- if product in ["rhel8"] %}} +
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+{{%- endif %}} rationale: |- The changing of file permissions could indicate that a user is attempting to @@ -73,4 +85,4 @@ template: name: audit_rules_dac_modification vars: attr: setxattr - check_root_user: "true" + check_root_user@rhel8: "true" From 48ce4b6e4803f92291c44acc990bd6a61baf4128 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Fri, 30 Jul 2021 16:54:48 +0200 Subject: [PATCH 10/21] Remove rule that is selected twice in RHEL8 STIG profile. It's already part of the following STIG id: # RHEL-08-010560 - service_auditd_enabled --- products/rhel8/profiles/stig.profile | 1 - 1 file changed, 1 deletion(-) diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index c3eee7fae0..3cbb4796ac 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -681,7 +681,6 @@ selections: # RHEL-08-030180 - package_audit_installed - - service_auditd_enabled # RHEL-08-030190 - audit_rules_privileged_commands_su From 7f23cee71a3fc1791b26c4e59339d73063fe867e Mon Sep 17 00:00:00 2001 
From: Gabriel Becker Date: Mon, 2 Aug 2021 15:36:55 +0200 Subject: [PATCH 11/21] Fix RHEL8 STIG id references in audit rules. --- .../audit_rules_dac_modification_chmod/rule.yml | 3 ++- .../audit_rules_dac_modification_chown/rule.yml | 3 ++- .../audit_rules_dac_modification_fchmod/rule.yml | 3 ++- .../audit_rules_dac_modification_fchmodat/rule.yml | 3 ++- .../audit_rules_dac_modification_fchown/rule.yml | 3 ++- .../audit_rules_dac_modification_fchownat/rule.yml | 3 ++- .../audit_rules_dac_modification_fremovexattr/rule.yml | 3 ++- .../audit_rules_dac_modification_fsetxattr/rule.yml | 3 ++- .../audit_rules_dac_modification_lchown/rule.yml | 3 ++- .../audit_rules_dac_modification_lremovexattr/rule.yml | 3 ++- .../audit_rules_dac_modification_lsetxattr/rule.yml | 3 ++- .../audit_rules_dac_modification_removexattr/rule.yml | 5 +++-- .../audit_rules_dac_modification_setxattr/rule.yml | 3 ++- .../audit_rules_execution_chacl/rule.yml | 4 +++- .../audit_rules_execution_setfacl/rule.yml | 4 +++- .../audit_rules_execution_chcon/rule.yml | 3 ++- .../audit_rules_execution_semanage/rule.yml | 5 +++-- .../audit_rules_execution_setfiles/rule.yml | 5 +++-- .../audit_rules_execution_setsebool/rule.yml | 5 +++-- .../audit_rules_file_deletion_events_rename/rule.yml | 5 +++-- .../audit_rules_file_deletion_events_renameat/rule.yml | 5 +++-- .../audit_rules_file_deletion_events_rmdir/rule.yml | 5 +++-- .../audit_rules_file_deletion_events_unlink/rule.yml | 5 +++-- .../audit_rules_file_deletion_events_unlinkat/rule.yml | 5 +++-- .../rule.yml | 3 ++- .../rule.yml | 3 ++- .../rule.yml | 3 ++- .../rule.yml | 3 ++- .../rule.yml | 3 ++- .../rule.yml | 5 +++-- .../audit_rules_kernel_module_loading_delete/rule.yml | 3 ++- .../audit_rules_kernel_module_loading_finit/rule.yml | 3 ++- .../audit_rules_kernel_module_loading_init/rule.yml | 3 ++- .../audit_rules_login_events_lastlog/rule.yml | 4 ++-- .../audit_rules_privileged_commands_chage/rule.yml | 5 +++-- 
.../audit_rules_privileged_commands_chsh/rule.yml | 5 +++-- .../audit_rules_privileged_commands_crontab/rule.yml | 5 +++-- .../audit_rules_privileged_commands_gpasswd/rule.yml | 5 +++-- .../audit_rules_privileged_commands_kmod/rule.yml | 4 +++- .../audit_rules_privileged_commands_mount/rule.yml | 1 + .../audit_rules_privileged_commands_newgrp/rule.yml | 5 +++-- .../rule.yml | 5 +++-- .../audit_rules_privileged_commands_passwd/rule.yml | 5 +++-- .../audit_rules_privileged_commands_postdrop/rule.yml | 5 +++-- .../audit_rules_privileged_commands_postqueue/rule.yml | 5 +++-- .../audit_rules_privileged_commands_ssh_agent/rule.yml | 6 ++++-- .../audit_rules_privileged_commands_ssh_keysign/rule.yml | 5 +++-- .../audit_rules_privileged_commands_su/rule.yml | 5 +++-- .../audit_rules_privileged_commands_sudo/rule.yml | 5 +++-- .../audit_rules_privileged_commands_umount/rule.yml | 1 + .../audit_rules_privileged_commands_unix_chkpwd/rule.yml | 3 ++- .../audit_rules_privileged_commands_userhelper/rule.yml | 5 +++-- .../audit_rules_privileged_commands_usermod/rule.yml | 4 +++- .../auditd_configure_rules/audit_rules_immutable/rule.yml | 2 ++ .../audit_rules_media_export/rule.yml | 5 +++-- .../audit_rules_sysadmin_actions/rule.yml | 2 +- .../audit_rules_usergroup_modification_group/rule.yml | 4 ++-- .../audit_rules_usergroup_modification_gshadow/rule.yml | 4 ++-- .../audit_rules_usergroup_modification_opasswd/rule.yml | 4 ++-- .../audit_rules_usergroup_modification_passwd/rule.yml | 4 ++-- .../audit_rules_usergroup_modification_shadow/rule.yml | 4 ++-- .../guide/system/auditing/grub2_audit_argument/rule.yml | 2 +- .../policy_rules/audit_immutable_login_uids/rule.yml | 3 ++- products/rhel8/profiles/stig.profile | 2 +- shared/references/cce-redhat-avail.txt | 5 ----- 65 files changed, 153 insertions(+), 97 deletions(-) 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml index 4cb9bb5cf4..bc3e47523f 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml @@ -52,9 +52,10 @@ references: nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) ospp: FAU_GEN.1.1.c pcidss: Req-10.5.5 - srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203 stigid@ol7: OL07-00-030410 stigid@rhel7: RHEL-07-030410 + stigid@rhel8: RHEL-08-030490 stigid@sle12: SLES-12-020460 stigid@sle15: SLES-15-030290 stigid@ubuntu2004: UBTU-20-010152 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml index cbac49dd12..6b3236cf95 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml 
@@ -52,9 +52,10 @@ references: nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) ospp: FAU_GEN.1.1.c pcidss: Req-10.5.5 - srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219 stigid@ol7: OL07-00-030370 stigid@rhel7: RHEL-07-030370 + stigid@rhel8: RHEL-08-030480 stigid@sle12: SLES-12-020420 stigid@sle15: SLES-15-030250 stigid@ubuntu2004: UBTU-20-010148 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml index 81f2f067ba..ed4d88cb0c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml 
@@ -52,9 +52,10 @@ references: nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) ospp: FAU_GEN.1.1.c pcidss: Req-10.5.5 - srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203 stigid@ol7: OL07-00-030420 stigid@rhel7: RHEL-07-030420 + stigid@rhel8: RHEL-08-030540 stigid@sle12: SLES-12-020470 stigid@sle15: SLES-15-030300 stigid@ubuntu2004: UBTU-20-010153 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml index 7fcf1c7ef1..2db3878939 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml 
@@ -52,9 +52,10 @@ references: nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) ospp: FAU_GEN.1.1.c pcidss: Req-10.5.5 - srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203 stigid@ol7: OL07-00-030430 stigid@rhel7: RHEL-07-030430 + stigid@rhel8: RHEL-08-030530 stigid@sle12: SLES-12-020480 stigid@sle15: SLES-12-030310 stigid@ubuntu2004: UBTU-20-010154 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml index d696862377..37dfb89ef2 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml 
@@ -55,9 +55,10 @@ references: nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) ospp: FAU_GEN.1.1.c pcidss: Req-10.5.5 - srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219 stigid@ol7: OL07-00-030380 stigid@rhel7: RHEL-07-030380 + stigid@rhel8: RHEL-08-030520 stigid@sle12: SLES-12-020430 stigid@sle15: SLES-15-030260 stigid@ubuntu2004: UBTU-20-010149 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml index 0213d78fbc..f75ac769d8 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml 
@@ -52,9 +52,10 @@ references:
 nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
 stigid@ol7: OL07-00-030400
 stigid@rhel7: RHEL-07-030400
+ stigid@rhel8: RHEL-08-030510
 stigid@sle12: SLES-12-020450
 stigid@sle15: SLES-15-030280
 stigid@ubuntu2004: UBTU-20-010150
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
index e1a2492c4c..d46968da8f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
@@ -69,9 +69,10 @@ references:
 nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000466-GPOS-00210,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
 stigid@ol7: OL07-00-030480
 stigid@rhel7: RHEL-07-030480
+ stigid@rhel8: RHEL-08-030240
 stigid@sle12: SLES-12-020410
 stigid@sle15: SLES-15-030210
 stigid@ubuntu2004: UBTU-20-010147
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
index 4c27cbf7fb..564daccaed 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
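Review bot: The new `+ srg:` line for fremovexattr adds `SRG-OS-000463-GPOS-00207` and `SRG-OS-000474-GPOS-00219` but not `SRG-OS-000468-GPOS-00212`, while the other xattr rules updated in this commit (fsetxattr, lremovexattr, lsetxattr and removexattr) all add 000468 alongside those two. That looks like an omission rather than a deliberate difference, since the four siblings otherwise receive an identical set of additions. If the RHEL-08-030240 entry lists it, `SRG-OS-000468-GPOS-00212` belongs in this list next to `SRG-OS-000463-GPOS-00207`; confirm against the STIG entry before changing it.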
@@ -64,9 +64,10 @@ references:
 nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033
 stigid@ol7: OL07-00-030450
 stigid@rhel7: RHEL-07-030450
+ stigid@rhel8: RHEL-08-030230
 stigid@sle12: SLES-12-020380
 stigid@sle15: SLES-15-030230
 stigid@ubuntu2004: UBTU-20-010144
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
index 6e2432f309..edc053bfb3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
@@ -52,9 +52,10 @@ references:
 nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
 stigid@ol7: OL07-00-030390
 stigid@rhel7: RHEL-07-030390
+ stigid@rhel8: RHEL-08-030500
 stigid@sle12: SLES-12-020440
 stigid@sle15: SLES-15-030270
 stigid@ubuntu2004: UBTU-20-010151
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
index ad034bc570..2ae0f11c58 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
@@ -69,9 +69,10 @@ references:
 nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000466-GPOS-00210,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
 stigid@ol7: OL07-00-030490
 stigid@rhel7: RHEL-07-030490
+ stigid@rhel8: RHEL-08-030200
 stigid@sle12: SLES-12-020400
 stigid@sle15: SLES-15-030200
 stigid@ubuntu2004: UBTU-20-010146
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
index a3895bd4c7..945ad560d7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
@@ -63,9 +63,10 @@ references:
 nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033
 stigid@ol7: OL07-00-030460
 stigid@rhel7: RHEL-07-030460
+ stigid@rhel8: RHEL-08-030220
 stigid@sle15: SLES-15-030240
 stigid@ubuntu2004: UBTU-20-010143
 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
index eee86b99de..e6d7374b7f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
@@ -17,7 +17,7 @@ description: |-
 If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
{{%- if product in ["rhel8"] %}} -
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
{{%- endif %}}

If the auditd daemon is configured to use the auditctl
@@ -68,9 +68,10 @@ references:
 nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000466-GPOS-00210,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
 stigid@ol7: OL07-00-030470
 stigid@rhel7: RHEL-07-030470
+ stigid@rhel8: RHEL-08-030210
 stigid@sle12: SLES-12-020390
 stigid@sle15: SLES-15-030190
 stigid@ubuntu2004: UBTU-20-010145
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
index 4a90ed9f96..ab15167508 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
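Review bot: The corrected example line only fixes the rhel8-conditional part of the 64-bit block; the `{{%- if product in ["rhel8"] %}}` construct suggests the 32-bit part of the same `description`, above this hunk, carries a matching `auid=0` line, and that copy should be checked for the same `lsetxattr` slip. As far as this diff shows, nothing validates a rule's `description` text against the audit rules its remediation and OVAL actually produce, which is how the wrong syscall name survived here, so it is worth confirming that the rhel8 remediation and check for this rule emit `-S removexattr -F auid=0 -F key=perm_mod` and did not inherit the same copy-paste. The `description` block this hunk belongs to starts outside the hunk.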
@@ -64,9 +64,10 @@ references:
 nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203
 stigid@ol7: OL07-00-030440
 stigid@rhel7: RHEL-07-030440
+ stigid@rhel8: RHEL-08-030270
 stigid@sle12: SLES-12-020370
 stigid@sle15: SLES-15-030220
 stigid@ubuntu2004: UBTU-20-010142
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
index 28125b692b..0c71e4ac24 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
@@ -27,13 +27,15 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-89446-9
 cce@sle12: CCE-83190-9
 cce@sle15: CCE-85595-7
 references:
 disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
 nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210
+ stigid@rhel8: RHEL-08-030570
 stigid@sle12: SLES-12-020620
 stigid@sle15: SLES-15-030440
 stigid@ubuntu2004: UBTU-20-010168
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
index 43fe86106c..89c134a0fa 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
@@ -27,13 +27,15 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-88437-9
 cce@sle12: CCE-83189-1
 cce@sle15: CCE-85594-0
 references:
 disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
 nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ stigid@rhel8: RHEL-08-030330
 stigid@sle12: SLES-12-020610
 stigid@sle15: SLES-15-030430
 stigid@ubuntu2004: UBTU-20-010167
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
index b50e27b810..0c6781c7d5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
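Review bot: The new `+ srg:` line for setfacl omits `SRG-OS-000466-GPOS-00210`, which the chacl hunk immediately above adds to an otherwise identical list; the two rules carry the same `disa:` CCIs and parallel identifiers, so one would expect the SRG lists to match as well. If the RHEL-08-030330 entry does reference it, the line should end `...,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210`; if it does not, the chacl line is the one to trim. Either way the two STIG entries, not the sibling rule, should decide it.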
@@ -60,9 +60,10 @@ references:
 nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
 nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii)AU-12.1(iv),MA-4(1)(a)
 ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
 stigid@ol7: OL07-00-030580
 stigid@rhel7: RHEL-07-030580
+ stigid@rhel8: RHEL-08-030260
 stigid@sle12: SLES-12-020630
 stigid@sle15: SLES-15-030450
 stigid@ubuntu2004: UBTU-20-010165
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
index 2ad3b555b5..b609c3dfc2 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
@@ -40,7 +40,7 @@ references:
 cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000172,CCI-002884
+ disa: CCI-000169,CCI-000172,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
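Review bot: The new chcon `+ srg:` line adds `SRG-OS-000468-GPOS-00212`, which the semanage, setfiles and setsebool hunks in the same SELinux-command group do not receive, and unlike those three this hunk shows no `disa:` change adding CCI-000169; whether chcon already carries that CCI is outside the hunk, so both differences deserve a check against RHEL-08-030260. The untouched context line `nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii)AU-12.1(iv),MA-4(1)(a)` is missing a comma between `AU-12.1(ii)` and `AU-12.1(iv)`, so any consumer that splits the reference on commas will see one malformed control id; it is pre-existing but cheap to fix while this references block is open.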
@@ -49,9 +49,10 @@ references:
 nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
 ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000392-GPOS-00172,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
 stigid@ol7: OL07-00-030560
 stigid@rhel7: RHEL-07-030560
+ stigid@rhel8: RHEL-08-030313
 vmmsrg: SRG-OS-000463-VMM-001850
 ocil: |-
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
index eb8bd19edb..9de7407f4c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
@@ -37,11 +37,12 @@ identifiers:
 cce@rhel9: CCE-83736-9
 references:
- disa: CCI-000172,CCI-002884
+ disa: CCI-000169,CCI-000172,CCI-002884
 nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
- srg: SRG-OS-000392-GPOS-00172,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
 stigid@ol7: OL07-00-030590
 stigid@rhel7: RHEL-07-030590
+ stigid@rhel8: RHEL-08-030314
 vmmsrg: SRG-OS-000463-VMM-001850
 ocil: |-
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
index 5544175f39..23504bab4a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
@@ -40,7 +40,7 @@ references:
 cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000172,CCI-002884
+ disa: CCI-000169,CCI-000172,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -48,9 +48,10 @@ references:
 nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
 ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000392-GPOS-00172,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
 stigid@ol7: OL07-00-030570
 stigid@rhel7: RHEL-07-030570
+ stigid@rhel8: RHEL-08-030316
 vmmsrg: SRG-OS-000463-VMM-001850
 ocil: |-
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
index fe72f59697..9dd83f6dba 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
@@ -37,7 +37,7 @@ references:
 cis@ubuntu2004: 4.1.13
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000172,CCI-000366,CCI-002884
+ disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -46,9 +46,10 @@ references:
 nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.7
- srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
 stigid@ol7: OL07-00-030880
 stigid@rhel7: RHEL-07-030880
+ stigid@rhel8: RHEL-08-030361
 stigid@ubuntu2004: UBTU-20-010269
 vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
index 3508352514..cd9aa9f5e6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
@@ -37,7 +37,7 @@ references:
 cis@ubuntu2004: 4.1.13
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000172,CCI-000366,CCI-002884
+ disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -46,9 +46,10 @@ references:
 nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.7
- srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
 stigid@ol7: OL07-00-030890
 stigid@rhel7: RHEL-07-030890
+ stigid@rhel8: RHEL-08-030362
 stigid@ubuntu2004: UBTU-20-010270
 vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
index 994cf0e087..6e0bb755b0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
@@ -36,7 +36,7 @@ references:
 cis@rhel8: 4.1.14
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000172,CCI-000366,CCI-002884
+ disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -45,9 +45,10 @@ references:
 nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.7
- srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
 stigid@ol7: OL07-00-030900
 stigid@rhel7: RHEL-07-030900
+ stigid@rhel8: RHEL-08-030363
 vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
 {{{ complete_ocil_entry_audit_syscall(syscall="rmdir") }}}
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
index 330221f9c6..be4e328b7c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
@@ -37,7 +37,7 @@ references:
 cis@ubuntu2004: 4.1.13
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000172,CCI-000366,CCI-002884
+ disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -46,9 +46,10 @@ references:
 nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.7
- srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
 stigid@ol7: OL07-00-030910
 stigid@rhel7: RHEL-07-030910
+ stigid@rhel8: RHEL-08-030364
 stigid@ubuntu2004: UBTU-20-010267
 vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
index 14ef50bb2b..eaf8f1e08b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
@@ -37,7 +37,7 @@ references:
 cis@ubuntu2004: 4.1.13
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000172,CCI-000366,CCI-002884
+ disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -46,9 +46,10 @@ references:
 nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.7
- srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
 stigid@ol7: OL07-00-030920
 stigid@rhel7: RHEL-07-030920
+ stigid@rhel8: RHEL-08-030365
 stigid@ubuntu2004: UBTU-20-010268
 vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
index d793c73d87..08cc99133a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
@@ -57,9 +57,10 @@ references:
 nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),MA-4(1)(a)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.4,Req-10.2.1
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
 stigid@ol7: OL07-00-030500
 stigid@rhel7: RHEL-07-030500
+ stigid@rhel8: RHEL-08-030470
 stigid@sle12: SLES-12-020520
 stigid@sle15: SLES-15-030160
 stigid@ubuntu2004: UBTU-20-010158
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
index e8990ac8c0..e9b688b9b4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
@@ -60,9 +60,10 @@ references:
 nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.4,Req-10.2.1
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
 stigid@ol7: OL07-00-030550
 stigid@rhel7: RHEL-07-030550
+ stigid@rhel8: RHEL-08-030460
 stigid@sle12: SLES-12-020510
 stigid@sle15: SLES-15-030320
 stigid@ubuntu2004: UBTU-20-010157
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
index 8324307284..6e24227007 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
@@ -60,9 +60,10 @@ references:
 nist@sle15: AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),AU-3,AU-3.1,MA-4(1)(a)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.4,Req-10.2.1
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
 stigid@ol7: OL07-00-030510
 stigid@rhel7: RHEL-07-030510
+ stigid@rhel8: RHEL-08-030440
 stigid@sle12: SLES-12-020490
 stigid@sle15: SLES-15-030150
 stigid@ubuntu2004: UBTU-20-010155
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
index f83c285dd2..2b6008fce1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
@@ -56,9 +56,10 @@ references:
 nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.4,Req-10.2.1
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
 stigid@ol7: OL07-00-030530
 stigid@rhel7: RHEL-07-030530
+ stigid@rhel8: RHEL-08-030450
 stigid@sle12: SLES-12-020540
 stigid@sle15: SLES-15-030180
 stigid@ubuntu2004: UBTU-20-010160
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
index 15311727d6..308e3da789 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
@@ -60,9 +60,10 @@ references:
 nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.4,Req-10.2.1
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
 stigid@ol7: OL07-00-030520
 stigid@rhel7: RHEL-07-030520
+ stigid@rhel8: RHEL-08-030430
 stigid@sle12: SLES-12-020530
 stigid@sle15: SLES-15-030170
 stigid@ubuntu2004: UBTU-20-010159
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
index 5d8e55087d..6ab8d28917 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
@@ -50,7 +50,7 @@ references:
 cis@ubuntu2004: 4.1.10
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000172,CCI-002884
+ disa: CCI-000169,CCI-000172,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -59,9 +59,10 @@ references:
 nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.4,Req-10.2.1
- srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
 stigid@ol7: OL07-00-030540
 stigid@rhel7: RHEL-07-030540
+ stigid@rhel8: RHEL-08-030420
 stigid@sle12: SLES-12-020500
 stigid@sle15: SLES-15-030610
 stigid@ubuntu2004: UBTU-20-010156
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
index 48d0b501a3..052d21b4f0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
@@ -48,9 +48,10 @@ references:
 nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.7
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
 stigid@ol7: OL07-00-030830
 stigid@rhel7: RHEL-07-030830
+ stigid@rhel8: RHEL-08-030390
 stigid@sle12: SLES-12-020730
 stigid@sle15: SLES-15-030520
 stigid@ubuntu2004: UBTU-20-010302
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
index 1457d423bf..aa17002321 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
@@ -47,9 +47,10 @@ references:
 nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.7
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
 stigid@ol7: OL07-00-030821
 stigid@rhel7: RHEL-07-030821
+ stigid@rhel8: RHEL-08-030380
 stigid@sle12: SLES-12-020740
 stigid@sle15: SLES-15-030530
 stigid@ubuntu2004: UBTU-20-010180
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
index 53b9accfd8..1d8260432e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
@@ -47,9 +47,10 @@ references:
 nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.7
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
 stigid@ol7: OL07-00-030820
 stigid@rhel7: RHEL-07-030820
+ stigid@rhel8: RHEL-08-030360
 stigid@sle12: SLES-12-020750
 stigid@sle15: SLES-15-030540
 stigid@ubuntu2004: UBTU-20-010179
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
index f981f0143c..25f578b1f6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
@@ -39,7 +39,7 @@ references:
 cis@ubuntu2004: 4.1.7
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000126,CCI-000172,CCI-002884
+ disa: CCI-000126,CCI-000169,CCI-000172,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -48,7 +48,7 @@ references:
 nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.3
- srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000473-GPOS-00218,SRG-OS-000470-GPOS-00214
 stigid@ol7: OL07-00-030620
 stigid@rhel7: RHEL-07-030620
 stigid@rhel8: RHEL-08-030600
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
index 426f1debed..474910c4c8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
@@ -43,7 +43,7 @@ references:
 cis@ubuntu2004: 4.1.11
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -51,9 +51,10 @@ references:
 nerc-cip: CIP-004-3 R2.2.2,CIP-004-3 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3
 nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215
 stigid@ol7: OL07-00-030660
 stigid@rhel7: RHEL-07-030660
+ stigid@rhel8: RHEL-08-030250
 stigid@sle12: SLES-12-020690
 stigid@sle15: SLES-15-030120
 stigid@ubuntu2004: UBTU-20-010175
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
index a31dd7eddb..3ca968a543 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
@@ -43,7 +43,7 @@ references:
 cis@ubuntu2004: 4.1.11
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000130,CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -51,9 +51,10 @@ references:
 nerc-cip: CIP-004-3 R2.2.2,CIP-004-3 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3
 nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
 stigid@ol7: OL07-00-030720
 stigid@rhel7: RHEL-07-030720
+ stigid@rhel8: RHEL-08-030410
 stigid@sle12: SLES-12-020580
 stigid@sle15: SLES-15-030100
 stigid@ubuntu2004: UBTU-20-010163
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
index 6146418c75..7c5058c7f8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
@@ -43,16 +43,17 @@ references:
 cis@ubuntu2004: 4.1.11
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
 iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2
 nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
 stigid@ol7: OL07-00-030800
 stigid@rhel7: RHEL-07-030800
+ stigid@rhel8: RHEL-08-030400
 stigid@sle12: SLES-12-020710
 stigid@sle15: SLES-15-030130
 stigid@ubuntu2004: UBTU-20-010177
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
index a9f782bb64..0c7bf84268 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
@@ -43,7 +43,7 @@ references:
 cis@ubuntu2004: 4.1.11
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -52,9 +52,10 @@ references:
 nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
 ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
 stigid@ol7: OL07-00-030650
 stigid@rhel7: RHEL-07-030650
+ stigid@rhel8: RHEL-08-030370
 stigid@sle12: SLES-12-020560
 stigid@sle15: SLES-15-030080
 stigid@ubuntu2004: UBTU-20-010174
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
index 168d5c51fc..851dd5aa3d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
@@ -28,13 +28,15 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-89455-0
 cce@sle12: CCE-83207-1
 cce@sle15: CCE-85591-6
 references:
 disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
 nist: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv)AU-12(c),MA-4(1)(a)
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
+ stigid@rhel8: RHEL-08-030580
 stigid@sle12: SLES-12-020360
 stigid@sle15: SLES-15-030410
 stigid@ubuntu2004: UBTU-20-010297
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
index 01c7a7ea92..cc423c4146 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
@@ -46,6 +46,7 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
 stigid@ol7: OL07-00-030740
 stigid@rhel7: RHEL-07-030740
+ stigid@rhel8: RHEL-08-030300
 stigid@sle12: SLES-12-020290
 stigid@sle15: SLES-15-030350
 stigid@ubuntu2004: UBTU-20-010138
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
index 53ee78dc10..edbb41f3d8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
@@ -43,7 +43,7 @@ references:
 cis@ubuntu2004: 4.1.11
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000130,CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000130,CCI-000169,CCI-000135,CCI-000172,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -52,9 +52,10 @@ references:
 nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
 ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
 stigid@ol7: OL07-00-030710
 stigid@rhel7: RHEL-07-030710
+ stigid@rhel8: RHEL-08-030350
 stigid@sle12: SLES-12-020570
 stigid@sle15: SLES-15-030090
 stigid@ubuntu2004: UBTU-20-010164
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
index 5753e20e9e..f5a3a4be02 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
@@ -50,16 +50,17 @@ references:
 cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
 iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2
 nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
 stigid@ol7: OL07-00-030810
 stigid@rhel7: RHEL-07-030810
+ stigid@rhel8: RHEL-08-030340
 stigid@sle12: SLES-12-020720
 stigid@sle15: SLES-15-030510
 stigid@ubuntu2004: UBTU-20-010178
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
index 6792cad002..06b5cfc4ae 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
@@ -42,7 +42,7 @@ references:
 cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -51,9 +51,10 @@ references:
 nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
 ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
 stigid@ol7: OL07-00-030630
 stigid@rhel7: RHEL-07-030630
+ stigid@rhel8: RHEL-08-030280
 stigid@sle12: SLES-12-020550
 stigid@sle15: SLES-15-030070
 stigid@ubuntu2004: UBTU-20-010172
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
index 4080c66b8d..8f90c9c211 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
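Review bot: `stigid@rhel8: RHEL-08-030280` is added here for the passwd rule, but the ssh_agent hunk on L193 adds the identical `stigid@rhel8: RHEL-08-030280`; a STIG ID names exactly one requirement, so one of the two rules is mapped to the wrong ID and the generated STIG mapping tables would carry a duplicate. Please check both against the RHEL 8 STIG and correct whichever does not match. Since every other `stigid@rhel8` value on this page was also entered by hand, a one-off cross-check of all the new values against the STIG's ID list before merging would catch any further slips. The enclosing `references:` mapping begins before the hunk.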
@@ -41,16 +41,17 @@ references:
 cis@ubuntu2004: 4.1.11
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
 iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2
 nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
 stigid@ol7: OL07-00-030760
 stigid@rhel7: RHEL-07-030760
+ stigid@rhel8: RHEL-08-030311
 vmmsrg: SRG-OS-000471-VMM-001910
 ocil_clause: 'it is not the case'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
index 96308029f9..e913e83a0b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
@@ -41,16 +41,17 @@ references:
 cis@ubuntu2004: 4.1.11
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
 iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2
 nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
 stigid@ol7: OL07-00-030770
 stigid@rhel7: RHEL-07-030770
+ stigid@rhel8: RHEL-08-030312
 vmmsrg: SRG-OS-000471-VMM-001910
 ocil_clause: 'it is not the case'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
index b9f68d0712..f2ebca4550 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
@@ -28,14 +28,16 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-85944-7
 cce@sle12: CCE-83199-0
 cce@sle15: CCE-85590-8
 references:
 cis@ubuntu2004: 4.1.11
- disa: CCI-000130,CCI-000172
+ disa: CCI-000130,CCI-000169,CCI-000172
 nist@sle12: AU-3,AU-3.1,AU-12(a),AU-12(c),AU-12.1(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ stigid@rhel8: RHEL-08-030280
 stigid@sle12: SLES-12-020310
 stigid@sle15: SLES-15-030370
 stigid@ubuntu2004: UBTU-20-010140
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
index 8a042f7def..1bec9be61b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
@@ -47,7 +47,7 @@ references:
 cis@ubuntu2004: 4.1.11
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -55,9 +55,10 @@ references:
 nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
 ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
 stigid@ol7: OL07-00-030780
 stigid@rhel7: RHEL-07-030780
+ stigid@rhel8: RHEL-08-030320
 stigid@sle12: SLES-12-020320
 stigid@sle15: SLES-15-030060
 stigid@ubuntu2004: UBTU-20-010141
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
index fce851d8e4..99e09ab4e3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
@@ -43,7 +43,7 @@ references:
 cis@ubuntu2004: 4.1.11
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000130,CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -51,9 +51,10 @@ references:
 nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
 ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-0003,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210
 stigid@ol7: OL07-00-030680
 stigid@rhel7: RHEL-07-030680
+ stigid@rhel8: RHEL-08-030190
 stigid@sle12: SLES-12-020250
 stigid@sle15: SLES-15-030550
 stigid@ubuntu2004: UBTU-20-010136
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
index 50f72b7d89..aac859c4b1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
@@ -44,7 +44,7 @@ references:
 cis@ubuntu2004: 4.1.11
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000130,CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
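Review bot: In the new `srg:` line of the su hunk, `SRG-OS-000064-GPOS-0003` has a four-digit GPOS suffix while every other identifier in this list and in the other hunks of the patch uses five, so it reads as a truncated reference that will not resolve to the requirement it is meant to cite in generated STIG tables. Please confirm the intended five-digit suffix against the RHEL 8 STIG and correct it before merge. As a style point, `SRG-OS-000466-GPOS-00210` is appended after `SRG-OS-000471-GPOS-00215` here, and likewise in the sudo and usermod hunks that follow, breaking the ascending order the rest of these lists keep; inserting it between the 000462 and 000470/000471 entries would keep the lists uniform and make future diffs easier to read.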
@@ -52,9 +52,10 @@ references:
 nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
 ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210
 stigid@ol7: OL07-00-030690
 stigid@rhel7: RHEL-07-030690
+ stigid@rhel8: RHEL-08-030550
 stigid@sle12: SLES-12-020260
 stigid@sle15: SLES-15-030560
 stigid@ubuntu2004: UBTU-20-010161
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
index 28fda0e782..061b5c28a7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
@@ -54,6 +54,7 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
 stigid@ol7: OL07-00-030750
 stigid@rhel7: RHEL-07-030750
+ stigid@rhel8: RHEL-08-030301
 stigid@sle12: SLES-12-020300
 stigid@sle15: SLES-15-030360
 stigid@ubuntu2004: UBTU-20-010139
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
index f78b1972be..41a6123f5b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
@@ -52,9 +52,10 @@ references:
 nist: AC-2(4),AU-2(d),AU-3,AU-3.1,AU-12(a),AU-12(c),AU-12.1(ii),AU-12.1(iv),AC-6(9),CM-6(a),MA-4(1)(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
 ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215,SRG-OS-000037-GPOS-00015
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
 stigid@ol7: OL07-00-030640
 stigid@rhel7: RHEL-07-030640
+ stigid@rhel8: RHEL-08-030317
 stigid@sle12: SLES-12-020680
 stigid@sle15: SLES-15-030110
 vmmsrg: SRG-OS-000471-VMM-001910
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
index 13bddb000a..de8bab633a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
@@ -40,7 +40,7 @@ references:
 cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -48,9 +48,10 @@ references:
 nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
 ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
 stigid@ol7: OL07-00-030670
 stigid@rhel7: RHEL-07-030670
+ stigid@rhel8: RHEL-08-030315
 vmmsrg: SRG-OS-000471-VMM-001910
 
 ocil_clause: 'it is not the case'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
index b4c8a8f2cb..288d3c3bf2 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
@@ -39,13 +39,15 @@ rationale: |-
 severity: medium
 
 identifiers:
+ cce@rhel8: CCE-86027-0
 cce@sle12: CCE-83191-7
 cce@sle15: CCE-85600-5
 
 references:
 disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
 nist@sle12: AU-3,AU-12(a),AU-12(c),MA-4(1)(a)
- srg: SRG-OS-000037-GPOS-00015
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210
+ stigid@rhel8: RHEL-08-030560
 stigid@sle12: SLES-12-020700
 stigid@sle15: SLES-15-030500
 stigid@ubuntu2004: UBTU-20-010176
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
index 6aab91b6d5..6818e5c7b8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
@@ -39,6 +39,7 @@ references:
 cjis: 5.4.1.1
 cobit5: APO01.06,APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.3.1,3.4.3
+ disa: CCI-000162
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.310(a)(2)(iv),164.312(d),164.310(d)(2)(iii),164.312(b),164.312(e)
 isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 5.2,SR 6.1'
@@ -46,4 +47,5 @@ references:
 nist: AC-6(9),CM-6(a)
 nist-csf: DE.AE-3,DE.AE-5,ID.SC-4,PR.AC-4,PR.DS-5,PR.PT-1,RS.AN-1,RS.AN-4
 pcidss: Req-10.5.2
+ srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
 stigid@rhel8: RHEL-08-030121
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
index 7dd945ae83..298aec87f3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
@@ -38,7 +38,7 @@ references:
 cjis: 5.4.1.1
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000135,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-002884
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -46,9 +46,10 @@ references:
 nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
 pcidss: Req-10.2.7
- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
 stigid@ol7: OL07-00-030740
 stigid@rhel7: RHEL-07-030740
+ stigid@rhel8: RHEL-08-030302
 stigid@sle12: SLES-12-020290
 
 ocil_clause: 'there is no output'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
index 52c7bd2aef..12bca676d8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
@@ -47,7 +47,7 @@ references:
 nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.2,Req-10.2.5.b
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,CCI-002884,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
 stigid@ol7: OL07-00-030700
 stigid@rhel7: RHEL-07-030700
 stigid@rhel8: RHEL-08-030172
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
index a91d14e967..11c8f823c3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
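Review bot: The new `srg:` line of the audit_rules_sysadmin_actions hunk contains `CCI-002884`, which is a DISA CCI rather than an SRG identifier and belongs on the rule's `disa:` line (not part of this hunk); the same stray entry appears in the new `srg:` line of the audit_rules_usergroup_modification_group hunk that follows, whose `disa:` line is in that hunk and does not list CCI-002884 either, so the mapping is lost for that rule. The same new lists also repeat `SRG-OS-000304-GPOS-00121` twice, here and in the group, gshadow, opasswd, passwd and shadow hunks below, which is harmless to the build but noisy in generated reference tables. For this hunk I would write `srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000466-GPOS-00210,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000476-GPOS-00221` and add CCI-002884 to `disa:` if it is intended, applying the same dedup and sort to the other five rules.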
@@ -43,7 +43,7 @@ references:
 cjis: 5.4.1.1
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
+ disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -53,7 +53,7 @@ references:
 nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.5
- srg: SRG-OS-000004-GPOS-00004
+ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,CCI-002884,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
 stigid@ol7: OL07-00-030871
 stigid@rhel7: RHEL-07-030871
 stigid@rhel8: RHEL-08-030170
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
index 90b98863c1..8ccf265de6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
@@ -43,7 +43,7 @@ references:
 cjis: 5.4.1.1
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
+ disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -53,7 +53,7 @@ references:
 nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.5
- srg: SRG-OS-000004-GPOS-00004
+ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
 stigid@ol7: OL07-00-030872
 stigid@rhel7: RHEL-07-030872
 stigid@rhel8: RHEL-08-030160
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
index 05e12170e4..b8e99f216a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
@@ -43,7 +43,7 @@ references:
 cjis: 5.4.1.1
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
+ disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -54,7 +54,7 @@ references:
 nist@sle15: AC-2(4).1(i&ii),AU-12.1(iv)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.5
- srg: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000463-GPOS-00207,SRG-OS-000476-GPOS-00221
+ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000476-GPOS-00221,SRG-OS-000463-GPOS-00207
 stigid@ol7: OL07-00-030874
 stigid@rhel7: RHEL-07-030874
 stigid@rhel8: RHEL-08-030140
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
index 88ef5606a7..aae128fee9 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
@@ -43,7 +43,7 @@ references:
 cjis: 5.4.1.1
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
+ disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -53,7 +53,7 @@ references:
 nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.5
- srg: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000276-GPOS-00106,SRG-OS-000277-GPOS-00107,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221
+ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000276-GPOS-00106,SRG-OS-000277-GPOS-00107
 stigid@ol7: OL07-00-030870
 stigid@rhel7: RHEL-07-030870
 stigid@rhel8: RHEL-08-030150
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
index 6d084343c9..d6cede0d34 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
@@ -43,7 +43,7 @@ references:
 cjis: 5.4.1.1
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
- disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
+ disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
 isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -53,7 +53,7 @@ references:
 nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.5
- srg: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221
+ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
 stigid@ol7: OL07-00-030873
 stigid@rhel7: RHEL-07-030873
 stigid@rhel8: RHEL-08-030130
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
index f1b2bb78fb..733172861a 100644
--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
@@ -46,7 +46,7 @@ references:
 nist: AC-17(1),AU-14(1),AU-10,CM-6(a),IR-5(1)
 nist-csf: DE.AE-3,DE.AE-5,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
 pcidss: Req-10.3
- srg: SRG-OS-000254-GPOS-00095,SRG-OS-000062-GPOS-00031
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000473-GPOS-00218,SRG-OS-000254-GPOS-00095
 stigid@rhel8: RHEL-08-030601
 stigid@ubuntu2004: UBTU-20-010198
 vmmsrg: SRG-OS-000254-VMM-000880
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
index aa22da90c3..261dc1849e 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
@@ -35,9 +35,10 @@ identifiers:
 cce@rhel9: CCE-83673-4
 
 references:
+ disa: CCI-000162
 nist: AU-2(a)
 ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220
+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
 stigid@rhel8: RHEL-08-030122
 
 ocil_clause: 'the file does not exist or the content differs'
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 3cbb4796ac..469c7dff5e 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -846,7 +846,7 @@ selections:
 
 # RHEL-08-030590
 # This one needs to be updated to use /var/log/faillock, but first RHEL-08-020017 should be
- # implemented as it is the one that configures a different patch for the events of failing locks
+ # implemented as it is the one that configures a different path for the events of failing locks
 # - audit_rules_login_events_faillock
 
 # RHEL-08-030600
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 1d54e8ec15..dcb1e675bd 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -74,7 +74,6 @@ CCE-85940-5
 CCE-85941-3
 CCE-85942-1
 CCE-85943-9
-CCE-85944-7
 CCE-85945-4
 CCE-85946-2
 CCE-85947-0
@@ -154,7 +153,6 @@ CCE-86023-9
 CCE-86024-7
 CCE-86025-4
 CCE-86026-2
-CCE-86027-0
 CCE-86028-8
 CCE-86029-6
 CCE-86030-4
@@ -2522,7 +2520,6 @@ CCE-88433-8
 CCE-88434-6
 CCE-88435-3
 CCE-88436-1
-CCE-88437-9
 CCE-88438-7
 CCE-88439-5
 CCE-88440-3
@@ -3515,7 +3512,6 @@ CCE-89442-8
 CCE-89443-6
 CCE-89444-4
 CCE-89445-1
-CCE-89446-9
 CCE-89447-7
 CCE-89448-5
 CCE-89449-3
@@ -3524,7 +3520,6 @@ CCE-89451-9
 CCE-89452-7
 CCE-89453-5
 CCE-89454-3
-CCE-89455-0
 CCE-89456-8
 CCE-89457-6
 CCE-89458-4
From 1e6b51ceb3e8fb9e6406b5f0ba925120e19e719d Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Tue, 3 Aug 2021 11:44:57 +0200
Subject: [PATCH 12/21] Define template data using product qualifiers instead of macros.
---
 .../audit_rules_privileged_commands_ssh_keysign/rule.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
index 1bec9be61b..5c39013572 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
@@ -75,4 +75,6 @@ ocil: |-
 template:
 name: audit_rules_privileged_commands
 vars:
- path: {{% if product in ["sle12", "sle15"] %}}/usr/lib/ssh/ssh-keysign{{% else %}}/usr/libexec/openssh/ssh-keysign{{% endif %}}
+ path: /usr/libexec/openssh/ssh-keysign
+ path@sle12: /usr/lib/ssh/ssh-keysign
+ path@sle15: /usr/lib/ssh/ssh-keysign
From f8478dea74e99affff3f3b7b62d91ac509d71a8c Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Tue, 3 Aug 2021 12:01:18 +0200
Subject: [PATCH 13/21] Add new STIG audit rule audit_rules_privileged_commands_unix_update.
---
 .../rule.yml | 53 +++++++++++++++++++
 .../tests/ocp4/e2e.yml | 3 ++
 products/rhel8/profiles/stig.profile | 2 +-
 shared/references/cce-redhat-avail.txt | 2 -
 4 files changed, 57 insertions(+), 3 deletions(-)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/rule.yml
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/tests/ocp4/e2e.yml
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/rule.yml
new file mode 100644
index 0000000000..7ef800da19
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/rule.yml
@@ -0,0 +1,53 @@ +documentation_complete: true + +prodtype: rhel8,rhel9 + +title: 'Ensure auditd Collects Information on the Use of Privileged Commands - unix_update' + +description: |- + At a minimum, the audit system should collect the execution of + privileged commands for all users and root. If the auditd daemon is + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ +rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by + authorized users, or by unauthorized external entities that have compromised system accounts, + is a serious and ongoing concern and can have significant adverse impacts on organizations. + Auditing the use of privileged functions is one way to detect such misuse and identify + the risk from insider and advanced persistent threats. +

+ Privileged programs are subject to escalation-of-privilege attacks, + which attempt to subvert their normal role of providing some necessary but + limited capability. As such, motivation exists to monitor these programs for + unusual activity. + +severity: medium + +identifiers: + cce@rhel8: CCE-89480-8 + cce@rhel9: CCE-89481-6 + +references: + disa: CCI-000169 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 + stigid@rhel8: RHEL-08-030310 + +ocil_clause: 'it is not the case' + +ocil: |- + To verify that auditing of privileged command use is configured, run the + following command: +
$ sudo grep unix_update /etc/audit/audit.rules /etc/audit/rules.d/*
+ It should return a relevant line in the audit rules. + +template: + name: audit_rules_privileged_commands + vars: + path: /usr/sbin/unix_update diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/tests/ocp4/e2e.yml new file mode 100644 index 0000000000..fd9b313e87 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/tests/ocp4/e2e.yml @@ -0,0 +1,3 @@ +--- +default_result: FAIL +result_after_remediation: PASS diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 469c7dff5e..2cece6a130 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -725,7 +725,7 @@ selections: - audit_rules_media_export # RHEL-08-030310 - # missing rule + - audit_rules_privileged_commands_unix_update # RHEL-08-030311 - audit_rules_privileged_commands_postdrop diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index dcb1e675bd..ac98344c73 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -3544,8 +3544,6 @@ CCE-89476-6 CCE-89477-4 CCE-89478-2 CCE-89479-0 -CCE-89480-8 -CCE-89481-6 CCE-89482-4 CCE-89483-2 CCE-89484-0 From 1216eda0621bedfd60f189bbfd60e79f3b6f5411 Mon Sep 17 00:00:00 2001 
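Review bot: The OCIL check `$ sudo grep unix_update /etc/audit/audit.rules /etc/audit/rules.d/*` matches any line that mentions unix_update, including a commented-out rule or one without `-F perm=x`, so a manual verifier can record a pass for RHEL-08-030310 with no effective rule loaded. The sibling privileged-command rules in this series grep for the path attribute instead (setfacl uses `grep "path=/usr/bin/setfacl" /etc/audit/audit.rules /etc/audit/rules.d/*`); using `$ sudo grep "path=/usr/sbin/unix_update" /etc/audit/audit.rules /etc/audit/rules.d/*` here keeps the checks consistent and narrows the match to the rule the template emits. The phrase "It should return a relevant line" could then say what a relevant line looks like, i.e. the `-a always,exit -F path=/usr/sbin/unix_update ... -F perm=x` form quoted in the description.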
From: Gabriel Becker Date: Tue, 3 Aug 2021 12:30:11 +0200 Subject: [PATCH 14/21] Add two new rules to cover STIG req based on existing rule. The rule used as basis is audit_rules_sysadmin_actions. This rules is used by many profiles and it didn't make sense to change its behavior, so two new rules were created to be used only by RHEL8 STIG. --- .../audit_rules_sudoers/ansible/shared.yml | 39 +++++++++++++++++++ .../audit_rules_sudoers/bash/shared.sh | 8 ++++ .../audit_rules_sudoers/oval/shared.xml | 34 ++++++++++++++++ .../audit_rules_sudoers/rule.yml | 39 +++++++++++++++++++ .../audit_rules_sudoers/tests/correct.pass.sh | 3 ++ .../audit_rules_sudoers/tests/empty.fail.sh | 4 ++ .../tests/wrong_value.fail.sh | 4 ++ .../audit_rules_sudoers_d/ansible/shared.yml | 39 +++++++++++++++++++ .../audit_rules_sudoers_d/bash/shared.sh | 8 ++++ .../audit_rules_sudoers_d/oval/shared.xml | 34 ++++++++++++++++ .../audit_rules_sudoers_d/rule.yml | 39 +++++++++++++++++++ .../tests/correct.pass.sh | 3 ++ .../audit_rules_sudoers_d/tests/empty.fail.sh | 4 ++ .../tests/missing_slash.fail.sh | 4 ++ products/rhel8/profiles/stig.profile | 5 +-- shared/references/cce-redhat-avail.txt | 4 -- 16 files changed, 264 insertions(+), 7 deletions(-) create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/ansible/shared.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/bash/shared.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/oval/shared.xml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/correct.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/empty.fail.sh create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/wrong_value.fail.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/ansible/shared.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/bash/shared.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/correct.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/empty.fail.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/missing_slash.fail.sh diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/ansible/shared.yml new file mode 100644 index 0000000000..12324a9f76 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/ansible/shared.yml 
@@ -0,0 +1,39 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +# Inserts/replaces the rule in /etc/audit/rules.d + +- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions + find: + paths: "/etc/audit/rules.d" + recurse: no + contains: '^.*/etc/sudoers\s.*$' + patterns: "*.rules" + register: find_audit_sysadmin_actions + +- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule + set_fact: + all_sysadmin_actions_files: + - /etc/audit/rules.d/actions.rules + when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched == 0 + +- name: Use matched file as the recipient for the rule + set_fact: + all_sysadmin_actions_files: + - "{{ find_audit_sysadmin_actions.files | map(attribute='path') | list | first }}" + when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched > 0 + +- name: Inserts/replaces audit rule for /etc/sudoers rule in rules.d + lineinfile: + path: "{{ all_sysadmin_actions_files[0] }}" + line: '-w /etc/sudoers -p wa -k actions' + create: yes + +- name: Inserts/replaces audit rule for /etc/sudoers in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '-w /etc/sudoers -p wa -k actions' + create: yes diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/bash/shared.sh new file mode 100644 index 0000000000..a1392449b0 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/bash/shared.sh 
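Review bot: Both `lineinfile` tasks give a `line:` but no `regexp:`, so despite the task names ("Inserts/replaces") a pre-existing watch on `/etc/sudoers` that the OVAL rejects — for instance `-w /etc/sudoers -p w -k actions` — is left in place and the correct line is appended beside it, producing two watches on the same path instead of a replacement. Adding `regexp: '^\s*-w\s+/etc/sudoers\s'` to both tasks makes them replace that entry; the `find` task already selects the target file by the same pattern, so the file is the one that holds the stale rule. The `audit_rules_sudoers_d` playbook in this commit has the same gap, with `/etc/sudoers\.d/` as the path. The task names and the `find_audit_sysadmin_actions` / `all_sysadmin_actions_files` names still refer to the sysadmin_actions rule this was copied from; naming them after sudoers would make the two new playbooks easier to tell apart in a run log.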
@@ -0,0 +1,8 @@ +# platform = multi_platform_all + +# Include source function library. +. /usr/share/scap-security-guide/remediation_functions + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions" +fix_audit_watch_rule "augenrules" "/etc/sudoers" "wa" "actions" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/oval/shared.xml new file mode 100644 index 0000000000..96d1a91c1e --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/oval/shared.xml @@ -0,0 +1,34 @@ + + + {{{ oval_metadata("Audit actions taken by system administrators on the system - /etc/sudoers.") }}} + + + + + + + + + + + + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + + + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml new file mode 100644 index 0000000000..f39bfa7e72 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml @@ -0,0 +1,39 @@ +documentation_complete: true + +prodtype: rhel8,rhel9 + +title: 'Ensure auditd Collects System Administrator Actions - /etc/sudoers' + +description: |- + At a minimum, the audit system should collect administrator actions + for all users and root. If the auditd daemon is configured to use the + augenrules program to read audit rules during daemon startup (the default), + add the following line to a file with suffix .rules in the directory + /etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following line to + /etc/audit/audit.rules file: +
-w /etc/sudoers -p wa -k actions
+ +rationale: |- + The actions taken by system administrators should be audited to keep a record + of what was executed on the system, as well as, for accountability purposes. + +severity: medium + +identifiers: + cce@rhel8: CCE-90175-1 + cce@rhel9: CCE-90176-9 + +references: + disa: CCI-000169 + srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,CCI-002884,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221 + stigid@rhel8: RHEL-08-030171 + +ocil_clause: 'there is not output' + +ocil: |- + To verify that auditing is configured for system administrator actions, run the following command: +
$ sudo auditctl -l | grep "watch=/etc/sudoers\|-w /etc/sudoers\"
+ diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/correct.pass.sh new file mode 100644 index 0000000000..27ff10cb23 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/correct.pass.sh @@ -0,0 +1,3 @@ +#!/bin/bash +mkdir -p /etc/audit/rules.d/ +echo "-w /etc/sudoers -p wa -k actions" >> /etc/audit/rules.d/actions.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/empty.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/empty.fail.sh new file mode 100644 index 0000000000..2776dabaa1 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/empty.fail.sh @@ -0,0 +1,4 @@ +#!/bin/bash +rm -rf /etc/audit/rules.d/ +mkdir -p /etc/audit/rules.d/ +touch /etc/audit/audit.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/wrong_value.fail.sh new file mode 100644 index 0000000000..3d30475363 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/wrong_value.fail.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +mkdir -p /etc/audit/rules.d/ +echo "-w /etc/sudo -p wa -k actions" >> /etc/audit/rules.d/actions.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/ansible/shared.yml new file mode 100644 index 0000000000..89e028ac2d --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/ansible/shared.yml 
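Review bot: The OCIL command in this hunk, `$ sudo auditctl -l | grep "watch=/etc/sudoers\|-w /etc/sudoers\"`, escapes its closing double quote (`\"`), so the shell sees an unterminated string and the verification step cannot be run as written; the sudoers_d rule in the same commit leaves the closing quote unescaped, which is what is intended here. Even with the quote fixed, `-w /etc/sudoers` is a prefix of `-w /etc/sudoers.d/`, so a system that only watches the drop-in directory passes this check for RHEL-08-030171; anchoring on the trailing space, `grep "watch=/etc/sudoers \|-w /etc/sudoers "`, limits the match to the file watch. `ocil_clause: 'there is not output'` should read `'there is no output'`, here and in audit_rules_sudoers_d.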
@@ -0,0 +1,39 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +# Inserts/replaces the rule in /etc/audit/rules.d + +- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions + find: + paths: "/etc/audit/rules.d" + recurse: no + contains: '^.*/etc/sudoers\.d/\s.*$' + patterns: "*.rules" + register: find_audit_sysadmin_actions + +- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule + set_fact: + all_sysadmin_actions_files: + - /etc/audit/rules.d/actions.rules + when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched == 0 + +- name: Use matched file as the recipient for the rule + set_fact: + all_sysadmin_actions_files: + - "{{ find_audit_sysadmin_actions.files | map(attribute='path') | list | first }}" + when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched > 0 + +- name: Inserts/replaces audit rule for /etc/sudoers.d/ rule in rules.d + lineinfile: + path: "{{ all_sysadmin_actions_files[0] }}" + line: '-w /etc/sudoers.d/ -p wa -k actions' + create: yes + +- name: Inserts/replaces audit rule for /etc/sudoers.d/ in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '-w /etc/sudoers.d/ -p wa -k actions' + create: yes diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/bash/shared.sh new file mode 100644 index 0000000000..9a6292d21d --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/bash/shared.sh 
@@ -0,0 +1,8 @@ +# platform = multi_platform_all + +# Include source function library. +. /usr/share/scap-security-guide/remediation_functions + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +fix_audit_watch_rule "auditctl" "/etc/sudoers.d/" "wa" "actions" +fix_audit_watch_rule "augenrules" "/etc/sudoers.d/" "wa" "actions" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml new file mode 100644 index 0000000000..c171851647 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml @@ -0,0 +1,34 @@ + + + {{{ oval_metadata("Audit actions taken by system administrators on the system - /etc/sudoers.d/.") }}} + + + + + + + + + + + + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + + + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml new file mode 100644 index 0000000000..d4a35a7996 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml 
@@ -0,0 +1,39 @@ +documentation_complete: true + +prodtype: rhel8,rhel9 + +title: 'Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/' + +description: |- + At a minimum, the audit system should collect administrator actions + for all users and root. If the auditd daemon is configured to use the + augenrules program to read audit rules during daemon startup (the default), + add the following line to a file with suffix .rules in the directory + /etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following line to + /etc/audit/audit.rules file: +
-w /etc/sudoers.d/ -p wa -k actions
+ +rationale: |- + The actions taken by system administrators should be audited to keep a record + of what was executed on the system, as well as, for accountability purposes. + +severity: medium + +identifiers: + cce@rhel8: CCE-89497-2 + cce@rhel9: CCE-89498-0 + +references: + disa: CCI-000169 + srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,CCI-002884,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221 + stigid@rhel8: RHEL-08-030172 + +ocil_clause: 'there is not output' + +ocil: |- + To verify that auditing is configured for system administrator actions, run the following command: +
$ sudo auditctl -l | grep "watch=/etc/sudoers.d\|-w /etc/sudoers.d"
+ diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/correct.pass.sh new file mode 100644 index 0000000000..a1259a6e66 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/correct.pass.sh @@ -0,0 +1,3 @@ +#!/bin/bash +mkdir -p /etc/audit/rules.d/ +echo "-w /etc/sudoers.d/ -p wa -k actions" >> /etc/audit/rules.d/actions.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/empty.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/empty.fail.sh new file mode 100644 index 0000000000..2776dabaa1 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/empty.fail.sh @@ -0,0 +1,4 @@ +#!/bin/bash +rm -rf /etc/audit/rules.d/ +mkdir -p /etc/audit/rules.d/ +touch /etc/audit/audit.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/missing_slash.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/missing_slash.fail.sh new file mode 100644 index 0000000000..dd96b1ec10 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/missing_slash.fail.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +mkdir -p /etc/audit/rules.d/ +echo "-w /etc/sudoers.d -p wa -k actions" >> /etc/audit/rules.d/actions.rules diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 2cece6a130..965068a691 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile 
@@ -673,11 +673,10 @@ selections: - audit_rules_usergroup_modification_group # RHEL-08-030171 - # should be split - # - audit_rules_sysadmin_actions + - audit_rules_sudoers # RHEL-08-030172 - - audit_rules_sysadmin_actions + - audit_rules_sudoers_d # RHEL-08-030180 - package_audit_installed diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index ac98344c73..001262c6ee 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -3559,8 +3559,6 @@ CCE-89493-1 CCE-89494-9 CCE-89495-6 CCE-89496-4 -CCE-89497-2 -CCE-89498-0 CCE-89499-8 CCE-89500-3 CCE-89501-1 @@ -4228,8 +4226,6 @@ CCE-90170-2 CCE-90172-8 CCE-90173-6 CCE-90174-4 -CCE-90175-1 -CCE-90176-9 CCE-90177-7 CCE-90178-5 CCE-90179-3 From 2db69d93f8616c9d39897a44994ccdfc30fafb65 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Tue, 3 Aug 2021 16:15:14 +0200 Subject: [PATCH 15/21] Update RHEL8 STIG profiles stability test data. --- .../data/profile_stability/rhel8/stig.profile | 64 +++++++++++++++++++ .../profile_stability/rhel8/stig_gui.profile | 64 +++++++++++++++++++ 2 files changed, 128 insertions(+) diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index fcae79f6d8..d7e2f71376 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile 
@@ -66,7 +66,71 @@ selections: - aide_scan_notification - aide_verify_acls - aide_verify_ext_attributes +- audit_immutable_login_uids +- audit_rules_dac_modification_chmod +- audit_rules_dac_modification_chown +- audit_rules_dac_modification_fchmod +- audit_rules_dac_modification_fchmodat +- audit_rules_dac_modification_fchown +- audit_rules_dac_modification_fchownat +- audit_rules_dac_modification_fremovexattr +- audit_rules_dac_modification_fsetxattr +- audit_rules_dac_modification_lchown +- audit_rules_dac_modification_lremovexattr +- audit_rules_dac_modification_lsetxattr +- audit_rules_dac_modification_removexattr +- audit_rules_dac_modification_setxattr +- audit_rules_execution_chacl +- audit_rules_execution_chcon +- audit_rules_execution_semanage +- audit_rules_execution_setfacl +- audit_rules_execution_setfiles +- audit_rules_execution_setsebool +- audit_rules_file_deletion_events_rename +- audit_rules_file_deletion_events_renameat +- audit_rules_file_deletion_events_rmdir +- audit_rules_file_deletion_events_unlink +- audit_rules_file_deletion_events_unlinkat +- audit_rules_immutable +- audit_rules_kernel_module_loading_delete +- audit_rules_kernel_module_loading_finit +- audit_rules_kernel_module_loading_init +- audit_rules_login_events_lastlog +- audit_rules_media_export +- audit_rules_privileged_commands_chage +- audit_rules_privileged_commands_chsh +- audit_rules_privileged_commands_crontab +- audit_rules_privileged_commands_gpasswd +- audit_rules_privileged_commands_kmod +- audit_rules_privileged_commands_mount +- audit_rules_privileged_commands_newgrp +- audit_rules_privileged_commands_pam_timestamp_check +- audit_rules_privileged_commands_passwd +- audit_rules_privileged_commands_postdrop +- audit_rules_privileged_commands_postqueue +- audit_rules_privileged_commands_ssh_agent +- audit_rules_privileged_commands_ssh_keysign +- audit_rules_privileged_commands_su +- audit_rules_privileged_commands_sudo +- audit_rules_privileged_commands_umount +- 
audit_rules_privileged_commands_unix_chkpwd +- audit_rules_privileged_commands_unix_update +- audit_rules_privileged_commands_userhelper +- audit_rules_privileged_commands_usermod +- audit_rules_sudoers +- audit_rules_sudoers_d - audit_rules_suid_privilege_function +- audit_rules_unsuccessful_file_modification_creat +- audit_rules_unsuccessful_file_modification_ftruncate +- audit_rules_unsuccessful_file_modification_open +- audit_rules_unsuccessful_file_modification_open_by_handle_at +- audit_rules_unsuccessful_file_modification_openat +- audit_rules_unsuccessful_file_modification_truncate +- audit_rules_usergroup_modification_group +- audit_rules_usergroup_modification_gshadow +- audit_rules_usergroup_modification_opasswd +- audit_rules_usergroup_modification_passwd +- audit_rules_usergroup_modification_shadow - auditd_audispd_configure_sufficiently_large_partition - auditd_data_disk_error_action - auditd_data_disk_full_action diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index 2bbd1881f5..7c95e31545 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile 
@@ -77,7 +77,71 @@ selections: - aide_scan_notification - aide_verify_acls - aide_verify_ext_attributes +- audit_immutable_login_uids +- audit_rules_dac_modification_chmod +- audit_rules_dac_modification_chown +- audit_rules_dac_modification_fchmod +- audit_rules_dac_modification_fchmodat +- audit_rules_dac_modification_fchown +- audit_rules_dac_modification_fchownat +- audit_rules_dac_modification_fremovexattr +- audit_rules_dac_modification_fsetxattr +- audit_rules_dac_modification_lchown +- audit_rules_dac_modification_lremovexattr +- audit_rules_dac_modification_lsetxattr +- audit_rules_dac_modification_removexattr +- audit_rules_dac_modification_setxattr +- audit_rules_execution_chacl +- audit_rules_execution_chcon +- audit_rules_execution_semanage +- audit_rules_execution_setfacl +- audit_rules_execution_setfiles +- audit_rules_execution_setsebool +- audit_rules_file_deletion_events_rename +- audit_rules_file_deletion_events_renameat +- audit_rules_file_deletion_events_rmdir +- audit_rules_file_deletion_events_unlink +- audit_rules_file_deletion_events_unlinkat +- audit_rules_immutable +- audit_rules_kernel_module_loading_delete +- audit_rules_kernel_module_loading_finit +- audit_rules_kernel_module_loading_init +- audit_rules_login_events_lastlog +- audit_rules_media_export +- audit_rules_privileged_commands_chage +- audit_rules_privileged_commands_chsh +- audit_rules_privileged_commands_crontab +- audit_rules_privileged_commands_gpasswd +- audit_rules_privileged_commands_kmod +- audit_rules_privileged_commands_mount +- audit_rules_privileged_commands_newgrp +- audit_rules_privileged_commands_pam_timestamp_check +- audit_rules_privileged_commands_passwd +- audit_rules_privileged_commands_postdrop +- audit_rules_privileged_commands_postqueue +- audit_rules_privileged_commands_ssh_agent +- audit_rules_privileged_commands_ssh_keysign +- audit_rules_privileged_commands_su +- audit_rules_privileged_commands_sudo +- audit_rules_privileged_commands_umount +- 
audit_rules_privileged_commands_unix_chkpwd +- audit_rules_privileged_commands_unix_update +- audit_rules_privileged_commands_userhelper +- audit_rules_privileged_commands_usermod +- audit_rules_sudoers +- audit_rules_sudoers_d - audit_rules_suid_privilege_function +- audit_rules_unsuccessful_file_modification_creat +- audit_rules_unsuccessful_file_modification_ftruncate +- audit_rules_unsuccessful_file_modification_open +- audit_rules_unsuccessful_file_modification_open_by_handle_at +- audit_rules_unsuccessful_file_modification_openat +- audit_rules_unsuccessful_file_modification_truncate +- audit_rules_usergroup_modification_group +- audit_rules_usergroup_modification_gshadow +- audit_rules_usergroup_modification_opasswd +- audit_rules_usergroup_modification_passwd +- audit_rules_usergroup_modification_shadow - auditd_audispd_configure_sufficiently_large_partition - auditd_data_disk_error_action - auditd_data_disk_full_action From 67d07b479750430ce78aa6f5b9326901ec4bc532 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Wed, 4 Aug 2021 14:32:46 +0200 Subject: [PATCH 16/21] Fix RHEL8 STIG id of audit_rules_privileged_commands_passwd. --- .../audit_rules_privileged_commands_passwd/rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml index 06b5cfc4ae..60660a1314 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml 
@@ -54,7 +54,7 @@ references: srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 stigid@ol7: OL07-00-030630 stigid@rhel7: RHEL-07-030630 - stigid@rhel8: RHEL-08-030280 + stigid@rhel8: RHEL-08-030290 stigid@sle12: SLES-12-020550 stigid@sle15: SLES-15-030070 stigid@ubuntu2004: UBTU-20-010172 From 9e11cb68aa68ec7d8dde7a9f5d9298bd3c74f9cb Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Wed, 4 Aug 2021 15:49:08 +0200 Subject: [PATCH 17/21] Update audit rules description with regards to -F perm=x parameter. --- .../audit_rules_execution_chacl/rule.yml | 6 ++--- .../audit_rules_execution_setfacl/rule.yml | 6 ++--- .../audit_rules_execution_chcon/rule.yml | 22 ++++++------------- .../audit_rules_execution_semanage/rule.yml | 10 ++++++--- .../audit_rules_execution_setfiles/rule.yml | 10 ++++++--- .../audit_rules_execution_setsebool/rule.yml | 10 ++++++--- .../rule.yml | 8 +++++-- .../rule.yml | 8 +++++-- .../rule.yml | 8 +++++-- .../rule.yml | 8 +++++-- .../rule.yml | 15 ++++++++++--- .../rule.yml | 8 +++++-- .../rule.yml | 8 +++++-- .../rule.yml | 17 +++++++++----- .../rule.yml | 8 +++++-- .../rule.yml | 8 +++++-- .../rule.yml | 8 +++++-- .../rule.yml | 18 ++++++++++----- .../rule.yml | 8 +++++-- .../rule.yml | 8 +++++-- .../rule.yml | 8 +++++-- .../rule.yml | 8 +++++-- .../rule.yml | 8 +++++-- .../rule.yml | 13 +---------- .../ansible.template | 2 +- .../bash.template | 2 +- .../oval.template | 2 +- 27 files changed, 157 insertions(+), 88 deletions(-) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml index 0c71e4ac24..735817e4f0 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml @@ -42,10 +42,10 @@ references: ocil: |- To verify that execution of the command is being audited, run the following command: - Configure the SUSE operating system to generate an audit record for all uses of the "chacl" command. + Configure the operating system to generate an audit record for all uses of the "chacl" command. Add or update the following rules in the "/etc/audit/audit.rules" file: - -a always,exit -F arch=b32 path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged - -a always,exit -F arch=b64 path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged + -a always,exit -F arch=b32 path=/usr/bin/chacl -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged + -a always,exit -F arch=b64 path=/usr/bin/chacl -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml index 89c134a0fa..341790d7dd 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml 
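Review bot: The two rule lines in the OCIL, `-a always,exit -F arch=b32 path=/usr/bin/chacl -F perm=x ...`, omit the `-F` in front of `path=`; auditctl takes every filter as `-F name=value`, so the text as updated here is still not a loadable rule. Each line should read `-a always,exit -F arch=b32 -F path=/usr/bin/chacl -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged` (and likewise for b64); the setfacl rule in this commit carries the same lines. Separately, the block opens with "run the following command" but what follows is remediation text ("Configure the operating system...", "Add or update the following rules", the systemctl restart), which belongs in the description, leaving the OCIL with only the grep that verifies the rule is present — for chacl no such grep is visible in this hunk, though the extraction may have dropped it.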
@@ -42,10 +42,10 @@ references: ocil: |- To verify that execution of the command is being audited, run the following command: - Configure the SUSE operating system to generate an audit record for all uses of the "setfacl" command. + Configure the operating system to generate an audit record for all uses of the "setfacl" command. Add or update the following rules in the "/etc/audit/audit.rules" file: - -a always,exit -F arch=b32 path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged - -a always,exit -F arch=b64 path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged + -a always,exit -F arch=b32 path=/usr/bin/setfacl -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged + -a always,exit -F arch=b64 path=/usr/bin/setfacl -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
$ sudo grep "path=/usr/bin/setfacl" /etc/audit/audit.rules /etc/audit/rules.d/*
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml index 0c6781c7d5..4a5f43376a 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml @@ -1,3 +1,7 @@ +{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + documentation_complete: true prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 @@ -10,19 +14,11 @@ description: |- daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: - {{% if product in ["sle12", "sle15"] %}} -
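Review bot: `perm_x` is only assigned inside the `{{%- if product in [...] %}}` block at the top of this file, so for every other product in `prodtype` (fedora, ol7, ol8, rhcos4, rhel7, rhv4, ubuntu2004, wrlinux1019) the `{{{ perm_x }}}` substitutions below depend on the Jinja environment rendering an undefined name as an empty string; under a strict-undefined environment the build would abort instead. An explicit default makes the intent visible and removes that dependency: `{{%- else %}}` / `  {{%- set perm_x="" %}}` before the `endif`. The trailing space inside `"-F perm=x "` is load-bearing (it is what separates the filter from the following `-F auid>=`), which deserves a one-line template comment so nobody trims it. The same pattern is repeated in the semanage, setfiles, setsebool, chage, chsh, crontab, gpasswd, mount, newgrp, pam_timestamp_check, passwd, postdrop, postqueue, ssh_keysign, su and sudo hunks of this patch. Whether the generated bash/ansible/OVAL output (the three templates in the diffstat are outside this view) emits `-F perm=x` for exactly this product list is worth confirming, since a description that shows the filter while the check does not require it would leave the two disagreeing about what the rule enforces.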
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
- {{% else %}} -
-a always,exit -F path=/usr/bin/chcon -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
- {{% endif %}} +
-a always,exit -F path=/usr/bin/chcon {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: - {{% if product in ["sle12", "sle15"] %}} -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
- {{% else %}} -
-a always,exit -F path=/usr/bin/chcon -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
- {{% endif %}} +
-a always,exit -F path=/usr/bin/chcon {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by @@ -73,11 +69,7 @@ ocil: |- To verify that execution of the command is being audited, run the following command:
$ sudo grep "path=/usr/bin/chcon" /etc/audit/audit.rules /etc/audit/rules.d/*
The output should return something similar to: - {{% if product in ["sle12", "sle15"] %}} -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
- {{% else %}} -
-a always,exit -F path=/usr/bin/chcon -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
- {{% endif %}} +
-a always,exit -F path=/usr/bin/chcon {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
template: name: audit_rules_privileged_commands diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml index b609c3dfc2..a945ce16f8 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml @@ -1,3 +1,7 @@ +{{%- if product in ["rhel8", "rhel9"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + documentation_complete: true prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,wrlinux1019 @@ -10,11 +14,11 @@ description: |- daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/semanage -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/semanage {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/semanage -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/semanage {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by @@ -59,7 +63,7 @@ ocil: |- To verify that execution of the command is being audited, run the following command:
$ sudo grep "path=/usr/sbin/semanage" /etc/audit/audit.rules /etc/audit/rules.d/*
The output should return something similar to: -
-a always,exit -F path=/usr/sbin/semanage -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/semanage {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
template: name: audit_rules_privileged_commands diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml index 9de7407f4c..6db7d1daca 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml @@ -1,3 +1,7 @@ +{{%- if product in ["rhel8", "rhel9"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + documentation_complete: true prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4 @@ -10,11 +14,11 @@ description: |- daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setfiles -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setfiles {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setfiles -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setfiles {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by @@ -49,7 +53,7 @@ ocil: |- To verify that execution of the command is being audited, run the following command:
$ sudo grep "path=/usr/sbin/setfiles" /etc/audit/audit.rules /etc/audit/rules.d/*
The output should return something similar to: -
-a always,exit -F path=/usr/sbin/setfiles -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setfiles {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
template: name: audit_rules_privileged_commands diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml index 23504bab4a..c357c48fe6 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml @@ -1,3 +1,7 @@ +{{%- if product in ["rhel8", "rhel9"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + documentation_complete: true prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,wrlinux1019 @@ -10,11 +14,11 @@ description: |- daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setsebool -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setsebool -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by @@ -58,7 +62,7 @@ ocil: |- To verify that execution of the command is being audited, run the following command:
$ sudo grep "path=/usr/sbin/setsebool" /etc/audit/audit.rules /etc/audit/rules.d/*
The output should return something similar to: -
-a always,exit -F path=/usr/sbin/setsebool -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
template: name: audit_rules_privileged_commands diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml index 474910c4c8..b5a9e29d2e 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml @@ -1,3 +1,7 @@ +{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + documentation_complete: true prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 @@ -10,11 +14,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chage -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chage {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chage -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chage {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml index 3ca968a543..8cc2b236a9 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml @@ -1,3 +1,7 @@ +{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + documentation_complete: true prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 @@ -10,11 +14,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chsh -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chsh {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chsh -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chsh {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml index 7c5058c7f8..86633fb606 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml @@ -1,3 +1,7 @@ +{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + documentation_complete: true prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 @@ -10,11 +14,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/crontab -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/crontab -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml index 0c7bf84268..ac5bfb2cc5 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml @@ -1,3 +1,7 @@ +{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + documentation_complete: true prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 @@ -10,11 +14,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/gpasswd -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/gpasswd {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/gpasswd -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/gpasswd {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml index 851dd5aa3d..b469e42bbb 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml @@ -1,3 +1,11 @@ +{{%- if product in ["rhel8"] %}} + {{%- set kmod_audit="-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" %}} +{{%- elif product in ["ubuntu2004"] %}} + {{%- set kmod_audit="-w /bin/kmod -p x -k modules" %}} +{{%- else %}} + {{%- set kmod_audit="-w /usr/bin/kmod -p x -k modules" %}} +{{%- endif %}} + documentation_complete: true prodtype: rhel8,sle12,sle15,ubuntu2004 @@ -10,11 +18,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
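Review bot: The rhel8 branch of `kmod_audit` hard-codes `-F auid>=1000`, while every other rule touched by this patch (including the chacl/setfacl hunks, which replace that very literal) uses `{{{ auid }}}`, so this description will be wrong for any product whose minimum login UID differs from 1000. The variable can stay inside the `set` by concatenating it: `{{%- set kmod_audit="-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=" ~ auid ~ " -F auid!=unset -F key=privileged" %}}`. Separately, the ubuntu2004 and default branches keep the `-w ... -p x -k modules` watch form while the rule's `template:` is `audit_rules_privileged_commands` with the new `path@ubuntu2004: /bin/kmod` variable, so the documented line and the generated check/remediation presumably differ in form; that needs confirming against the template output, which is outside this view. The OCIL in the later hunk still greps only `/etc/audit/audit.rules`; the other OCILs in this patch also search `/etc/audit/rules.d/*`, which is where augenrules-based systems keep the rule.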
-w /usr/bin/kmod -p x -k modules
+
{{{ kmod_audit }}}
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-w /usr/bin/kmod -p x -k modules
+
{{{ kmod_audit }}}
rationale: |- Without generating audit records that are specific to the security and @@ -48,7 +56,7 @@ ocil: |- following command:
# sudo grep kmod /etc/audit/audit.rules
-    -w /usr/bin/kmod -p x -k modules
+ {{{ kmod_audit }}} If the system is configured to audit the execution of the module management program "kmod", the command will return a line. If the command does not @@ -60,3 +68,4 @@ template: name: audit_rules_privileged_commands vars: path: /usr/bin/kmod + path@ubuntu2004: /bin/kmod diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml index cc423c4146..56bd72b670 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml @@ -1,3 +1,7 @@ +{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + documentation_complete: true prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004 @@ -10,11 +14,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/mount -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/mount {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/mount -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/mount {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml index edbb41f3d8..4c14ea509c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml @@ -1,3 +1,7 @@ +{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + documentation_complete: true prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 @@ -10,11 +14,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/newgrp -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/newgrp {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/newgrp -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/newgrp {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml index f5a3a4be02..c34eeb54c4 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml @@ -1,8 +1,7 @@ -documentation_complete: true -prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 - -title: 'Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check' +{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} {{% if product in ["sle12", "sle15"] %}} {{% set pam_bin_path = "/sbin/pam_timestamp_check" %}} @@ -10,6 +9,12 @@ title: 'Ensure auditd Collects Information on the Use of Privileged Commands - p {{% set pam_bin_path = "/usr/sbin/pam_timestamp_check" %}} {{% endif %}} +documentation_complete: true + +prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 + +title: 'Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check' + description: |- At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is @@ -17,12 +22,12 @@ description: |- daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path={{{ pam_bin_path }}}
-    -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path={{{ pam_bin_path }}}
-    -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged rationale: |- Misuse of privileged functions, either intentionally or unintentionally by diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml index 60660a1314..2af86f5042 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml @@ -1,3 +1,7 @@ +{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + documentation_complete: true prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 @@ -10,11 +14,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
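Review bot: Both replaced lines keep the audit rule split across two lines of the `description: |-` literal block (`-a always,exit -F path={{{ pam_bin_path }}}` on one line, `{{{ perm_x }}}-F auid>=...` on the next), so any output that preserves the block's newlines shows a rule that cannot be pasted into a rules file as-is. The ssh_keysign hunk in this same patch collapses the equivalent rule onto one line; doing the same here keeps the descriptions consistent: `-a always,exit -F path={{{ pam_bin_path }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged` in both the rules.d and audit.rules paragraphs. Whether the HTML guide collapses the newline anyway cannot be told from this hunk.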
-a always,exit -F path=/usr/bin/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/passwd {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/passwd {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml index 8f90c9c211..9509216e8f 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml @@ -1,3 +1,7 @@ +{{%- if product in ["rhel8", "rhel9"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + documentation_complete: true prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,ubuntu2004,wrlinux1019 @@ -10,11 +14,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postdrop -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/postdrop {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postdrop -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/postdrop {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml index e913e83a0b..c5d1a82cc7 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml @@ -1,3 +1,7 @@ +{{%- if product in ["rhel8", "rhel9"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + documentation_complete: true prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,ubuntu2004,wrlinux1019 @@ -10,11 +14,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postqueue -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/postqueue {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postqueue -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/postqueue {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml index 5c39013572..604cbcda85 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml @@ -1,3 +1,13 @@ +{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + +{{%- if product in ["sle12", "sle15"] %}} + {{%- set ssh_keysign_path="/usr/lib/ssh/ssh-keysign" %}} +{{%- else %}} + {{%- set ssh_keysign_path="/usr/libexec/openssh/ssh-keysign" %}} +{{%- endif %}} + documentation_complete: true prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 @@ -10,15 +20,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
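Review bot: `ssh_keysign_path` falls back to `/usr/libexec/openssh/ssh-keysign` for every product outside sle12/sle15, including ubuntu2004, which is listed in `prodtype`; on Debian-derived systems the helper is, to my knowledge, installed as `/usr/lib/openssh/ssh-keysign`, so the description would point operators at a path that does not exist there. If that is confirmed against the template's `path` variable for ubuntu2004 (outside this view), one extra branch closes the gap: `{{%- elif product in ["ubuntu2004"] %}}` / `  {{%- set ssh_keysign_path="/usr/lib/openssh/ssh-keysign" %}}`. The behavior before this refactor was the same, so this is a pre-existing gap rather than a regression, but the new variable makes it a two-line fix.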
-a always,exit -F path={{% if product in ["sle12", "sle15"] %}}/usr/lib/ssh/ssh-keysign
-    {{% else %}}/usr/libexec/openssh/ssh-keysign{{% endif %}} -F auid>={{{ auid }}} 
-    -F auid!=unset -F key=privileged
+
-a always,exit -F path={{{ ssh_keysign_path }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path={{% if product in ["sle12", "sle15"] %}}/usr/lib/ssh/ssh-keysign
-    {{% else %}}/usr/libexec/openssh/ssh-keysign{{% endif %}}
-    -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path={{{ ssh_keysign_path }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml index 99e09ab4e3..87a81ee0c4 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml @@ -1,3 +1,7 @@ +{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + documentation_complete: true prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 @@ -10,11 +14,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
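Review bot: The `perm_x` prologue added to this rule hard-codes the product list `["rhel8", "rhel9", "sle12", "sle15"]`, which the same patch also copies into each sibling rule.yml and into the ansible, bash and oval templates; the description and the generated check will silently diverge the next time one copy is edited and the others are not (the userhelper rule later in this series already carries a shorter list, `["rhel8", "rhel9"]`, which is correct for its prodtype but shows how easily the copies drift). Consider defining the flag once — a shared Jinja macro such as `{{{ audit_perm_x() }}}` in shared/macros, or a per-product variable in product.yml — and referencing it from the rule descriptions and the three templates. The same applies to `ssh_keysign_path` if any other rule ever needs the per-distro path. Both ssh-keysign hunks are fully visible here; the `rationale` block after the description is context only.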
-a always,exit -F path=/usr/bin/su -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/su {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/su -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/su {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml index aac859c4b1..e989091836 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml @@ -1,3 +1,7 @@ +{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + documentation_complete: true prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 @@ -10,11 +14,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/sudo -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/sudo {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/sudo -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/sudo {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml index 061b5c28a7..5d47508bb9 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml @@ -1,3 +1,7 @@ +{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + documentation_complete: true prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 @@ -10,11 +14,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/umount -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/umount {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/umount -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/umount {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml index 41a6123f5b..5be7f486c6 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml @@ -1,3 +1,7 @@ +{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + documentation_complete: true prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 @@ -10,11 +14,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_chkpwd {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_chkpwd {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml index de8bab633a..6dccc80692 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml @@ -1,3 +1,7 @@ +{{%- if product in ["rhel8", "rhel9"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + documentation_complete: true prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4 @@ -10,11 +14,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/userhelper -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/userhelper {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/userhelper -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/userhelper {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml index 288d3c3bf2..7089016151 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml @@ -10,19 +10,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: - {{% if 'ubuntu' in product %}}
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
- {{% else %}} -
-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
- {{% endif %}} If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: - {{% if 'ubuntu' in product %}}
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
- {{% else %}} -
-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
- {{% endif %}} rationale: |- Misuse of privileged functions, either intentionally or unintentionally by @@ -63,7 +55,4 @@ ocil: |- template: name: audit_rules_privileged_commands vars: - path: /usr/bin/usermod - path@ubuntu1604: /usr/sbin/usermod - path@ubuntu1804: /usr/sbin/usermod - path@ubuntu2004: /usr/sbin/usermod + path: /usr/sbin/usermod diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template index a245de6673..06154e10ce 100644 --- a/shared/templates/audit_rules_privileged_commands/ansible.template +++ b/shared/templates/audit_rules_privileged_commands/ansible.template @@ -1,4 +1,4 @@ -{{%- if product in ["rhel8", "sle12", "sle15"] %}} +{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template index 2b3795674f..d03a92061c 100644 --- a/shared/templates/audit_rules_privileged_commands/bash.template +++ b/shared/templates/audit_rules_privileged_commands/bash.template @@ -1,4 +1,4 @@ -{{%- if product in ["rhel8", "sle12", "sle15"] %}} +{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv diff --git a/shared/templates/audit_rules_privileged_commands/oval.template b/shared/templates/audit_rules_privileged_commands/oval.template index 8e3919ca66..c3d396e2ff 100644 --- a/shared/templates/audit_rules_privileged_commands/oval.template +++ b/shared/templates/audit_rules_privileged_commands/oval.template 
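Review bot: The two retained description lines in this hunk spell `-F perm=x` literally for every product, while the rule's prodtype now includes ubuntu2004 and the templates touched at the end of this patch only emit `-F perm=x` when `product in ["rhel8", "rhel9", "sle12", "sle15"]`; on Ubuntu the documented rule and the generated check would then differ by that flag (the bash template's platform line excludes Ubuntu and the OVAL template's platform list is not visible here, so confirm which template actually renders for it). The sibling rules in this series (su, sudo, umount, unix_chkpwd) were converted to the `{{{ perm_x }}}` form; doing the same here keeps the description in step with whatever the templates decide. The change is the three-line prologue at the top of the file plus the two description lines; the `rationale` block that follows continues outside the hunk.
```yaml
{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
    {{%- set perm_x="-F perm=x " %}}
{{%- endif %}}

# … unchanged: documentation_complete, prodtype, title, description preamble …
    -a always,exit -F path=/usr/sbin/usermod {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
# … unchanged: auditctl paragraph …
    -a always,exit -F path=/usr/sbin/usermod {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
```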
@@ -1,4 +1,4 @@ -{{%- if product in ["rhel8", "sle12", "sle15"] %}} +{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} {{%- set perm_x="(?:[\s]+-F[\s]+perm=x)" %}} {{%- endif %}} From fd801e1fd36a0e6724c043de2dbc75567738edfa Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Wed, 4 Aug 2021 15:57:08 +0200 Subject: [PATCH 18/21] Update SRG mapping of chronyd_or_ntpd_set_maxpoll. --- .../guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml index 4827cf1359..854e8e8048 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml @@ -90,7 +90,7 @@ references: nist: CM-6(a),AU-8(1)(b) nist-csf: PR.PT-1 nist@sle12: AU-8(1)(a),AU-8(1)(b) - srg: 'SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144' + srg: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144,SRG-OS-000359-GPOS-00146 stigid@ol7: OL07-00-040500 stigid@rhel7: RHEL-07-040500 stigid@rhel8: RHEL-08-030740 From 4a79ec12860e768e650bb7fd0962334d1c70223a Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Wed, 4 Aug 2021 15:58:47 +0200 Subject: [PATCH 19/21] Remove SUSE keyword verbiage from rules. --- .../accounts/accounts-restrictions/account_unique_id/rule.yml | 4 ++-- .../audit_rules_login_events_faillog/rule.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml index e55901dbdc..5cfdf48dba 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml 
@@ -32,8 +32,8 @@ ocil_clause: 'a line is returned' ocil: |- Run the following command to check for duplicate account names: - Check that the SUSE operating system contains no duplicate UIDs for interactive users by running the following command: + Check that the operating system contains no duplicate UIDs for interactive users by running the following command:
# awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
If output is produced, this is a finding. - Configure the SUSE operating system to contain no duplicate UIDs for interactive users. + Configure the operating system to contain no duplicate UIDs for interactive users. Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID. diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml index 7a6d748ffe..97d6874e98 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml @@ -39,7 +39,7 @@ ocil_clause: 'there is no output' ocil: |- To verify that auditing is configured for system administrator actions, run the following command: - Configure the SUSE operating system to generate an audit record for any all modifications to the "faillog" file occur. + Configure the operating system to generate an audit record for any all modifications to the "faillog" file occur. Add or update the following rules in the "/etc/audit/audit.rules" file: -w /var/log/faillog -p wa -k logins The audit daemon must be restarted for the changes to take effect. From 9122c246c124e26e1e059455ff66b9efa6601eeb Mon Sep 17 00:00:00 2001 
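Review bot: The rewritten faillog line still reads `Configure the operating system to generate an audit record for any all modifications to the "faillog" file occur.`, which is ungrammatical, and it sits directly under an ocil lead-in that says `run the following command:` although what follows is a remediation step rather than a verification. While the line is being touched, change it to `Configure the operating system to generate an audit record for all modifications to the "faillog" file.` and consider moving the configuration text out of the `ocil` block, which should tell the assessor how to verify (for example by listing the loaded rules with auditctl). The `ocil` block starts before this hunk, so a verification command may already exist on lines not shown here.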
From: Gabriel Becker Date: Thu, 5 Aug 2021 14:39:13 +0200 Subject: [PATCH 20/21] Enable check_root_user for RHEL9 in audit rules dac. --- .../audit_rules_dac_modification_fremovexattr/rule.yml | 9 +++++---- .../audit_rules_dac_modification_fsetxattr/rule.yml | 9 +++++---- .../audit_rules_dac_modification_lremovexattr/rule.yml | 1 + .../audit_rules_dac_modification_lsetxattr/rule.yml | 9 +++++---- .../audit_rules_dac_modification_removexattr/rule.yml | 9 +++++---- .../audit_rules_dac_modification_setxattr/rule.yml | 9 +++++---- 6 files changed, 26 insertions(+), 20 deletions(-) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml index d46968da8f..5bd1b25eaf 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml @@ -11,13 +11,13 @@ description: |- startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
{{%- endif %}}

If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
{{%- endif %}}

@@ -25,13 +25,13 @@ description: |- utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
{{%- endif %}}

If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
{{%- endif %}} @@ -92,3 +92,4 @@ template: vars: attr: fremovexattr check_root_user@rhel8: "true" + check_root_user@rhel9: "true" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml index 564daccaed..410dd8a5ef 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml @@ -9,24 +9,24 @@ description: |- startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
{{%- endif %}} If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
{{%- endif %}} If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
{{%- endif %}} If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
{{%- endif %}} @@ -87,3 +87,4 @@ template: vars: attr: fsetxattr check_root_user@rhel8: "true" + check_root_user@rhel9: "true" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml index 2ae0f11c58..947c768efd 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml @@ -92,3 +92,4 @@ template: vars: attr: lremovexattr check_root_user@rhel8: "true" + check_root_user@rhel9: "true" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml index 945ad560d7..ed1fd3715d 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml @@ -9,24 +9,24 @@ description: |- startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
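Review bot: Per the diffstat, the lremovexattr rule receives only the `check_root_user@rhel9: "true"` template variable, whereas its five siblings (fremovexattr, fsetxattr, lsetxattr, removexattr, setxattr) also gain the `{{%- if product in ["rhel8", "rhel9"] %}}` description lines showing the root-user rule; unless lremovexattr's description already renders that rule for rhel8/rhel9 (not visible here), the generated check will require a rule the guidance text never tells the administrator to add. Add the same conditional block after each of the four `-a always,exit -F arch=b32/b64 -S lremovexattr ...` lines in the description, e.g. `-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod`. The description block of that file lies outside this hunk.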
-a always,exit -F arch=b32 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
{{%- endif %}} If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
{{%- endif %}} If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
{{%- endif %}} If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
{{%- endif %}} @@ -85,3 +85,4 @@ template: vars: attr: lsetxattr check_root_user@rhel8: "true" + check_root_user@rhel9: "true" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml index e6d7374b7f..61e69432d1 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml @@ -10,13 +10,13 @@ description: |- program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
{{%- endif %}}

If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
{{%- endif %}}

@@ -24,13 +24,13 @@ description: |- utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
{{%- endif %}}

If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
{{%- endif %}} @@ -91,3 +91,4 @@ template: vars: attr: removexattr check_root_user@rhel8: "true" + check_root_user@rhel9: "true" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml index ab15167508..12489a74a0 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml @@ -9,24 +9,24 @@ description: |- startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
{{%- endif %}} If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
{{%- endif %}} If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
{{%- endif %}} If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
{{%- endif %}} @@ -87,3 +87,4 @@ template: vars: attr: setxattr check_root_user@rhel8: "true" + check_root_user@rhel9: "true" From 88e9061888f7fb5824e7e2c52e83edad6b432615 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Thu, 5 Aug 2021 15:53:17 +0200 Subject: [PATCH 21/21] Fix check and remediations of auditd_overflow_action. The check was generating a new input to the auditd.conf file and without spaces between the separator (equal sign). This caused auditd failing to start since it's mandatory to have a space between the separator. It also introduces case insensitivity for the check since the paramaters and values are case insensitive. --- .../auditd_overflow_action/ansible/shared.yml | 6 +++--- .../auditd_overflow_action/bash/shared.sh | 5 +++-- .../auditd_overflow_action/oval/shared.xml | 6 +++--- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml index 4f88ed361d..166054a95a 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml @@ -3,6 +3,6 @@ {{{ ansible_set_config_file(file="/etc/audit/auditd.conf", parameter="overflow_action", value="syslog", - separator="=", - separator_regex="=", - prefix_regex="^\s*") }}} + separator=" = ", + separator_regex="\s*=\s*", + prefix_regex="(?i)^\s*") }}} diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh index 539b9b6582..b397c811d1 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh 
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh @@ -7,6 +7,7 @@ {{{set_config_file(path="/etc/audit/auditd.conf", parameter="overflow_action", value="syslog", - separator="=", - separator_regex="=", + insensitive=true, + separator=" = ", + separator_regex="\s*=\s*", prefix_regex="^\s*")}}} diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml index fd45280e4e..880d01bf72 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml @@ -1,6 +1,6 @@ {{{ oval_check_config_file( path="/etc/audit/auditd.conf", - prefix_regex="^(?:.*\\n)*\s*", + prefix_regex="^[ \\t]*(?i)", parameter="overflow_action", - value="syslog|single|halt", - separator_regex="\s*=\s*") }}} + value="(?i)(syslog|single|halt)(?-i)", + separator_regex="(?-i)[ \\t]*=[ \\t]*") }}}
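Review bot: Case-insensitivity in the OVAL hunk is switched on and off three times — `(?i)` at the end of `prefix_regex`, `(?-i)` at the start of `separator_regex`, and `(?i)…(?-i)` around the value — while the ansible remediation in the same commit simply prefixes the whole pattern with `(?i)`. Neither the `^[ \\t]*` prefix nor the separator contains a letter, so the toggles add nothing except dependence on how the macro groups the pieces (an inline flag is scoped to the enclosing group); `prefix_regex="(?i)^[ \\t]*"`, `value="(syslog|single|halt)"` and `separator_regex="[ \\t]*=[ \\t]*"` express the same match and read like the ansible side. Dropping the old `(?:.*\\n)*` prefix assumes `oval_check_config_file` matches with a line-anchored `^`; that is worth confirming against the macro rather than here. The bash remediation meanwhile uses `insensitive=true` with a plain `^\s*` prefix — a third spelling of the same intent across the three remediations.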