From 54a0e7e0c0d00eacf21f68492517db8968d4e0b2 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 4 Aug 2021 15:01:45 +0200 Subject: [PATCH 01/31] Change fix_audit_syscall_rule to group syscalls The function actually separated the syscalls into individual lines. * Improve and extend rule skeleton matching with more explicit rule options for action, arch, auid and other filters. * Make explicit the syscalls that can be grouped through the 'syscall_groupings' parameter. * Make they key to use more explicit, instead of implicit through 'group'. --- .../fix_audit_syscall_rule.sh | 218 ++++++++---------- .../bash.template | 26 ++- .../audit_rules_dac_modification/template.py | 4 + .../bash.template | 13 +- .../template.py | 14 ++ .../audit_rules_path_syscall/bash.template | 13 +- .../audit_rules_path_syscall/template.py | 4 + .../bash.template | 17 +- .../template.py | 4 + .../bash.template | 25 +- .../template.py | 14 ++ 11 files changed, 195 insertions(+), 157 deletions(-) create mode 100644 shared/templates/audit_rules_file_deletion_events/template.py create mode 100644 shared/templates/audit_rules_unsuccessful_file_modification/template.py diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh index 4e16af2fb71..6bf5ac15436 100644 --- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh +++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh 
@@ -10,40 +10,48 @@ # # for further details. # -# Expects five arguments (each of them is required) in the form of: +# Expects seven arguments (each of them is required) in the form of: # * audit tool tool used to load audit rules, # either 'auditctl', or 'augenrules -# * audit rules' pattern audit rule skeleton for same syscall -# * syscall group greatest common string this rule shares -# with other rules from the same group -# * architecture architecture this rule is intended for -# * full form of new rule to add expected full form of audit rule as to be -# added into audit.rules file +# * action_arch_filters The action and arch filters of the rule +# For example, "-a always,exit -F arch=b64" +# * other_filters Other filters that may characterize the rule: +# For example, "-F a2&03 -F path=/etc/passwd" +# * auid_filters The auid filters of the rule +# For example, "-F auid>=1000 -F auid!=unset" +# * syscall The syscall to ensure presense among audit rules +# For example, "chown" +# * syscall_groupings Other syscalls that can be grouped with 'syscall' +# as a space separated list. +# For example, "fchown lchown fchownat" +# * key The key to use when appending a new rule # -# Note: The 2-th up to 4-th arguments are used to determine how many existing +# Notes: +# - The 2-nd up to 4-th arguments are used to determine how many existing # audit rules will be inspected for resemblance with the new audit rule -# (5-th argument) the function is going to add. The rule's similarity check -# is performed to optimize audit.rules definition (merge syscalls of the same -# group into one rule) to avoid the "single-syscall-per-audit-rule" performance -# penalty. -# -# Example call: -# -# See e.g. 'audit_rules_file_deletion_events.sh' remediation script -# +# the function is going to add. 
+# - The function's similarity check uses the 5-th argument to optimize audit +# rules definitions (merge syscalls of the same group into one rule) to avoid +# the "single-syscall-per-audit-rule" performance penalty. +# - The key argument (7-th argument) is not used when the syscall is grouped to an +# existing audit rule. The audit rule will retain the key it already had. + function fix_audit_syscall_rule { # Load function arguments into local variables local tool="$1" -local pattern="$2" -local group="$3" -local arch="$4" -local full_rule="$5" +local action_arch_filters="$2" +local other_filters="$3" +local auid_filters="$4" +local syscall="$5" +local syscall_grouping +read -a syscall_grouping <<< "$6" +local key="$7" # Check sanity of the input -if [ $# -ne "5" ] +if [ $# -ne "7" ] then - echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'" + echo "Usage: fix_audit_syscall_rule 'tool' 'action_arch_filters' 'other_filters' 'auid_filters' 'syscall' 'syscall_grouping' 'key'" echo "Aborting." exit 1 fi 
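Review bot: The sanity check `if [ $# -ne "7" ]` does not reject an empty `syscall`, yet the function later emits `-S $syscall` unconditionally when it appends a new rule, so a caller passing an empty fifth argument (the privileged_commands template in this same patch passes `{{{ ATTR }}}`, which that template does not appear to define) ends up with a rule containing a bare `-S`. I would make the guard `if [ $# -ne "7" ] || [ -z "$syscall" ]`, and change `read -a syscall_grouping <<< "$6"` to `read -r -a syscall_grouping <<< "$6"` so backslashes in the grouping list are not interpreted. The header comment says every argument is required, but `other_filters` is passed empty by the dac_modification and file_deletion templates in this patch; a line such as `# other_filters may be empty` next to its description would make that explicit. The body of fix_audit_syscall_rule continues past the end of this hunk.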
@@ -74,16 +82,17 @@ then # file to the list of files to be inspected elif [ "$tool" == 'auditctl' ] then + default_file="/etc/audit/audit.rules" files_to_inspect+=('/etc/audit/audit.rules' ) # If audit tool is 'augenrules', then check if the audit rule is defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection elif [ "$tool" == 'augenrules' ] then - # Extract audit $key from audit rule so we can use it later matches=() - key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)') - readarray -t matches < <(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules) + default_file="/etc/audit/rules.d/${key}.rules" + # As other_filters may include paths, lets use a different delimiter for it + readarray -t matches < <(sed -s -n -e "/${action_arch_filters}/!d" -e "\#${other_filters}#!d" -e "/${auid_filters}/!d" /etc/audit/rules.d/*.rules) if [ $? -ne 0 ] then retval=1 
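Review bot: When `other_filters` is empty, the expression `-e "\#${other_filters}#!d"` on the `readarray -t matches` line collapses to `\##!d`, an empty regex, which sed treats as "repeat the last regex used" (here `action_arch_filters`) if I read the sed semantics correctly; the filter then passes by accident rather than by design. I would add that expression only when the filter is non-empty, e.g. `sed_exprs=(-e "/${action_arch_filters}/!d" -e "/${auid_filters}/!d")`, `[ -n "$other_filters" ] && sed_exprs+=(-e "\#${other_filters}#!d")`, `readarray -t matches < <(sed -s -n "${sed_exprs[@]}" /etc/audit/rules.d/*.rules)`. The same pattern recurs in the `similar_rules` filter and the `extra_fields` substitution (`s###`) in the next hunk. Note also that `$?` on the following line reports readarray's status, not sed's, so a sed failure inside the process substitution is never caught. The enclosing if/elif chain starts before this hunk.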
@@ -106,115 +115,88 @@ then fi # -# Indicator that we want to append $full_rule into $audit_file by default +# Indicator that we want to append $full_rule into $audit_file or edit a rule in it local append_expected_rule=0 for audit_file in "${files_to_inspect[@]}" do - # Filter existing $audit_file rules' definitions to select those that: - # * follow the rule pattern, and - # * meet the hardware architecture requirement, and - # * are current syscall group specific - readarray -t existing_rules < <(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file") + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/${action_arch_filters}/!d" -e "\#${other_filters}#!d" -e "/${auid_filters}/!d" "$audit_file") if [ $? -ne 0 ] then retval=1 fi - # Process rules found case-by-case - for rule in "${existing_rules[@]}" + local candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/${action_arch_filters}//" -e "s#${other_filters}##" -e "s/${auid_filters}//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" + if [ $? -ne 0 ] + then + candidate_rules+=("$s_rule") + fi + done + + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" do - # Found rule is for same arch & key, but differs (e.g. 
in count of -S arguments) - if [ "${rule}" != "${full_rule}" ] + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" + if [ $? -eq 0 ] then - # If so, isolate just '(-S \w)+' substring of that rule - rule_syscalls=$(echo "$rule" | grep -o -P '(-S \w+ )+') - # Check if list of '-S syscall' arguments of that rule is subset - # of '-S syscall' list of expected $full_rule - if grep -q -- "$rule_syscalls" <<< "$full_rule" + # We found a rule with the syscall we want + return $retval + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" then - # Rule is covered (i.e. the list of -S syscalls for this rule is - # subset of -S syscalls of $full_rule => existing rule can be deleted - # Thus delete the rule from audit.rules & our array - sed -i -e "\;${rule};d" "$audit_file" - if [ $? -ne 0 ] - then - retval=1 - fi - existing_rules=("${existing_rules[@]//$rule/}") - else - # Rule isn't covered by $full_rule - it besides -S syscall arguments - # for this group contains also -S syscall arguments for other syscall - # group. Example: '-S lchown -S fchmod -S fchownat' => group='chown' - # since 'lchown' & 'fchownat' share 'chown' substring - # Therefore: - # * 1) delete the original rule from audit.rules - # (original '-S lchown -S fchmod -S fchownat' rule would be deleted) - # * 2) delete the -S syscall arguments for this syscall group, but - # keep those not belonging to this syscall group - # (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod' - # * 3) append the modified (filtered) rule again into audit.rules - # if the same rule not already present - # - # 1) Delete the original rule - sed -i -e "\;${rule};d" "$audit_file" - if [ $? 
-ne 0 ] - then - retval=1 - fi - - # 2) Delete syscalls for this group, but keep those from other groups - # Convert current rule syscall's string into array splitting by '-S' delimiter - IFS_BKP="$IFS" - IFS=$'-S' - read -a rule_syscalls_as_array <<< "$rule_syscalls" - # Reset IFS back to default - IFS="$IFS_BKP" - # Splitting by "-S" can't be replaced by the readarray functionality easily - - # Declare new empty string to hold '-S syscall' arguments from other groups - new_syscalls_for_rule='' - # Walk through existing '-S syscall' arguments - for syscall_arg in "${rule_syscalls_as_array[@]}" - do - # Skip empty $syscall_arg values - if [ "$syscall_arg" == '' ] - then - continue - fi - # If the '-S syscall' doesn't belong to current group add it to the new list - # (together with adding '-S' delimiter back for each of such item found) - if grep -q -v -- "$group" <<< "$syscall_arg" - then - new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg" - fi - done - # Replace original '-S syscall' list with the new one for this rule - updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule} - # Squeeze repeated whitespace characters in rule definition (if any) into one - updated_rule=$(echo "$updated_rule" | tr -s '[:space:]') - # 3) Append the modified / filtered rule again into audit.rules - # (but only in case it's not present yet to prevent duplicate definitions) - if ! 
grep -q -- "$updated_rule" "$audit_file" - then - echo "$updated_rule" >> "$audit_file" - fi + local file_to_edit=${audit_file} + local rule_to_edit=${rule} + local rule_syscalls_to_edit=${rule_syscalls} fi - else - # $audit_file already contains the expected rule form for this - # architecture & key => don't insert it second time - append_expected_rule=1 - fi + done done +done + + +# We checked all rules that matched the expected resemblance patter (action, arch & auid) +# At this point we know if we need to either append the $full_rule or group +# the syscall together with an exsiting rule - # We deleted all rules that were subset of the expected one for this arch & key. - # Also isolated rules containing system calls not from this system calls group. - # Now append the expected rule if it's not present in $audit_file yet - if [[ ${append_expected_rule} -eq "0" ]] +# Append the full_rule if it cannot be grouped to any other rule +if [ -z ${rule_to_edit+x} ] +then + # Build full_rule while avoid adding double spaces when other_filters is empty + local full_rule="$action_arch_filters -S $syscall $([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key" + echo "$full_rule" >> "$default_file" +else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" then - echo "$full_rule" >> "$audit_file" + new_grouped_syscalls="${rule_syscalls_to_edit},${syscall}" + else + new_grouped_syscalls="${rule_syscalls_to_edit} -S ${syscall}" fi -done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + if [ $? -ne 0 ] + then + retval=1 + fi +fi return $retval diff --git a/shared/templates/audit_rules_dac_modification/bash.template b/shared/templates/audit_rules_dac_modification/bash.template index d64d264635c..b2de8d355e1 100644 
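Review bot: The grouping edit at the end of the hunk, `sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"`, cannot fail visibly: sed exits 0 when the `s` command matches nothing, so `retval` stays 0 even though the syscall was not grouped. That can happen because `rule_syscalls_to_edit` was normalised by `xargs` to single spaces while the on-disk rule may have any whitespace between its `-S` arguments. I would verify the outcome after the edit, e.g. `grep -q -- "$new_grouped_syscalls" "$file_to_edit" || retval=1`. In the `extra_fields` line, `(:?-S [[:alnum:],]+)+` looks like an intended non-capturing group `(?:`, which ERE does not support; `:?` only makes a colon optional, so `-e "s/(-S [[:alnum:],]+)+//g"` says what was meant. The `for audit_file` loop and the function itself start before this hunk.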
--- a/shared/templates/audit_rules_dac_modification/bash.template +++ b/shared/templates/audit_rules_dac_modification/bash.template 
@@ -9,25 +9,31 @@ for ARCH in "${RULE_ARCHS[@]}" do - PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>=.*" - GROUP="perm_mod" - FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod" + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" + SYSCALL="{{{ ATTR }}}" + KEY="perm_mod" + SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" - fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" done {{% if CHECK_ROOT_USER %}} for ARCH in "${RULE_ARCHS[@]}" do - PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0.*" - GROUP="perm_mod" - FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0 -F key=perm_mod" + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + AUID_FILTERS="-F auid=0" + SYSCALL="{{{ ATTR }}}" + KEY="perm_mod" + SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" - fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" done {{% endif %}} 
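Review bot: `SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"` assumes every rule rendered through this template defines `syscall_grouping`, but in this series only the chmod, chown and xattr rules set it; for the others the rendered value depends on how the template engine treats an undefined variable (empty string or a render error — I cannot tell from here). The template.py hunk only joins the list when the key is present, so a safe default would be `data["syscall_grouping"] = " ".join(data.get("syscall_grouping", []))` in the bash branch in place of the `if "syscall_grouping" in data` guard. The same applies to the file_deletion, path_syscall, privileged_commands and unsuccessful_file_modification bash.template hunks in this patch.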
diff --git a/shared/templates/audit_rules_dac_modification/template.py b/shared/templates/audit_rules_dac_modification/template.py index e12e9c27e56..7dc53e81f7d 100644 --- a/shared/templates/audit_rules_dac_modification/template.py +++ b/shared/templates/audit_rules_dac_modification/template.py @@ -3,5 +3,9 @@ def preprocess(data, lang): data["check_root_user"] = parse_template_boolean_value(data, parameter="check_root_user", default_value=False) + if lang == "bash": + if "syscall_grouping" in data: + # Make it easier to tranform the syscall_grouping into a Bash array + data["syscall_grouping"] = " ".join(data["syscall_grouping"]) return data diff --git a/shared/templates/audit_rules_file_deletion_events/bash.template b/shared/templates/audit_rules_file_deletion_events/bash.template index 851b0fd43e3..b5b4c46a7cd 100644 --- a/shared/templates/audit_rules_file_deletion_events/bash.template +++ b/shared/templates/audit_rules_file_deletion_events/bash.template @@ -9,10 +9,13 @@ for ARCH in "${RULE_ARCHS[@]}" do - PATTERN="-a always,exit -F arch=$ARCH -S {{{ NAME }}}.*" - GROUP="delete" - FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F auid>={{{ auid }}} -F auid!=unset -F key=delete" + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" + SYSCALL="{{{ NAME }}}" + KEY="delete" + SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" - fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" done 
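Review bot: The bash branch added to `preprocess` here is repeated verbatim in the path_syscall, privileged_commands, file_deletion and unsuccessful_file_modification template.py hunks of this patch; a single helper in ssg.utils (which the two new files already import but never use) would keep the five copies from drifting. The comment `# Make it easier to tranform the syscall_grouping into a Bash array` has a typo (`transform`) and could state what the line does: `# Join the list into a space-separated string so the Bash template can read it into an array`. The two new template.py files also end with an added empty line, which flake8 reports as W391.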
diff --git a/shared/templates/audit_rules_file_deletion_events/template.py b/shared/templates/audit_rules_file_deletion_events/template.py new file mode 100644 index 00000000000..7be137c1eb9 --- /dev/null +++ b/shared/templates/audit_rules_file_deletion_events/template.py @@ -0,0 +1,14 @@ +import ssg.utils + + +def _audit_rules_file_deletion_events(data, lang): + if lang == "bash": + if "syscall_grouping" in data: + # Make it easier to tranform the syscall_grouping into a Bash array + data["syscall_grouping"] = " ".join(data["syscall_grouping"]) + return data + + +def preprocess(data, lang): + return _audit_rules_file_deletion_events(data, lang) + diff --git a/shared/templates/audit_rules_path_syscall/bash.template b/shared/templates/audit_rules_path_syscall/bash.template index 656d168ddd2..676f6c37deb 100644 --- a/shared/templates/audit_rules_path_syscall/bash.template +++ b/shared/templates/audit_rules_path_syscall/bash.template 
@@ -9,10 +9,13 @@ for ARCH in "${RULE_ARCHS[@]}" do - PATTERN="-a always,exit -F arch=$ARCH -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}}.*" - GROUP="modify" - FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify" + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="-F {{{ POS }}}&03 -F path={{{ PATH }}}" + AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" + SYSCALL="{{{ SYSCALL }}}" + KEY="user-modify" + SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" - fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" done diff --git a/shared/templates/audit_rules_path_syscall/template.py b/shared/templates/audit_rules_path_syscall/template.py index beb25a6e69d..7e0877a02b9 100644 --- a/shared/templates/audit_rules_path_syscall/template.py +++ b/shared/templates/audit_rules_path_syscall/template.py @@ -7,4 +7,8 @@ def preprocess(data, lang): # remove root slash made into '_' pathid = pathid[1:] data["pathid"] = pathid + elif lang == "bash": + if "syscall_grouping" in data: + # Make it easier to tranform the syscall_grouping into a Bash array + data["syscall_grouping"] = " ".join(data["syscall_grouping"]) return data diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template index d03a92061cb..bd9d4d12484 100644 --- a/shared/templates/audit_rules_privileged_commands/bash.template 
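Review bot: `KEY="user-modify"` replaces the `-F key=modify` that the removed `FULL_RULE` line carried, which changes the key written by newly appended rules; the commit message describes a refactoring and does not mention a key rename. Rules already on disk keep their old key (the function retains it when grouping), so a system could end up with both `modify` and `user-modify` rules for the same syscalls, and any check that looks for a specific key would need to follow. If the rename is intended it should be called out in the commit message; otherwise `KEY="modify"` preserves the previous behaviour.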
+++ b/shared/templates/audit_rules_privileged_commands/bash.template @@ -1,16 +1,17 @@ {{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} - {{%- set perm_x="-F perm=x " %}} + {{%- set perm_x=" -F perm=x " %}} {{%- endif %}} # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # Include source function library. . /usr/share/scap-security-guide/remediation_functions -PATTERN="-a always,exit -F path={{{ PATH }}}\\s\\+.*" -GROUP="privileged" -# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation -ARCH="" -FULL_RULE="-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged" +ACTION_ARCH_FILTERS="-a always,exit" +OTHER_FILTERS="-F path={{{ PATH }}}{{{ perm_x }}}" +AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" +SYSCALL="{{{ ATTR }}}" +KEY="privileged" +SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' -fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" -fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" +fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" diff --git a/shared/templates/audit_rules_privileged_commands/template.py b/shared/templates/audit_rules_privileged_commands/template.py index 444b2aab083..43302a6690a 100644 --- a/shared/templates/audit_rules_privileged_commands/template.py +++ b/shared/templates/audit_rules_privileged_commands/template.py 
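Review bot: `SYSCALL="{{{ ATTR }}}"` hands a syscall to a function that now unconditionally assembles `... -S $syscall ...` when it appends, but a privileged-command rule is a path watch with no `-S` at all (the removed `FULL_RULE` had none), and nothing in this template appears to define ATTR; unless it is defined elsewhere the rendered SYSCALL is empty and the appended line carries a bare `-S`, which auditctl would presumably reject. Either the function should omit the option when `syscall` is empty (`${syscall:+-S $syscall}` in the `full_rule` assembly) or this template should not be routed through syscall grouping at all. Separately, `perm_x` now starts and ends with a space and `OTHER_FILTERS` concatenates it directly after the path, so the assembled rule contains a doubled space before `-F auid`; `{{%- set perm_x=" -F perm=x" %}}` avoids that.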
@@ -15,4 +15,8 @@ def preprocess(data, lang): if npath[0] == '_': npath = npath[1:] data["normalized_path"] = npath + elif lang == "bash": + if "syscall_grouping" in data: + # Make it easier to tranform the syscall_grouping into a Bash array + data["syscall_grouping"] = " ".join(data["syscall_grouping"]) return data diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template index daf146f7eb5..4adaa86fd58 100644 --- a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template +++ b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template 
@@ -7,22 +7,25 @@ # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") +AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" +SYSCALL="{{{ NAME }}}" +KEY="access" +SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}" + for ARCH in "${RULE_ARCHS[@]}" do - PATTERN="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F exit=-EACCES.*" - GROUP="access" - FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=access" + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="-F exit=-EACCES" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" - fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" done for ARCH in "${RULE_ARCHS[@]}" do - PATTERN="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F exit=-EPERM.*" - GROUP="access" - FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=access" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" - fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="-F exit=-EPERM" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" 
"$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" done diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/template.py b/shared/templates/audit_rules_unsuccessful_file_modification/template.py new file mode 100644 index 00000000000..a4e58609f66 --- /dev/null +++ b/shared/templates/audit_rules_unsuccessful_file_modification/template.py @@ -0,0 +1,14 @@ +import ssg.utils + + +def _audit_rules_unsuccessful_file_modification(data, lang): + if lang == "bash": + if "syscall_grouping" in data: + # Make it easier to tranform the syscall_grouping into a Bash array + data["syscall_grouping"] = " ".join(data["syscall_grouping"]) + return data + + +def preprocess(data, lang): + return _audit_rules_unsuccessful_file_modification(data, lang) + From 4c682eadba5ec03ed1204ba9d1b190634bd855d8 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 4 Aug 2021 15:32:18 +0200 Subject: [PATCH 02/31] Set syscall grouping for chmod rules --- .../audit_rules_dac_modification_chmod/rule.yml | 4 ++++ .../audit_rules_dac_modification_fchmod/rule.yml | 4 ++++ .../audit_rules_dac_modification_fchmodat/rule.yml | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml index bc3e47523f5..07d37b18aa3 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml @@ -76,3 +76,7 @@ template: name: audit_rules_dac_modification vars: attr: chmod + syscall_grouping: + - chmod + - fchmod + - fchmodat 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml index ed4d88cb0c6..6c3cc5592ac 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml @@ -74,3 +74,7 @@ template: name: audit_rules_dac_modification vars: attr: fchmod + syscall_grouping: + - chmod + - fchmod + - fchmodat diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml index 2db3878939a..3e51d482a9c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml @@ -74,3 +74,7 @@ template: name: audit_rules_dac_modification vars: attr: fchmodat + syscall_grouping: + - chmod + - fchmod + - fchmodat From eaaaa86b8a07082cdc92d967af09e0908ef22905 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 4 Aug 2021 15:32:52 +0200 Subject: [PATCH 03/31] Set syscall grouping for chown rules --- .../audit_rules_dac_modification_chown/rule.yml | 5 +++++ .../audit_rules_dac_modification_fchown/rule.yml | 5 +++++ .../audit_rules_dac_modification_fchownat/rule.yml | 5 +++++ .../audit_rules_dac_modification_lchown/rule.yml | 5 +++++ 4 files changed, 20 insertions(+) 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml index 6b3236cf953..e2d9944a3bb 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml @@ -74,3 +74,8 @@ template: name: audit_rules_dac_modification vars: attr: chown + syscall_grouping: + - chown + - fchown + - fchownat + - lchown diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml index 37dfb89ef29..d89875fcaab 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml @@ -77,3 +77,8 @@ template: name: audit_rules_dac_modification vars: attr: fchown + syscall_grouping: + - chown + - fchown + - fchownat + - lchown diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml index f75ac769d8d..e6caaeb5c9f 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml 
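Review bot: The `syscall_grouping` list under `attr: chown` includes `chown` itself, although the function's header documents the parameter as the *other* syscalls that may be grouped; it is harmless because the presence check runs before the grouping loop, but the two should agree, either by dropping the self entry or by wording the parameter description as "syscalls that may share a rule, including 'syscall' itself". The same list is also copied verbatim into the fchown, fchownat and lchown rules here and, in the same shape, into the chmod rules of patch 02 and the xattr rules of patch 04; if one copy drifts, grouping becomes one-directional (rule A merges into B's line but B no longer recognises A's). Deriving the list once per group, for example as a template default keyed on `attr`, would remove that risk.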
@@ -74,3 +74,8 @@ template: name: audit_rules_dac_modification vars: attr: fchownat + syscall_grouping: + - chown + - fchown + - fchownat + - lchown diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml index edc053bfb30..190509c0c8d 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml @@ -74,3 +74,8 @@ template: name: audit_rules_dac_modification vars: attr: lchown + syscall_grouping: + - chown + - fchown + - fchownat + - lchown From b1d747cb65e6e869be2b3c99d295cb6f75c98b61 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 4 Aug 2021 15:33:21 +0200 Subject: [PATCH 04/31] Set syscall groupings for set/remove xattr rules --- .../audit_rules_dac_modification_fremovexattr/rule.yml | 7 +++++++ .../audit_rules_dac_modification_fsetxattr/rule.yml | 7 +++++++ .../audit_rules_dac_modification_lremovexattr/rule.yml | 7 +++++++ .../audit_rules_dac_modification_lsetxattr/rule.yml | 7 +++++++ .../audit_rules_dac_modification_removexattr/rule.yml | 7 +++++++ .../audit_rules_dac_modification_setxattr/rule.yml | 7 +++++++ 6 files changed, 42 insertions(+) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml index 5bd1b25eafb..b9ad3c7942e 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml @@ -93,3 +93,10 @@ template: attr: fremovexattr check_root_user@rhel8: "true" check_root_user@rhel9: "true" + syscall_grouping: + - fremovexattr + - lremovexattr + - removexattr + - fsetxattr + - lsetxattr + - setxattr diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml index 410dd8a5efa..cedf05f9765 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml @@ -88,3 +88,10 @@ template: attr: fsetxattr check_root_user@rhel8: "true" check_root_user@rhel9: "true" + syscall_grouping: + - fremovexattr + - lremovexattr + - removexattr + - fsetxattr + - lsetxattr + - setxattr diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml index 947c768efd8..ffdacdf09e7 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml @@ -93,3 +93,10 @@ template: attr: lremovexattr check_root_user@rhel8: "true" check_root_user@rhel9: "true" + syscall_grouping: + - fremovexattr + - lremovexattr + - removexattr + - fsetxattr + - lsetxattr + - setxattr 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml index ed1fd3715d2..3662262f674 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml @@ -86,3 +86,10 @@ template: attr: lsetxattr check_root_user@rhel8: "true" check_root_user@rhel9: "true" + syscall_grouping: + - fremovexattr + - lremovexattr + - removexattr + - fsetxattr + - lsetxattr + - setxattr diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml index 61e69432d1a..ac9d3492aad 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml @@ -92,3 +92,10 @@ template: attr: removexattr check_root_user@rhel8: "true" check_root_user@rhel9: "true" + syscall_grouping: + - fremovexattr + - lremovexattr + - removexattr + - fsetxattr + - lsetxattr + - setxattr diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml index 12489a74a01..b661a1f99ae 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml @@ -88,3 +88,10 @@ template: attr: setxattr check_root_user@rhel8: "true" check_root_user@rhel9: "true" + syscall_grouping: + - fremovexattr + - lremovexattr + - removexattr + - fsetxattr + - lsetxattr + - setxattr From 46a087995ffe3d49644d8e8adcbc9b1747947339 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 4 Aug 2021 15:34:08 +0200 Subject: [PATCH 05/31] Set syscall groupings for remove and delete rules --- .../audit_rules_file_deletion_events_rename/rule.yml | 6 ++++++ .../audit_rules_file_deletion_events_renameat/rule.yml | 6 ++++++ .../audit_rules_file_deletion_events_rmdir/rule.yml | 6 ++++++ .../audit_rules_file_deletion_events_unlink/rule.yml | 6 ++++++ .../audit_rules_file_deletion_events_unlinkat/rule.yml | 6 ++++++ 5 files changed, 30 insertions(+) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml index 9dd83f6dbae..d6dcb8694ad 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml @@ -59,3 +59,9 @@ template: name: audit_rules_file_deletion_events vars: name: rename + syscall_grouping: + - unlink + - unlinkat + - rename + - renameat + - rmdir diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml index cd9aa9f5e61..5f583992c48 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml @@ -59,3 +59,9 @@ template: name: audit_rules_file_deletion_events vars: name: renameat + syscall_grouping: + - unlink + - unlinkat + - rename + - renameat + - rmdir diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml index 6e0bb755b0d..5368c9dad58 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml @@ -57,3 +57,9 @@ template: name: audit_rules_file_deletion_events vars: name: rmdir + syscall_grouping: + - unlink + - unlinkat + - rename + - renameat + - rmdir diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml index be4e328b7c8..ecdca27b14d 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml @@ -59,3 +59,9 @@ template: name: audit_rules_file_deletion_events vars: name: unlink + syscall_grouping: + - unlink + - unlinkat + - rename + - renameat + - rmdir 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml index eaf8f1e08bd..158d24dc708 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml @@ -59,3 +59,9 @@ template: name: audit_rules_file_deletion_events vars: name: unlinkat + syscall_grouping: + - unlink + - unlinkat + - rename + - renameat + - rmdir From 121afe11a8c050b7c07c8a2595da898dc8f7a1b6 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 4 Aug 2021 15:34:44 +0200 Subject: [PATCH 06/31] Set syscall grouping for create, open and truncate rules --- .../rule.yml | 7 +++++++ .../rule.yml | 7 +++++++ .../rule.yml | 7 +++++++ .../rule.yml | 7 +++++++ .../rule.yml | 7 +++++++ .../rule.yml | 7 +++++++ 6 files changed, 42 insertions(+) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml index 08cc99133a4..5c751cb230e 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml @@ -79,3 +79,10 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: creat + syscall_grouping: + - creat + - ftruncate + - truncate + - open + - openat + - open_by_handle_at 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml index e9b688b9b4e..76bcea154bf 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml @@ -82,3 +82,10 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: ftruncate + syscall_grouping: + - creat + - ftruncate + - truncate + - open + - openat + - open_by_handle_at diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml index 6e242270074..7c6764d2a01 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml @@ -82,3 +82,10 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: open + syscall_grouping: + - creat + - ftruncate + - truncate + - open + - openat + - open_by_handle_at diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml index 2b6008fce1f..9bb5ffe3fcb 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml @@ -78,3 +78,10 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: open_by_handle_at + syscall_grouping: + - creat + - ftruncate + - truncate + - open + - openat + - open_by_handle_at diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml index 308e3da789a..c99656cc744 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml @@ -82,3 +82,10 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: openat + syscall_grouping: + - creat + - ftruncate + - truncate + - open + - openat + - open_by_handle_at diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml index 6ab8d289176..12771beb7e0 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml 
@@ -81,3 +81,10 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: truncate + syscall_grouping: + - creat + - ftruncate + - truncate + - open + - openat + - open_by_handle_at From 9dd2d39f3b5b6e0ac9f961718d8e3d7e1a02e101 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 4 Aug 2021 17:15:16 +0200 Subject: [PATCH 07/31] Print filenames in sed command The ";F" was not a typo! Hopefully this makes it more explicit the function of '-e "F"'. --- .../bash_remediation_functions/fix_audit_syscall_rule.sh | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh index 6bf5ac15436..791e64d05c1 100644 --- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh +++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh @@ -1,4 +1,3 @@ -# Function to fix syscall audit rule for given system call. It is # based on example audit syscall rule definitions as outlined in # /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit # package. It will combine multiple system calls belonging to the same 
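Review bot: The removed line `# Function to fix syscall audit rule for given system call. It is` is the opening sentence of the function's header comment, so the remaining text now starts mid-sentence with `# based on example audit syscall rule definitions as outlined in`. Nothing in the commit's stated purpose (printing filenames in the sed command) explains dropping it, so this looks accidental; restoring the line keeps the header readable. The rest of the header comment continues outside the hunk.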
@@ -89,18 +88,14 @@ then
 # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
 elif [ "$tool" == 'augenrules' ]
 then
- matches=()
 default_file="/etc/audit/rules.d/${key}.rules"
 # As other_filters may include paths, lets use a different delimiter for it
- readarray -t matches < <(sed -s -n -e "/${action_arch_filters}/!d" -e "\#${other_filters}#!d" -e "/${auid_filters}/!d" /etc/audit/rules.d/*.rules)
+ # The "F" script expression tells sed to print the filenames where the expressions matched
+ readarray -t files_to_inspect < <(sed -s -n -e "/${action_arch_filters}/!d" -e "\#${other_filters}#!d" -e "/${auid_filters}/!d" -e "F" /etc/audit/rules.d/*.rules)
 if [ $? -ne 0 ]
 then
 retval=1
 fi
- for match in "${matches[@]}"
- do
- files_to_inspect+=("${match}")
- done
 # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
 if [ ${#files_to_inspect[@]} -eq "0" ]
 then
From 56194cadf92fdfa020f650bf0152cf65270e4631 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 5 Aug 2021 00:35:47 +0200
Subject: [PATCH 08/31] Handle cases where the rule has no syscall
When syscall is not set, just don't add the -S parameter. The audit privileged commands use the fix_audit_syscall_rule despite not adding a -S syscall. Same situation happens for directory_access_var_log_audit.
---
 .../bash/shared.sh | 13 +++--
 .../fix_audit_syscall_rule.sh | 51 ++++++++++++-------
 .../bash.template | 2 +-
 3 files changed, 41 insertions(+), 25 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
index 53f2923d687..0c4e8ffdbd3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
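Review bot: `if [ $? -ne 0 ]` after the new `readarray -t files_to_inspect < <(sed …)` line tests the exit status of readarray, not of the sed running inside the process substitution, so a sed failure (an unreadable rules file, or a filter string that is not a valid regex) never reaches `retval=1` and that branch is effectively dead. If the failure is meant to be reported, capture sed's output with a plain command substitution whose status can be checked, then split it into the array. Separately, sed's `F` prints the filename once per matching line, so a file holding several matching rules is listed repeatedly in `files_to_inspect` and inspected more than once; appending `| sort -u` inside the process substitution keeps the list unique. The enclosing `elif` block continues outside the hunk.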
@@ -3,9 +3,12 @@
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
-PATTERN="-a always,exit -F path=/var/log/audit/\\s\\+.*"
-GROUP="access-audit-trail"
-FULL_RULE="-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset -F key=access-audit-trail"
+ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+OTHER_FILTERS="-F dir=/var/log/audit/ -F perm=r"
+AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
+SYSCALL=""
+KEY="access-audit-trail"
+SYSCALL_GROUPING=""
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
-fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
index 791e64d05c1..69430416da3 100644
--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
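Review bot: `ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"` adds an arch filter that the removed `FULL_RULE` for this directory watch did not carry, and nothing visible in this file assigns `ARCH` — there is no `for ARCH in "${RULE_ARCHS[@]}"` loop as in the other remediations of this series, only the two lines above the hunk and the sourced library could define it. If it is unset the rule becomes `-a always,exit -F arch= -F dir=/var/log/audit/ …`, which auditctl will most likely reject, and the sed address built from the same string would not match an existing correct rule either. Unless `ARCH` is guaranteed by the sourced library, `ACTION_ARCH_FILTERS="-a always,exit"` preserves the previous rule shape.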
@@ -140,28 +140,37 @@ do
 fi
 done
- # Check if the syscall we want is present in any of the similar existing rules
- for rule in "${candidate_rules[@]}"
- do
- rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
- grep -q -- "\b${syscall}\b" <<< "$rule_syscalls"
- if [ $? -eq 0 ]
- then
- # We found a rule with the syscall we want
- return $retval
- fi
-
- # Check if this rule can be grouped with our target syscall and keep track of it
- for syscall_g in "${syscall_grouping[@]}"
+ if [[ $syscall ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
 do
- if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls"
+ if [ $? -eq 0 ]
 then
- local file_to_edit=${audit_file}
- local rule_to_edit=${rule}
- local rule_syscalls_to_edit=${rule_syscalls}
+ # We found a rule with the syscall we want
+ return $retval
 fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ local file_to_edit=${audit_file}
+ local rule_to_edit=${rule}
+ local rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
 done
- done
+ else
+ # If there is any candidate rule, it is compliant.
+ if [[ $candidate_rules ]]
+ then
+ return $retval
+ fi
+ fi
 done
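Review bot: `if [[ $candidate_rules ]]` in the new `else` branch expands only element 0 of the array (ShellCheck SC2128), so it works only as long as the first candidate is never an empty string; `if [[ ${#candidate_rules[@]} -gt 0 ]]` states the intent and matches the `${#files_to_inspect[@]} -eq "0"` style used earlier in this function. The branch also returns as soon as any rule matches the action/arch, other and auid filters, so a rule with the same filters but a different `-F key=` counts as compliant — this mirrors the syscall branch, but deserves a comment such as `# The key is not compared: any rule with matching filters satisfies the check`. The enclosing loop (over `audit_file`, presumably) starts outside the hunk.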
@@ -173,7 +182,11 @@ done
 if [ -z ${rule_to_edit+x} ]
 then
 # Build full_rule while avoid adding double spaces when other_filters is empty
- local full_rule="$action_arch_filters -S $syscall $([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key"
+ if [[ $syscall ]]
+ then
+ local syscall_filters="-S $syscall"
+ fi
+ local full_rule="$action_arch_filters $([[ $syscall_filters ]] && echo "$syscall_filters ")$([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key"
 echo "$full_rule" >> "$default_file"
 else
 # Check if the syscalls are declared as a comma separated list or
diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
index bd9d4d12484..b5879085a45 100644
--- a/shared/templates/audit_rules_privileged_commands/bash.template
+++ b/shared/templates/audit_rules_privileged_commands/bash.template
@@ -9,7 +9,7 @@
 ACTION_ARCH_FILTERS="-a always,exit"
 OTHER_FILTERS="-F path={{{ PATH }}}{{{ perm_x }}}"
 AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
-SYSCALL="{{{ ATTR }}}"
+SYSCALL=""
 KEY="privileged"
 SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
From aa3b0ea2f194487c3f270e2f4d32768318c06ffa Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 5 Aug 2021 15:30:46 +0200
Subject: [PATCH 09/31] Enhance fix_audit_syscall_rule to handle multiple syscalls
Some rules deal with single handedly with multiple profiles. These rules expect to use the fix_audit_syscall_rule to add a rule with muliple syscalls at a time.
---
 .../bash/shared.sh | 14 +++---
 .../bash/shared.sh | 26 ++++++-----
 .../fix_audit_syscall_rule.sh | 44 ++++++++++++++-----
 3 files changed, 58 insertions(+), 26 deletions(-)
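Review bot: `local syscall_filters="-S $syscall"` is declared only inside the `if [[ $syscall ]]` branch, so when no syscall is given the `$([[ $syscall_filters ]] && …)` expansion on the `full_rule` line reads a variable that was never declared; it happens to be empty today, but under `set -u` that aborts, and a caller's exported variable of the same name would leak into the rule text. Declare it before the branch, `local syscall_filters=""`, and only assign inside. The context line `if [ -z ${rule_to_edit+x} ]` still has the unquoted expansion; `[ -z "${rule_to_edit+x}" ]` is the quoted form. The enclosing function continues outside the hunk.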
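Review bot: With `SYSCALL=""` the template still passes `SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"`, yet the no-syscall path added to fix_audit_syscall_rule in this same commit never reads `syscall_grouping` (it only checks whether a candidate rule exists), so the grouping value is dead input for privileged-command rules. Either set it to `""` as directory_access_var_log_audit/bash/shared.sh does in this commit, or mark the line with `# SYSCALL_GROUPING is ignored when SYSCALL is empty` so the next reader does not expect grouping to happen. The surrounding template lines are context only.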
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh index 02020a84773..2b5e6649680 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh @@ -9,11 +9,13 @@ for ARCH in "${RULE_ARCHS[@]}" do - PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>={{{ auid }}} -F auid!=unset -k *" - # Use escaped BRE regex to specify rule group - GROUP="\(rmdir\|unlink\|rename\)" - FULL_RULE="-a always,exit -F arch=$ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>={{{ auid }}} -F auid!=unset -k delete" + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" + SYSCALL="rmdir unlink unlinkat rename renameat" + KEY="delete" + SYSCALL_GROUPING="rmdir unlink unlinkat rename renameat" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" - fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" done 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh index cdde2eabe04..bf931e46430 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh 
@@ -11,20 +11,26 @@ for ARCH in "${RULE_ARCHS[@]}"
 do
 # First fix the -EACCES requirement
- PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -k *"
- # Use escaped BRE regex to specify rule group
- GROUP="\(creat\|open\|truncate\)"
- FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -k access"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS="-F exit=EACCES"
+ AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
+ SYSCALL="creat open openat open_by_handle_at truncate ftruncate"
+ KEY="access"
+ SYSCALL_GROUPING="creat open openat open_by_handle_at truncate ftruncate"
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
 # Then fix the -EPERM requirement
- PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -k *"
 # No need to change content of $GROUP variable - it's the same as for -EACCES case above
- FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -k access"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS="-F exit=EPERM"
+ AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
+ SYSCALL="creat open openat open_by_handle_at truncate ftruncate"
+ KEY="access"
+ SYSCALL_GROUPING="creat open openat open_by_handle_at truncate ftruncate"
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
 done
diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
index 69430416da3..c8492149ad9 100644
--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
@@ -42,7 +42,8 @@ local tool="$1"
 local action_arch_filters="$2"
 local other_filters="$3"
 local auid_filters="$4"
-local syscall="$5"
+local syscall_a
+read -a syscall_a <<< "$5"
 local syscall_grouping
 read -a syscall_grouping <<< "$6"
 local key="$7"
@@ -140,16 +141,25 @@ do
 fi
 done
- if [[ $syscall ]]
+ if [[ ${#syscall_a[@]} -ge 1 ]]
 then
 # Check if the syscall we want is present in any of the similar existing rules
 for rule in "${candidate_rules[@]}"
 do
 rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
- grep -q -- "\b${syscall}\b" <<< "$rule_syscalls"
- if [ $? -eq 0 ]
+ local all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls"
+ if [ $? -eq 1 ]
+ then
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ fi
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
 then
- # We found a rule with the syscall we want
+ # We found a rule with all the syscall(s) we want
 return $retval
 fi
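Review bot: `OTHER_FILTERS="-F exit=EACCES"` (and `-F exit=EPERM` further down) drops the leading minus that the removed `FULL_RULE` lines spelled as `-F exit=-EACCES` / `-F exit=-EPERM`; fix_audit_syscall_rule selects candidate rules with a sed address built literally from `other_filters`, so a system that already carries the negative-errno form of this rule is not recognised and a second rule in the new spelling is appended, leaving check and remediation in disagreement. Either keep `-F exit=-EACCES` or make the matching tolerate the optional `-`. The context comment `# No need to change content of $GROUP variable - it's the same as for -EACCES case above` refers to a variable this hunk removes and should be dropped. The hunk begins on the previous line of this page.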
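Review bot: `read -a syscall_a <<< "$5"` lacks `-r`, so a backslash in the argument is interpreted instead of kept (ShellCheck SC2162); syscall names do not contain one, but `read -r -a syscall_a <<< "$5"` is the safe idiom for caller-supplied text and the same applies to the context line `read -a syscall_grouping <<< "$6"`. The function body continues outside the hunk.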
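Review bot: `if [ $? -eq 1 ]` after `grep -q -- "\b${syscall}\b"` treats only status 1 as "not found"; grep exits 2 on error (an unreadable input or an invalid pattern), and that status falls through as if the syscall were present, so an error can make a non-compliant rule look compliant and skip the remediation. `if ! grep -q -- "\b${syscall}\b" <<< "$rule_syscalls"; then` covers both outcomes; the same pattern recurs in the `@@ -182,21 +192,35 @@` hunk on the next line. The loop variable `syscall` is no longer declared `local` (the `@@ -42,7 +42,8 @@` hunk above removed `local syscall="$5"`), so it now leaks into the caller's scope; `local syscall` beside `local all_syscalls_found=0` fixes that. The enclosing loop starts outside the hunk.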
@@ -182,21 +192,35 @@ done
 if [ -z ${rule_to_edit+x} ]
 then
 # Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ $syscall ]]
+ if [[ ${syscall_a} ]]
 then
- local syscall_filters="-S $syscall"
+ local syscall_filters=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_filters+="-S $syscall "
+ done
 fi
- local full_rule="$action_arch_filters $([[ $syscall_filters ]] && echo "$syscall_filters ")$([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key"
+ local full_rule="$action_arch_filters $([[ $syscall_filters ]] && echo "$syscall_filters")$([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key"
 echo "$full_rule" >> "$default_file"
 else
 # Check if the syscalls are declared as a comma separated list or
 # as multiple -S parameters
 if grep -q -- "," <<< "${rule_syscalls_to_edit}"
 then
- new_grouped_syscalls="${rule_syscalls_to_edit},${syscall}"
+ delimiter=","
 else
- new_grouped_syscalls="${rule_syscalls_to_edit} -S ${syscall}"
+ delimiter=" -S "
 fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}"
+ if [ $? -eq 1 ]
+ then
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ fi
+ done
 # Group the syscall in the rule
 sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
From 0b18f68fa86a16f659995736567ed3649bb58ef2 Mon Sep 17 00:00:00 2001
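Review bot: `if [[ ${syscall_a} ]]` tests only element 0 of the array (ShellCheck SC2128), unlike the `${#syscall_a[@]} -ge 1` form the previous hunk uses for the same question; `if [[ ${#syscall_a[@]} -ge 1 ]]` keeps the two consistent. The new `delimiter` assignments are not declared `local` and leak out of the function, as `new_grouped_syscalls` already did; a `local delimiter new_grouped_syscalls` before the `if grep -q -- ","` test contains them. `if [ $? -eq 1 ]` after `grep -q` has the exit-status-2 problem noted on the previous hunk. The enclosing `else` branch and the function continue outside the hunk.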
From: Watson Sato Date: Thu, 5 Aug 2021 18:56:13 +0200 Subject: [PATCH 10/31] Enhance fix_audit_syscall_rule to handle rules without auid Enhance the bash function to nicely handle calls without auid filters defined. And updated the remediations of rules calling fix_audit_syscall_rule to the new parameters. --- .../bash/shared.sh | 13 ++++++++----- .../bash/shared.sh | 13 ++++++++----- .../bash/shared.sh | 13 ++++++++----- .../bash/shared.sh | 13 ++++++++----- .../bash/shared.sh | 14 ++++++++------ .../fix_audit_syscall_rule.sh | 8 +++++--- 6 files changed, 45 insertions(+), 29 deletions(-) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh index a89cb10e13d..cee43a0a104 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh 
@@ -13,10 +13,13 @@
 for ARCH in "${RULE_ARCHS[@]}"
 do
- GROUP="modules"
- PATTERN="-a always,exit -F arch=$ARCH -S init_module -S delete_module -S finit_module \(-F key=\|-k \).*"
- FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -S delete_module -S finit_module -k modules"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS=""
+ SYSCALL="init_module finit_module delete_module"
+ KEY="modules"
+ SYSCALL_GROUPING="init_module finit_module delete_module"
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
 done
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/bash/shared.sh
index 7dabc28d807..7e0e101f754 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/bash/shared.sh
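Review bot: `SYSCALL_GROUPING` is not consistent across the four kernel-module remediations: this file groups all three module syscalls, `audit_rules_kernel_module_loading_delete` (next hunk) groups `delete_module` alone, and the `_init`/`_finit` hunks after it group `init_module finit_module` without `delete_module`. On the same host the per-syscall rules presumably converge on two rule lines (one for `delete_module`, one for the other two) while this file writes a single three-syscall line, and how fix_audit_syscall_rule treats a candidate rule that carries syscalls outside the grouping is not visible here, so the rules may keep rewriting each other's output. Either use the same three-syscall grouping in all four files or add a comment in the `_delete` hunk such as `# delete_module is deliberately not grouped with init_module/finit_module (<reason>)`.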
@@ -13,10 +13,13 @@
 for ARCH in "${RULE_ARCHS[@]}"
 do
- PATTERN="-a always,exit -F arch=$ARCH -S delete_module \(-F key=\|-k \).*"
- GROUP="modules"
- FULL_RULE="-a always,exit -F arch=$ARCH -S delete_module -k modules"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS=""
+ SYSCALL="delete_module"
+ KEY="modules"
+ SYSCALL_GROUPING="delete_module"
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
 done
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh
index 6e8df8c5095..1b2854d9c61 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh
@@ -13,10 +13,13 @@
 for ARCH in "${RULE_ARCHS[@]}"
 do
- PATTERN="-a always,exit -F arch=$ARCH -S finit_module \(-F key=\|-k \).*"
- GROUP="modules"
- FULL_RULE="-a always,exit -F arch=$ARCH -S finit_module -k modules"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS=""
+ SYSCALL="finit_module"
+ KEY="modules"
+ SYSCALL_GROUPING="init_module finit_module"
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
 done
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh
index 437127f4553..3bb7f89d37c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh
@@ -13,10 +13,13 @@
 for ARCH in "${RULE_ARCHS[@]}"
 do
- PATTERN="-a always,exit -F arch=$ARCH -S init_module \(-F key=\|-k \).*"
- GROUP="modules"
- FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -k modules"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS=""
+ SYSCALL="init_module"
+ KEY="modules"
+ SYSCALL_GROUPING="init_module finit_module"
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
 done
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh
index 4e4869a83a7..3c5e593dc5e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh
@@ -9,13 +9,15 @@
 for ARCH in "${RULE_ARCHS[@]}"
 do
- PATTERN="-a always,exit -F arch=$ARCH -S .* -k *"
- # Use escaped BRE regex to specify rule group
- GROUP="set\(host\|domain\)name"
- FULL_RULE="-a always,exit -F arch=$ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS=""
+ SYSCALL="sethostname setdomainname"
+ KEY="audit_rules_networkconfig_modification"
+ SYSCALL_GROUPING="sethostname setdomainname"
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
 done
 # Then perform the remediations for the watch rules
diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
index c8492149ad9..5cc130a0236 100644
--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
@@ -194,13 +194,15 @@ then
 # Build full_rule while avoid adding double spaces when other_filters is empty
 if [[ ${syscall_a} ]]
 then
- local syscall_filters=""
+ local syscall_string=""
 for syscall in "${syscall_a[@]}"
 do
- syscall_filters+="-S $syscall "
+ syscall_string+=" -S $syscall"
 done
 fi
- local full_rule="$action_arch_filters $([[ $syscall_filters ]] && echo "$syscall_filters")$([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key"
+ local other_string=$([[ $other_filters ]] && echo " $other_filters")
+ local auid_string=$([[ $auid_filters ]] && echo " $auid_filters")
+ local full_rule="${action_arch_filters}${syscall_string}${other_string}${auid_string} -F key=${key}"
 echo "$full_rule" >> "$default_file"
 else
 # Check if the syscalls are declared as a comma separated list or
From 8c4984428445376dd1ddb03947deda2d73321972 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 5 Aug 2021 18:59:47 +0200
Subject: [PATCH 11/31] Move suid_privileged_function to new fix_audit_sycall_rule

The OVAL check was also updated to accept the key as a Field parameter.
---
 .../bash/shared.sh | 26 ++++++++++++-------
 .../oval/shared.xml | 16 ++++++------
 2 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh
index 561c8f74a8f..3976979360c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh
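Review bot: `local other_string=$([[ $other_filters ]] && echo " $other_filters")` and the `auid_string` line below it fork a subshell and an `echo` only to prepend a space when the variable is non-empty; the parameter expansions `local other_string="${other_filters:+ $other_filters}"` and `local auid_string="${auid_filters:+ $auid_filters}"` do the same without a subshell and without relying on `local` masking the failing `[[ ]]` status. `syscall_string` is still declared only inside `if [[ ${syscall_a} ]]`, so when the array is empty `${syscall_string}` in `full_rule` expands an unset variable; declaring `local syscall_string=""` before the `if` keeps that explicit (and safe should `set -u` ever be enabled). `[[ ${syscall_a} ]]` also tests only the first element rather than the array; `(( ${#syscall_a[@]} ))` says what is meant. The enclosing function starts and ends outside the hunk.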
@@ -9,20 +9,26 @@
 for ARCH in "${RULE_ARCHS[@]}"
 do
- PATTERN="-a always,exit -F arch=$ARCH -S execve -C uid!=euid -F euid=0"
- GROUP="privileged"
- FULL_RULE="-a always,exit -F arch=$ARCH -S execve -C uid!=euid -F euid=0 -k setuid"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS="-C uid!=euid -F euid=0"
+ AUID_FILTERS=""
+ SYSCALL="execve"
+ KEY="setuid"
+ SYSCALL_GROUPING=""
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
 done
 for ARCH in "${RULE_ARCHS[@]}"
 do
- PATTERN="-a always,exit -F arch=$ARCH -S execve -C gid!=egid -F egid=0"
- GROUP="privileged"
- FULL_RULE="-a always,exit -F arch=$ARCH -S execve -C gid!=egid -F egid=0 -k setgid"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS="-C gid!=egid -F egid=0"
+ AUID_FILTERS=""
+ SYSCALL="execve"
+ KEY="setgid"
+ SYSCALL_GROUPING=""
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
 done
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml index 9247d81b89c..5115eb6c8c4 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml @@ -30,7 +30,7 @@ ^/etc/audit/rules\.d/.*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+-k[\s]setuid[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+(-k[\s]+|-F[\s]+key=)setuid[\s]*$ 1 @@ -39,7 +39,7 @@ ^/etc/audit/rules\.d/.*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+-k[\s]setuid[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+(-k[\s]+|-F[\s]+key=)setuid[\s]*$ 1 @@ -48,7 +48,7 @@ /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+-k[\s]setuid[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+(-k[\s]+|-F[\s]+key=)setuid[\s]*$ 1 @@ -57,7 +57,7 @@ /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+-k[\s]setuid[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+(-k[\s]+|-F[\s]+key=)setuid[\s]*$ 1 
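Review bot: The rewritten `contains` patterns keep `-C[\s]uid!=euid` and `-F[\s]euid=0` (and the `gid`/`egid` forms in the four hunks that follow) with a single `[\s]`, while every other separator in the same expression is `[\s]+`; a rule line with two spaces or a tab at those two points is accepted by the remediation but fails this check. Since these lines are being rewritten anyway, `-C[\s]+uid!=euid[\s]+-F[\s]+euid=0` (and likewise for `gid`/`egid`) would make each expression self-consistent. The XML element tags around these lines did not survive extraction, so the exact hunk contents are partly inferred.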
@@ -66,7 +66,7 @@ ^/etc/audit/rules\.d/.*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+-k[\s]setgid[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+(-k[\s]+|-F[\s]+key=)setgid[\s]*$ 1 @@ -75,7 +75,7 @@ ^/etc/audit/rules\.d/.*\.rules$ - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+-k[\s]setgid[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+(-k[\s]+|-F[\s]+key=)setgid[\s]*$ 1 @@ -84,7 +84,7 @@ /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+-k[\s]setgid[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+(-k[\s]+|-F[\s]+key=)setgid[\s]*$ 1 @@ -93,7 +93,7 @@ /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+-k[\s]setgid[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+(-k[\s]+|-F[\s]+key=)setgid[\s]*$ 1 From ed948b76b8ce20179a00622b9e04a4d4cd32850f Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 6 Aug 2021 09:45:42 +0200 Subject: [PATCH 12/31] Update remediarions for time syscalls rules Update rules audit_rules_time_clock_settime and bash shared remediation perform_audit_adjtimex_settimeofday_stime_remediation to group their syscalls. --- .../bash/shared.sh | 13 ++++++++----- ..._adjtimex_settimeofday_stime_remediation.sh | 18 +++++++++++------- 2 files changed, 19 insertions(+), 12 deletions(-) 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh
index ffddb94df69..0d51b6b9400 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh
@@ -9,10 +9,13 @@
 for ARCH in "${RULE_ARCHS[@]}"
 do
- PATTERN="-a always,exit -F arch=$ARCH -S clock_settime -F a0=.* \(-F key=\|-k \).*"
- GROUP="clock_settime"
- FULL_RULE="-a always,exit -F arch=$ARCH -S clock_settime -F a0=0x0 -k time-change"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS="-F a0=0x0"
+ AUID_FILTERS=""
+ SYSCALL="clock_settime"
+ KEY="time-change"
+ SYSCALL_GROUPING=""
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
 done
diff --git a/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh b/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh
index be1425b454c..ca3ccc37513 100644
--- a/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh
+++ b/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh
@@ -19,24 +19,28 @@ function perform_audit_adjtimex_settimeofday_stime_remediation {
 for ARCH in "${RULE_ARCHS[@]}"
 do
- PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
 # Create expected audit group and audit rule form for particular system call & architecture
 if [ ${ARCH} = "b32" ]
 then
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
 # so append it to the list of time group system calls to be audited
- GROUP="\(adjtimex\|settimeofday\|stime\)"
- FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
+ SYSCALL="adjtimex settimeofday stime"
+ SYSCALL_GROUPING="adjtimex settimeofday stime"
 elif [ ${ARCH} = "b64" ]
 then
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
 # therefore don't add it to the list of time group system calls to be audited
- GROUP="\(adjtimex\|settimeofday\)"
- FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
+ SYSCALL="adjtimex settimeofday"
+ SYSCALL_GROUPING="adjtimex settimeofday"
 fi
+ OTHER_FILTERS=""
+ AUID_FILTERS=""
+ KEY="audit_time_rules"
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
 done
 }
From 8af4ced71baa5794bfa9be2cfcf9a9519066e597 Mon Sep 17 00:00:00 2001
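Review bot: `ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"` is assigned identically in both the `b32` and `b64` branches; it belongs next to `OTHER_FILTERS`, `AUID_FILTERS` and `KEY` after the `fi`, where the other arch-independent values already live. The `if`/`elif` still has no `else`, so for an `ARCH` value that is neither `b32` nor `b64` `SYSCALL` and `SYSCALL_GROUPING` keep the previous iteration's values (or are unset on the first) and both `fix_audit_syscall_rule` calls run anyway; an `else` that prints a diagnostic and `continue`s would make that case explicit. The unquoted `[ ${ARCH} = "b32" ]` is pre-existing, but since the surrounding lines are being touched, `[[ "$ARCH" == "b32" ]]` is the safer form. The function's opening line appears only in the hunk header; its start is outside the hunk.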
From: Watson Sato Date: Tue, 17 Aug 2021 11:50:46 +0200 Subject: [PATCH 13/31] Improve audit syscall rule macro to group syscalls The macros now group the syscall rule according to the grouping argument The Ansible macros follow same argument pattern as the Bash remediations (soon to become macros). --- .../ansible/shared.yml | 36 ++- .../ansible/shared.yml | 36 ++- .../ansible/shared.yml | 36 ++- .../ansible/shared.yml | 36 ++- .../ansible/shared.yml | 36 ++- .../audit_rules_time_stime/ansible/shared.yml | 18 +- shared/macros-ansible.jinja | 220 +++++++++--------- 7 files changed, 292 insertions(+), 126 deletions(-) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml index 8421076fbb3..905c14feb82 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml 
@@ -15,11 +15,39 @@
 - name: Perform remediation of Audit rules for kernel module loading for x86 platform
 block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=audit_syscalls, key="modules")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=audit_syscalls, key="modules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=audit_syscalls,
+ key="modules",
+ syscall_grouping=audit_syscalls,
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=audit_syscalls,
+ key="modules",
+ syscall_grouping=audit_syscalls,
+ )|indent(4) }}}
 - name: Perform remediation of Audit rules for kernel module loading for x86_64 platform
 block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=audit_syscalls, key="modules")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=audit_syscalls, key="modules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=audit_syscalls,
+ key="modules",
+ syscall_grouping=audit_syscalls,
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=audit_syscalls,
+ key="modules",
+ syscall_grouping=audit_syscalls,
+ )|indent(4) }}}
 when: audit_arch == "b64"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml
index fa07d5bf944..b5262d795c6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml
@@ -13,13 +13,41 @@
 - name: Remediate audit rules for network configuration for x86
 block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["sethostname", "setdomainname"],
+ key="audit_rules_networkconfig_modification",
+ syscall_grouping=["sethostname", "setdomainname"],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["sethostname", "setdomainname"],
+ key="audit_rules_networkconfig_modification",
+ syscall_grouping=["sethostname", "setdomainname"],
+ )|indent(4) }}}
 - name: Remediate audit rules for network configuration for x86_64
 block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=["sethostname", "setdomainname"],
+ key="audit_rules_networkconfig_modification",
+ syscall_grouping=["sethostname", "setdomainname"],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=["sethostname", "setdomainname"],
+ key="audit_rules_networkconfig_modification",
+ syscall_grouping=["sethostname", "setdomainname"],
+ )|indent(4) }}}
 when: audit_arch == "b64"
 # remediate watches
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
index 921b8e34cb2..a5d7cc5e0aa 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
@@ -10,11 +10,39 @@
 - name: Perform remediation of Audit rules for adjtimex for x86 platform
 block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["adjtimex"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday", "stime"],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["adjtimex"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday", "stime"],
+ )|indent(4) }}}
 - name: Perform remediation of Audit rules for adjtimex for x86_64 platform
 block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=["adjtimex"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday"],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=["adjtimex"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday", "stime"],
+ )|indent(4) }}}
 when: audit_arch == "b64"
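Review bot: In the x86_64 block the two macro calls disagree on `syscall_grouping`: the augenrules call gets `["adjtimex", "settimeofday"]` while the auditctl call gets `["adjtimex", "settimeofday", "stime"]`, so the two tools will search for, and group into, different rule lines. The bash remediation in `perform_audit_adjtimex_settimeofday_stime_remediation.sh` earlier in this series leaves `stime` out on b64 because the syscall is not known on 64-bit, so the auditctl call here should match it: `syscall_grouping=["adjtimex", "settimeofday"],`. The same applies to both b64 calls in `audit_rules_time_settimeofday/ansible/shared.yml` (a later hunk), which include `stime` on b64.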
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml
index e77850fa251..c07ee41fe03 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml
@@ -12,11 +12,39 @@
 - name: Perform remediation of Audit rules for clock_settime for x86 platform
 block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="-F a0=0x0",
+ auid_filters="",
+ syscalls=["clock_settime"],
+ key="time-change",
+ syscall_grouping=[],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="-F a0=0x0",
+ auid_filters="",
+ syscalls=["clock_settime"],
+ key="time-change",
+ syscall_grouping=[],
+ )|indent(4) }}}
 - name: Perform remediation of Audit rules for clock_settime for x86_64 platform
 block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="-F a0=0x0",
+ auid_filters="",
+ syscalls=["clock_settime"],
+ key="time-change",
+ syscall_grouping=[],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="-F a0=0x0",
+ auid_filters="",
+ syscalls=["clock_settime"],
+ key="time-change",
+ syscall_grouping=[],
+ )|indent(4) }}}
 when: audit_arch == "b64"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
index b1a25c2776d..e4be5e2406f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
@@ -10,11 +10,39 @@
 - name: Perform remediation of Audit rules for settimeofday for x86 platform
 block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["settimeofday"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday", "stime"],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["settimeofday"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday", "stime"],
+ )|indent(4) }}}
 - name: Perform remediation of Audit rules for settimeofday for x86_64 platform
 block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=["settimeofday"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday", "stime"],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="",
+ auid_filters="",
+ syscalls=["settimeofday"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday", "stime"],
+ )|indent(4) }}}
 when: audit_arch == "b64"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
index b57c71ce21f..96fc5c15655 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
@@ -6,5 +6,19 @@
 - name: Perform remediation of Audit rules for stime syscall for x86 platform
 block:
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["stime"], key="audit_time_rules")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["stime"], key="audit_time_rules")|indent(4) }}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["stime"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday", "stime"],
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b32",
+ other_filters="",
+ auid_filters="",
+ syscalls=["stime"],
+ key="audit_time_rules",
+ syscall_grouping=["adjtimex", "settimeofday", "stime"],
+ )|indent(4) }}}
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 116077b9a52..5e120deee58 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -385,135 +385,147 @@ The macro requires following parameters: {{# The following macro remediates Audit syscall rule in /etc/audit/rules.d directory. The macro requires following parameters: -- arch: an architecture to be used in the Audit rule (b32, b64) -- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. -- key: a key to use as rule identifier. -- fields (optional): list of syscall fields to add (e.g.: auid=unset, exit=-EPERM, a0&0100); - Add them in the order you expect them to be in the audit rule. -Note that if there already exists a rule wit the same key in the /etc/audit/rules.d directory, the rule will be placed in the same file. +- action_arch_filters: The action and arch filters of the rule + For example, "-a always,exit -F arch=b64" +- other_filters: Other filters that may characterize the rule: + For example, "-F a2&03 -F path=/etc/passwd" +- auid_filters: The auid filters of the rule + For example, "-F auid>=1000 -F auid!=unset" +- syscalls: List of syscalls to ensure presense among audit rules + For example, "['fchown', 'lchown', 'fchownat']" +- syscall_groupings: List of other syscalls that can be grouped with 'syscalls' + For example, "['fchown', 'lchown', 'fchownat']" +- key: The key to use when appending a new rule #}} -{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="", fields=[]) -%}} -- name: Declare list of syscals +{{% macro ansible_audit_augenrules_add_syscall_rule(action_arch_filters="", other_filters="", auid_filters="", syscalls=[], key="", syscall_grouping=[]) -%}} +{{% if other_filters != "" %}} + {{% set other_filters = " " ~ other_filters %}} +{{% endif %}} +{{% if auid_filters != "" %}} + {{% set auid_filters = " " ~ auid_filters %}} +{{% endif %}} +- name: Declare list of syscalls set_fact: syscalls: {{{ syscalls }}} + syscall_grouping: {{{ syscall_grouping }}} -- name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" +- 
name: Check existence of syscalls for in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: '{{{ action_arch_filters }}}(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*{{{ other_filters }}}{{{ auid_filters }}} (-k\s+|-F\s+key=)\S+\s*$' + patterns: '*.rules' + register: find_command + loop: '{{ syscall_grouping }}' -{{# -This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope. -See official documentation: https://jinja.palletsprojects.com/en/2.11.x/templates/#assignments -#}} -{{% set fields_data = { 'regex' : "", 'plain_text': "" } %}} -{{% for field in fields %}} - {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F[\s]+' + field + '[\s]+)'}) %}} - {{% set not_used = fields_data.update({'plain_text': fields_data.plain_text + ' -F ' + field }) %}} -{{% endfor %}} +- name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | default({}) | combine( {item.files[0].path :[item.item]+(syscalls_per_file | default({})).get(item.files[0].path, []) } ) }}" + loop: "{{ find_command.results | selectattr('matched') | list}}" -- name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/ - find: - paths: "/etc/audit/rules.d" - contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*{{{ fields_data.regex }}}(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' - patterns: "*.rules" - register: audit_syscalls_found_{{{ arch }}}_rules_d - loop: "{{ syscalls }}" +- name: Declare files where syscalls where found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" -- name: Get number of matched syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_{{{ arch }}}_rules_d="{{ audit_syscalls_found_{{{ arch }}}_rules_d.results|sum(attribute='matched')|int }}" +- name: Count 
occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | default({}) | combine({ item:1+(found_paths_dict | default({})).get(item, 0) }) }}" + loop: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" -- name: Search /etc/audit/rules.d for other rules with the key {{{ key }}} - find: - paths: "/etc/audit/rules.d" - contains: '^.*(?:-F key=|-k\s+){{{ key }}}$' - patterns: "*.rules" - register: find_syscalls_files +- name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + when: found_paths | length >= 1 -- name: Use /etc/audit/rules.d/{{{ key }}}.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/{{{ key }}}.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 +- name: No file with syscall found, set path to /etc/audit/rules.d/{{{ key }}}.rules + set_fact: audit_file="/etc/audit/rules.d/{{{ key }}}.rules" + when: found_paths | length == 0 -- name: Use matched file as the recipient for the rule +- name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + +- name: Declare missing syscalls set_fact: - all_files: - - "{{ find_syscalls_files.files | map(attribute='path') | list | first }}" - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + missing_syscalls="{{ syscalls | difference(syscalls_found) }}" -- name: "Insert the syscall rule in {{ all_files[0] }}" - block: - - name: "Construct rule: add rule list, action and arch" - set_fact: tmpline="-a always,exit -F arch={{{ arch }}}" - - name: "Construct rule: add syscalls" - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: "{{ audit_syscalls_found_{{{ arch }}}_rules_d.results }}" - when: item.matched is defined and item.matched == 0 - - name: "Construct rule: add fields and 
key" - set_fact: tmpline="{{ tmpline + '{{{ fields_data.plain_text }}} -k {{{ key }}}' }}" - - name: "Insert the line in {{ all_files[0] }}" - lineinfile: - path: "{{ all_files[0] }}" - line: "{{ tmpline }}" - create: true - state: present - when: audit_syscalls_matched_{{{ arch }}}_rules_d < audit_syscalls_number_of_syscalls +- name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: '({{{ action_arch_filters }}})(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)({{{ other_filters }}}{{{ auid_filters }}} (?:-k |-F key=)\w+)' + line: '\1\2\3{{ missing_syscalls | join("\3") }}\4' + backrefs: yes + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + +- name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: "{{{ action_arch_filters }}} -S {{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}" + create: true + state: present + when: syscalls_found | length == 0 {{%- endmacro %}} {{# The following macro remediates Audit syscall rule in /etc/audit/audit.rules file. The macro requires following parameters: -- arch: an architecture to be used in the Audit rule (b32, b64) -- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. -- key: a key to use as rule identifier. -- fields (optional): list of syscall fields to add (e.g.: auid=unset, exit=-EPERM, a0&0100); - Add them in the order you expect them to be in the audit rule. 
+- action_arch_filters: The action and arch filters of the rule + For example, "-a always,exit -F arch=b64" +- other_filters: Other filters that may characterize the rule: + For example, "-F a2&03 -F path=/etc/passwd" +- auid_filters: The auid filters of the rule + For example, "-F auid>=1000 -F auid!=unset" +- syscalls: List of syscalls to ensure presense among audit rules + For example, "['fchown', 'lchown', 'fchownat']" +- syscall_groupings: List of other syscalls that can be grouped with 'syscalls' + For example, "['fchown', 'lchown', 'fchownat']" +- key: The key to use when appending a new rule #}} -{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="", fields=[]) -%}} -- name: Declare list of syscals +{{% macro ansible_audit_auditctl_add_syscall_rule(action_arch_filters="", other_filters="", auid_filters="", syscalls=[], key="", syscall_grouping=[]) -%}} +{{% if other_filters!= "" %}} + {{% set other_filters = " " ~ other_filters %}} +{{% endif %}} +{{% if auid_filters!= "" %}} + {{% set auid_filters = " " ~ auid_filters %}} +{{% endif %}} +- name: Declare list of syscalls set_fact: syscalls: {{{ syscalls }}} + syscall_grouping: {{{ syscall_grouping }}} + +- name: Check existence of syscalls for in /etc/audit/rules.d/ + find: + paths: /etc/audit + contains: '{{{ action_arch_filters }}}(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*{{{ other_filters }}}{{{ auid_filters }}} (-k\s+|-F\s+key=)\S+\s*$' + patterns: 'audit.rules' + register: find_command + loop: '{{ syscall_grouping }}' -- name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" +- name: Set path to /etc/audit/rules.d/{{{ key }}}.rules + set_fact: audit_file="/etc/audit/audit.rules" -{{# -This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope. 
-See official documentation: https://jinja.palletsprojects.com/en/2.11.x/templates/#assignments -#}} -{{% set fields_data = { 'regex' : "", 'plain_text': "" } %}} -{{% for field in fields %}} - {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F[\s]+' + field + '[\s]+)'}) %}} - {{% set not_used = fields_data.update({'plain_text': fields_data.plain_text + ' -F ' + field }) %}} -{{% endfor %}} +- name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" -- name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules - find: - paths: "/etc/audit" - contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*{{{ fields_data.regex }}}(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' - patterns: "audit.rules" - register: audit_syscalls_found_{{{ arch }}}_audit_rules - loop: "{{ syscalls }}" +- name: Declare missing syscalls + set_fact: + missing_syscalls="{{ syscalls | difference(syscalls_found) }}" -- name: Get number of matched syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_{{{ arch }}}_audit_rules="{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results|sum(attribute='matched')|int }}" +- name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: '({{{ action_arch_filters }}})(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)({{{ other_filters }}}{{{ auid_filters }}} (?:-k |-F key=)\w+)' + line: '\1\2\3{{ missing_syscalls | join("\3") }}\4' + backrefs: yes + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + +- name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: "{{{ action_arch_filters }}} -S {{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}" 
+ create: true + state: present + when: syscalls_found | length == 0 +- name: Declare list of syscals + set_fact: + syscalls: {{{ syscalls }}} -- name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: "Construct rule: add rule list, action and arch" - set_fact: tmpline="-a always,exit -F arch={{{ arch }}}" - - name: "Construct rule: add syscalls" - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: "{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results }}" - when: item.matched is defined and item.matched == 0 - - name: "Construct rule: add fields and key" - set_fact: tmpline="{{ tmpline + '{{{ fields_data.plain_text }}} -k {{{ key }}}' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: "/etc/audit/audit.rules" - line: "{{ tmpline }}" - create: true - state: present - when: audit_syscalls_matched_{{{ arch }}}_audit_rules < audit_syscalls_number_of_syscalls {{%- endmacro %}} {{% macro ansible_sssd_ldap_config(parameter, value) -%}} From a355d5b5578477a4464023dccccdb474ff571768 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 17 Aug 2021 14:35:17 +0200 Subject: [PATCH 14/31] Move template audit_rules_path_syscall to Ansible macro --- .../audit_rules_path_syscall/ansible.template | 100 +++++++----------- .../audit_rules_path_syscall/template.py | 7 ++ 2 files changed, 44 insertions(+), 63 deletions(-) diff --git a/shared/templates/audit_rules_path_syscall/ansible.template b/shared/templates/audit_rules_path_syscall/ansible.template index d519609fa02..20440a36237 100644 --- a/shared/templates/audit_rules_path_syscall/ansible.template +++ b/shared/templates/audit_rules_path_syscall/ansible.template 
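Review bot: The new `find` `contains` pattern in both macros starts directly at `{{{ action_arch_filters }}}` with no start-of-line anchor, whereas the pattern it replaces began with `^[\s]*-a[\s]+always,exit`; a commented-out line such as `#-a always,exit -F arch=b64 -S chown ... -k perm_mod` now counts as a present rule, and because the `lineinfile` `regexp` in "Replace the audit rule" is equally unanchored, the missing syscalls would be spliced into the comment instead of into an active rule — prefixing both with `^\s*` (`contains: '^\s*{{{ action_arch_filters }}}(( -S |,)\w+)*...'`) restores the old behaviour. In the augenrules macro, `audit_file` is picked from `found_paths_dict` (every file each syscall was found in) while `syscalls_per_file` is keyed only on `item.files[0].path`, so with equal counts the stable `sort | last` can choose a path that is not a key and `syscalls_per_file[audit_file]` then fails as undefined; keying `syscalls_per_file` on every matched file, or choosing `audit_file` from its keys, closes that gap. The `- name: Declare list of syscals` task added after "Add the audit rule" at the tail of `ansible_audit_auditctl_add_syscall_rule` looks like a leftover: it re-sets `syscalls` after the rule has already been written and keeps the old typo, and that macro's task names still say `/etc/audit/rules.d` although it works on `/etc/audit/audit.rules`. Both doc comments describe a `syscall_groupings` parameter but the signatures and every caller use `syscall_grouping`.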
@@ -11,67 +11,41 @@ set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -# -# Inserts/replaces the rule in /etc/audit/rules.d -# -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: "/etc/audit/rules.d" - recurse: no - contains: ".*{{{ SYSCALL }}}(,[\\S]+)?[\\s]+-F[\\s]+{{{ POS }}}&03[\\s]+-F[\\s]+path={{{ PATH }}}.*" - patterns: "*.rules" - register: find_{{{ SYSCALL }}} - -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/modify.rules - when: find_{{{ SYSCALL }}}.matched is defined and find_{{{ SYSCALL }}}.matched == 0 - -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - "{{ find_{{{ SYSCALL }}}.files | map(attribute='path') | list | first }}" - when: find_{{{ SYSCALL }}}.matched is defined and find_{{{ SYSCALL }}}.matched > 0 - -- name: Inserts/replaces the {{{ SYSCALL }}} rule in rules.d when on x86 - lineinfile: - path: "{{ all_files[0] }}" - line: "{{ item }}" - create: yes - regexp: "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+" - with_items: - - "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify" - -- name: Inserts/replaces the {{{ SYSCALL }}} rule in rules.d when on x86_64 - lineinfile: - path: "{{ all_files[0] }}" - line: "{{ item }}" - create: yes - regexp: "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+" - with_items: - - "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify" - when: audit_arch is defined and audit_arch == 'b64' -# -# Inserts/replaces the rule in /etc/audit/audit.rules -# -- name: 
Inserts/replaces the {{{ SYSCALL }}} rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: "{{ item }}" - state: present - dest: /etc/audit/audit.rules - create: yes - regexp: "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+" - with_items: - - "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify" +- name: Perform remediattion of Audit rules for {{{ SYSCALL }}} for x86 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", + other_filters="-F "~POS~"&03 -F path="~PATH, + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=SYSCALL, + key="modify", + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", + other_filters="-F "~POS~"&03 -F path="~PATH, + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=SYSCALL, + key="modify", + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} -- name: Inserts/replaces the {{{ SYSCALL }}} rule in audit.rules when on x86_64 - lineinfile: - line: "{{ item }}" - state: present - dest: /etc/audit/audit.rules - create: yes - regexp: "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+" - with_items: - - "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify" - when: audit_arch is defined and audit_arch == 'b64' +- name: Perform remediattion of Audit rules for {{{ SYSCALL }}} for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", + other_filters="-F "~POS~"&03 -F path="~PATH, + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=SYSCALL, 
+ key="modify",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(
+ action_arch_filters="-a always,exit -F arch=b64",
+ other_filters="-F "~POS~"&03 -F path="~PATH,
+ auid_filters="-F auid>="~auid~" -F auid!=unset",
+ syscalls=SYSCALL,
+ key="modify",
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
+ when: audit_arch == "b64"
diff --git a/shared/templates/audit_rules_path_syscall/template.py b/shared/templates/audit_rules_path_syscall/template.py
index 7e0877a02b9..c13f34b94e0 100644
--- a/shared/templates/audit_rules_path_syscall/template.py
+++ b/shared/templates/audit_rules_path_syscall/template.py
@@ -11,4 +11,11 @@ def preprocess(data, lang):
if "syscall_grouping" in data:
# Make it easier to tranform the syscall_grouping into a Bash array
data["syscall_grouping"] = " ".join(data["syscall_grouping"])
+ elif lang == "ansible":
+ if "syscall" in data:
+ # Tranform the syscall into a Ansible list
+ data["syscall"] = [ data["syscall"] ]
+ if "syscall_grouping" not in data:
+ # Ensure that syscall_grouping is a list
+ data["syscall_grouping"] = []
return data
From 27d64329d2d9d3cdac03f0a46866f99c299b430d Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 17 Aug 2021 16:37:12 +0200
Subject: [PATCH 15/31] Move template audit_rules_dac_modification to Ansible macro
Use Ansible macro ansible_audit_augenrules_add_syscall_rule and ansible_audit_auditctl_add_syscall_rule that group the syscalls according to defined grouping.
---
.../ansible.template | 152 ++++++++----------
.../audit_rules_dac_modification/template.py | 7 +
2 files changed, 76 insertions(+), 83 deletions(-)
diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template
index d048978456d..d2ce6c50052 100644
--- a/shared/templates/audit_rules_dac_modification/ansible.template
+++ b/shared/templates/audit_rules_dac_modification/ansible.template
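Review bot: Both added task names read `Perform remediattion of Audit rules for {{{ SYSCALL }}} ...`; the same typo is in the two task names of the dac_modification template hunk and in the x86_64 task of the unsuccessful_file_modification hunk, whose x86 task spells it correctly, so the generated playbooks are inconsistent — `- name: Perform remediation of Audit rules for {{{ SYSCALL }}} for x86 platform`. `PATH` and `POS` are concatenated into `other_filters`, which the macro then embeds unescaped in both its `find` `contains` and its `lineinfile` `regexp`; a path containing `.` or `+` would be read as regex syntax rather than literally, so either escaping at this call site or a comment stating that paths must be metacharacter-free is worth adding (whether the build-time Jinja offers `regex_escape` I cannot tell from here).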
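Review bot: `data["syscall"] = [ data["syscall"] ]` wraps unconditionally, so if `preprocess` is ever run twice on the same dict, or a rule already supplies a list, the value becomes a nested list and the macro's `syscalls | join(',')` would render a Python list literal instead of a syscall name; `if isinstance(data["syscall"], str):` in front of the assignment keeps it idempotent. The same applies to `data["attr"]` and `data["name"]` in the dac_modification and unsuccessful_file_modification template.py hunks. The comment `# Tranform the syscall into a Ansible list` should read `# Transform the syscall into an Ansible list`. The `if` that this `elif` extends starts outside the hunk.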
@@ -11,91 +11,77 @@ set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -# -# Inserts/replaces the rule in /etc/audit/rules.d -# -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: "/etc/audit/rules.d" - recurse: no - contains: "-F key=perm_mod$" - patterns: "*.rules" - register: find_{{{ ATTR }}} - -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: find_{{{ ATTR }}}.matched is defined and find_{{{ ATTR }}}.matched == 0 - -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - "{{ find_{{{ ATTR }}}.files | map(attribute='path') | list | first }}" - when: find_{{{ ATTR }}}.matched is defined and find_{{{ ATTR }}}.matched > 0 - -- name: Inserts/replaces the {{{ ATTR }}} rule in rules.d when on x86 - lineinfile: - path: "{{ all_files[0] }}" - line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod" - create: yes - +- name: Perform remediattion of Audit rules for {{{ ATTR }}} for x86 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", + other_filters="", + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=ATTR, + key="perm_mod", + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", + other_filters="", + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=ATTR, + key="perm_mod", + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} {{%- if CHECK_ROOT_USER %}} -- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in rules.d when on x86 - lineinfile: - path: "{{ all_files[0] }}" - line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod" - create: yes + {{{ 
ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", + other_filters="", + auid_filters="-F auid=0", + syscalls=ATTR, + key="perm_mod", + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", + other_filters="", + auid_filters="-F auid=0", + syscalls=ATTR, + key="perm_mod", + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} {{%- endif %}} -- name: Inserts/replaces the {{{ ATTR }}} rule in rules.d when on x86_64 - lineinfile: - path: "{{ all_files[0] }}" - line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod" - create: yes - when: audit_arch is defined and audit_arch == 'b64' - -{{%- if CHECK_ROOT_USER %}} -- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in rules.d when on x86_64 - lineinfile: - path: "{{ all_files[0] }}" - line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod" - create: yes - when: audit_arch is defined and audit_arch == 'b64' -{{%- endif %}} -# -# Inserts/replaces the rule in /etc/audit/audit.rules -# -- name: Inserts/replaces the {{{ ATTR }}} rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod" - state: present - dest: /etc/audit/audit.rules - create: yes - -{{%- if CHECK_ROOT_USER %}} -- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in /etc/audit/audit.rules when on x86 - lineinfile: - line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod" - state: present - dest: /etc/audit/audit.rules - create: yes -{{%- endif %}} - -- name: Inserts/replaces the {{{ ATTR }}} rule in audit.rules when on x86_64 - lineinfile: - line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod" - state: present - dest: /etc/audit/audit.rules - create: yes - when: 
audit_arch is defined and audit_arch == 'b64' - +- name: Perform remediattion of Audit rules for {{{ ATTR }}} for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", + other_filters="", + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=ATTR, + key="perm_mod", + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", + other_filters="", + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=ATTR, + key="perm_mod", + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} {{%- if CHECK_ROOT_USER %}} -- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in audit.rules when on x86_64 - lineinfile: - line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid=0 -F auid!=unset -F key=perm_mod" - state: present - dest: /etc/audit/audit.rules - create: yes - when: audit_arch is defined and audit_arch == 'b64' + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", + other_filters="", + auid_filters="-F auid=0", + syscalls=ATTR, + key="perm_mod", + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", + other_filters="", + auid_filters="-F auid=0", + syscalls=ATTR, + key="perm_mod", + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} {{%- endif %}} + when: audit_arch == "b64" diff --git a/shared/templates/audit_rules_dac_modification/template.py b/shared/templates/audit_rules_dac_modification/template.py index 7dc53e81f7d..eebd0b6f4ee 100644 --- a/shared/templates/audit_rules_dac_modification/template.py +++ b/shared/templates/audit_rules_dac_modification/template.py 
@@ -7,5 +7,12 @@ def preprocess(data, lang):
if "syscall_grouping" in data:
# Make it easier to tranform the syscall_grouping into a Bash array
data["syscall_grouping"] = " ".join(data["syscall_grouping"])
+ elif lang == "ansible":
+ if "attr" in data:
+ # Tranform the syscall into a Ansible list
+ data["attr"] = [ data["attr"] ]
+ if "syscall_grouping" not in data:
+ # Ensure that syscall_grouping is a list
+ data["syscall_grouping"] = []
return data
From cd507f507d3fb756c49e4ca19d47f17d951e1a9f Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 17 Aug 2021 16:59:48 +0200
Subject: [PATCH 16/31] Move template audit_rules_unsuccessfull_file_modification to Ansible macro
Use Ansible macro ansible_audit_augenrules_add_syscall_rule and ansible_audit_auditctl_add_syscall_rule that group the syscalls according to defined grouping.
---
.../ansible.template | 102 +++++++-----------
.../template.py | 8 ++
2 files changed, 47 insertions(+), 63 deletions(-)
diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template
index 8e8e003a5b0..cb5decc6a6e 100644
--- a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template
+++ b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template
@@ -11,67 +11,43 @@ set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -# -# Inserts/replaces the rule in /etc/audit/rules.d -# -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: "/etc/audit/rules.d" - recurse: no - contains: "-F key=perm_mod$" - patterns: "*.rules" - register: find_{{{ NAME }}} - -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/access.rules - when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched == 0 - -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}" - when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched > 0 - -- name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86 - lineinfile: - path: "{{ all_files[0] }}" - line: "{{ item }}" - create: yes - with_items: - - "-a always,exit -F arch=b32 -S {{{ NAME }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=access" - - "-a always,exit -F arch=b32 -S {{{ NAME }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=access" - -- name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86_64 - lineinfile: - path: "{{ all_files[0] }}" - line: "{{ item }}" - create: yes - with_items: - - "-a always,exit -F arch=b64 -S {{{ NAME }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=access" - - "-a always,exit -F arch=b64 -S {{{ NAME }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=access" - when: audit_arch is defined and audit_arch == 'b64' -# -# Inserts/replaces the rule in /etc/audit/audit.rules -# -- name: Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: "{{ item }}" - state: present - dest: /etc/audit/audit.rules - create: yes - with_items: - - "-a always,exit -F arch=b32 -S {{{ 
NAME }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=access" - - "-a always,exit -F arch=b32 -S {{{ NAME }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=access" +{{% for EXIT_CODE in ["EACCES","EPERM"] %}} +- name: Perform remediation of Audit rules for {{{ NAME }}} {{{ EXIT_CODE}}} for x86 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", + other_filters="-F exit=-"~EXIT_CODE, + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=NAME, + key="access", + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", + other_filters="-F exit=-"~EXIT_CODE, + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=NAME, + key="access", + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} -- name: Inserts/replaces the {{{ NAME }}} rule in audit.rules when on x86_64 - lineinfile: - line: "{{ item }}" - state: present - dest: /etc/audit/audit.rules - create: yes - with_items: - - "-a always,exit -F arch=b64 -S {{{ NAME }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=access" - - "-a always,exit -F arch=b64 -S {{{ NAME }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=access" - when: audit_arch is defined and audit_arch == 'b64' +- name: Perform remediattion of Audit rules for {{{ NAME }}} {{{ EXIT_CODE }}} for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", + other_filters="-F exit=-"~EXIT_CODE, + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=NAME, + key="access", + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", + other_filters="-F exit=-"~EXIT_CODE, + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=NAME, + key="access", + 
+ syscall_grouping=SYSCALL_GROUPING,
+ )|indent(4) }}}
+ when: audit_arch == "b64"
+{{% endfor %}}
diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/template.py b/shared/templates/audit_rules_unsuccessful_file_modification/template.py
index a4e58609f66..62abfad9a2c 100644
--- a/shared/templates/audit_rules_unsuccessful_file_modification/template.py
+++ b/shared/templates/audit_rules_unsuccessful_file_modification/template.py
@@ -6,6 +6,14 @@ def _audit_rules_unsuccessful_file_modification(data, lang):
if "syscall_grouping" in data:
# Make it easier to tranform the syscall_grouping into a Bash array
data["syscall_grouping"] = " ".join(data["syscall_grouping"])
+ elif lang == "ansible":
+ if "name" in data:
+ # Tranform the syscall into a Ansible list
+ # The syscall is under 'name'
+ data["name"] = [ data["name"] ]
+ if "syscall_grouping" not in data:
+ # Ensure that syscall_grouping is a list
+ data["syscall_grouping"] = []
return data
From 52dcdb4be6c1b450bfb074684b4657a40963e752 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 17 Aug 2021 17:34:26 +0200
Subject: [PATCH 17/31] Add syscall_groups to unsuccessful_file_mofication rules
The groupings were based on the rule description.
---
.../rule.yml | 7 +++++++
.../rule.yml | 5 +++++
.../rule.yml | 7 +++++++
.../rule.yml | 7 +++++++
.../rule.yml | 5 +++++
.../rule.yml | 5 +++++
.../rule.yml | 7 +++++++
.../rule.yml | 5 +++++
.../rule.yml | 7 +++++++
.../rule.yml | 5 +++++
.../rule.yml | 5 +++++
.../rule.yml | 6 ++++++
.../rule.yml | 7 +++++++
.../rule.yml | 5 +++++
.../rule.yml | 5 +++++
15 files changed, 88 insertions(+)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml
index 7cf5855bcae..ddfe1e9d6c3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml
@@ -51,3 +51,10 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: chmod
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+ - fsetxattr
+ - lsetxattr
+ - setxattr
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml
index 090463bd402..6ca6e27b24d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml
@@ -51,3 +51,8 @@ template:
name: audit_rules_unsuccessful_file_modification
vars:
name: chown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml
index fc2b945ef9b..1a93b4537e0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml
@@ -51,3 +51,10 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: fchmod + syscall_grouping: + - chmod + - fchmod + - fchmodat + - fsetxattr + - lsetxattr + - setxattr diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml index e4da28ec070..dd77cd60639 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml @@ -51,3 +51,10 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: fchmodat + syscall_grouping: + - chmod + - fchmod + - fchmodat + - fsetxattr + - lsetxattr + - setxattr diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml index 69a9ddf72b1..3e5da890340 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml @@ -51,3 +51,8 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: fchown + syscall_grouping: + - chown + - fchown + - fchownat + - lchown 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml index 7da6b8a4d73..76f0e177b67 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml @@ -51,3 +51,8 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: fchownat + syscall_grouping: + - chown + - fchown + - fchownat + - lchown diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml index eaa9f32081f..bf1ff86737c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml @@ -51,3 +51,10 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: fsetxattr + syscall_grouping: + - chmod + - fchmod + - fchmodat + - fsetxattr + - lsetxattr + - setxattr diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml index 84c71963545..3d42cea2ac1 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml @@ -55,3 +55,8 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: lchown + syscall_grouping: + - chown + - fchown + - fchownat + - lchown diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml index 1de114c65d5..e388ec2d69e 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml @@ -51,3 +51,10 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: lsetxattr + syscall_grouping: + - chmod + - fchmod + - fchmodat + - fsetxattr + - lsetxattr + - setxattr diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml index 0aac53c1d2f..ae390fc9904 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml 
@@ -64,3 +64,8 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: rename + syscall_grouping: + - rename + - renameat + - unlink + - unlinkat diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml index 81bb79b5589..ab5d3b8d7b3 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml @@ -64,3 +64,8 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: renameat + syscall_grouping: + - rename + - renameat + - unlink + - unlinkat diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml index 57dc243760d..f0c7e1a9ca9 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml @@ -49,3 +49,9 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: renameat2 + syscall_grouping: + - rename + - renameat + - renameat2 + - unlink + - unlinkat 
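Review bot: The `syscall_grouping` lists added for rename and renameat here, and for unlink and unlinkat further down in this patch, omit `renameat2`, while the renameat2 rule's own list includes all five syscalls, so the groupings are not symmetric. If the intent is that renameat2 is only grouped on products where it is audited, a one-line comment above its `syscall_grouping:` saying so would spare the next reader the question; otherwise adding `- renameat2` to the other four lists presumably keeps the merged rule independent of which rule is remediated first. Whether the grouping logic tolerates a one-sided membership cannot be judged from these YAML hunks alone.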
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml index a406dba0e8d..a45d0cdac86 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml @@ -51,3 +51,10 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: setxattr + syscall_grouping: + - chmod + - fchmod + - fchmodat + - fsetxattr + - lsetxattr + - setxattr diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml index 55f4582ba74..c78957bab21 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml @@ -66,3 +66,8 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: unlink + syscall_grouping: + - rename + - renameat + - unlink + - unlinkat diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml index 0a672366fe8..8fa62518cb5 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml @@ -66,3 +66,8 @@ template: name: audit_rules_unsuccessful_file_modification vars: name: unlinkat + syscall_grouping: + - rename + - renameat + - unlink + - unlinkat From bc7152399c205b25c9a471deffc0497d26896cd7 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 17 Aug 2021 17:45:45 +0200 Subject: [PATCH 18/31] Move template audit_rules_privileged_commands to Ansible macro Update the macros to handle better empty syscalls parameter. Use Ansible macro ansible_audit_augenrules_add_syscall_rule and ansible_audit_auditctl_add_syscall_rule that group the syscalls according to defined grouping. --- shared/macros-ansible.jinja | 14 ++++- .../ansible.template | 56 +++++++------------ .../template.py | 4 ++ 3 files changed, 35 insertions(+), 39 deletions(-) diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja index 5e120deee58..a067742b1f4 100644 --- a/shared/macros-ansible.jinja +++ b/shared/macros-ansible.jinja @@ -404,6 +404,11 @@ The macro requires following parameters: {{% if auid_filters != "" %}} {{% set auid_filters = " " ~ auid_filters %}} {{% endif %}} +{{% if syscalls == [] %}} + {{% set syscall_flag = "" %}} +{{% else %}} + {{% set syscall_flag = " -S " %}} +{{% endif %}} - name: Declare list of syscalls set_fact: syscalls: {{{ syscalls }}} 
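Review bot: `{{% if syscalls == [] %}}` only recognises an empty list, so a caller that passes `None` or an empty string (a template that has not been preprocessed for Ansible) would still get ` -S ` followed by nothing; `{{% if not syscalls %}}` covers those cases as well. The same five-line block is repeated in the second macro at `@@ -483,6 +488,11 @@`, and the `syscall_flag` could instead be derived once in a small shared macro. Since an empty `syscalls` is now a supported input, the parameter list under "The macro requires following parameters:" (above the hunk) should say so, e.g. `syscalls may be an empty list for watch rules that carry no -S filter`. The macro's body continues outside the hunk.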
@@ -455,7 +460,7 @@ The macro requires following parameters: - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: "{{{ action_arch_filters }}} -S {{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}" + line: "{{{ action_arch_filters }}}{{{ syscall_flag }}}{{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}" create: true state: present when: syscalls_found | length == 0 @@ -483,6 +488,11 @@ The macro requires following parameters: {{% if auid_filters!= "" %}} {{% set auid_filters = " " ~ auid_filters %}} {{% endif %}} +{{% if syscalls == [] %}} + {{% set syscall_flag = "" %}} +{{% else %}} + {{% set syscall_flag = " -S " %}} +{{% endif %}} - name: Declare list of syscalls set_fact: syscalls: {{{ syscalls }}} @@ -518,7 +528,7 @@ The macro requires following parameters: - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: "{{{ action_arch_filters }}} -S {{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}" + line: "{{{ action_arch_filters }}}{{{ syscall_flag }}}{{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}" create: true state: present when: syscalls_found | length == 0 diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template index 06154e10ceb..b1788b59b8a 100644 --- a/shared/templates/audit_rules_privileged_commands/ansible.template +++ b/shared/templates/audit_rules_privileged_commands/ansible.template @@ -1,5 +1,5 @@ {{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} - {{%- set perm_x="-F perm=x " %}} + {{%- set perm_x=" -F perm=x" %}} {{%- endif %}} # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false 
@@ -7,39 +7,21 @@ # complexity = low # disruption = low -# Inserts/replaces the rule in /etc/audit/rules.d - -- name: Search /etc/audit/rules.d for audit rule entries - find: - paths: "/etc/audit/rules.d" - recurse: no - contains: "^.*path={{{ PATH }}}.*$" - patterns: "*.rules" - register: find_{{{ NAME }}} - -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched == 0 - -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}" - when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched > 0 - - -- name: Inserts/replaces the {{{ NAME }}} rule in rules.d - lineinfile: - path: "{{ all_files[0] }}" - line: '-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged' - create: yes - -# Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules - -- name: Inserts/replaces the {{{ NAME }}} rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged' - create: yes +- name: Perform remediattion of Audit rules for {{{ PATH }}} + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit", + other_filters="-F path="~PATH~perm_x, + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=SYSCALL, + key="privileged", + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule( + action_arch_filters="-a always,exit", + other_filters="-F path="~PATH~perm_x, + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=SYSCALL, + key="privileged", + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} 
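Review bot: The task name `Perform remediattion of Audit rules for {{{ PATH }}}` misspells "remediation", and the same string is repeated in the new blocks of audit_rules_file_deletion_events/ansible.template, the three audit_rules_kernel_module_loading_*/ansible/shared.yml files and directory_access_var_log_audit/ansible/shared.yml in the following patches; since the name is shown in playbook output it is worth fixing in all of them. `other_filters="-F path="~PATH~perm_x` concatenates `perm_x`, which the `{{%- if product in [...] %}}` at the top of this file only sets for the listed products; with default Jinja undefined handling this renders as an empty string, but an explicit `{{%- else %}}{{%- set perm_x="" %}}` would not depend on that. The removed tasks located the recipient file by `contains: "^.*path={{{ PATH }}}.*$"`, whereas the macros are now called with `syscalls=SYSCALL`, which patch 18's template.py sets to `[]`. It is worth confirming that the macro's existing-rule search still keys on the path filter rather than on `key=privileged` alone, otherwise a second privileged command could be treated as already present.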
diff --git a/shared/templates/audit_rules_privileged_commands/template.py b/shared/templates/audit_rules_privileged_commands/template.py index 43302a6690a..0cf6cba79cc 100644 --- a/shared/templates/audit_rules_privileged_commands/template.py +++ b/shared/templates/audit_rules_privileged_commands/template.py @@ -19,4 +19,8 @@ def preprocess(data, lang): if "syscall_grouping" in data: # Make it easier to tranform the syscall_grouping into a Bash array data["syscall_grouping"] = " ".join(data["syscall_grouping"]) + elif lang == "ansible": + # This template does not use the 'syscall' parameters + data["syscall"] = [] + data["syscall_grouping"] = [] return data From 93e082296abbaa4f62e1352e4240c72ade510740 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 17 Aug 2021 18:15:50 +0200 Subject: [PATCH 19/31] Move template audit_rules_file_deletion_events to Ansible macro Use Ansible macro ansible_audit_augenrules_add_syscall_rule and ansible_audit_auditctl_add_syscall_rule that group the syscalls according to defined grouping. --- .../ansible.template | 88 ++++++++----------- .../template.py | 8 ++ 2 files changed, 45 insertions(+), 51 deletions(-) diff --git a/shared/templates/audit_rules_file_deletion_events/ansible.template b/shared/templates/audit_rules_file_deletion_events/ansible.template index 12d6088ecea..ec732133838 100644 --- a/shared/templates/audit_rules_file_deletion_events/ansible.template +++ b/shared/templates/audit_rules_file_deletion_events/ansible.template 
@@ -11,55 +11,41 @@ set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -# -# Inserts/replaces the rule in /etc/audit/rules.d -# -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: "/etc/audit/rules.d" - recurse: no - contains: "-F key=delete$" - patterns: "*.rules" - register: find_{{{ NAME }}} - -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/delete.rules - when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched == 0 - -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}" - when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched > 0 - -- name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86 - lineinfile: - path: "{{ all_files[0] }}" - line: "-a always,exit -F arch=b32 -S {{{ NAME }}} -F auid>={{{ auid }}} -F auid!=unset -F key=delete" - create: yes - -- name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86_64 - lineinfile: - path: "{{ all_files[0] }}" - line: "-a always,exit -F arch=b64 -S {{{ NAME }}} -F auid>={{{ auid }}} -F auid!=unset -F key=delete" - create: yes - when: audit_arch is defined and audit_arch == 'b64' -# -# Inserts/replaces the rule in /etc/audit/audit.rules -# -- name: Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: "-a always,exit -F arch=b32 -S {{{ NAME }}} -F auid>={{{ auid }}} -F auid!=unset -F key=delete" - state: present - dest: /etc/audit/audit.rules - create: yes +- name: Perform remediattion of Audit rules for {{{ NAME }}} for x86 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", + other_filters="", + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=NAME, + key="delete", + 
syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", + other_filters="", + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=NAME, + key="delete", + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} -- name: Inserts/replaces the {{{ NAME }}} rule in audit.rules when on x86_64 - lineinfile: - line: "-a always,exit -F arch=b64 -S {{{ NAME }}} -F auid>={{{ auid }}} -F auid!=unset -F key=delete" - state: present - dest: /etc/audit/audit.rules - create: yes - when: audit_arch is defined and audit_arch == 'b64' +- name: Perform remediattion of Audit rules for {{{ NAME }}} for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", + other_filters="", + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=NAME, + key="delete", + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", + other_filters="", + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=NAME, + key="delete", + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} + when: audit_arch == "b64" diff --git a/shared/templates/audit_rules_file_deletion_events/template.py b/shared/templates/audit_rules_file_deletion_events/template.py index 7be137c1eb9..1141a99826b 100644 --- a/shared/templates/audit_rules_file_deletion_events/template.py +++ b/shared/templates/audit_rules_file_deletion_events/template.py 
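Review bot: The x86 and x86_64 blocks differ only in `arch=b32`/`arch=b64` and the trailing `when:`, so four macro calls are spelled out where the sibling template whose hunk ends just before patch 17 (apparently audit_rules_unsuccessful_file_modification/ansible.template) loops over the architectures with a `{{% for %}}`; using the same loop here keeps the two templates consistent and halves the text to maintain. The new `when: audit_arch == "b64"` drops the `audit_arch is defined` guard the removed tasks had; that looks safe because the `set_fact` for `audit_arch` is in the context at the top of the hunk, but it deserves a glance if that task can ever be skipped. The file's header lines are outside the hunk.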
@@ -6,6 +6,14 @@ def _audit_rules_file_deletion_events(data, lang): if "syscall_grouping" in data: # Make it easier to tranform the syscall_grouping into a Bash array data["syscall_grouping"] = " ".join(data["syscall_grouping"]) + elif lang == "ansible": + if "name" in data: + # Tranform the syscall into a Ansible list + # The syscall is under 'name' + data["name"] = [ data["name"] ] + if "syscall_grouping" not in data: + # Ensure that syscall_grouping is a list + data["syscall_grouping"] = [] return data From 5db4692a9efd86713e79c6fb72f87bf4898338e9 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 17 Aug 2021 19:16:54 +0200 Subject: [PATCH 20/31] Update Ansible audit_rules_kernel_module_loading_* to use macros Update remediation of following rules to use Ansible macro syscall rule - audit_rules_kernel_module_loading_delete - audit_rules_kernel_module_loading_finit - audit_rules_kernel_module_loading_init --- .../ansible/shared.yml | 89 ++++++++----------- .../ansible/shared.yml | 89 ++++++++----------- .../ansible/shared.yml | 88 ++++++++---------- 3 files changed, 114 insertions(+), 152 deletions(-) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml index 60f477ac355..863ba6f0134 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml 
@@ -10,54 +10,41 @@ set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -# Inserts/replaces the rule in /etc/audit/rules.d - -- name: Search /etc/audit/rules.d for audit rule entries - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*delete_module.*$ - patterns: '*.rules' - register: find_delete_module - -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: find_delete_module.matched is defined and find_delete_module.matched == 0 - -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_delete_module.files | map(attribute=''path'') | list | first }}' - when: find_delete_module.matched is defined and find_delete_module.matched > 0 - -- name: Inserts/replaces the delete_module rule in rules.d - lineinfile: - path: '{{ all_files[0] }}' - line: '-a always,exit -F arch=b32 -S delete_module -k module-change' - state: present - create: true - -- name: Inserts/replaces the delete_module rule in rules.d on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: '-a always,exit -F arch=b64 -S delete_module -k module-change' - state: present - create: true - when: audit_arch is defined and audit_arch == 'b64' - -# Inserts/replaces the delete_modules rule in /etc/audit/audit.rules - -- name: Inserts/replaces the delete_module rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '-a always,exit -F arch=b32 -S delete_module -k module-change' - create: true - -- name: Inserts/replaces the delete_module rule in audit.rules when on x86_64 - lineinfile: - path: /etc/audit/audit.rules - line: '-a always,exit -F arch=b64 -S delete_module -k module-change' - create: true - when: audit_arch is defined and audit_arch == 'b64' +- name: Perform remediattion of Audit rules for delete_module for x86 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + 
action_arch_filters="-a always,exit -F arch=b32", + other_filters="", + auid_filters="", + syscalls=["delete_module"], + key="module-change", + syscall_grouping=[], + )|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", + other_filters="", + auid_filters="", + syscalls=["delete_module"], + key="module-change", + syscall_grouping=[], + )|indent(4) }}} + +- name: Perform remediattion of Audit rules for delete_module for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", + other_filters="", + auid_filters="", + syscalls=["delete_module"], + key="module-change", + syscall_grouping=[], + )|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", + other_filters="", + auid_filters="", + syscalls=["delete_module"], + key="module-change", + syscall_grouping=[], + )|indent(4) }}} + when: audit_arch == "b64" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml index 3f3c3e3d947..268f0a57f11 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml 
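Review bot: `syscall_grouping=[]` for delete_module means it will never be merged with init_module/finit_module, while the finit and init hunks in this patch pass `syscall_grouping=["init_module","finit_module"]`; all three share `key="module-change"`, so if delete_module may legitimately sit on the same rule line, listing all three in every call lets them collapse into one rule, and if it may not, a comment saying why would help the next reader. The three shared.yml files in this patch are identical except for the syscall name and grouping, which suggests turning them into a template with `syscall` and `syscall_grouping` parameters, as the other audit rule families in this series already do. The file's header lines are outside the hunk.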
@@ -10,54 +10,41 @@ set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -# Inserts/replaces the rule in /etc/audit/rules.d - -- name: Search /etc/audit/rules.d for audit rule entries - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*finit_module.*$ - patterns: '*.rules' - register: find_finit_module - -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: find_finit_module.matched is defined and find_finit_module.matched == 0 - -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_finit_module.files | map(attribute=''path'') | list | first }}' - when: find_finit_module.matched is defined and find_finit_module.matched > 0 - -- name: Inserts/replaces the finit_module rule in rules.d - lineinfile: - path: '{{ all_files[0] }}' - line: '-a always,exit -F arch=b32 -S finit_module -k module-change' - state: present - create: true - -- name: Inserts/replaces the finit_module rule in rules.d on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: '-a always,exit -F arch=b64 -S finit_module -k module-change' - state: present - create: true - when: audit_arch is defined and audit_arch == 'b64' - -# Inserts/replaces the finit_modules rule in /etc/audit/audit.rules - -- name: Inserts/replaces the finit_module rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '-a always,exit -F arch=b32 -S finit_module -k module-change' - create: true - -- name: Inserts/replaces the finit_module rule in audit.rules when on x86_64 - lineinfile: - path: /etc/audit/audit.rules - line: '-a always,exit -F arch=b64 -S finit_module -k module-change' - create: true - when: audit_arch is defined and audit_arch == 'b64' +- name: Perform remediattion of Audit rules for finit_module for x86 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a 
always,exit -F arch=b32", + other_filters="", + auid_filters="", + syscalls=["finit_module"], + key="module-change", + syscall_grouping=["init_module","finit_module"], + )|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", + other_filters="", + auid_filters="", + syscalls=["finit_module"], + key="module-change", + syscall_grouping=["init_module","finit_module"], + )|indent(4) }}} + +- name: Perform remediattion of Audit rules for finit_module for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", + other_filters="", + auid_filters="", + syscalls=["finit_module"], + key="module-change", + syscall_grouping=["init_module","finit_module"], + )|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", + other_filters="", + auid_filters="", + syscalls=["finit_module"], + key="module-change", + syscall_grouping=["init_module","finit_module"], + )|indent(4) }}} + when: audit_arch == "b64" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml index 3f58125065b..2155a1835c6 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml 
@@ -10,53 +10,41 @@ set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -# Inserts/replaces the rule in /etc/audit/rules.d - -- name: Search /etc/audit/rules.d for audit rule entries - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*init_module.*$ - patterns: '*.rules' - register: find_init_module - -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: find_init_module.matched is defined and find_init_module.matched == 0 - -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_init_module.files | map(attribute=''path'') | list | first }}' - when: find_init_module.matched is defined and find_init_module.matched > 0 - -- name: Inserts/replaces the init_module rule in rules.d - lineinfile: - path: '{{ all_files[0] }}' - line: '-a always,exit -F arch=b32 -S init_module -k module-change' - state: present - create: true - -- name: Inserts/replaces the init_module rule in rules.d on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: '-a always,exit -F arch=b64 -S init_module -k module-change' - state: present - create: true - when: audit_arch is defined and audit_arch == 'b64' - -# Inserts/replaces the init_modules rule in /etc/audit/audit.rules - -- name: Inserts/replaces the init_module rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '-a always,exit -F arch=b32 -S init_module -k module-change' - create: true -- name: Inserts/replaces the init_module rule in audit.rules when on x86_64 - lineinfile: - path: /etc/audit/audit.rules - line: '-a always,exit -F arch=b64 -S init_module -k module-change' - create: true - when: audit_arch is defined and audit_arch == 'b64' +- name: Perform remediattion of Audit rules for init_module for x86 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", + 
other_filters="", + auid_filters="", + syscalls=["init_module"], + key="module-change", + syscall_grouping=["init_module","finit_module"], + )|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", + other_filters="", + auid_filters="", + syscalls=["init_module"], + key="module-change", + syscall_grouping=["init_module","finit_module"], + )|indent(4) }}} + +- name: Perform remediattion of Audit rules for init_module for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", + other_filters="", + auid_filters="", + syscalls=["init_module"], + key="module-change", + syscall_grouping=["init_module","finit_module"], + )|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", + other_filters="", + auid_filters="", + syscalls=["init_module"], + key="module-change", + syscall_grouping=["init_module","finit_module"], + )|indent(4) }}} + when: audit_arch == "b64" From 98843a14147ea7db9d6ef96580ed4b8e9c15f67f Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 17 Aug 2021 19:31:15 +0200 Subject: [PATCH 21/31] Update directory_access_var_log_audit to use Ansible macro Also fix a bug in Bash remediation, there should be no arch. --- .../ansible/shared.yml | 51 +++++++------------ .../bash/shared.sh | 2 +- 2 files changed, 19 insertions(+), 34 deletions(-) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml index 31b65a0833c..bc6e929372f 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml 
@@ -3,36 +3,21 @@ # strategy = restrict # complexity = low # disruption = low -- name: Search /etc/audit/rules.d for audit rule entries - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*dir=/var/log/audit/.*$ - patterns: '*.rules' - register: find_var_log_audit - -- name: Use /etc/audit/rules.d/access-audit-trail.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/access-audit-trail.rules - when: find_var_log_audit.matched == 0 - -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_var_log_audit.files | map(attribute=''path'') | list | first }}' - when: find_var_log_audit.matched > 0 - -- name: Inserts/replaces the /var/log/audit/ rule in rules.d - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset - -F key=access-audit-trail - create: true - -- name: Inserts/replaces the /var/log/audit/ rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset - -F key=access-audit-trail - create: true +- name: Perform remediattion of Audit rules for /var/log/audit + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit", + other_filters="-F dir=/var/log/audit/ -F perm=r", + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=[], + key="access-audit-trail", + syscall_grouping=[], + )|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule( + action_arch_filters="-a always,exit", + other_filters="-F dir=/var/log/audit/ -F perm=r", + auid_filters="-F auid>="~auid~" -F auid!=unset", + syscalls=[], + key="access-audit-trail", + syscall_grouping=[], + )|indent(4) }}} 
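Review bot: Both macro calls pass `syscalls=[]` and `syscall_grouping=[]`, so the macro's existence check, which loops over `(syscall_grouping + syscalls) | unique` in the macros-ansible.jinja hunks of this series, runs zero iterations and cannot locate a pre-existing rule; the only idempotence left is `lineinfile` matching the exact line the macro builds, ending in `-F key=access-audit-trail`. A rule already present in an equivalent spelling — `-k access-audit-trail`, different field order or spacing — would presumably be appended again rather than recognised; the removed code shared that weakness, but its `contains: ^.*dir=/var/log/audit/.*$` at least found the file holding the rule. Consider having the macro fall back to a regexp search on `other_filters` when `syscalls` is empty, and document that watch-style (`-F dir=`/`-F path=`) rules take this path. The macro body itself is outside this hunk, so the behaviour described is inferred from the loop expression shown elsewhere in the series.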
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh index 0c4e8ffdbd3..a8e4a71a9f8 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh @@ -3,7 +3,7 @@ # Include source function library. . /usr/share/scap-security-guide/remediation_functions -ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" +ACTION_ARCH_FILTERS="-a always,exit" OTHER_FILTERS="-F dir=/var/log/audit/ -F perm=r" AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" SYSCALL="" From 78664de349a993b36f02c17e25c5042ed075d9a7 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 17 Aug 2021 19:38:39 +0200 Subject: [PATCH 22/31] Python style fixes --- shared/templates/audit_rules_dac_modification/template.py | 2 +- shared/templates/audit_rules_file_deletion_events/template.py | 3 +-- shared/templates/audit_rules_path_syscall/template.py | 2 +- .../audit_rules_unsuccessful_file_modification/template.py | 3 +-- 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/shared/templates/audit_rules_dac_modification/template.py b/shared/templates/audit_rules_dac_modification/template.py index eebd0b6f4ee..17187826e62 100644 --- a/shared/templates/audit_rules_dac_modification/template.py +++ b/shared/templates/audit_rules_dac_modification/template.py @@ -10,7 +10,7 @@ def preprocess(data, lang): elif lang == "ansible": if "attr" in data: # Tranform the syscall into a Ansible list - data["attr"] = [ data["attr"] ] + data["attr"] = [data["attr"]] if "syscall_grouping" not in data: # Ensure that syscall_grouping is a list data["syscall_grouping"] = [] 
diff --git a/shared/templates/audit_rules_file_deletion_events/template.py b/shared/templates/audit_rules_file_deletion_events/template.py index 1141a99826b..4916d892521 100644 --- a/shared/templates/audit_rules_file_deletion_events/template.py +++ b/shared/templates/audit_rules_file_deletion_events/template.py @@ -10,7 +10,7 @@ def _audit_rules_file_deletion_events(data, lang): if "name" in data: # Tranform the syscall into a Ansible list # The syscall is under 'name' - data["name"] = [ data["name"] ] + data["name"] = [data["name"]] if "syscall_grouping" not in data: # Ensure that syscall_grouping is a list data["syscall_grouping"] = [] @@ -19,4 +19,3 @@ def _audit_rules_file_deletion_events(data, lang): def preprocess(data, lang): return _audit_rules_file_deletion_events(data, lang) - diff --git a/shared/templates/audit_rules_path_syscall/template.py b/shared/templates/audit_rules_path_syscall/template.py index c13f34b94e0..0f2966335b0 100644 --- a/shared/templates/audit_rules_path_syscall/template.py +++ b/shared/templates/audit_rules_path_syscall/template.py @@ -14,7 +14,7 @@ def preprocess(data, lang): elif lang == "ansible": if "syscall" in data: # Tranform the syscall into a Ansible list - data["syscall"] = [ data["syscall"] ] + data["syscall"] = [data["syscall"]] if "syscall_grouping" not in data: # Ensure that syscall_grouping is a list data["syscall_grouping"] = [] diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/template.py b/shared/templates/audit_rules_unsuccessful_file_modification/template.py index 62abfad9a2c..dd9714457a2 100644 --- a/shared/templates/audit_rules_unsuccessful_file_modification/template.py +++ b/shared/templates/audit_rules_unsuccessful_file_modification/template.py 
@@ -10,7 +10,7 @@ def _audit_rules_unsuccessful_file_modification(data, lang): if "name" in data: # Tranform the syscall into a Ansible list # The syscall is under 'name' - data["name"] = [ data["name"] ] + data["name"] = [data["name"]] if "syscall_grouping" not in data: # Ensure that syscall_grouping is a list data["syscall_grouping"] = [] @@ -19,4 +19,3 @@ def _audit_rules_unsuccessful_file_modification(data, lang): def preprocess(data, lang): return _audit_rules_unsuccessful_file_modification(data, lang) - From 16df69710c8872bd6d348a60a0542fb2cafb0dc3 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 18 Aug 2021 10:22:32 +0200 Subject: [PATCH 23/31] Fix typo in Ansible remediarion for unsuccessful_file_modification --- .../audit_rules_unsuccessful_file_modification/bash/shared.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh index bf931e46430..5cb4dbe6f4a 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh @@ -12,7 +12,7 @@ do # First fix the -EACCES requirement ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="-F exit=EACCES" + OTHER_FILTERS="-F exit=-EACCES" AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" SYSCALL="creat open openat open_by_handle_at truncate ftruncate" KEY="access" 
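Review bot: A one-line comment is missing above the corrected `OTHER_FILTERS="-F exit=-EACCES"`, because the reason for the sign is not obvious from the line: the kernel stores a failed syscall's return value as a negative errno, so, if I read libaudit's errno handling correctly, `exit=EACCES` is accepted by auditctl but compares against +13 and never matches, meaning the old rule most likely never fired. Suggest `# exit must be the negative errno as the kernel records it; 'EACCES' without the sign loads fine but never matches`. Please also confirm that the Ansible template for this rule emits the identical `-F exit=-EACCES` text, otherwise each remediation's existence check will miss the other's rule and append a duplicate. The commit subject says "Ansible remediation" but the file changed here is `bash/shared.sh`.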
@@ -24,7 +24,7 @@ do # Then fix the -EPERM requirement # No need to change content of $GROUP variable - it's the same as for -EACCES case above ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="-F exit=EPERM" + OTHER_FILTERS="-F exit=-EPERM" AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" SYSCALL="creat open openat open_by_handle_at truncate ftruncate" KEY="access" From d761a6498f8e3e64810e7b06cbf04837d0ae8975 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 18 Aug 2021 10:23:50 +0200 Subject: [PATCH 24/31] Check all relevant syscalls in Ansible macro The Ansible macros for audit syscall rules should check the target syscall and the groupable syscalls during 'find' task. When 'syscall_grouping' was empty, the remediation would simply execute the 'Add a new rule' task. If the key was different, a new duplicate rule would be added. Also removes extra syscalls declaration task. --- shared/macros-ansible.jinja | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja index a067742b1f4..1af5ed3dd95 100644 --- a/shared/macros-ansible.jinja +++ b/shared/macros-ansible.jinja @@ -420,7 +420,7 @@ The macro requires following parameters: contains: '{{{ action_arch_filters }}}(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*{{{ other_filters }}}{{{ auid_filters }}} (-k\s+|-F\s+key=)\S+\s*$' patterns: '*.rules' register: find_command - loop: '{{ syscall_grouping }}' + loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Declare syscalls found per file set_fact: syscalls_per_file="{{ syscalls_per_file | default({}) | combine( {item.files[0].path :[item.item]+(syscalls_per_file | default({})).get(item.files[0].path, []) } ) }}" 
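Review bot: The `contains:` regex interpolates `action_arch_filters`, `other_filters`, `auid_filters` and now every `{{ item }}` of the merged `syscall_grouping + syscalls` list verbatim, with no escaping; syscall names are word characters, but a filter value containing `.`, `(`, `+` or `[` would either over-match or make the `find` task error out, so the existence check can report a rule as present when only a near-match exists. Escaping the runtime part is cheap, `(( -S |,){{ item | regex_escape }})+`, while the build-time `{{{ ... }}}` values would need escaping in the template preprocessors or whatever equivalent filter the build-time Jinja offers — I cannot tell from here which is available. The loop change itself is right and closes the duplicate-rule case the commit message describes.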
@@ -504,7 +504,7 @@ The macro requires following parameters: contains: '{{{ action_arch_filters }}}(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*{{{ other_filters }}}{{{ auid_filters }}} (-k\s+|-F\s+key=)\S+\s*$' patterns: 'audit.rules' register: find_command - loop: '{{ syscall_grouping }}' + loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/rules.d/{{{ key }}}.rules set_fact: audit_file="/etc/audit/audit.rules" @@ -532,10 +532,6 @@ The macro requires following parameters: create: true state: present when: syscalls_found | length == 0 -- name: Declare list of syscals - set_fact: - syscalls: {{{ syscalls }}} - {{%- endmacro %}} {{% macro ansible_sssd_ldap_config(parameter, value) -%}} From 2a2697e49809f14c0f1af81940c6198691e9af94 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 18 Aug 2021 10:35:10 +0200 Subject: [PATCH 25/31] Improve task titles of audit macros and templates --- shared/macros-ansible.jinja | 6 +++--- .../templates/audit_rules_dac_modification/ansible.template | 6 +++--- .../audit_rules_file_deletion_events/ansible.template | 6 +++--- shared/templates/audit_rules_path_syscall/ansible.template | 6 +++--- .../ansible.template | 6 +++--- 5 files changed, 15 insertions(+), 15 deletions(-) diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja index 1af5ed3dd95..b5574da29ac 100644 --- a/shared/macros-ansible.jinja +++ b/shared/macros-ansible.jinja @@ -414,7 +414,7 @@ The macro requires following parameters: syscalls: {{{ syscalls }}} syscall_grouping: {{{ syscall_grouping }}} -- name: Check existence of syscalls for in /etc/audit/rules.d/ +- name: Check existence of {{{ syscalls | join(", ") }}} in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: '{{{ action_arch_filters }}}(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*{{{ other_filters }}}{{{ auid_filters }}} (-k\s+|-F\s+key=)\S+\s*$' 
@@ -498,7 +498,7 @@ The macro requires following parameters: syscalls: {{{ syscalls }}} syscall_grouping: {{{ syscall_grouping }}} -- name: Check existence of syscalls for in /etc/audit/rules.d/ +- name: Check existence of {{{ syscalls | join(", ") }}} in /etc/audit/audit.rules find: paths: /etc/audit contains: '{{{ action_arch_filters }}}(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*{{{ other_filters }}}{{{ auid_filters }}} (-k\s+|-F\s+key=)\S+\s*$' @@ -506,7 +506,7 @@ The macro requires following parameters: register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' -- name: Set path to /etc/audit/rules.d/{{{ key }}}.rules +- name: Set path to /etc/audit/audit.rules set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template index d2ce6c50052..ea6fd94ff4b 100644 --- a/shared/templates/audit_rules_dac_modification/ansible.template +++ b/shared/templates/audit_rules_dac_modification/ansible.template @@ -7,11 +7,11 @@ # # What architecture are we on? # -- name: Set architecture for audit {{{ ATTR }}} tasks +- name: Set architecture for audit {{{ ATTR | join(", ") }}} tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -- name: Perform remediattion of Audit rules for {{{ ATTR }}} for x86 platform +- name: Perform remediattion of Audit rules for {{{ ATTR | join(", ") }}} for x86 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b32", @@ -48,7 +48,7 @@ )|indent(4) }}} {{%- endif %}} -- name: Perform remediattion of Audit rules for {{{ ATTR }}} for x86_64 platform +- name: Perform remediattion of Audit rules for {{{ ATTR | join(", ") }}} for x86_64 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b64", 
diff --git a/shared/templates/audit_rules_file_deletion_events/ansible.template b/shared/templates/audit_rules_file_deletion_events/ansible.template index ec732133838..0044dc459dc 100644 --- a/shared/templates/audit_rules_file_deletion_events/ansible.template +++ b/shared/templates/audit_rules_file_deletion_events/ansible.template @@ -7,11 +7,11 @@ # # What architecture are we on? # -- name: Set architecture for audit {{{ NAME }}} tasks +- name: Set architecture for audit {{{ NAME| join(", ") }}} tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -- name: Perform remediattion of Audit rules for {{{ NAME }}} for x86 platform +- name: Perform remediattion of Audit rules for {{{ NAME| join(", ") }}} for x86 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b32", @@ -30,7 +30,7 @@ syscall_grouping=SYSCALL_GROUPING, )|indent(4) }}} -- name: Perform remediattion of Audit rules for {{{ NAME }}} for x86_64 platform +- name: Perform remediattion of Audit rules for {{{ NAME| join(", ") }}} for x86_64 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b64", diff --git a/shared/templates/audit_rules_path_syscall/ansible.template b/shared/templates/audit_rules_path_syscall/ansible.template index 20440a36237..2875aff3573 100644 --- a/shared/templates/audit_rules_path_syscall/ansible.template +++ b/shared/templates/audit_rules_path_syscall/ansible.template 
@@ -7,11 +7,11 @@ # # What architecture are we on? # -- name: Set architecture for audit {{{ SYSCALL }}} tasks +- name: Set architecture for audit {{{ SYSCALL | join(", ") }}} tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -- name: Perform remediattion of Audit rules for {{{ SYSCALL }}} for x86 platform +- name: Perform remediattion of Audit rules for {{{ SYSCALL | join(", ") }}} for x86 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b32", @@ -30,7 +30,7 @@ syscall_grouping=SYSCALL_GROUPING, )|indent(4) }}} -- name: Perform remediattion of Audit rules for {{{ SYSCALL }}} for x86_64 platform +- name: Perform remediattion of Audit rules for {{{ SYSCALL | join(", ") }}} for x86_64 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b64", diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template index cb5decc6a6e..a8fdc3978b1 100644 --- a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template +++ b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template @@ -7,12 +7,12 @@ # # What architecture are we on? # -- name: Set architecture for audit {{{ NAME }}} tasks +- name: Set architecture for audit {{{ NAME | join(", ") }}} tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" {{% for EXIT_CODE in ["EACCES","EPERM"] %}} -- name: Perform remediation of Audit rules for {{{ NAME }}} {{{ EXIT_CODE}}} for x86 platform +- name: Perform remediation of Audit rules for {{{ NAME | join(", ") }}} {{{ EXIT_CODE}}} for x86 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b32", 
@@ -31,7 +31,7 @@ syscall_grouping=SYSCALL_GROUPING, )|indent(4) }}} -- name: Perform remediattion of Audit rules for {{{ NAME }}} {{{ EXIT_CODE }}} for x86_64 platform +- name: Perform remediattion of Audit rules for {{{ NAME | join(", ") }}} {{{ EXIT_CODE }}} for x86_64 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b64", From 6dd2a0388e025bbbb00bea15c999cc09e140afce Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 18 Aug 2021 13:49:07 +0200 Subject: [PATCH 26/31] Fix typo in audit task block title --- .../ansible/shared.yml | 4 ++-- .../ansible/shared.yml | 4 ++-- .../audit_rules_kernel_module_loading_init/ansible/shared.yml | 4 ++-- .../directory_access_var_log_audit/ansible/shared.yml | 2 +- .../templates/audit_rules_dac_modification/ansible.template | 4 ++-- .../audit_rules_file_deletion_events/ansible.template | 4 ++-- shared/templates/audit_rules_path_syscall/ansible.template | 4 ++-- .../audit_rules_privileged_commands/ansible.template | 2 +- .../ansible.template | 2 +- 9 files changed, 15 insertions(+), 15 deletions(-) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml index 863ba6f0134..f5469c0ebf9 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml 
@@ -10,7 +10,7 @@ set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -- name: Perform remediattion of Audit rules for delete_module for x86 platform +- name: Perform remediation of Audit rules for delete_module for x86 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b32", @@ -29,7 +29,7 @@ syscall_grouping=[], )|indent(4) }}} -- name: Perform remediattion of Audit rules for delete_module for x86_64 platform +- name: Perform remediation of Audit rules for delete_module for x86_64 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b64", diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml index 268f0a57f11..2e0780af564 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml @@ -10,7 +10,7 @@ set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -- name: Perform remediattion of Audit rules for finit_module for x86 platform +- name: Perform remediation of Audit rules for finit_module for x86 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b32", 
@@ -29,7 +29,7 @@ syscall_grouping=["init_module","finit_module"], )|indent(4) }}} -- name: Perform remediattion of Audit rules for finit_module for x86_64 platform +- name: Perform remediation of Audit rules for finit_module for x86_64 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b64", diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml index 2155a1835c6..6f6bd1826bc 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml @@ -10,7 +10,7 @@ set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -- name: Perform remediattion of Audit rules for init_module for x86 platform +- name: Perform remediation of Audit rules for init_module for x86 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b32", @@ -29,7 +29,7 @@ syscall_grouping=["init_module","finit_module"], )|indent(4) }}} -- name: Perform remediattion of Audit rules for init_module for x86_64 platform +- name: Perform remediation of Audit rules for init_module for x86_64 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b64", diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml index bc6e929372f..ec17adf5525 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml @@ -3,7 +3,7 @@ # strategy = restrict # complexity = low # disruption = low -- name: Perform remediattion of Audit rules for /var/log/audit +- name: Perform remediation of Audit rules for /var/log/audit block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit", diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template index ea6fd94ff4b..2c006b451c4 100644 --- a/shared/templates/audit_rules_dac_modification/ansible.template +++ b/shared/templates/audit_rules_dac_modification/ansible.template @@ -11,7 +11,7 @@ set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -- name: Perform remediattion of Audit rules for {{{ ATTR | join(", ") }}} for x86 platform +- name: Perform remediation of Audit rules for {{{ ATTR | join(", ") }}} for x86 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b32", @@ -48,7 +48,7 @@ )|indent(4) }}} {{%- endif %}} -- name: Perform remediattion of Audit rules for {{{ ATTR | join(", ") }}} for x86_64 platform +- name: Perform remediation of Audit rules for {{{ ATTR | join(", ") }}} for x86_64 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b64", diff --git a/shared/templates/audit_rules_file_deletion_events/ansible.template b/shared/templates/audit_rules_file_deletion_events/ansible.template index 0044dc459dc..3bb07579463 100644 --- a/shared/templates/audit_rules_file_deletion_events/ansible.template +++ b/shared/templates/audit_rules_file_deletion_events/ansible.template 
@@ -11,7 +11,7 @@ set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -- name: Perform remediattion of Audit rules for {{{ NAME| join(", ") }}} for x86 platform +- name: Perform remediation of Audit rules for {{{ NAME| join(", ") }}} for x86 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b32", @@ -30,7 +30,7 @@ syscall_grouping=SYSCALL_GROUPING, )|indent(4) }}} -- name: Perform remediattion of Audit rules for {{{ NAME| join(", ") }}} for x86_64 platform +- name: Perform remediation of Audit rules for {{{ NAME| join(", ") }}} for x86_64 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b64", diff --git a/shared/templates/audit_rules_path_syscall/ansible.template b/shared/templates/audit_rules_path_syscall/ansible.template index 2875aff3573..fcd2bda3bab 100644 --- a/shared/templates/audit_rules_path_syscall/ansible.template +++ b/shared/templates/audit_rules_path_syscall/ansible.template @@ -11,7 +11,7 @@ set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -- name: Perform remediattion of Audit rules for {{{ SYSCALL | join(", ") }}} for x86 platform +- name: Perform remediation of Audit rules for {{{ SYSCALL | join(", ") }}} for x86 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b32", @@ -30,7 +30,7 @@ syscall_grouping=SYSCALL_GROUPING, )|indent(4) }}} -- name: Perform remediattion of Audit rules for {{{ SYSCALL | join(", ") }}} for x86_64 platform +- name: Perform remediation of Audit rules for {{{ SYSCALL | join(", ") }}} for x86_64 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b64", 
diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template index b1788b59b8a..e9ef084984a 100644 --- a/shared/templates/audit_rules_privileged_commands/ansible.template +++ b/shared/templates/audit_rules_privileged_commands/ansible.template @@ -7,7 +7,7 @@ # complexity = low # disruption = low -- name: Perform remediattion of Audit rules for {{{ PATH }}} +- name: Perform remediation of Audit rules for {{{ PATH }}} block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit", diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template index a8fdc3978b1..6cf90e11863 100644 --- a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template +++ b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template @@ -31,7 +31,7 @@ syscall_grouping=SYSCALL_GROUPING, )|indent(4) }}} -- name: Perform remediattion of Audit rules for {{{ NAME | join(", ") }}} {{{ EXIT_CODE }}} for x86_64 platform +- name: Perform remediation of Audit rules for {{{ NAME | join(", ") }}} {{{ EXIT_CODE }}} for x86_64 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b64", From fe88dfbf2b4c7acd0a196512d2868f19b9b89f33 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 18 Aug 2021 17:21:32 +0200 Subject: [PATCH 27/31] Reset the tracking of syscalls found per file When running a playbook profile, they were accumulating over the entire run. --- shared/macros-ansible.jinja | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja index b5574da29ac..b26966238a2 100644 --- a/shared/macros-ansible.jinja +++ b/shared/macros-ansible.jinja 
@@ -422,15 +422,20 @@ The macro requires following parameters: register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' +- name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | default({}) | combine( {item.files[0].path :[item.item]+(syscalls_per_file | default({})).get(item.files[0].path, []) } ) }}" + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: "{{ find_command.results | selectattr('matched') | list}}" - name: Declare files where syscalls where found set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | default({}) | combine({ item:1+(found_paths_dict | default({})).get(item, 0) }) }}" + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Get path with most syscalls From 34a66912886e979fac132346074e556c36336b0c Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 19 Aug 2021 12:32:25 +0200 Subject: [PATCH 28/31] Create audit rules without permissions for others --- shared/bash_remediation_functions/fix_audit_syscall_rule.sh | 1 + shared/macros-ansible.jinja | 2 ++ 2 files changed, 3 insertions(+) diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh index 5cc130a0236..d95aedba395 100644 --- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh +++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh 
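Review bot: `Declare syscalls found per file` still records only `item.files[0].path`, whereas `Count occurrences of syscalls in paths` just below flattens every matched file into `found_paths_dict`; when the same syscall rule exists in two rules.d files the two structures disagree about where the rule lives, and the merge step that follows (outside this hunk) may presumably leave a duplicate behind. The reset itself is correct and needed, since `set_fact` values persist for the host across plays. To keep the bookkeeping consistent, either iterate the matches with `loop: "{{ find_command.results | selectattr('matched') | subelements('files') }}"` and key on `item.1.path` / `item.0.item`, or at minimum `fail:` when `item.files | length > 1` so a duplicated rule is surfaced instead of silently tolerated.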
@@ -204,6 +204,7 @@ then local auid_string=$([[ $auid_filters ]] && echo " $auid_filters") local full_rule="${action_arch_filters}${syscall_string}${other_string}${auid_string} -F key=${key}" echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} else # Check if the syscalls are declared as a comma separated list or # as multiple -S parameters diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja index b26966238a2..6c9c53a07db 100644 --- a/shared/macros-ansible.jinja +++ b/shared/macros-ansible.jinja @@ -467,6 +467,7 @@ The macro requires following parameters: path: '{{ audit_file }}' line: "{{{ action_arch_filters }}}{{{ syscall_flag }}}{{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}" create: true + mode: o-rwx state: present when: syscalls_found | length == 0 {{%- endmacro %}} @@ -535,6 +536,7 @@ The macro requires following parameters: path: '{{ audit_file }}' line: "{{{ action_arch_filters }}}{{{ syscall_flag }}}{{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}" create: true + mode: o-rwx state: present when: syscalls_found | length == 0 {{%- endmacro %}} From 181a0f9aacbcf7340ce0931907bd7ae1db0cf478 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 19 Aug 2021 14:48:08 +0200 Subject: [PATCH 29/31] Remove trailing space from perm field Otherwise the rule will be added with two spaces between other_filters and auid_filters. --- shared/templates/audit_rules_privileged_commands/bash.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template index b5879085a45..5af362df800 100644 --- a/shared/templates/audit_rules_privileged_commands/bash.template +++ b/shared/templates/audit_rules_privileged_commands/bash.template 
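Review bot: `chmod o-rwx ${default_file}` leaves the variable unquoted and runs only after `echo "$full_rule" >> "$default_file"` has already created the file with umask-derived permissions, so a freshly created rules file is world-readable for a moment and a path with whitespace would split; `chmod o-rwx "$default_file"` fixes the quoting, and creating under a restrictive umask, `(umask 027; echo "$full_rule" >> "$default_file")`, closes the window. Only the new-file branch is touched — a pre-existing file appended to in the `else` branch keeps whatever mode it had, which may be intended but deserves a comment saying so. Consider too whether `o-rwx` is strict enough, since group read remains, compared with the 0640 or 0600 the audit package presumably ships for its own rule files. The enclosing function continues outside this hunk.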
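Review bot: `mode: o-rwx` on `lineinfile` is a relative, symbolic change, so the resulting permissions still depend on whatever the file had before — and with `create: true`, on the umask at creation time — while group read is left as is. An absolute mode pins the outcome: `mode: '0640'` together with `owner: root` and `group: root`, which presumably matches what the audit package ships for its rule files; please confirm for the targeted products. The same applies to the identical `mode:` line added to the auditctl variant of the macro further down.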
@@ -1,5 +1,5 @@ {{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} - {{%- set perm_x=" -F perm=x " %}} + {{%- set perm_x=" -F perm=x" %}} {{%- endif %}} # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv From c94454fd4409b69e24012b006266637e17982be8 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 19 Aug 2021 14:54:57 +0200 Subject: [PATCH 30/31] Fix typos in task titles --- shared/macros-ansible.jinja | 2 +- .../audit_rules_file_deletion_events/ansible.template | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja index 6c9c53a07db..ed3881d054c 100644 --- a/shared/macros-ansible.jinja +++ b/shared/macros-ansible.jinja @@ -431,7 +431,7 @@ The macro requires following parameters: set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: "{{ find_command.results | selectattr('matched') | list}}" -- name: Declare files where syscalls where found +- name: Declare files where syscalls were found set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths diff --git a/shared/templates/audit_rules_file_deletion_events/ansible.template b/shared/templates/audit_rules_file_deletion_events/ansible.template index 3bb07579463..f09ce12d87a 100644 --- a/shared/templates/audit_rules_file_deletion_events/ansible.template +++ b/shared/templates/audit_rules_file_deletion_events/ansible.template 
@@ -7,11 +7,11 @@ # # What architecture are we on? # -- name: Set architecture for audit {{{ NAME| join(", ") }}} tasks +- name: Set architecture for audit {{{ NAME | join(", ") }}} tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -- name: Perform remediation of Audit rules for {{{ NAME| join(", ") }}} for x86 platform +- name: Perform remediation of Audit rules for {{{ NAME | join(", ") }}} for x86 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b32", @@ -30,7 +30,7 @@ syscall_grouping=SYSCALL_GROUPING, )|indent(4) }}} -- name: Perform remediation of Audit rules for {{{ NAME| join(", ") }}} for x86_64 platform +- name: Perform remediation of Audit rules for {{{ NAME | join(", ") }}} for x86_64 platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b64", From a5e99060b4856298ffc9f2a75a611a2eefb9b4de Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 19 Aug 2021 15:35:25 +0200 Subject: [PATCH 31/31] Fix Ansible linter issue Variables should have spaces before and after --- shared/macros-ansible.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja index ed3881d054c..b9536439c50 100644 --- a/shared/macros-ansible.jinja +++ b/shared/macros-ansible.jinja @@ -429,7 +429,7 @@ The macro requires following parameters: - name: Declare syscalls found per file set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: "{{ find_command.results | selectattr('matched') | list}}" + loop: "{{ find_command.results | selectattr('matched') | list }}" - name: Declare files where syscalls were found set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"