From 8455c8556a6d828b15ebc62cf511e484dd626a36 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Fri, 16 Jul 2021 13:16:12 -0500
Subject: [PATCH] Add rules for RHEL-08-030610

Added two rules, one for each of the paths mentioned in the STIG.
---
 .../rule.yml | 35 ++++++++++++++++++
 .../tests/correct_permissions.pass.sh | 6 ++++
 .../tests/incorrect_permissions.fail.sh | 6 ++++
 .../rule.yml | 36 +++++++++++++++++++
 .../tests/correct_permissions.pass.sh | 6 ++++
 .../tests/incorrect_permissions.fail.sh | 6 ++++
 products/rhel8/profiles/stig.profile | 2 ++
 shared/references/cce-redhat-avail.txt | 2 --
 .../data/profile_stability/rhel8/stig.profile | 2 ++
 .../profile_stability/rhel8/stig_gui.profile | 2 ++
 10 files changed, 101 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/rule.yml
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/correct_permissions.pass.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/incorrect_permissions.fail.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/rule.yml
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/correct_permissions.pass.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/incorrect_permissions.fail.sh

diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/rule.yml
new file mode 100644
index 0000000000..1cde3ded5f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Verify Permissions on /etc/audit/auditd.conf'
+
+description: |-
+ {{{ describe_file_permissions(file="/etc/audit/auditd.conf", perms="0640") }}}
+
+
+rationale: |-
+ Without the capability to restrict the roles and individuals that can select which events
+ are audited, unauthorized personnel may be able to prevent the auditing of critical
+ events. Misconfigured audits may degrade the system's performance by overwhelming
+ the audit log. Misconfigured audits may also make it more difficult to establish,
+ correlate, and investigate the events relating to an incident or identify
+ those responsible for one.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-85871-2
+
+references:
+ disa: CCI-000171
+ nist: AU-12(b)
+ srg: SRG-OS-000063-GPOS-00032
+ stigid@rhel8: RHEL-08-030610
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /etc/audit/auditd.conf
+ allow_stricter_permissions: "true"
+ filemode: '0640'
diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/correct_permissions.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/correct_permissions.pass.sh
new file mode 100644
index 0000000000..8c9b782920
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/correct_permissions.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+export TESTFILE=/etc/audit/auditd.conf
+mkdir -p /etc/audit/
+touch $TESTFILE
+chmod 0640 $TESTFILE
diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/incorrect_permissions.fail.sh
new file mode 100644
index 0000000000..a460e0dddd
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/incorrect_permissions.fail.sh
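Review bot: The `allow_stricter_permissions: "true"` line in the template vars is the part of this rule that encodes the "0640 or less permissive" ceiling, but nothing in the file says so, and a later maintainer could easily drop it while "tidying" and start flagging hosts where an admin tightened the file to 0600. A one-line comment above it would pin the intent, e.g. `# 0640 is the STIG ceiling; tighter modes (e.g. 0600) must still pass`. The exact STIG wording is not visible in this hunk, so confirm it against RHEL-08-030610 before quoting it in the comment.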
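Review bot: In correct_permissions.pass.sh the `export` on the `TESTFILE=` line is unnecessary, since only this script expands the variable and nothing it spawns reads the environment; and `$TESTFILE` is expanded unquoted on the `touch` and `chmod` lines. The path has no whitespace so it works, but the conventional form is `TESTFILE=/etc/audit/auditd.conf`, `touch "$TESTFILE"`, `chmod 0640 "$TESTFILE"`. Also note `touch` will create an empty `auditd.conf` if auditd is not installed on the test host; that is presumably fine for a permissions-only check, but worth knowing when reading failures.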
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+export TESTFILLE=/etc/audit/auditd.conf
+mkdir -p /etc/audit/
+touch $TESTFILLE
+chmod 0644 $TESTFILLE
diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/rule.yml
new file mode 100644
index 0000000000..34e1f30367
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Verify Permissions on /etc/audit/rules.d/*.rules'
+
+description: |-
+ {{{ describe_file_permissions(file="/etc/audit/rules.d/*.rules", perms="0640") }}}
+
+
+rationale: |-
+ Without the capability to restrict the roles and individuals that can select which events
+ are audited, unauthorized personnel may be able to prevent the auditing of critical
+ events. Misconfigured audits may degrade the system's performance by overwhelming
+ the audit log. Misconfigured audits may also make it more difficult to establish,
+ correlate, and investigate the events relating to an incident or identify
+ those responsible for one.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-85875-3
+
+references:
+ disa: CCI-000171
+ nist: AU-12(b)
+ srg: SRG-OS-000063-GPOS-00032
+ stigid@rhel8: RHEL-08-030610
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /etc/audit/rules.d/
+ file_regex: ^.*rules$
+ allow_stricter_permissions: "true"
+ filemode: '0640'
diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/correct_permissions.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/correct_permissions.pass.sh
new file mode 100644
index 0000000000..b0a20248c3
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/correct_permissions.pass.sh
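Review bot: `TESTFILLE` on the `export` line of incorrect_permissions.fail.sh is a misspelling of `TESTFILE`; the script still works because the same misspelled name is used on the `touch` and `chmod` lines, but it diverges from the sibling pass script and will defeat anyone grepping the test suite for `TESTFILE`. Rename it in all three places, e.g. `TESTFILE=/etc/audit/auditd.conf`, `touch "$TESTFILE"`, `chmod 0644 "$TESTFILE"`. As in the pass script, `export` is not needed and quoting the expansion is the usual shell hygiene even though this path has no whitespace.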
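Review bot: `file_regex: ^.*rules$` in the template vars is looser than the `*.rules` glob that the title and description promise: it also matches a file such as `myrules` or `rules` with no extension, so the check can flag (and the remediation can chmod) files the STIG does not cover. Use `file_regex: ^.*\.rules$` to match only the `.rules` suffix. Whether the `file_permissions` template applies the regex to the basename or the full path is not visible in this hunk, so confirm the escaped form still matches `/etc/audit/rules.d/audit.rules` in the generated OVAL before merging.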
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+export TESTFILE=/etc/audit/rules.d/test_rule.rules
+mkdir -p /etc/audit/rules.d/
+touch $TESTFILE
+chmod 0640 $TESTFILE
diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/incorrect_permissions.fail.sh
new file mode 100644
index 0000000000..c7fd3a95e9
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/incorrect_permissions.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+export TESTFILLE=/etc/audit/rules.d/test_rule.rules
+mkdir -p /etc/audit/rules.d/
+touch $TESTFILLE
+chmod 0644 $TESTFILLE
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 26d0aa9922..5a0a520ee0 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -801,6 +801,8 @@ selections:
 - configure_usbguard_auditbackend
 # RHEL-08-030610
+ - file_permissions_etc_audit_auditd
+ - file_permissions_etc_audit_rulesd
 # RHEL-08-030620
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ae3375fd4d..24e8149168 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -11,11 +11,9 @@ CCE-85867-0
 CCE-85868-8
 CCE-85869-6
 CCE-85870-4
-CCE-85871-2
 CCE-85872-0
 CCE-85873-8
 CCE-85874-6
-CCE-85875-3
 CCE-85876-1
 CCE-85877-9
 CCE-85878-7
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index a1de1f5561..4be3cf93c2 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
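Review bot: The rules.d incorrect_permissions.fail.sh repeats the `TESTFILLE` misspelling on its `export`, `touch` and `chmod` lines; it is internally consistent so the test runs, but it should be `TESTFILE` to match correct_permissions.pass.sh, e.g. `TESTFILE=/etc/audit/rules.d/test_rule.rules`, `touch "$TESTFILE"`, `chmod 0644 "$TESTFILE"`. The fail scenario itself is sound: the rule applies to every matching file under `/etc/audit/rules.d/`, so a single 0644 file is enough to make the check fail. Note that the pass scenario's outcome also depends on whatever `*.rules` files the test host already has in that directory, which this script does not touch; presumably the stock ones are already 0640 or tighter, but that is worth confirming if the pass test is ever flaky.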
@@ -123,6 +123,8 @@ selections:
 - file_ownership_var_log_audit
 - file_permission_user_init_files
 - file_permissions_binary_dirs
+- file_permissions_etc_audit_auditd
+- file_permissions_etc_audit_rulesd
 - file_permissions_home_directories
 - file_permissions_library_dirs
 - file_permissions_sshd_private_key
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index b7d2be3af3..20b8a54861 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -134,6 +134,8 @@ selections:
 - file_ownership_var_log_audit
 - file_permission_user_init_files
 - file_permissions_binary_dirs
+- file_permissions_etc_audit_auditd
+- file_permissions_etc_audit_rulesd
 - file_permissions_home_directories
 - file_permissions_library_dirs
 - file_permissions_sshd_private_key