2094 lines
101 KiB
Diff
2094 lines
101 KiB
Diff
From 1f53aae9b711466ce3d8f5d72d544c16024b6f7f Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Fri, 8 Jul 2022 13:21:36 +0200
|
|
Subject: [PATCH 01/18] add ppc64le applicability platform
|
|
|
|
---
|
|
shared/applicability/arch.yml | 6 ++++
|
|
...proc_sys_kernel_osrelease_arch_ppc64le.xml | 33 +++++++++++++++++++
|
|
2 files changed, 39 insertions(+)
|
|
create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml
|
|
|
|
diff --git a/shared/applicability/arch.yml b/shared/applicability/arch.yml
|
|
index cb64a037192..1223001846a 100644
|
|
--- a/shared/applicability/arch.yml
|
|
+++ b/shared/applicability/arch.yml
|
|
@@ -28,3 +28,9 @@ cpes:
|
|
bash_conditional: 'grep -q aarch64 /proc/sys/kernel/osrelease'
|
|
ansible_conditional: 'ansible_architecture == "aarch64"'
|
|
|
|
+ - ppc64le_arch:
|
|
+ name: "cpe:/a:ppc64le_arch"
|
|
+ title: "System architecture is ppc64le"
|
|
+ check_id: proc_sys_kernel_osrelease_arch_ppc64le
|
|
+ bash_conditional: 'grep -q ppc64le /proc/sys/kernel/osrelease'
|
|
+ ansible_conditional: 'ansible_architecture == "ppc64le"'
|
|
diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml
|
|
new file mode 100644
|
|
index 00000000000..058de0db5e7
|
|
--- /dev/null
|
|
+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml
|
|
@@ -0,0 +1,33 @@
|
|
+<def-group>
|
|
+ <definition class="inventory" id="proc_sys_kernel_osrelease_arch_ppc64le"
|
|
+ version="1">
|
|
+ <metadata>
|
|
+ <title>Test that the architecture is ppc64le</title>
|
|
+ <affected family="unix">
|
|
+ <platform>multi_platform_all</platform>
|
|
+ </affected>
|
|
+ <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is ppc64le</description>
|
|
+ </metadata>
|
|
+ <criteria>
|
|
+ <criterion comment="Architecture is ppc64le"
|
|
+ test_ref="test_proc_sys_kernel_osrelease_arch_ppc64le" />
|
|
+ </criteria>
|
|
+ </definition>
|
|
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
|
|
+ comment="proc_sys_kernel is for ppc64le architecture"
|
|
+ id="test_proc_sys_kernel_osrelease_arch_ppc64le"
|
|
+ version="1">
|
|
+ <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_ppc64le" />
|
|
+ <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_ppc64le" />
|
|
+ </ind:textfilecontent54_test>
|
|
+
|
|
+ <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_ppc64le" version="1">
|
|
+ <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
|
|
+ <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
|
|
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
+ </ind:textfilecontent54_object>
|
|
+
|
|
+ <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_ppc64le" version="1">
|
|
+ <ind:subexpression datatype="string" operation="pattern match">^ppc64le$</ind:subexpression>
|
|
+ </ind:textfilecontent54_state>
|
|
+</def-group>
|
|
|
|
From ced2b8699637af0f75786bd07f2944a6febaa531 Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Fri, 8 Jul 2022 13:46:47 +0200
|
|
Subject: [PATCH 02/18] add audit_access_failed_ppc64le
|
|
|
|
---
|
|
.../policy_rules/audit_access_failed/rule.yml | 2 +-
|
|
.../kubernetes/shared.yml | 15 ++++++
|
|
.../audit_access_failed_ppc64le/rule.yml | 54 +++++++++++++++++++
|
|
3 files changed, 70 insertions(+), 1 deletion(-)
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml
|
|
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
|
|
index 87fc33ad041..74f92b94762 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
|
|
@@ -28,7 +28,7 @@ rationale: |-
|
|
# so do not apply this rule but apply the specific one instead
|
|
{{% if product == "rhel9" %}}
|
|
platforms:
|
|
- - not aarch64_arch
|
|
+ - not aarch64_arch and not ppc64le_arch
|
|
{{% endif %}}
|
|
|
|
identifiers:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml
|
|
new file mode 100644
|
|
index 00000000000..412c67f15a1
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml
|
|
@@ -0,0 +1,15 @@
|
|
+---
|
|
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
|
|
+apiVersion: machineconfiguration.openshift.io/v1
|
|
+kind: MachineConfig
|
|
+spec:
|
|
+ config:
|
|
+ ignition:
|
|
+ version: 3.1.0
|
|
+ storage:
|
|
+ files:
|
|
+ - contents:
|
|
+ source: data:,%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copenat2%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copenat2%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A
|
|
+ mode: 0600
|
|
+ path: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
|
|
+ overwrite: true
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml
|
|
new file mode 100644
|
|
index 00000000000..f764da506e9
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml
|
|
@@ -0,0 +1,54 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+
|
|
+title: 'Configure auditing of unsuccessful file accesses (ppc64le)'
|
|
+
|
|
+{{% set file_contents_audit_access_failed =
|
|
+"## Unsuccessful file access (any other opens) This has to go last.
|
|
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
|
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access" %}}
|
|
+
|
|
+description: |-
|
|
+ Ensure that unsuccessful attempts to access a file are audited.
|
|
+
|
|
+ The following rules configure audit as described above:
|
|
+ <pre>{{{ file_contents_audit_access_failed|indent }}} </pre>
|
|
+
|
|
+ Load new Audit rules into kernel by running:
|
|
+ <pre>augenrules --load</pre>
|
|
+
|
|
+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
|
|
+
|
|
+rationale: |-
|
|
+ Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. Auditing of such activities helps in their monitoring and investigation.
|
|
+
|
|
+severity: medium
|
|
+
|
|
+platforms:
|
|
+ - ppc64le_arch
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel8: CCE-85953-8
|
|
+ cce@rhel9: CCE-85955-3
|
|
+
|
|
+references:
|
|
+ ism: 0582,0584,05885,0586,0846,0957
|
|
+ nist: AU-2(a)
|
|
+ ospp: FAU_GEN.1.1.c
|
|
+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205
|
|
+
|
|
+ocil_clause: 'the file does not exist or the content differs'
|
|
+
|
|
+ocil: |-
|
|
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
|
|
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules</pre>
|
|
+ The output has to be exactly as follows:
|
|
+ <pre>{{{ file_contents_audit_access_failed|indent }}} </pre>
|
|
+
|
|
+template:
|
|
+ name: audit_file_contents
|
|
+ vars:
|
|
+ filepath: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
|
|
+ contents: |-
|
|
+ {{{ file_contents_audit_access_failed|indent(12) }}}
|
|
|
|
From 6c9b276ce50932934afa4e1af38ee5cd88166580 Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Fri, 8 Jul 2022 13:56:29 +0200
|
|
Subject: [PATCH 03/18] add audit_access_success ppc64le
|
|
|
|
---
|
|
.../audit_access_success/rule.yml | 2 +-
|
|
.../kubernetes/shared.yml | 15 ++++++
|
|
.../audit_access_success_ppc64le/rule.yml | 54 +++++++++++++++++++
|
|
3 files changed, 70 insertions(+), 1 deletion(-)
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml
|
|
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
|
|
index 284ed1756ff..7646d5f9f4b 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
|
|
@@ -27,7 +27,7 @@ rationale: |-
|
|
# so do not apply this rule but apply the specific one instead
|
|
{{% if product == "rhel9" %}}
|
|
platforms:
|
|
- - not aarch64_arch
|
|
+ - not aarch64_arch and not ppc64le_arch
|
|
{{% endif %}}
|
|
|
|
identifiers:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml
|
|
new file mode 100644
|
|
index 00000000000..372b7c27c76
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml
|
|
@@ -0,0 +1,15 @@
|
|
+---
|
|
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
|
|
+apiVersion: machineconfiguration.openshift.io/v1
|
|
+kind: MachineConfig
|
|
+spec:
|
|
+ config:
|
|
+ ignition:
|
|
+ version: 3.1.0
|
|
+ storage:
|
|
+ files:
|
|
+ - contents:
|
|
+ source: data:,%23%23%20Successful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A%23%23%20These%20next%20two%20are%20likely%20to%20result%20in%20a%20whole%20lot%20of%20events%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copenat2%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access%0A
|
|
+ mode: 0600
|
|
+ path: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
|
|
+ overwrite: true
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml
|
|
new file mode 100644
|
|
index 00000000000..b76fe0b4a4e
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml
|
|
@@ -0,0 +1,54 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+
|
|
+title: 'Configure auditing of successful file accesses (ppc64le)'
|
|
+
|
|
+{{% set file_contents_audit_access_success =
|
|
+"## Successful file access (any other opens) This has to go last.
|
|
+## These next two are likely to result in a whole lot of events
|
|
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access" %}}
|
|
+
|
|
+description: |-
|
|
+ Ensure that successful attempts to access a file are audited.
|
|
+
|
|
+ The following rules configure audit as described above:
|
|
+ <pre>{{{ file_contents_audit_access_success|indent }}} </pre>
|
|
+
|
|
+ Load new Audit rules into kernel by running:
|
|
+ <pre>augenrules --load</pre>
|
|
+
|
|
+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
|
|
+
|
|
+rationale: |-
|
|
+ Auditing of successful attempts to access a file helps in investigation of activities performed on the system.
|
|
+
|
|
+severity: medium
|
|
+
|
|
+platforms:
|
|
+ - ppc64le_arch
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel8: CCE-85960-3
|
|
+ cce@rhel9: CCE-85961-1
|
|
+
|
|
+references:
|
|
+ ism: 0582,0584,05885,0586,0846,0957
|
|
+ nist: AU-2(a)
|
|
+ ospp: FAU_GEN.1.1.c
|
|
+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205
|
|
+
|
|
+ocil_clause: 'the file does not exist or the content differs'
|
|
+
|
|
+ocil: |-
|
|
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
|
|
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-3-access-success.rules</pre>
|
|
+ The output has to be exactly as follows:
|
|
+ <pre>{{{ file_contents_audit_access_success|indent }}} </pre>
|
|
+
|
|
+template:
|
|
+ name: audit_file_contents
|
|
+ vars:
|
|
+ filepath: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
|
|
+ contents: |-
|
|
+ {{{ file_contents_audit_access_success|indent(12) }}}
|
|
|
|
From 7a343648d9e206a1b981f4235daeb9dd3cd475dc Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Fri, 8 Jul 2022 14:01:03 +0200
|
|
Subject: [PATCH 04/18] add audit_create_failed ppc64le
|
|
|
|
---
|
|
.../policy_rules/audit_create_failed/rule.yml | 2 +-
|
|
.../kubernetes/shared.yml | 15 +++++
|
|
.../audit_create_failed_ppc64le/rule.yml | 57 +++++++++++++++++++
|
|
3 files changed, 73 insertions(+), 1 deletion(-)
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml
|
|
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
|
|
index f4da514e080..ac5e1f97413 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
|
|
@@ -36,7 +36,7 @@ rationale: |-
|
|
# so do not apply this rule but apply the specific one instead
|
|
{{% if product == "rhel9" %}}
|
|
platforms:
|
|
- - not aarch64_arch
|
|
+ - not aarch64_arch and not ppc64le_arch
|
|
{{% endif %}}
|
|
|
|
identifiers:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml
|
|
new file mode 100644
|
|
index 00000000000..08c8dc85507
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml
|
|
@@ -0,0 +1,15 @@
|
|
+---
|
|
+# platform = multi_platform_rhel,multi_platform_fedora
|
|
+apiVersion: machineconfiguration.openshift.io/v1
|
|
+kind: MachineConfig
|
|
+spec:
|
|
+ config:
|
|
+ ignition:
|
|
+ version: 3.1.0
|
|
+ storage:
|
|
+ files:
|
|
+ - contents:
|
|
+ source: data:,%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A
|
|
+ mode: 0600
|
|
+ path: /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
|
|
+ overwrite: true
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml
|
|
new file mode 100644
|
|
index 00000000000..ead598f8b9a
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml
|
|
@@ -0,0 +1,57 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+
|
|
+title: 'Configure auditing of unsuccessful file creations (ppc64le)'
|
|
+
|
|
+{{% set file_contents_audit_create_failed =
|
|
+"## Unsuccessful file creation (open with O_CREAT)
|
|
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
|
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
|
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
|
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
|
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
|
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create" %}}
|
|
+
|
|
+description: |-
|
|
+ Ensure that unsuccessful attempts to create a file are audited.
|
|
+
|
|
+ The following rules configure audit as described above:
|
|
+ <pre>{{{ file_contents_audit_create_failed|indent }}} </pre>
|
|
+
|
|
+ Load new Audit rules into kernel by running:
|
|
+ <pre>augenrules --load</pre>
|
|
+
|
|
+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
|
|
+
|
|
+rationale: |-
|
|
+ Unsuccessful file creations might be a sign of a malicious action being performed on the system. Keeping log of such events helps in monitoring and investigation of such actions.
|
|
+
|
|
+severity: medium
|
|
+
|
|
+platforms:
|
|
+ - ppc64le_arch
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel8: CCE-85962-9
|
|
+ cce@rhel9: CCE-85965-2
|
|
+
|
|
+references:
|
|
+ nist: AU-2(a)
|
|
+ ospp: FAU_GEN.1.1.c
|
|
+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205
|
|
+
|
|
+ocil_clause: 'the file does not exist or the content differs'
|
|
+
|
|
+ocil: |-
|
|
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
|
|
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules</pre>
|
|
+ The output has to be exactly as follows:
|
|
+ <pre>{{{ file_contents_audit_create_failed|indent }}} </pre>
|
|
+
|
|
+template:
|
|
+ name: audit_file_contents
|
|
+ vars:
|
|
+ filepath: /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
|
|
+ contents: |-
|
|
+ {{{ file_contents_audit_create_failed|indent(12) }}}
|
|
|
|
From c433196a29cfcf5b3dca2f3cde7dc230f43a181e Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Fri, 8 Jul 2022 14:03:38 +0200
|
|
Subject: [PATCH 05/18] add audit_create_success ppc64le
|
|
|
|
---
|
|
.../audit_create_success/rule.yml | 2 +-
|
|
.../audit_create_success_ppc64le/rule.yml | 54 +++++++++++++++++++
|
|
2 files changed, 55 insertions(+), 1 deletion(-)
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml
|
|
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
|
|
index 43e8674178b..21e71077030 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
|
|
@@ -30,7 +30,7 @@ rationale: |-
|
|
# so do not apply this rule but apply the specific one instead
|
|
{{% if product == "rhel9" %}}
|
|
platforms:
|
|
- - not aarch64_arch
|
|
+ - not aarch64_arch and not ppc64le_arch
|
|
{{% endif %}}
|
|
|
|
identifiers:
|
|
new file mode 100644
|
|
index 00000000000..294947c14ba
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml
|
|
@@ -0,0 +1,54 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+
|
|
+title: 'Configure auditing of successful file creations (ppc64le)'
|
|
+
|
|
+{{% set file_contents_audit_create_success =
|
|
+"## Successful file creation (open with O_CREAT)
|
|
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
|
+-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
|
+-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create" %}}
|
|
+
|
|
+description: |-
|
|
+ Ensure that successful attempts to create a file are audited.
|
|
+
|
|
+ The following rules configure audit as described above:
|
|
+ <pre>{{{ file_contents_audit_create_success |indent }}} </pre>
|
|
+
|
|
+ Load new Audit rules into kernel by running:
|
|
+ <pre>augenrules --load</pre>
|
|
+
|
|
+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
|
|
+
|
|
+rationale: |-
|
|
+ Auditing of successful attempts to create a file helps in investigation of actions which happened on the system.
|
|
+
|
|
+severity: medium
|
|
+
|
|
+platforms:
|
|
+ - ppc64le_arch
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel8: CCE-85966-0
|
|
+ cce@rhel9: CCE-85968-6
|
|
+
|
|
+references:
|
|
+ nist: AU-2(a)
|
|
+ ospp: FAU_GEN.1.1.c
|
|
+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205
|
|
+
|
|
+ocil_clause: 'the file does not exist or the content differs'
|
|
+
|
|
+ocil: |-
|
|
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
|
|
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-1-create-success.rules</pre>
|
|
+ The output has to be exactly as follows:
|
|
+ <pre>{{{ file_contents_audit_create_success|indent }}} </pre>
|
|
+
|
|
+template:
|
|
+ name: audit_file_contents
|
|
+ vars:
|
|
+ filepath: /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
|
|
+ contents: |-
|
|
+ {{{ file_contents_audit_create_success|indent(12) }}}
|
|
|
|
From d8593e7d56ed85f34f228b24526b703eed141071 Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Fri, 8 Jul 2022 14:07:50 +0200
|
|
Subject: [PATCH 06/18] add audit_delete_failed ppc64le
|
|
|
|
---
|
|
.../policy_rules/audit_delete_failed/rule.yml | 2 +-
|
|
.../kubernetes/shared.yml | 15 +++++
|
|
.../audit_delete_failed_ppc64le/rule.yml | 65 +++++++++++++++++++
|
|
3 files changed, 81 insertions(+), 1 deletion(-)
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml
|
|
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
|
|
index 07ed41a9c4f..5ac68376970 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
|
|
@@ -28,7 +28,7 @@ rationale: |-
|
|
# so do not apply this rule but apply the specific one instead
|
|
{{% if product == "rhel9" %}}
|
|
platforms:
|
|
- - not aarch64_arch
|
|
+ - not aarch64_arch and not ppc64le_arch
|
|
{{% endif %}}
|
|
|
|
identifiers:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml
|
|
new file mode 100644
|
|
index 00000000000..2fb2c25aa30
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml
|
|
@@ -0,0 +1,15 @@
|
|
+---
|
|
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
|
|
+apiVersion: machineconfiguration.openshift.io/v1
|
|
+kind: MachineConfig
|
|
+spec:
|
|
+ config:
|
|
+ ignition:
|
|
+ version: 3.1.0
|
|
+ storage:
|
|
+ files:
|
|
+ - contents:
|
|
+ source: data:,%23%23%20Unsuccessful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete
|
|
+ mode: 0600
|
|
+ path: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
|
|
+ overwrite: true
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml
|
|
new file mode 100644
|
|
index 00000000000..c8c532cb3bb
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml
|
|
@@ -0,0 +1,65 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+
|
|
+title: 'Configure auditing of unsuccessful file deletions (ppc64le)'
|
|
+
|
|
+{{% set file_contents_audit_delete_failed =
|
|
+"## Unsuccessful file delete
|
|
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete" %}}
|
|
+
|
|
+description: |-
|
|
+ Ensure that unsuccessful attempts to delete a file are audited.
|
|
+
|
|
+ The following rules configure audit as described above:
|
|
+ <pre>{{{ file_contents_audit_delete_failed|indent }}} </pre>
|
|
+
|
|
+ Load new Audit rules into kernel by running:
|
|
+ <pre>augenrules --load</pre>
|
|
+
|
|
+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
|
|
+
|
|
+rationale: |-
|
|
+ Unsuccessful attempts to delete a file might be signs of malicious activities. Auditing of such events help in monitoring and investigating of such activities.
|
|
+
|
|
+severity: medium
|
|
+
|
|
+platforms:
|
|
+ - ppc64le_arch
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel8: CCE-85969-4
|
|
+ cce@rhel9: CCE-85970-2
|
|
+
|
|
+references:
|
|
+ nist: AU-2(a)
|
|
+ ospp: FAU_GEN.1.1.c
|
|
+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212
|
|
+
|
|
+ocil_clause: 'the file does not exist or the content differs'
|
|
+
|
|
+ocil: |-
|
|
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
|
|
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules</pre>
|
|
+ The output has to be exactly as follows:
|
|
+ <pre>{{{ file_contents_audit_delete_failed|indent }}} </pre>
|
|
+
|
|
+template:
|
|
+ name: audit_file_contents
|
|
+ vars:
|
|
+ filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
|
|
+ contents: |-
|
|
+ {{{ file_contents_audit_delete_failed|indent(12) }}}
|
|
+
|
|
+fixtext: |-
|
|
+ Configure {{{ full_name }}} to audit all unsuccessful attempts to delete a file.
|
|
+
|
|
+ Create file "/etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules" with the exactly following content:
|
|
+
|
|
+ {{{ file_contents_audit_delete_failed|indent(4) }}}
|
|
+
|
|
+ Then, run the following commands:
|
|
+
|
|
+ $ sudo chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
|
|
+ $ sudo augenrules --load
|
|
|
|
From 364e30b710df1f58a004edce60cfc6043d0aed3b Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Fri, 8 Jul 2022 14:12:20 +0200
|
|
Subject: [PATCH 07/18] add audit_delete_success ppc64le
|
|
|
|
---
|
|
.../audit_delete_success/rule.yml | 2 +-
|
|
.../kubernetes/shared.yml | 7 ++
|
|
.../audit_delete_success_ppc64le/rule.yml | 64 +++++++++++++++++++
|
|
3 files changed, 72 insertions(+), 1 deletion(-)
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml
|
|
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
|
|
index 93b42e3f4d6..b2fc0cca348 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
|
|
@@ -26,7 +26,7 @@ rationale: |-
|
|
# so do not apply this rule but apply the specific one instead
|
|
{{% if product == "rhel9" %}}
|
|
platforms:
|
|
- - not aarch64_arch
|
|
+ - not aarch64_arch and not ppc64le_arch
|
|
{{% endif %}}
|
|
|
|
identifiers:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml
|
|
new file mode 100644
|
|
index 00000000000..3734328c9e1
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml
|
|
@@ -0,0 +1,7 @@
|
|
+---
|
|
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
|
|
+
|
|
+{{% set file_contents = """## Successful file delete
|
|
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete""" -%}}
|
|
+
|
|
+{{{- kubernetes_machine_config_file(path='/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules', file_permissions_mode='0600', source=file_contents) }}}
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml
|
|
new file mode 100644
|
|
index 00000000000..35362051948
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml
|
|
@@ -0,0 +1,64 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+
|
|
+title: 'Configure auditing of successful file deletions (ppc64le)'
|
|
+
|
|
+{{% set file_contents_audit_delete_success =
|
|
+"## Successful file delete
|
|
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete" %}}
|
|
+
|
|
+description: |-
|
|
+ Ensure that successful attempts to delete a file are audited.
|
|
+
|
|
+ The following rules configure audit as described above:
|
|
+ <pre>{{{ file_contents_audit_delete_success|indent }}} </pre>
|
|
+
|
|
+ Load new Audit rules into kernel by running:
|
|
+ <pre>augenrules --load</pre>
|
|
+
|
|
+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
|
|
+
|
|
+rationale: |-
|
|
+ Auditing of successful attempts to delete a file may help in monitoring and investigation of activities performed on the system.
|
|
+
|
|
+severity: medium
|
|
+
|
|
+platforms:
|
|
+ - ppc64le_arch
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel8: CCE-85974-4
|
|
+ cce@rhel9: CCE-85976-9
|
|
+
|
|
+references:
|
|
+ nist: AU-2(a)
|
|
+ ospp: FAU_GEN.1.1.c
|
|
+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212
|
|
+
|
|
+ocil_clause: 'the file does not exist or the content differs'
|
|
+
|
|
+ocil: |-
|
|
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
|
|
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules</pre>
|
|
+ The output has to be exactly as follows:
|
|
+ <pre>{{{ file_contents_audit_delete_success|indent }}} </pre>
|
|
+
|
|
+template:
|
|
+ name: audit_file_contents
|
|
+ vars:
|
|
+ filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
|
|
+ contents: |-
|
|
+ {{{ file_contents_audit_delete_success|indent(12) }}}
|
|
+
|
|
+fixtext: |-
|
|
+ Configure {{{ full_name }}} to audit all successful attempts to delete a file.
|
|
+
|
|
+ Create file "/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules" with the exactly following content:
|
|
+
|
|
+ {{{ file_contents_audit_delete_success|indent(4) }}}
|
|
+
|
|
+ Then, run the following commands:
|
|
+
|
|
+ $ sudo chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
|
|
+ $ sudo augenrules --load
|
|
|
|
From 3bb8799b634e8ec164a6ff7287df92e9519c1a47 Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Fri, 8 Jul 2022 14:16:37 +0200
|
|
Subject: [PATCH 08/18] add audit_modify_failed ppc64le
|
|
|
|
---
|
|
.../policy_rules/audit_modify_failed/rule.yml | 2 +-
|
|
.../kubernetes/shared.yml | 15 +++++
|
|
.../audit_modify_failed_ppc64le/rule.yml | 57 +++++++++++++++++++
|
|
3 files changed, 73 insertions(+), 1 deletion(-)
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml
|
|
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
|
|
index e4d042a50cb..16c7ca38e5a 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
|
|
@@ -36,7 +36,7 @@ rationale: |-
|
|
# so do not apply this rule but apply the specific one instead
|
|
{{% if product == "rhel9" %}}
|
|
platforms:
|
|
- - not aarch64_arch
|
|
+ - not aarch64_arch and not ppc64le_arch
|
|
{{% endif %}}
|
|
|
|
identifiers:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml
|
|
new file mode 100644
|
|
index 00000000000..f07ff3607ae
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml
|
|
@@ -0,0 +1,15 @@
|
|
+---
|
|
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
|
|
+apiVersion: machineconfiguration.openshift.io/v1
|
|
+kind: MachineConfig
|
|
+spec:
|
|
+ config:
|
|
+ ignition:
|
|
+ version: 3.1.0
|
|
+ storage:
|
|
+ files:
|
|
+ - contents:
|
|
+ source: data:,%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A
|
|
+ mode: 0600
|
|
+ path: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
|
|
+ overwrite: true
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml
|
|
new file mode 100644
|
|
index 00000000000..d5d11a0f214
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml
|
|
@@ -0,0 +1,57 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+
|
|
+title: 'Configure auditing of unsuccessful file modifications (ppc64le)'
|
|
+
|
|
+{{% set file_contents_audit_modify_failed =
|
|
+"## Unsuccessful file modifications (open for write or truncate)
|
|
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
|
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
|
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
|
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
|
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
|
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification" %}}
|
|
+
|
|
+description: |-
|
|
+ Ensure that unsuccessful attempts to modify a file are audited.
|
|
+
|
|
+ The following rules configure audit as described above:
|
|
+ <pre>{{{ file_contents_audit_modify_failed|indent }}} </pre>
|
|
+
|
|
+ Load new Audit rules into kernel by running:
|
|
+ <pre>augenrules --load</pre>
|
|
+
|
|
+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
|
|
+
|
|
+rationale: |-
|
|
+ Unsuccessful file modifications might be a sign of a malicious action being performed on the system. Auditing of such events helps in detection and investigation of such actions.
|
|
+
|
|
+severity: medium
|
|
+
|
|
+platforms:
|
|
+ - ppc64le_arch
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel8: CCE-85977-7
|
|
+ cce@rhel9: CCE-85978-5
|
|
+
|
|
+references:
|
|
+ nist: AU-2(a)
|
|
+ ospp: FAU_GEN.1.1.c
|
|
+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205
|
|
+
|
|
+ocil_clause: 'the file does not exist or the content differs'
|
|
+
|
|
+ocil: |-
|
|
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
|
|
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules</pre>
|
|
+ The output has to be exactly as follows:
|
|
+ <pre>{{{ file_contents_audit_modify_failed|indent }}} </pre>
|
|
+
|
|
+template:
|
|
+ name: audit_file_contents
|
|
+ vars:
|
|
+ filepath: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
|
|
+ contents: |-
|
|
+ {{{ file_contents_audit_modify_failed|indent(12) }}}
|
|
|
|
From 86196a6512dab40e8bed5a06ea0581f2290d5ad8 Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Fri, 8 Jul 2022 14:20:01 +0200
|
|
Subject: [PATCH 09/18] add audit modify_success ppc64le
|
|
|
|
---
|
|
.../audit_modify_success/rule.yml | 2 +-
|
|
.../kubernetes/shared.yml | 15 +++++
|
|
.../audit_modify_success_ppc64le/rule.yml | 55 +++++++++++++++++++
|
|
3 files changed, 71 insertions(+), 1 deletion(-)
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml
|
|
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
|
|
index 4c65055f577..cafc88f49b7 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
|
|
@@ -31,7 +31,7 @@ rationale: |-
|
|
# so do not apply this rule but apply the specific one instead
|
|
{{% if product == "rhel9" %}}
|
|
platforms:
|
|
- - not aarch64_arch
|
|
+ - not aarch64_arch and not ppc64le_arch
|
|
{{% endif %}}
|
|
|
|
identifiers:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml
|
|
new file mode 100644
|
|
index 00000000000..92310b9772e
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml
|
|
@@ -0,0 +1,15 @@
|
|
+---
|
|
+# platform = multi_platform_rhel,multi_platform_fedora
|
|
+apiVersion: machineconfiguration.openshift.io/v1
|
|
+kind: MachineConfig
|
|
+spec:
|
|
+ config:
|
|
+ ignition:
|
|
+ version: 3.1.0
|
|
+ storage:
|
|
+ files:
|
|
+ - contents:
|
|
+ source: data:,%23%23%20Successful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20success%3D1%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20success%3D1%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20success%3D1%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A
|
|
+ mode: 0600
|
|
+ path: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
|
|
+ overwrite: true
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml
|
|
new file mode 100644
|
|
index 00000000000..e45015e5949
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml
|
|
@@ -0,0 +1,55 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+
|
|
+title: 'Configure auditing of successful file modifications (ppc64le)'
|
|
+
|
|
+{{% set file_contents_audit_modify_success =
|
|
+"## Successful file modifications (open for write or truncate)
|
|
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
|
+-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
|
+-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification" %}}
|
|
+
|
|
+description: |-
|
|
+ Ensure that successful attempts to modify a file are audited.
|
|
+
|
|
+ The following rules configure audit as described above:
|
|
+ <pre>{{{ file_contents_audit_modify_success|indent }}} </pre>
|
|
+
|
|
+ Load new Audit rules into kernel by running:
|
|
+ <pre>augenrules --load</pre>
|
|
+
|
|
+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
|
|
+
|
|
+
|
|
+rationale: |-
|
|
+ Auditing of successful attempts to modify a file helps in investigation of actions which happened on the system.
|
|
+
|
|
+severity: medium
|
|
+
|
|
+platforms:
|
|
+ - ppc64le_arch
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel8: CCE-85979-3
|
|
+ cce@rhel9: CCE-85980-1
|
|
+
|
|
+references:
|
|
+ nist: AU-2(a)
|
|
+ ospp: FAU_GEN.1.1.c
|
|
+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205
|
|
+
|
|
+ocil_clause: 'the file does not exist or the content differs'
|
|
+
|
|
+ocil: |-
|
|
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
|
|
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules</pre>
|
|
+ The output has to be exactly as follows:
|
|
+ <pre>{{{ file_contents_audit_modify_success|indent }}} </pre>
|
|
+
|
|
+template:
|
|
+ name: audit_file_contents
|
|
+ vars:
|
|
+ filepath: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
|
|
+ contents: |-
|
|
+ {{{ file_contents_audit_modify_success|indent(12) }}}
|
|
|
|
From 4b3fc315e2e946f103826ac010a056390c906aca Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Fri, 8 Jul 2022 14:23:45 +0200
|
|
Subject: [PATCH 10/18] add audit_module_load ppc64le
|
|
|
|
---
|
|
.../policy_rules/audit_module_load/rule.yml | 3 ++
|
|
.../kubernetes/shared.yml | 15 ++++++
|
|
.../audit_module_load_ppc64le/rule.yml | 52 +++++++++++++++++++
|
|
3 files changed, 70 insertions(+)
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml
|
|
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
|
|
index 5e840fca5a3..b04d879a9c0 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
|
|
@@ -26,6 +26,9 @@ rationale: |-
|
|
|
|
severity: medium
|
|
|
|
+platforms:
|
|
+ - not ppc64le_arch
|
|
+
|
|
identifiers:
|
|
cce@rhel8: CCE-82838-4
|
|
cce@rhel9: CCE-90814-5
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml
|
|
new file mode 100644
|
|
index 00000000000..231034a9c54
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml
|
|
@@ -0,0 +1,15 @@
|
|
+---
|
|
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
|
|
+apiVersion: machineconfiguration.openshift.io/v1
|
|
+kind: MachineConfig
|
|
+spec:
|
|
+ config:
|
|
+ ignition:
|
|
+ version: 3.1.0
|
|
+ storage:
|
|
+ files:
|
|
+ - contents:
|
|
+ source: data:,%23%23%20These%20rules%20watch%20for%20kernel%20module%20insertion.%20By%20monitoring%0A%23%23%20the%20syscall%2C%20we%20do%20not%20need%20any%20watches%20on%20programs.%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%2Cfinit_module%20-F%20key%3Dmodule-load%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-F%20key%3Dmodule-unload%0A
|
|
+ mode: 0600
|
|
+ path: /etc/audit/rules.d/43-module-load.rules
|
|
+ overwrite: true
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml
|
|
new file mode 100644
|
|
index 00000000000..3f59eecec86
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml
|
|
@@ -0,0 +1,52 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+
|
|
+title: 'Configure auditing of loading and unloading of kernel modules (ppc64le)'
|
|
+
|
|
+{{% set file_contents_audit_module_load =
|
|
+"## These rules watch for kernel module insertion. By monitoring
|
|
+## the syscall, we do not need any watches on programs.
|
|
+-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
|
|
+-a always,exit -F arch=b64 -S delete_module -F key=module-unload" %}}
|
|
+
|
|
+description: |-
|
|
+ Ensure that loading and unloading of kernel modules is audited.
|
|
+
|
|
+ The following rules configure audit as described above:
|
|
+ <pre>{{{ file_contents_audit_module_load|indent }}} </pre>
|
|
+
|
|
+ Load new Audit rules into kernel by running:
|
|
+ <pre>augenrules --load</pre>
|
|
+
|
|
+rationale: |-
|
|
+ Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities.
|
|
+
|
|
+severity: medium
|
|
+
|
|
+platforms:
|
|
+ - ppc64le_arch
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel8: CCE-85981-9
|
|
+ cce@rhel9: CCE-85982-7
|
|
+
|
|
+references:
|
|
+ nist: AU-2(a)
|
|
+ ospp: FAU_GEN.1.1.c
|
|
+ srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-OS-000475-GPOS-00220
|
|
+
|
|
+ocil_clause: 'the file does not exist or the content differs'
|
|
+
|
|
+ocil: |-
|
|
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
|
|
+ <pre>cat /etc/audit/rules.d/43-module-load.rules</pre>
|
|
+ The output has to be exactly as follows:
|
|
+ <pre>{{{ file_contents_audit_module_load|indent }}} </pre>
|
|
+
|
|
+template:
|
|
+ name: audit_file_contents
|
|
+ vars:
|
|
+ filepath: /etc/audit/rules.d/43-module-load.rules
|
|
+ contents: |-
|
|
+ {{{ file_contents_audit_module_load|indent(12) }}}
|
|
|
|
From 3265584f7f4396ee037f675a4994a1e85e26564b Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Fri, 8 Jul 2022 14:34:25 +0200
|
|
Subject: [PATCH 11/18] add audit_ospp_general ppc64le
|
|
|
|
---
|
|
.../policy_rules/audit_ospp_general/rule.yml | 2 +-
|
|
.../kubernetes/shared.yml | 15 ++
|
|
.../audit_ospp_general_ppc64le/rule.yml | 132 ++++++++++++++++++
|
|
3 files changed, 148 insertions(+), 1 deletion(-)
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml
|
|
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
|
|
index e82c5aee936..93417f4cf6d 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
|
|
@@ -109,7 +109,7 @@ rationale: |-
|
|
# so do not apply this rule but apply the specific one instead
|
|
{{% if product == "rhel9" %}}
|
|
platforms:
|
|
- - not aarch64_arch
|
|
+ - not aarch64_arch and not ppc64le_arch
|
|
{{% endif %}}
|
|
|
|
identifiers:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml
|
|
new file mode 100644
|
|
index 00000000000..fa81ece03c6
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml
|
|
@@ -0,0 +1,15 @@
|
|
+---
|
|
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
|
|
+apiVersion: machineconfiguration.openshift.io/v1
|
|
+kind: MachineConfig
|
|
+spec:
|
|
+ config:
|
|
+ ignition:
|
|
+ version: 3.1.0
|
|
+ storage:
|
|
+ files:
|
|
+ - contents:
|
|
+ source: data:,%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%20the%20following%20rule%20files%20copied%20to%20%2Fetc%2Faudit%2Frules.d%3A%0A%23%23%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%0A%23%23%2030-ospp-v42-1-create-failed.rules%2C%2030-ospp-v42-1-create-success.rules%2C%0A%23%23%2030-ospp-v42-2-modify-failed.rules%2C%2030-ospp-v42-2-modify-success.rules%2C%0A%23%23%2030-ospp-v42-3-access-failed.rules%2C%2030-ospp-v42-3-access-success.rules%2C%0A%23%23%2030-ospp-v42-4-delete-failed.rules%2C%2030-ospp-v42-4-delete-success.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-failed.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-success.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-failed.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-success.rules%0A%23%23%0A%23%23%20original%20copies%20may%20be%20found%20in%20%2Fusr%2Fshare%2Faudit%2Fsample-rules%2F%0A%0A%0A%23%23%20User%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20passwd%20and%0A%23%23%20shadow%20for%20writes%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A%0A%23%23%20User%20enable%20and%20disable.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Group%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20group%20and%0A%23%23%20gshadow%20for%20writes%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fshadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fgroup%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fgshadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A%0A%0A%23%23%20Use%20of%20special%20rights%20for%20config%20changes.%20This%20would%20be%20use%20of%20setuid%0A%23%23%20programs%20that%20relate%20to%20user%20accts.%20This%20is%20not%20all%20setuid%20apps%20because%0A%23%23%20requirements%20are%20only%20for%20ones%20that%20affect%20system%20configuration.%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Funix_chkpwd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fusernetctl%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fuserhelper%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fseunshare%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fmount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewgrp%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewuidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fgpasswd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewgidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fumount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fpasswd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fcrontab%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fat%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A%0A%23%23%20Privilege%20escalation%20via%20su%20or%20sudo.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Watch%20for%20configuration%20changes%20to%20privilege%20escalation.%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fsudoers%20-F%20perm%3Dwa%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20dir%3D%2Fetc%2Fsudoers.d%2F%20-F%20perm%3Dwa%20-F%20key%3Dspecial-config-changes%0A%0A%23%23%20Audit%20log%20access%0A-a%20always%2Cexit%20-F%20dir%3D%2Fvar%2Flog%2Faudit%2F%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A%23%23%20Attempts%20to%20Alter%20Process%20and%20Session%20Initiation%20Information%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Frun%2Futmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Flog%2Fbtmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Flog%2Fwtmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A%0A%23%23%20Attempts%20to%20modify%20MAC%20controls%0A-a%20always%2Cexit%20-F%20dir%3D%2Fetc%2Fselinux%2F%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3DMAC-policy%0A%0A%23%23%20Software%20updates.%20This%20is%20entirely%20handled%20by%20rpm.%0A%0A%23%23%20System%20start%20and%20shutdown.%20This%20is%20entirely%20handled%20by%20systemd%0A%0A%23%23%20Kernel%20Module%20loading.%20This%20is%20handled%20in%2043-module-load.rules%0A%0A%23%23%20Application%20invocation.%20The%20requirements%20list%20an%20optional%20requirement%0A%23%23%20FPT_SRP_EXT.1%20Software%20Restriction%20Policies.%20This%20event%20is%20intended%20to%0A%23%23%20state%20results%20from%20that%20policy.%20This%20would%20be%20handled%20entirely%20by%0A%23%23%20that%20daemon.%0A
|
|
+ mode: 0600
|
|
+ path: /etc/audit/rules.d/30-ospp-v42.rules
|
|
+ overwrite: true
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml
|
|
new file mode 100644
|
|
index 00000000000..8d408578c3a
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml
|
|
@@ -0,0 +1,132 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+
|
|
+title: 'Perform general configuration of Audit for OSPP (ppc64le)'
|
|
+
|
|
+{{% set file_contents_audit_ospp_general =
|
|
+"## The purpose of these rules is to meet the requirements for Operating
|
|
+## System Protection Profile (OSPP)v4.2. These rules depends on having
|
|
+## the following rule files copied to /etc/audit/rules.d:
|
|
+##
|
|
+## 10-base-config.rules, 11-loginuid.rules,
|
|
+## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
|
|
+## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
|
|
+## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
|
|
+## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
|
|
+## 30-ospp-v42-5-perm-change-failed.rules,
|
|
+## 30-ospp-v42-5-perm-change-success.rules,
|
|
+## 30-ospp-v42-6-owner-change-failed.rules,
|
|
+## 30-ospp-v42-6-owner-change-success.rules
|
|
+##
|
|
+## original copies may be found in /usr/share/audit/sample-rules/
|
|
+
|
|
+
|
|
+## User add delete modify. This is covered by pam. However, someone could
|
|
+## open a file and directly create or modify a user, so we'll watch passwd and
|
|
+## shadow for writes
|
|
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
+
|
|
+## User enable and disable. This is entirely handled by pam.
|
|
+
|
|
+## Group add delete modify. This is covered by pam. However, someone could
|
|
+## open a file and directly create or modify a user, so we'll watch group and
|
|
+## gshadow for writes
|
|
+-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
+-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
+-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
|
|
+-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
|
|
+
|
|
+
|
|
+## Use of special rights for config changes. This would be use of setuid
|
|
+## programs that relate to user accts. This is not all setuid apps because
|
|
+## requirements are only for ones that affect system configuration.
|
|
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
+-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
+-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
+-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
+
|
|
+## Privilege escalation via su or sudo. This is entirely handled by pam.
|
|
+
|
|
+## Watch for configuration changes to privilege escalation.
|
|
+-a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
|
|
+-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
|
|
+
|
|
+## Audit log access
|
|
+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
|
|
+## Attempts to Alter Process and Session Initiation Information
|
|
+-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
|
|
+-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
|
|
+-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
|
|
+
|
|
+## Attempts to modify MAC controls
|
|
+-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
|
|
+
|
|
+## Software updates. This is entirely handled by rpm.
|
|
+
|
|
+## System start and shutdown. This is entirely handled by systemd
|
|
+
|
|
+## Kernel Module loading. This is handled in 43-module-load.rules
|
|
+
|
|
+## Application invocation. The requirements list an optional requirement
|
|
+## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
|
|
+## state results from that policy. This would be handled entirely by
|
|
+## that daemon." %}}
|
|
+
|
|
+description: |-
|
|
+ Configure some basic <tt>Audit</tt> parameters specific for OSPP profile.
|
|
+ In particular, configure <tt>Audit</tt> to watch for direct modification of files storing system user and group information, and usage of applications with special rights which can change system configuration.
|
|
+ Further audited events include access to audit log it self, attempts to Alter Process and Session Initiation Information, and attempts to modify MAC controls.
|
|
+
|
|
+ The following rules configure audit as described above:
|
|
+ <pre>{{{ file_contents_audit_ospp_general|indent }}} </pre>
|
|
+
|
|
+ Load new Audit rules into kernel by running:
|
|
+ <pre>augenrules --load</pre>
|
|
+
|
|
+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
|
|
+
|
|
+rationale: |-
|
|
+ Auditing of events listed in the description provides data for monitoring and investigation of potentially malicious events e.g. tampering with <tt>Audit</tt> logs, malicious access to files storing information about system users and groups etc.
|
|
+
|
|
+severity: medium
|
|
+
|
|
+platforms:
|
|
+ - ppc64le_arch
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel8: CCE-85983-5
|
|
+ cce@rhel9: CCE-85984-3
|
|
+
|
|
+references:
|
|
+ nist: AU-2(a)
|
|
+ ospp: FAU_GEN.1.1.c
|
|
+ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000241-GPOS-00091,SRG-OS-000476-GPOS-00221,SRG-OS-000327-GPOS-00127,SRG-OS-000475-GPOS-00220,SRG-OS-000239-GPOS-00089,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121
|
|
+
|
|
+ocil_clause: 'the file does not exist or the content differs'
|
|
+
|
|
+ocil: |-
|
|
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
|
|
+ <pre>cat /etc/audit/rules.d/30-ospp-v42.rules</pre>
|
|
+ The output has to be exactly as follows:
|
|
+ <pre>{{{ file_contents_audit_ospp_general|indent }}} </pre>
|
|
+
|
|
+template:
|
|
+ name: audit_file_contents
|
|
+ vars:
|
|
+ filepath: /etc/audit/rules.d/30-ospp-v42.rules
|
|
+ contents: |+
|
|
+ {{{ file_contents_audit_ospp_general|indent(12) }}}
|
|
+#do not remove this comment, it stops Jinja from including more blank lines to the variable
|
|
|
|
From 33d024e126e207e9b1e79b8946bcd2cf4cfc864c Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Mon, 11 Jul 2022 11:08:54 +0200
|
|
Subject: [PATCH 12/18] add audit_owner_change_failed ppc64le
|
|
|
|
---
|
|
.../audit_owner_change_failed/rule.yml | 2 +-
|
|
.../rule.yml | 53 +++++++++++++++++++
|
|
shared/references/cce-redhat-avail.txt | 2 -
|
|
3 files changed, 54 insertions(+), 3 deletions(-)
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml
|
|
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
|
|
index 09c29fb1421..630c54693b5 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
|
|
@@ -28,7 +28,7 @@ rationale: |-
|
|
# so do not apply this rule but apply the specific one instead
|
|
{{% if product == "rhel9" %}}
|
|
platforms:
|
|
- - not aarch64_arch
|
|
+ - not aarch64_arch and not ppc64le_arch
|
|
{{% endif %}}
|
|
|
|
identifiers:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml
|
|
new file mode 100644
|
|
index 00000000000..6324bb4fd3b
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml
|
|
@@ -0,0 +1,53 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+
|
|
+title: 'Configure auditing of unsuccessful ownership changes (ppc64le)'
|
|
+
|
|
+{{% set file_contents_audit_owner_change_failed =
|
|
+"## Unsuccessful ownership change
|
|
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
|
|
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change" %}}
|
|
+
|
|
+description: |-
|
|
+ Ensure that unsuccessful attempts to change an ownership of files or directories are audited.
|
|
+
|
|
+ The following rules configure audit as described above:
|
|
+ <pre>{{{ file_contents_audit_owner_change_failed|indent }}} </pre>
|
|
+
|
|
+ Load new Audit rules into kernel by running:
|
|
+ <pre>augenrules --load</pre>
|
|
+
|
|
+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
|
|
+
|
|
+rationale: |-
|
|
+ Unsuccessful attempts to change an ownership of files or directories might be signs of a malicious activity. Having such events audited helps in monitoring and investigation of such activities.
|
|
+
|
|
+severity: medium
|
|
+
|
|
+platforms:
|
|
+ - ppc64le_arch
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel8: CCE-85985-0
|
|
+ cce@rhel9: CCE-85988-4
|
|
+
|
|
+references:
|
|
+ nist: AU-2(a)
|
|
+ ospp: FAU_GEN.1.1.c
|
|
+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
|
|
+
|
|
+ocil_clause: 'the file does not exist or the content differs'
|
|
+
|
|
+ocil: |-
|
|
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
|
|
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules</pre>
|
|
+ The output has to be exactly as follows:
|
|
+ <pre>{{{ file_contents_audit_owner_change_failed|indent }}} </pre>
|
|
+
|
|
+template:
|
|
+ name: audit_file_contents
|
|
+ vars:
|
|
+ filepath: /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
|
|
+ contents: |-
|
|
+ {{{ file_contents_audit_owner_change_failed|indent(12) }}}
|
|
|
|
From a7d6fd67d0916baa324d9d342073b93f386004ce Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Mon, 11 Jul 2022 11:11:38 +0200
|
|
Subject: [PATCH 13/18] add audit_owner_change_success aarch64
|
|
|
|
---
|
|
.../audit_owner_change_success/rule.yml | 2 +-
|
|
.../rule.yml | 52 +++++++++++++++++++
|
|
shared/references/cce-redhat-avail.txt | 2 -
|
|
3 files changed, 53 insertions(+), 3 deletions(-)
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml
|
|
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
|
|
index 934739fd043..744249d8740 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
|
|
@@ -26,7 +26,7 @@ rationale: |-
|
|
# so do not apply this rule but apply the specific one instead
|
|
{{% if product == "rhel9" %}}
|
|
platforms:
|
|
- - not aarch64_arch
|
|
+ - not aarch64_arch and not ppc64le_arch
|
|
{{% endif %}}
|
|
|
|
identifiers:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml
|
|
new file mode 100644
|
|
index 00000000000..62639140885
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml
|
|
@@ -0,0 +1,52 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+
|
|
+title: 'Configure auditing of successful ownership changes (ppc64le)'
|
|
+
|
|
+{{% set file_contents_audit_owner_change_success =
|
|
+"## Successful ownership change
|
|
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change" %}}
|
|
+
|
|
+description: |-
|
|
+ Ensure that successful attempts to change an ownership of files or directories are audited.
|
|
+
|
|
+ The following rules configure audit as described above:
|
|
+ <pre>{{{ file_contents_audit_owner_change_success|indent }}} </pre>
|
|
+
|
|
+ Load new Audit rules into kernel by running:
|
|
+ <pre>augenrules --load</pre>
|
|
+
|
|
+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
|
|
+
|
|
+rationale: |-
|
|
+ Auditing of successful ownership changes of files or directories helps in monitoring or investingating of activities performed on the system.
|
|
+
|
|
+severity: medium
|
|
+
|
|
+platforms:
|
|
+ - ppc64le_arch
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel8: CCE-85997-5
|
|
+ cce@rhel9: CCE-85998-3
|
|
+
|
|
+references:
|
|
+ nist: AU-2(a)
|
|
+ ospp: FAU_GEN.1.1.c
|
|
+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
|
|
+
|
|
+ocil_clause: 'the file does not exist or the content differs'
|
|
+
|
|
+ocil: |-
|
|
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
|
|
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules</pre>
|
|
+ The output has to be exactly as follows:
|
|
+ <pre>{{{ file_contents_audit_owner_change_success|indent }}} </pre>
|
|
+
|
|
+template:
|
|
+ name: audit_file_contents
|
|
+ vars:
|
|
+ filepath: /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
|
|
+ contents: |-
|
|
+ {{{ file_contents_audit_owner_change_success|indent(12) }}}
|
|
|
|
From 0e86aaed2dbe0d215d73e02565ab7eaefe803c70 Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Mon, 11 Jul 2022 11:13:57 +0200
|
|
Subject: [PATCH 14/18] add audit_perm_change_failed for ppc64le
|
|
|
|
---
|
|
.../audit_perm_change_failed/rule.yml | 2 +-
|
|
.../audit_perm_change_failed_ppc64le/rule.yml | 53 +++++++++++++++++++
|
|
shared/references/cce-redhat-avail.txt | 2 -
|
|
3 files changed, 54 insertions(+), 3 deletions(-)
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml
|
|
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
|
|
index 3f7db62b615..0870d41738e 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
|
|
@@ -28,7 +28,7 @@ rationale: |-
|
|
# so do not apply this rule but apply the specific one instead
|
|
{{% if product == "rhel9" %}}
|
|
platforms:
|
|
- - not aarch64_arch
|
|
+ - not aarch64_arch and not ppc64le_arch
|
|
{{% endif %}}
|
|
|
|
identifiers:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml
|
|
new file mode 100644
|
|
index 00000000000..e55de06efc0
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml
|
|
@@ -0,0 +1,53 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+
|
|
+title: 'Configure auditing of unsuccessful permission changes (ppc64le)'
|
|
+
|
|
+{{% set file_contents_audit_perm_change_failed =
|
|
+"## Unsuccessful permission change
|
|
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
|
|
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change" %}}
|
|
+
|
|
+description: |-
|
|
+ Ensure that unsuccessful attempts to change file or directory permissions are audited.
|
|
+
|
|
+ The following rules configure audit as described above:
|
|
+ <pre>{{{ file_contents_audit_perm_change_failed|indent }}} </pre>
|
|
+
|
|
+ Load new Audit rules into kernel by running:
|
|
+ <pre>augenrules --load</pre>
|
|
+
|
|
+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
|
|
+
|
|
+rationale: |-
|
|
+ Unsuccessful attempts to change permissions of files or directories might be signs of malicious activity. Having such events audited helps in monitoring and investigation of such activities.
|
|
+
|
|
+severity: medium
|
|
+
|
|
+platforms:
|
|
+ - ppc64le_arch
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel8: CCE-85999-1
|
|
+ cce@rhel9: CCE-86000-7
|
|
+
|
|
+references:
|
|
+ nist: AU-2(a)
|
|
+ ospp: FAU_GEN.1.1.c
|
|
+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
|
|
+
|
|
+ocil_clause: 'the file does not exist or the content differs'
|
|
+
|
|
+ocil: |-
|
|
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
|
|
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules</pre>
|
|
+ The output has to be exactly as follows:
|
|
+ <pre>{{{ file_contents_audit_perm_change_failed|indent }}} </pre>
|
|
+
|
|
+template:
|
|
+ name: audit_file_contents
|
|
+ vars:
|
|
+ filepath: /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
|
|
+ contents: |-
|
|
+ {{{ file_contents_audit_perm_change_failed|indent(12) }}}
|
|
|
|
From c4df26914cc7dc0911f08950be391a31faae8d63 Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Mon, 11 Jul 2022 11:16:05 +0200
|
|
Subject: [PATCH 15/18] add audit_perm_change_success ppc64le
|
|
|
|
---
|
|
.../audit_perm_change_success/rule.yml | 2 +-
|
|
.../rule.yml | 52 +++++++++++++++++++
|
|
shared/references/cce-redhat-avail.txt | 2 -
|
|
3 files changed, 53 insertions(+), 3 deletions(-)
|
|
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml
|
|
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
|
|
index 4a67bfde428..e0ff8648348 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
|
|
@@ -26,7 +26,7 @@ rationale: |-
|
|
# so do not apply this rule but apply the specific one instead
|
|
{{% if product == "rhel9" %}}
|
|
platforms:
|
|
- - not aarch64_arch
|
|
+ - not aarch64_arch and not ppc64le_arch
|
|
{{% endif %}}
|
|
|
|
identifiers:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml
|
|
new file mode 100644
|
|
index 00000000000..0cbb0f60e0c
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml
|
|
@@ -0,0 +1,52 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+
|
|
+title: 'Configure auditing of successful permission changes (ppc64le)'
|
|
+
|
|
+{{% set file_contents_audit_perm_change_success =
|
|
+"## Successful permission change
|
|
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change" %}}
|
|
+
|
|
+description: |-
|
|
+ Ensure that successful attempts to modify permissions of files or directories are audited.
|
|
+
|
|
+ The following rules configure audit as described above:
|
|
+ <pre>{{{ file_contents_audit_perm_change_success|indent }}} </pre>
|
|
+
|
|
+ Load new Audit rules into kernel by running:
|
|
+ <pre>augenrules --load</pre>
|
|
+
|
|
+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
|
|
+
|
|
+rationale: |-
|
|
+ Auditing successful file or directory permission changes helps in monitoring and investigating of activities performed on the system.
|
|
+
|
|
+severity: medium
|
|
+
|
|
+platforms:
|
|
+ - ppc64le_arch
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel8: CCE-86001-5
|
|
+ cce@rhel9: CCE-86002-3
|
|
+
|
|
+references:
|
|
+ nist: AU-2(a)
|
|
+ ospp: FAU_GEN.1.1.c
|
|
+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
|
|
+
|
|
+ocil_clause: 'the file does not exist or the content differs'
|
|
+
|
|
+ocil: |-
|
|
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
|
|
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules</pre>
|
|
+ The output has to be exactly as follows:
|
|
+ <pre>{{{ file_contents_audit_perm_change_success|indent }}} </pre>
|
|
+
|
|
+template:
|
|
+ name: audit_file_contents
|
|
+ vars:
|
|
+ filepath: /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
|
|
+ contents: |-
|
|
+ {{{ file_contents_audit_perm_change_success|indent(12) }}}
|
|
|
|
From af066dd83f416d40eabe8b9cec584f726b37f14e Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Mon, 11 Jul 2022 11:42:46 +0200
|
|
Subject: [PATCH 16/18] add new rules to rhel9 ospp profile
|
|
|
|
---
|
|
products/rhel9/profiles/ospp.profile | 16 ++++++++++++++++
|
|
1 file changed, 16 insertions(+)
|
|
|
|
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
|
index 1c97558669f..41930e4b840 100644
|
|
--- a/products/rhel9/profiles/ospp.profile
|
|
+++ b/products/rhel9/profiles/ospp.profile
|
|
@@ -279,35 +279,51 @@ selections:
|
|
- audit_immutable_login_uids
|
|
- audit_create_failed
|
|
- audit_create_failed_aarch64
|
|
+ - audit_create_failed_ppc64le
|
|
- audit_create_success
|
|
- audit_create_success_aarch64
|
|
+ - audit_create_success_ppc64le
|
|
- audit_modify_failed
|
|
- audit_modify_failed_aarch64
|
|
+ - audit_modify_failed_ppc64le
|
|
- audit_modify_success
|
|
- audit_modify_success_aarch64
|
|
+ - audit_modify_success_ppc64le
|
|
- audit_access_failed
|
|
- audit_access_failed_aarch64
|
|
+ - audit_access_failed_ppc64le
|
|
- audit_access_success
|
|
- audit_access_success.severity=info
|
|
- audit_access_success.role=unscored
|
|
- audit_access_success_aarch64
|
|
- audit_access_success_aarch64.severity=info
|
|
- audit_access_success_aarch64.role=unscored
|
|
+ - audit_access_success_ppc64le
|
|
+ - audit_access_success_ppc64le.severity=info
|
|
+ - audit_access_success_ppc64le.role=unscored
|
|
- audit_delete_failed
|
|
- audit_delete_failed_aarch64
|
|
+ - audit_delete_failed_ppc64le
|
|
- audit_delete_success
|
|
- audit_delete_success_aarch64
|
|
+ - audit_delete_success_ppc64le
|
|
- audit_perm_change_failed
|
|
- audit_perm_change_failed_aarch64
|
|
+ - audit_perm_change_failed_ppc64le
|
|
- audit_perm_change_success
|
|
- audit_perm_change_success_aarch64
|
|
+ - audit_perm_change_success_ppc64le
|
|
- audit_owner_change_failed
|
|
- audit_owner_change_failed_aarch64
|
|
+ - audit_owner_change_failed_ppc64le
|
|
- audit_owner_change_success
|
|
- audit_owner_change_success_aarch64
|
|
+ - audit_owner_change_success_ppc64le
|
|
- audit_ospp_general
|
|
- audit_ospp_general_aarch64
|
|
+ - audit_ospp_general_ppc64le
|
|
- audit_module_load
|
|
+ - audit_module_load_ppc64le
|
|
|
|
## Enable Automatic Software Updates
|
|
## SI-2 / FMT_MOF_EXT.1 (FMT_SMF_EXT.1)
|
|
|
|
From 1fb5a22850fb1bfbaee76422ef57b3b631d4c91f Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Fri, 15 Jul 2022 10:40:07 +0200
|
|
Subject: [PATCH 17/18] make newly added rules RHEL9 only
|
|
|
|
- change their prodtype to rhel9
|
|
- return rhel8 cces back to the pool
|
|
- make the platform in generic rule applicable only on rhel9 since on rhel8 the file content is the same regardless of the architecture
|
|
- remove rules from rhel8 profiles
|
|
---
|
|
.../policy_rules/audit_access_failed/rule.yml | 4 ++++
|
|
.../audit_access_failed_ppc64le/rule.yml | 3 +--
|
|
.../policy_rules/audit_access_success/rule.yml | 4 ++++
|
|
.../audit_access_success_ppc64le/rule.yml | 3 +--
|
|
.../policy_rules/audit_create_failed/rule.yml | 4 ++++
|
|
.../audit_create_failed_ppc64le/rule.yml | 3 +--
|
|
.../policy_rules/audit_create_success/rule.yml | 4 ++++
|
|
.../audit_create_success_ppc64le/rule.yml | 3 +--
|
|
.../policy_rules/audit_delete_failed/rule.yml | 5 ++++-
|
|
.../audit_delete_failed_ppc64le/rule.yml | 3 +--
|
|
.../policy_rules/audit_delete_success/rule.yml | 4 ++++
|
|
.../audit_delete_success_ppc64le/rule.yml | 3 +--
|
|
.../policy_rules/audit_modify_failed/rule.yml | 4 ++++
|
|
.../audit_modify_failed_ppc64le/rule.yml | 3 +--
|
|
.../policy_rules/audit_modify_success/rule.yml | 4 ++++
|
|
.../audit_modify_success_ppc64le/rule.yml | 3 +--
|
|
.../policy_rules/audit_module_load/rule.yml | 4 ++++
|
|
.../audit_module_load_ppc64le/rule.yml | 3 +--
|
|
.../policy_rules/audit_ospp_general/rule.yml | 4 ++++
|
|
.../audit_ospp_general_ppc64le/rule.yml | 3 +--
|
|
.../audit_owner_change_failed/rule.yml | 4 ++++
|
|
.../audit_owner_change_failed_ppc64le/rule.yml | 3 +--
|
|
.../audit_owner_change_success/rule.yml | 4 ++++
|
|
.../audit_owner_change_success_ppc64le/rule.yml | 3 +--
|
|
.../policy_rules/audit_perm_change_failed/rule.yml | 4 ++++
|
|
.../audit_perm_change_failed_ppc64le/rule.yml | 3 +--
|
|
.../audit_perm_change_success/rule.yml | 4 ++++
|
|
.../audit_perm_change_success_ppc64le/rule.yml | 3 +--
|
|
shared/references/cce-redhat-avail.txt | 14 ++++++++++++++
|
|
29 files changed, 84 insertions(+), 29 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml
|
|
index f764da506e9..6547b12e349 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+prodtype: rhel9
|
|
|
|
title: 'Configure auditing of unsuccessful file accesses (ppc64le)'
|
|
|
|
@@ -29,7 +29,6 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel8: CCE-85953-8
|
|
cce@rhel9: CCE-85955-3
|
|
|
|
references:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml
|
|
index b76fe0b4a4e..6ec2fc3b32d 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+prodtype: rhel9
|
|
|
|
title: 'Configure auditing of successful file accesses (ppc64le)'
|
|
|
|
@@ -29,7 +29,6 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel8: CCE-85960-3
|
|
cce@rhel9: CCE-85961-1
|
|
|
|
references:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml
|
|
index ead598f8b9a..7af3f3b5bbb 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+prodtype: rhel9
|
|
|
|
title: 'Configure auditing of unsuccessful file creations (ppc64le)'
|
|
|
|
@@ -33,7 +33,6 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel8: CCE-85962-9
|
|
cce@rhel9: CCE-85965-2
|
|
|
|
references:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml
|
|
index 294947c14ba..87bfe3de933 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+prodtype: rhel9
|
|
|
|
title: 'Configure auditing of successful file creations (ppc64le)'
|
|
|
|
@@ -30,7 +30,6 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel8: CCE-85966-0
|
|
cce@rhel9: CCE-85968-6
|
|
|
|
references:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml
|
|
index c8c532cb3bb..30279c88b23 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+prodtype: rhel9
|
|
|
|
title: 'Configure auditing of unsuccessful file deletions (ppc64le)'
|
|
|
|
@@ -29,7 +29,6 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel8: CCE-85969-4
|
|
cce@rhel9: CCE-85970-2
|
|
|
|
references:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml
|
|
index 35362051948..220e5d9ca78 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+prodtype: rhel9
|
|
|
|
title: 'Configure auditing of successful file deletions (ppc64le)'
|
|
|
|
@@ -28,7 +28,6 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel8: CCE-85974-4
|
|
cce@rhel9: CCE-85976-9
|
|
|
|
references:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml
|
|
index d5d11a0f214..ae0931dcee3 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+prodtype: rhel9
|
|
|
|
title: 'Configure auditing of unsuccessful file modifications (ppc64le)'
|
|
|
|
@@ -33,7 +33,6 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel8: CCE-85977-7
|
|
cce@rhel9: CCE-85978-5
|
|
|
|
references:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml
|
|
index e45015e5949..4c4b1c7d8e0 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+prodtype: rhel9
|
|
|
|
title: 'Configure auditing of successful file modifications (ppc64le)'
|
|
|
|
@@ -31,7 +31,6 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel8: CCE-85979-3
|
|
cce@rhel9: CCE-85980-1
|
|
|
|
references:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml
|
|
index 3f59eecec86..4f8b06c5e2f 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+prodtype: rhel9
|
|
|
|
title: 'Configure auditing of loading and unloading of kernel modules (ppc64le)'
|
|
|
|
@@ -28,7 +28,6 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel8: CCE-85981-9
|
|
cce@rhel9: CCE-85982-7
|
|
|
|
references:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml
|
|
index 8d408578c3a..3fe9257c0cc 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+prodtype: rhel9
|
|
|
|
title: 'Perform general configuration of Audit for OSPP (ppc64le)'
|
|
|
|
@@ -107,7 +107,6 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel8: CCE-85983-5
|
|
cce@rhel9: CCE-85984-3
|
|
|
|
references:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml
|
|
index 6324bb4fd3b..f0a7c78dd14 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+prodtype: rhel9
|
|
|
|
title: 'Configure auditing of unsuccessful ownership changes (ppc64le)'
|
|
|
|
@@ -29,7 +29,6 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel8: CCE-85985-0
|
|
cce@rhel9: CCE-85988-4
|
|
|
|
references:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml
|
|
index 62639140885..dd0cf8d7cca 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+prodtype: rhel9
|
|
|
|
title: 'Configure auditing of successful ownership changes (ppc64le)'
|
|
|
|
@@ -28,7 +28,6 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel8: CCE-85997-5
|
|
cce@rhel9: CCE-85998-3
|
|
|
|
references:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml
|
|
index e55de06efc0..71e5354753e 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+prodtype: rhel9
|
|
|
|
title: 'Configure auditing of unsuccessful permission changes (ppc64le)'
|
|
|
|
@@ -29,7 +29,6 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel8: CCE-85999-1
|
|
cce@rhel9: CCE-86000-7
|
|
|
|
references:
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml
|
|
index 0cbb0f60e0c..282a2e316f4 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol8,ol9,rhcos4,rhel8,rhel9
|
|
+prodtype: rhel9
|
|
|
|
title: 'Configure auditing of successful permission changes (ppc64le)'
|
|
|
|
@@ -28,7 +28,6 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel8: CCE-86001-5
|
|
cce@rhel9: CCE-86002-3
|
|
|
|
references:
|
|
|
|
From 3b4bc8b3bec38c27e67bde1ad34ff42c85e7cd94 Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Mon, 18 Jul 2022 14:12:08 +0200
|
|
Subject: [PATCH 18/18] fix CCE assignments after rebase
|
|
|
|
---
|
|
.../audit_access_failed_ppc64le/rule.yml | 2 +-
|
|
.../audit_access_success_ppc64le/rule.yml | 2 +-
|
|
.../audit_create_failed_ppc64le/rule.yml | 2 +-
|
|
.../audit_create_success_ppc64le/rule.yml | 2 +-
|
|
.../audit_delete_failed_ppc64le/rule.yml | 2 +-
|
|
.../audit_delete_success_ppc64le/rule.yml | 2 +-
|
|
.../audit_modify_failed_ppc64le/rule.yml | 2 +-
|
|
.../audit_modify_success_ppc64le/rule.yml | 2 +-
|
|
.../audit_module_load_ppc64le/rule.yml | 2 +-
|
|
.../audit_ospp_general_ppc64le/rule.yml | 2 +-
|
|
shared/references/cce-redhat-avail.txt | 20 -------------------
|
|
11 files changed, 10 insertions(+), 30 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml
|
|
index 6547b12e349..222290c9dd7 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml
|
|
@@ -29,7 +29,7 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel9: CCE-85955-3
|
|
+ cce@rhel9: CCE-86001-5
|
|
|
|
references:
|
|
ism: 0582,0584,05885,0586,0846,0957
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml
|
|
index 6ec2fc3b32d..0091db466df 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml
|
|
@@ -29,7 +29,7 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel9: CCE-85961-1
|
|
+ cce@rhel9: CCE-85999-1
|
|
|
|
references:
|
|
ism: 0582,0584,05885,0586,0846,0957
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml
|
|
index 7af3f3b5bbb..c85274a3540 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml
|
|
@@ -33,7 +33,7 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel9: CCE-85965-2
|
|
+ cce@rhel9: CCE-85997-5
|
|
|
|
references:
|
|
nist: AU-2(a)
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml
|
|
index 87bfe3de933..54eb4be972d 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml
|
|
@@ -30,7 +30,7 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel9: CCE-85968-6
|
|
+ cce@rhel9: CCE-85985-0
|
|
|
|
references:
|
|
nist: AU-2(a)
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml
|
|
index 30279c88b23..123a38cc0c6 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml
|
|
@@ -29,7 +29,7 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel9: CCE-85970-2
|
|
+ cce@rhel9: CCE-90787-3
|
|
|
|
references:
|
|
nist: AU-2(a)
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml
|
|
index 220e5d9ca78..f127ee47197 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml
|
|
@@ -28,7 +28,7 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel9: CCE-85976-9
|
|
+ cce@rhel9: CCE-90789-9
|
|
|
|
references:
|
|
nist: AU-2(a)
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml
|
|
index ae0931dcee3..22a90d645e3 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml
|
|
@@ -33,7 +33,7 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel9: CCE-85978-5
|
|
+ cce@rhel9: CCE-90790-7
|
|
|
|
references:
|
|
nist: AU-2(a)
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml
|
|
index 4c4b1c7d8e0..94b15c57c2f 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml
|
|
@@ -31,7 +31,7 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel9: CCE-85980-1
|
|
+ cce@rhel9: CCE-90791-5
|
|
|
|
references:
|
|
nist: AU-2(a)
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml
|
|
index 4f8b06c5e2f..486f0ba2d9e 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml
|
|
@@ -28,7 +28,7 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel9: CCE-85982-7
|
|
+ cce@rhel9: CCE-90788-1
|
|
|
|
references:
|
|
nist: AU-2(a)
|
|
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml
|
|
index 3fe9257c0cc..cb712714c19 100644
|
|
--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml
|
|
@@ -107,7 +107,7 @@ platforms:
|
|
- ppc64le_arch
|
|
|
|
identifiers:
|
|
- cce@rhel9: CCE-85984-3
|
|
+ cce@rhel9: CCE-90786-5
|
|
|
|
references:
|
|
nist: AU-2(a)
|