scap-security-guide/SOURCES/scap-security-guide-0.1.58-audit_rhel8_stig-PR_6910.patch
2021-09-10 04:19:00 +00:00

4579 lines
281 KiB
Diff

From fdc04fed4ae88d0114540a524f5170b19e2b0d19 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 28 Apr 2021 17:17:23 +0200
Subject: [PATCH 01/21] Enable audit rules in RHEL8 STIG.
---
.../audit_rules_execution_chacl/rule.yml | 2 +-
.../audit_rules_execution_setfacl/rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
products/rhel8/profiles/stig.profile | 171 +++++++++++-------
6 files changed, 110 insertions(+), 71 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
index 8c8b0cbda8..28125b692b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: sle12,sle15,ubuntu2004
+prodtype: rhel8,sle12,sle15,ubuntu2004
title: 'Record Any Attempts to Run chacl'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
index dcd62891f1..43fe86106c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: sle12,sle15,ubuntu2004
+prodtype: rhel8,sle12,sle15,ubuntu2004
title: 'Record Any Attempts to Run setfacl'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
index d2ff46792c..dbba6f8636 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: sle12,sle15,ubuntu2004
+prodtype: rhel8,sle12,sle15,ubuntu2004
title: 'Ensure auditd Collects Information on the Use of Privileged Commands - kmod'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
index 58d0aef7a5..b9f68d0712 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: sle12,sle15,ubuntu2004
+prodtype: rhel8,sle12,sle15,ubuntu2004
title: 'Record Any Attempts to Run ssh-agent'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
index 6fa14649be..b4c8a8f2cb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: sle12,sle15,ubuntu2004
+prodtype: rhel8,sle12,sle15,ubuntu2004
title: 'Ensure auditd Collects Information on the Use of Privileged Commands - usermod'
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index f66b2a24a7..c3eee7fae0 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -652,167 +652,206 @@ selections:
# ************ #
# RHEL-08-030121
- # - audit_rules_immutable
+ - audit_rules_immutable
# RHEL-08-030122
- # - audit_immutable_login_uids
+ - audit_immutable_login_uids
# RHEL-08-030130
- # - audit_rules_usergroup_modification_shadow
+ - audit_rules_usergroup_modification_shadow
# RHEL-08-030140
- # - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_opasswd
# RHEL-08-030150
- # - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_passwd
# RHEL-08-030160
- # - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_gshadow
# RHEL-08-030170
- # - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_group
- # RHEL-08-030171, RHEL-08-030172
+ # RHEL-08-030171
+ # should be split
# - audit_rules_sysadmin_actions
+ # RHEL-08-030172
+ - audit_rules_sysadmin_actions
+
# RHEL-08-030180
- package_audit_installed
- service_auditd_enabled
# RHEL-08-030190
- # - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_su
+
+ # RHEL-08-030200
+ - audit_rules_dac_modification_lremovexattr
+
+ # RHEL-08-030210
+ - audit_rules_dac_modification_removexattr
+
+ # RHEL-08-030220
+ - audit_rules_dac_modification_lsetxattr
- # RHEL-08-030200, RHEL-08-030210, RHEL-08-030220, RHEL-08-030230, RHEL-08-030240
- # - audit_perm_change_failed
- # - audit_perm_change_success
+ # RHEL-08-030230
+ - audit_rules_dac_modification_fsetxattr
+
+ # RHEL-08-030240
+ - audit_rules_dac_modification_fremovexattr
# RHEL-08-030250
- # - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chage
# RHEL-08-030260
- # - audit_rules_execution_chcon
+ - audit_rules_execution_chcon
# RHEL-08-030270
- # - audit_perm_change_failed
- # - audit_perm_change_success
+ - audit_rules_dac_modification_setxattr
# RHEL-08-030280
+ - audit_rules_privileged_commands_ssh_agent
+
+ # RHEL-08-030290
+ - audit_rules_privileged_commands_passwd
- # RHEL-08-030290, RHEL-08-030300, RHEL-08-030301
- # - audit_ospp_general
+ # RHEL-08-030300
+ - audit_rules_privileged_commands_mount
+
+ # RHEL-08-030301
+ - audit_rules_privileged_commands_umount
# RHEL-08-030302
- # - audit_rules_media_export
+ - audit_rules_media_export
# RHEL-08-030310
+ # missing rule
# RHEL-08-030311
- # - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postdrop
# RHEL-08-030312
- # - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_postqueue
# RHEL-08-030313
- # - audit_rules_execution_semanage
+ - audit_rules_execution_semanage
# RHEL-08-030314
- # - audit_rules_execution_setfiles
+ - audit_rules_execution_setfiles
# RHEL-08-030315
- # - audit_ospp_general
+ - audit_rules_privileged_commands_userhelper
# RHEL-08-030316
- # - audit_rules_execution_setsebool
+ - audit_rules_execution_setsebool
# RHEL-08-030317
- # - audit_ospp_general
+ - audit_rules_privileged_commands_unix_chkpwd
# RHEL-08-030320
- # - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_ssh_keysign
# RHEL-08-030330
+ - audit_rules_execution_setfacl
# RHEL-08-030340
- # - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_pam_timestamp_check
# RHEL-08-030350
- # - audit_ospp_general
+ - audit_rules_privileged_commands_newgrp
# RHEL-08-030360
- # - audit_module_load
+ - audit_rules_kernel_module_loading_init
+
+ # RHEL-08-030361
+ - audit_rules_file_deletion_events_rename
- # RHEL-08-030361, RHEL-08-030362
- # - audit_delete_failed
- # - audit_delete_success
+ # RHEL-08-030362
+ - audit_rules_file_deletion_events_renameat
# RHEL-08-030363
+ - audit_rules_file_deletion_events_rmdir
- # RHEL-08-030364, RHEL-08-030365
- # - audit_delete_failed
- # - audit_delete_success
+ # RHEL-08-030364
+ - audit_rules_file_deletion_events_unlink
+
+ # RHEL-08-030365
+ - audit_rules_file_deletion_events_unlinkat
# RHEL-08-030370
- # - audit_ospp_general
+ - audit_rules_privileged_commands_gpasswd
+
+ # RHEL-08-030380
+ - audit_rules_kernel_module_loading_finit
- # RHEL-08-030380, RHEL-08-030390
- # - audit_module_load
+ # RHEL-08-030390
+ - audit_rules_kernel_module_loading_delete
# RHEL-08-030400
- # - audit_ospp_general
+ - audit_rules_privileged_commands_crontab
# RHEL-08-030410
- # - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_chsh
# RHEL-08-030420
- # - audit_modify_failed
- # - audit_modify_success
+ - audit_rules_unsuccessful_file_modification_truncate
+
+ # RHEL-08-030430
+ - audit_rules_unsuccessful_file_modification_openat
+
+ # RHEL-08-030440
+ - audit_rules_unsuccessful_file_modification_open
- # RHEL-08-030430, RHEL-08-030440, RHEL-08-030450
- # - audit_create_failed
- # - audit_create_success
- # - audit_modify_failed
- # - audit_modify_success
- # - audit_access_failed
- # - audit_access_success
+ # RHEL-08-030450
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
# RHEL-08-030460
- # - audit_modify_failed
- # - audit_modify_success
+ - audit_rules_unsuccessful_file_modification_ftruncate
# RHEL-08-030470
- # - audit_create_failed
- # - audit_create_success
+ - audit_rules_unsuccessful_file_modification_creat
# RHEL-08-030480
- # - audit_owner_change_failed
- # - audit_owner_change_success
+ - audit_rules_dac_modification_chown
# RHEL-08-030490
- # - audit_perm_change_failed
- # - audit_perm_change_success
+ - audit_rules_dac_modification_chmod
+
+ # RHEL-08-030500
+ - audit_rules_dac_modification_lchown
+
+ # RHEL-08-030510
+ - audit_rules_dac_modification_fchownat
+
+ # RHEL-08-030520
+ - audit_rules_dac_modification_fchown
- # RHEL-08-030500, RHEL-08-030510, RHEL-08-030520
- # - audit_owner_change_failed
- # - audit_owner_change_success
+ # RHEL-08-030530
+ - audit_rules_dac_modification_fchmodat
- # RHEL-08-030530, RHEL-08-030540
- # - audit_perm_change_failed
- # - audit_perm_change_success
+ # RHEL-08-030540
+ - audit_rules_dac_modification_fchmod
# RHEL-08-030550
- # - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudo
# RHEL-08-030560
+ - audit_rules_privileged_commands_usermod
# RHEL-08-030570
+ - audit_rules_execution_chacl
# RHEL-08-030580
+ - audit_rules_privileged_commands_kmod
# RHEL-08-030590
+ # This one needs to be updated to use /var/log/faillock, but first RHEL-08-020017 should be
+ # implemented as it is the one that configures a different patch for the events of failing locks
# - audit_rules_login_events_faillock
# RHEL-08-030600
- # - audit_rules_login_events_lastlog
+ - audit_rules_login_events_lastlog
# RHEL-08-030601
- grub2_audit_argument
From e88a8ad0bece18a8b7dcd350af9706134c827458 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 28 Apr 2021 18:00:18 +0200
Subject: [PATCH 02/21] Update audit template to include perm=x for binaries.
---
.../audit_rules_privileged_commands/ansible.template | 2 +-
.../templates/audit_rules_privileged_commands/bash.template | 2 +-
.../templates/audit_rules_privileged_commands/oval.template | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template
index 0a0f06fba2..ec7b7d7605 100644
--- a/shared/templates/audit_rules_privileged_commands/ansible.template
+++ b/shared/templates/audit_rules_privileged_commands/ansible.template
@@ -26,7 +26,7 @@
- "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}"
when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched > 0
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["rhel8", "sle12", "sle15"] %}}
- name: Inserts/replaces the {{{ NAME }}} rule in rules.d
lineinfile:
diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
index 85dbc9b828..100a4770bf 100644
--- a/shared/templates/audit_rules_privileged_commands/bash.template
+++ b/shared/templates/audit_rules_privileged_commands/bash.template
@@ -7,7 +7,7 @@ PATTERN="-a always,exit -F path={{{ PATH }}}\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
-FULL_RULE="-a always,exit -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged"
+FULL_RULE="-a always,exit -F path={{{ PATH }}} {{{ "-F perm=x " if product in ["rhel8"]}}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
diff --git a/shared/templates/audit_rules_privileged_commands/oval.template b/shared/templates/audit_rules_privileged_commands/oval.template
index c68df7671f..151a9d5d47 100644
--- a/shared/templates/audit_rules_privileged_commands/oval.template
+++ b/shared/templates/audit_rules_privileged_commands/oval.template
@@ -23,7 +23,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_{{{ ID }}}_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["rhel8", "sle12", "sle15"] %}}
<ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(-S[\s]+all[\s]+)*-F[\s]+path={{{ PATH }}}(?:[\s]+-F[\s]+perm=x)?[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
{{% else %}}
<ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
@@ -36,7 +36,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_{{{ ID }}}_auditctl" version="1">
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["rhel8", "sle12", "sle15"] %}}
<ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}(?:[\s]+-F[\s]+perm=x)?[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
{{% else %}}
<ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
From 78134285266b3d559d8eb89d9dd4b68d37de7a26 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 28 Apr 2021 18:01:57 +0200
Subject: [PATCH 03/21] Remove remediation that copies entire ospp audit rules
file.
---
.../bash/shared.sh | 6 ------
.../bash/shared.sh | 6 ------
.../bash/shared.sh | 6 ------
3 files changed, 18 deletions(-)
delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/bash/shared.sh
delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/shared.sh
delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/shared.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/bash/shared.sh
deleted file mode 100644
index c93a8d8805..0000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/bash/shared.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
-#
-# Include source function library.
-. /usr/share/scap-security-guide/remediation_functions
-
-create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/shared.sh
deleted file mode 100644
index c93a8d8805..0000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/shared.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
-#
-# Include source function library.
-. /usr/share/scap-security-guide/remediation_functions
-
-create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/shared.sh
deleted file mode 100644
index 1e021c4f80..0000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/shared.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel
-#
-# Include source function library.
-. /usr/share/scap-security-guide/remediation_functions
-
-create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
From e6cb5c196e18d9dddf4c1754a438e4a6b8f8b214 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 28 Apr 2021 18:02:46 +0200
Subject: [PATCH 04/21] Use audit template in kmod privileged command.
Make SLE content specific to their product.
---
.../ansible/{shared.yml => sle12.yml} | 0
.../ansible/sle15.yml | 42 +++++++++++++++++++
.../oval/{shared.xml => sle12.xml} | 0
.../oval/sle15.xml | 39 +++++++++++++++++
.../rule.yml | 5 +++
5 files changed, 86 insertions(+)
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/{shared.yml => sle12.yml} (100%)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle15.yml
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/{shared.xml => sle12.xml} (100%)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle15.xml
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle12.yml
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/shared.yml
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle12.yml
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle15.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle15.yml
new file mode 100644
index 0000000000..6d128bc207
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle15.yml
@@ -0,0 +1,42 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Service facts
+ service_facts:
+
+- name: Check the rules script being used
+ command:
+ grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service
+ register: check_rules_scripts_result
+
+- name: Update kmod in /etc/audit/rules.d/audit.rules
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: '-w /usr/bin/kmod -p x -k modules'
+ create: yes
+ when:
+ - '"auditd.service" in ansible_facts.services'
+ - '"augenrules" in check_rules_scripts_result.stdout'
+ register: augenrules_audit_rules_kmod_update_result
+
+- name: Update kmod in /etc/audit/audit.rules
+ lineinfile:
+ path: /etc/audit/audit.rules
+ line: '-w /usr/bin/kmod -p x -k modules'
+ create: yes
+ when:
+ - '"auditd.service" in ansible_facts.services'
+ - '"auditctl" in check_rules_scripts_result.stdout'
+ register: auditctl_audit_rules_kmod_update_result
+
+- name: Restart auditd.service
+ systemd:
+ name: auditd.service
+ state: restarted
+ when:
+ - (augenrules_audit_rules_kmod_update_result.changed or
+ auditctl_audit_rules_kmod_update_result.changed)
+ - ansible_facts.services["auditd.service"].state == "running"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle12.xml
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/shared.xml
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle12.xml
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle15.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle15.xml
new file mode 100644
index 0000000000..4fb3d2fc1c
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle15.xml
@@ -0,0 +1,39 @@
+<def-group>
+ <definition class="compliance" id="audit_rules_privileged_commands_kmod" version="1">
+ {{{ oval_metadata("Ensure audit rule for all uses of the kmod command is enabled.") }}}
+
+ <criteria operator="OR">
+
+ <!-- Test the augenrules case -->
+ <criteria operator="AND">
+ <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+ <criterion comment="audit augenrules kmod" test_ref="test_kmod_augenrules" />
+ </criteria>
+
+ <!-- Test the auditctl case -->
+ <criteria operator="AND">
+ <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+ <criterion comment="audit auditctl kmod" test_ref="test_kmod_auditctl" />
+ </criteria>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules kmod" id="test_kmod_augenrules" version="1">
+ <ind:object object_ref="object_kmod_augenrules" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_kmod_augenrules" version="1">
+ <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*-w[\s]+/usr/bin/kmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl kmod" id="test_kmod_auditctl" version="1">
+ <ind:object object_ref="object_kmod_auditctl" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_kmod_auditctl" version="1">
+ <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*-w[\s]+/usr/bin/kmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
index dbba6f8636..168d5c51fc 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
@@ -53,3 +53,8 @@ ocil: |-
return a line, or the line is commented out, this is a finding.
platform: machine
+
+template:
+ name: audit_rules_privileged_commands
+ vars:
+ path: /usr/bin/kmod
From 12e793f8340a48418214e73e05248e259c7d16b5 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 28 Apr 2021 18:56:03 +0200
Subject: [PATCH 05/21] Extend audit_rules_dac_modification to support auid=0
checking.
---
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../bash.template | 16 +++++-
.../oval.template | 53 +++++++++++++++++++
.../audit_rules_dac_modification/template.py | 7 +++
9 files changed, 81 insertions(+), 1 deletion(-)
create mode 100644 shared/templates/audit_rules_dac_modification/template.py
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
index d5ff634e95..294a7ebfd2 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
@@ -78,3 +78,4 @@ template:
name: audit_rules_dac_modification
vars:
attr: fremovexattr
+ check_root_user: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
index 034a22a987..9b01a07515 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
@@ -73,3 +73,4 @@ template:
name: audit_rules_dac_modification
vars:
attr: fsetxattr
+ check_root_user: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
index 2245a13e11..577af632aa 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
@@ -78,3 +78,4 @@ template:
name: audit_rules_dac_modification
vars:
attr: lremovexattr
+ check_root_user: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
index 6218e6fc10..d6be12af63 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
@@ -71,3 +71,4 @@ template:
name: audit_rules_dac_modification
vars:
attr: lsetxattr
+ check_root_user: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
index 6565d3fcc2..982d6d377c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
@@ -77,3 +77,4 @@ template:
name: audit_rules_dac_modification
vars:
attr: removexattr
+ check_root_user: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
index 7babe9d2a7..71c31e2d15 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
@@ -73,3 +73,4 @@ template:
name: audit_rules_dac_modification
vars:
attr: setxattr
+ check_root_user: "true"
diff --git a/shared/templates/audit_rules_dac_modification/bash.template b/shared/templates/audit_rules_dac_modification/bash.template
index f0d3b6978a..a10a9145b2 100644
--- a/shared/templates/audit_rules_dac_modification/bash.template
+++ b/shared/templates/audit_rules_dac_modification/bash.template
@@ -9,7 +9,7 @@
for ARCH in "${RULE_ARCHS[@]}"
do
- PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}}.*"
+ PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>=.*"
GROUP="perm_mod"
FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
@@ -17,3 +17,17 @@ do
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
+
+
+{{% if CHECK_ROOT_USER %}}
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0.*"
+ GROUP="perm_mod"
+ FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0 -F auid!=unset -F key=perm_mod"
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+done
+{{% endif %}}
diff --git a/shared/templates/audit_rules_dac_modification/oval.template b/shared/templates/audit_rules_dac_modification/oval.template
index 5b1bf5dc6d..6e02cc7f09 100644
--- a/shared/templates/audit_rules_dac_modification/oval.template
+++ b/shared/templates/audit_rules_dac_modification/oval.template
@@ -7,11 +7,19 @@
<criteria operator="AND">
<extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
<criterion comment="audit augenrules 32-bit {{{ ATTR }}}" test_ref="test_32bit_ardm_{{{ ATTR }}}_augenrules" />
+{{% if CHECK_ROOT_USER %}}
+ <criterion comment="audit augenrules 32-bit {{{ ATTR }}}" test_ref="test_32bit_ardm_{{{ ATTR }}}_augenrules_auid_0" />
+{{% endif %}}
+
<criteria operator="OR">
<!-- System either isn't 64-bit => we just check presence of 32-bit version of {{{ ATTR }}} audit DAC rule -->
<extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
<!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit version of {{{ ATTR }}} audit DAC rule -->
<criterion comment="audit augenrules 64-bit {{{ ATTR }}}" test_ref="test_64bit_ardm_{{{ ATTR }}}_augenrules" />
+{{% if CHECK_ROOT_USER %}}
+ <criterion comment="audit augenrules 64-bit {{{ ATTR }}}" test_ref="test_64bit_ardm_{{{ ATTR }}}_augenrules" />
+{{% endif %}}
+
</criteria>
</criteria>
@@ -19,11 +27,17 @@
<criteria operator="AND">
<extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
<criterion comment="audit auditctl 32-bit {{{ ATTR }}}" test_ref="test_32bit_ardm_{{{ ATTR }}}_auditctl" />
+{{% if CHECK_ROOT_USER %}}
+ <criterion comment="audit auditctl 32-bit {{{ ATTR }}}" test_ref="test_32bit_ardm_{{{ ATTR }}}_auditctl_auid_0" />
+{{% endif %}}
<criteria operator="OR">
<!-- System either isn't 64-bit => we just check presence of 32-bit version of {{{ ATTR }}} audit DAC rule -->
<extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
<!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit version of {{{ ATTR }}} audit DAC rule -->
<criterion comment="audit auditctl 64-bit {{{ ATTR }}}" test_ref="test_64bit_ardm_{{{ ATTR }}}_auditctl" />
+{{% if CHECK_ROOT_USER %}}
+ <criterion comment="audit auditctl 64-bit {{{ ATTR }}}" test_ref="test_64bit_ardm_{{{ ATTR }}}_auditctl_auid_0" />
+{{% endif %}}
</criteria>
</criteria>
@@ -66,4 +80,43 @@
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+{{% if CHECK_ROOT_USER %}}
+
+ <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit {{{ ATTR }}} auid=0" id="test_32bit_ardm_{{{ ATTR }}}_augenrules_auid_0" version="1">
+ <ind:object object_ref="object_32bit_ardm_{{{ ATTR }}}_augenrules_auid_0" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_32bit_ardm_{{{ ATTR }}}_augenrules_auid_0" version="1">
+ <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit {{{ ATTR }}}" id="test_64bit_ardm_{{{ ATTR }}}_augenrules_auid_0" version="1">
+ <ind:object object_ref="object_64bit_ardm_{{{ ATTR }}}_augenrules_auid_0" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_64bit_ardm_{{{ ATTR }}}_augenrules_auid_0" version="1">
+ <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit {{{ ATTR }}}" id="test_32bit_ardm_{{{ ATTR }}}_auditctl_auid_0" version="1">
+ <ind:object object_ref="object_32bit_ardm_{{{ ATTR }}}_auditctl_auid_0" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_32bit_ardm_{{{ ATTR }}}_auditctl_auid_0" version="1">
+ <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit {{{ ATTR }}}" id="test_64bit_ardm_{{{ ATTR }}}_auditctl_auid_0" version="1">
+ <ind:object object_ref="object_64bit_ardm_{{{ ATTR }}}_auditctl_auid_0" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_64bit_ardm_{{{ ATTR }}}_auditctl_auid_0" version="1">
+ <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+{{% endif %}}
+
</def-group>
diff --git a/shared/templates/audit_rules_dac_modification/template.py b/shared/templates/audit_rules_dac_modification/template.py
new file mode 100644
index 0000000000..e12e9c27e5
--- /dev/null
+++ b/shared/templates/audit_rules_dac_modification/template.py
@@ -0,0 +1,7 @@
+from ssg.utils import parse_template_boolean_value
+
+
+def preprocess(data, lang):
+ data["check_root_user"] = parse_template_boolean_value(data, parameter="check_root_user", default_value=False)
+
+ return data
From af8b663e00889010ac4d99fb0988aacf6b3ce651 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 17 May 2021 18:07:30 +0200
Subject: [PATCH 06/21] Simplify perm=x code around
audit_rules_privileged_commands template.
Also change the OVAL check regex to make it mandatory by removing the ?
character from the regex.
---
.../oval.template | 4 +--
.../ansible.template | 26 ++++---------------
.../bash.template | 5 +++-
.../oval.template | 15 ++++-------
4 files changed, 16 insertions(+), 34 deletions(-)
diff --git a/shared/templates/audit_rules_dac_modification/oval.template b/shared/templates/audit_rules_dac_modification/oval.template
index 6e02cc7f09..8f30bef022 100644
--- a/shared/templates/audit_rules_dac_modification/oval.template
+++ b/shared/templates/audit_rules_dac_modification/oval.template
@@ -10,14 +10,14 @@
{{% if CHECK_ROOT_USER %}}
<criterion comment="audit augenrules 32-bit {{{ ATTR }}}" test_ref="test_32bit_ardm_{{{ ATTR }}}_augenrules_auid_0" />
{{% endif %}}
-
+
<criteria operator="OR">
<!-- System either isn't 64-bit => we just check presence of 32-bit version of {{{ ATTR }}} audit DAC rule -->
<extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
<!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit version of {{{ ATTR }}} audit DAC rule -->
<criterion comment="audit augenrules 64-bit {{{ ATTR }}}" test_ref="test_64bit_ardm_{{{ ATTR }}}_augenrules" />
{{% if CHECK_ROOT_USER %}}
- <criterion comment="audit augenrules 64-bit {{{ ATTR }}}" test_ref="test_64bit_ardm_{{{ ATTR }}}_augenrules" />
+ <criterion comment="audit augenrules 64-bit {{{ ATTR }}}" test_ref="test_64bit_ardm_{{{ ATTR }}}_augenrules_auid_0" />
{{% endif %}}
</criteria>
diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template
index ec7b7d7605..a245de6673 100644
--- a/shared/templates/audit_rules_privileged_commands/ansible.template
+++ b/shared/templates/audit_rules_privileged_commands/ansible.template
@@ -1,3 +1,6 @@
+{{%- if product in ["rhel8", "sle12", "sle15"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
# reboot = false
# strategy = restrict
@@ -26,12 +29,11 @@
- "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}"
when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched > 0
-{{% if product in ["rhel8", "sle12", "sle15"] %}}
- name: Inserts/replaces the {{{ NAME }}} rule in rules.d
lineinfile:
path: "{{ all_files[0] }}"
- line: '-a always,exit -F path={{{ PATH }}} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
+ line: '-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
create: yes
# Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules
@@ -39,23 +41,5 @@
- name: Inserts/replaces the {{{ NAME }}} rule in audit.rules
lineinfile:
path: /etc/audit/audit.rules
- line: '-a always,exit -F path={{{ PATH }}} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
+ line: '-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
create: yes
-
-{{% else %}}
-
-- name: Inserts/replaces the {{{ NAME }}} rule in rules.d
- lineinfile:
- path: "{{ all_files[0] }}"
- line: '-a always,exit -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
- create: yes
-
-# Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules
-
-- name: Inserts/replaces the {{{ NAME }}} rule in audit.rules
- lineinfile:
- path: /etc/audit/audit.rules
- line: '-a always,exit -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
- create: yes
-
-{{% endif %}}
diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
index 100a4770bf..2b3795674f 100644
--- a/shared/templates/audit_rules_privileged_commands/bash.template
+++ b/shared/templates/audit_rules_privileged_commands/bash.template
@@ -1,3 +1,6 @@
+{{%- if product in ["rhel8", "sle12", "sle15"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
# Include source function library.
@@ -7,7 +10,7 @@ PATTERN="-a always,exit -F path={{{ PATH }}}\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
-FULL_RULE="-a always,exit -F path={{{ PATH }}} {{{ "-F perm=x " if product in ["rhel8"]}}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged"
+FULL_RULE="-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
diff --git a/shared/templates/audit_rules_privileged_commands/oval.template b/shared/templates/audit_rules_privileged_commands/oval.template
index 151a9d5d47..8e3919ca66 100644
--- a/shared/templates/audit_rules_privileged_commands/oval.template
+++ b/shared/templates/audit_rules_privileged_commands/oval.template
@@ -1,3 +1,6 @@
+{{%- if product in ["rhel8", "sle12", "sle15"] %}}
+ {{%- set perm_x="(?:[\s]+-F[\s]+perm=x)" %}}
+{{%- endif %}}
<def-group>
<definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
{{{ oval_metadata("Audit rules about the information on the use of " + NAME + " is enabled.") }}}
@@ -23,11 +26,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_{{{ ID }}}_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-{{% if product in ["rhel8", "sle12", "sle15"] %}}
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(-S[\s]+all[\s]+)*-F[\s]+path={{{ PATH }}}(?:[\s]+-F[\s]+perm=x)?[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-{{% else %}}
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-{{% endif %}}
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}{{{ perm_x }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -36,11 +35,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_{{{ ID }}}_auditctl" version="1">
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
-{{% if product in ["rhel8", "sle12", "sle15"] %}}
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}(?:[\s]+-F[\s]+perm=x)?[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-{{% else %}}
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-{{% endif %}}
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}{{{ perm_x }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
From 4cf80fd7eff49d6e14852947e76a302ca2993db7 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 30 Jul 2021 15:04:14 +0200
Subject: [PATCH 07/21] Fix audit bash remediation to remove the auid!=unset
when using auid=0.
---
shared/templates/audit_rules_dac_modification/bash.template | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/templates/audit_rules_dac_modification/bash.template b/shared/templates/audit_rules_dac_modification/bash.template
index a10a9145b2..d64d264635 100644
--- a/shared/templates/audit_rules_dac_modification/bash.template
+++ b/shared/templates/audit_rules_dac_modification/bash.template
@@ -24,7 +24,7 @@ for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0.*"
GROUP="perm_mod"
- FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0 -F auid!=unset -F key=perm_mod"
+ FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
From 0833b43bfa039c4ee661049fb25b86ef3854b614 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 30 Jul 2021 15:04:55 +0200
Subject: [PATCH 08/21] Update audit_rules_dac_modification ansible remediation
with auid=0 fix.
---
.../ansible.template | 36 +++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template
index 70101ca777..d048978456 100644
--- a/shared/templates/audit_rules_dac_modification/ansible.template
+++ b/shared/templates/audit_rules_dac_modification/ansible.template
@@ -40,12 +40,29 @@
line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
create: yes
+{{%- if CHECK_ROOT_USER %}}
+- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in rules.d when on x86
+ lineinfile:
+ path: "{{ all_files[0] }}"
+ line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"
+ create: yes
+{{%- endif %}}
+
- name: Inserts/replaces the {{{ ATTR }}} rule in rules.d when on x86_64
lineinfile:
path: "{{ all_files[0] }}"
line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
create: yes
when: audit_arch is defined and audit_arch == 'b64'
+
+{{%- if CHECK_ROOT_USER %}}
+- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in rules.d when on x86_64
+ lineinfile:
+ path: "{{ all_files[0] }}"
+ line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"
+ create: yes
+ when: audit_arch is defined and audit_arch == 'b64'
+{{%- endif %}}
#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
@@ -56,6 +73,15 @@
dest: /etc/audit/audit.rules
create: yes
+{{%- if CHECK_ROOT_USER %}}
+- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in /etc/audit/audit.rules when on x86
+ lineinfile:
+ line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"
+ state: present
+ dest: /etc/audit/audit.rules
+ create: yes
+{{%- endif %}}
+
- name: Inserts/replaces the {{{ ATTR }}} rule in audit.rules when on x86_64
lineinfile:
line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
@@ -63,3 +89,13 @@
dest: /etc/audit/audit.rules
create: yes
when: audit_arch is defined and audit_arch == 'b64'
+
+{{%- if CHECK_ROOT_USER %}}
+- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in audit.rules when on x86_64
+ lineinfile:
+ line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid=0 -F auid!=unset -F key=perm_mod"
+ state: present
+ dest: /etc/audit/audit.rules
+ create: yes
+ when: audit_arch is defined and audit_arch == 'b64'
+{{%- endif %}}
From 314251db8fbff07ac4b796944381f9bb1eef05c2 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 30 Jul 2021 15:05:42 +0200
Subject: [PATCH 09/21] Update audit_rules_dac_modification rules description.
Make the check_user_root template parameter only applicable to RHEL8.
---
.../rule.yml | 14 +++++++++++++-
.../rule.yml | 14 +++++++++++++-
.../rule.yml | 14 +++++++++++++-
.../rule.yml | 14 +++++++++++++-
.../rule.yml | 14 +++++++++++++-
.../audit_rules_dac_modification_setxattr/rule.yml | 14 +++++++++++++-
6 files changed, 78 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
index 294a7ebfd2..e1a2492c4c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
@@ -11,17 +11,29 @@ description: |-
startup (the default), add the following line to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
<pre>-a always,exit -F arch=b32 -S fremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
<br /><br />
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S fremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
<br /><br />
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following line to
<tt>/etc/audit/audit.rules</tt> file:
<pre>-a always,exit -F arch=b32 -S fremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
<br /><br />
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S fremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
rationale: |-
The changing of file permissions could indicate that a user is attempting to
@@ -78,4 +90,4 @@ template:
name: audit_rules_dac_modification
vars:
attr: fremovexattr
- check_root_user: "true"
+ check_root_user@rhel8: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
index 9b01a07515..4c27cbf7fb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
@@ -9,14 +9,26 @@ description: |-
startup (the default), add the following line to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
<pre>-a always,exit -F arch=b32 -S fsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S fsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following line to
<tt>/etc/audit/audit.rules</tt> file:
<pre>-a always,exit -F arch=b32 -S fsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S fsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
rationale: |-
The changing of file permissions could indicate that a user is attempting to
@@ -73,4 +85,4 @@ template:
name: audit_rules_dac_modification
vars:
attr: fsetxattr
- check_root_user: "true"
+ check_root_user@rhel8: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
index 577af632aa..ad034bc570 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
@@ -11,17 +11,29 @@ description: |-
startup (the default), add the following line to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
<br /><br />
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
<br /><br />
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following line to
<tt>/etc/audit/audit.rules</tt> file:
<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
<br /><br />
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
rationale: |-
The changing of file permissions could indicate that a user is attempting to
@@ -78,4 +90,4 @@ template:
name: audit_rules_dac_modification
vars:
attr: lremovexattr
- check_root_user: "true"
+ check_root_user@rhel8: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
index d6be12af63..a3895bd4c7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
@@ -9,14 +9,26 @@ description: |-
startup (the default), add the following line to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following line to
<tt>/etc/audit/audit.rules</tt> file:
<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
rationale: |-
The changing of file permissions could indicate that a user is attempting to
@@ -71,4 +83,4 @@ template:
name: audit_rules_dac_modification
vars:
attr: lsetxattr
- check_root_user: "true"
+ check_root_user@rhel8: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
index 982d6d377c..eee86b99de 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
@@ -10,17 +10,29 @@ description: |-
program to read audit rules during daemon startup (the default), add the
following line to a file with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
<pre>-a always,exit -F arch=b32 -S removexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
<br /><br />
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S removexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
<br /><br />
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following line to
<tt>/etc/audit/audit.rules</tt> file:
<pre>-a always,exit -F arch=b32 -S removexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
<br /><br />
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S removexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
rationale: |-
The changing of file permissions could indicate that a user is attempting to
@@ -77,4 +89,4 @@ template:
name: audit_rules_dac_modification
vars:
attr: removexattr
- check_root_user: "true"
+ check_root_user@rhel8: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
index 71c31e2d15..4a90ed9f96 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
@@ -9,14 +9,26 @@ description: |-
startup (the default), add the following line to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
<pre>-a always,exit -F arch=b32 -S setxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S setxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following line to
<tt>/etc/audit/audit.rules</tt> file:
<pre>-a always,exit -F arch=b32 -S setxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S setxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+ <pre>-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
rationale: |-
The changing of file permissions could indicate that a user is attempting to
@@ -73,4 +85,4 @@ template:
name: audit_rules_dac_modification
vars:
attr: setxattr
- check_root_user: "true"
+ check_root_user@rhel8: "true"
From 48ce4b6e4803f92291c44acc990bd6a61baf4128 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 30 Jul 2021 16:54:48 +0200
Subject: [PATCH 10/21] Remove rule that is selected twice in RHEL8 STIG
profile.
It's already part of the following STIG id:
# RHEL-08-010560
- service_auditd_enabled
---
products/rhel8/profiles/stig.profile | 1 -
1 file changed, 1 deletion(-)
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index c3eee7fae0..3cbb4796ac 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -681,7 +681,6 @@ selections:
# RHEL-08-030180
- package_audit_installed
- - service_auditd_enabled
# RHEL-08-030190
- audit_rules_privileged_commands_su
From 7f23cee71a3fc1791b26c4e59339d73063fe867e Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 2 Aug 2021 15:36:55 +0200
Subject: [PATCH 11/21] Fix RHEL8 STIG id references in audit rules.
---
.../audit_rules_dac_modification_chmod/rule.yml | 3 ++-
.../audit_rules_dac_modification_chown/rule.yml | 3 ++-
.../audit_rules_dac_modification_fchmod/rule.yml | 3 ++-
.../audit_rules_dac_modification_fchmodat/rule.yml | 3 ++-
.../audit_rules_dac_modification_fchown/rule.yml | 3 ++-
.../audit_rules_dac_modification_fchownat/rule.yml | 3 ++-
.../audit_rules_dac_modification_fremovexattr/rule.yml | 3 ++-
.../audit_rules_dac_modification_fsetxattr/rule.yml | 3 ++-
.../audit_rules_dac_modification_lchown/rule.yml | 3 ++-
.../audit_rules_dac_modification_lremovexattr/rule.yml | 3 ++-
.../audit_rules_dac_modification_lsetxattr/rule.yml | 3 ++-
.../audit_rules_dac_modification_removexattr/rule.yml | 5 +++--
.../audit_rules_dac_modification_setxattr/rule.yml | 3 ++-
.../audit_rules_execution_chacl/rule.yml | 4 +++-
.../audit_rules_execution_setfacl/rule.yml | 4 +++-
.../audit_rules_execution_chcon/rule.yml | 3 ++-
.../audit_rules_execution_semanage/rule.yml | 5 +++--
.../audit_rules_execution_setfiles/rule.yml | 5 +++--
.../audit_rules_execution_setsebool/rule.yml | 5 +++--
.../audit_rules_file_deletion_events_rename/rule.yml | 5 +++--
.../audit_rules_file_deletion_events_renameat/rule.yml | 5 +++--
.../audit_rules_file_deletion_events_rmdir/rule.yml | 5 +++--
.../audit_rules_file_deletion_events_unlink/rule.yml | 5 +++--
.../audit_rules_file_deletion_events_unlinkat/rule.yml | 5 +++--
.../rule.yml | 3 ++-
.../rule.yml | 3 ++-
.../rule.yml | 3 ++-
.../rule.yml | 3 ++-
.../rule.yml | 3 ++-
.../rule.yml | 5 +++--
.../audit_rules_kernel_module_loading_delete/rule.yml | 3 ++-
.../audit_rules_kernel_module_loading_finit/rule.yml | 3 ++-
.../audit_rules_kernel_module_loading_init/rule.yml | 3 ++-
.../audit_rules_login_events_lastlog/rule.yml | 4 ++--
.../audit_rules_privileged_commands_chage/rule.yml | 5 +++--
.../audit_rules_privileged_commands_chsh/rule.yml | 5 +++--
.../audit_rules_privileged_commands_crontab/rule.yml | 5 +++--
.../audit_rules_privileged_commands_gpasswd/rule.yml | 5 +++--
.../audit_rules_privileged_commands_kmod/rule.yml | 4 +++-
.../audit_rules_privileged_commands_mount/rule.yml | 1 +
.../audit_rules_privileged_commands_newgrp/rule.yml | 5 +++--
.../rule.yml | 5 +++--
.../audit_rules_privileged_commands_passwd/rule.yml | 5 +++--
.../audit_rules_privileged_commands_postdrop/rule.yml | 5 +++--
.../audit_rules_privileged_commands_postqueue/rule.yml | 5 +++--
.../audit_rules_privileged_commands_ssh_agent/rule.yml | 6 ++++--
.../audit_rules_privileged_commands_ssh_keysign/rule.yml | 5 +++--
.../audit_rules_privileged_commands_su/rule.yml | 5 +++--
.../audit_rules_privileged_commands_sudo/rule.yml | 5 +++--
.../audit_rules_privileged_commands_umount/rule.yml | 1 +
.../audit_rules_privileged_commands_unix_chkpwd/rule.yml | 3 ++-
.../audit_rules_privileged_commands_userhelper/rule.yml | 5 +++--
.../audit_rules_privileged_commands_usermod/rule.yml | 4 +++-
.../auditd_configure_rules/audit_rules_immutable/rule.yml | 2 ++
.../audit_rules_media_export/rule.yml | 5 +++--
.../audit_rules_sysadmin_actions/rule.yml | 2 +-
.../audit_rules_usergroup_modification_group/rule.yml | 4 ++--
.../audit_rules_usergroup_modification_gshadow/rule.yml | 4 ++--
.../audit_rules_usergroup_modification_opasswd/rule.yml | 4 ++--
.../audit_rules_usergroup_modification_passwd/rule.yml | 4 ++--
.../audit_rules_usergroup_modification_shadow/rule.yml | 4 ++--
.../guide/system/auditing/grub2_audit_argument/rule.yml | 2 +-
.../policy_rules/audit_immutable_login_uids/rule.yml | 3 ++-
products/rhel8/profiles/stig.profile | 2 +-
shared/references/cce-redhat-avail.txt | 5 -----
65 files changed, 153 insertions(+), 97 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
index 4cb9bb5cf4..bc3e47523f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
@@ -52,9 +52,10 @@ references:
nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
- srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203
stigid@ol7: OL07-00-030410
stigid@rhel7: RHEL-07-030410
+ stigid@rhel8: RHEL-08-030490
stigid@sle12: SLES-12-020460
stigid@sle15: SLES-15-030290
stigid@ubuntu2004: UBTU-20-010152
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
index cbac49dd12..6b3236cf95 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
@@ -52,9 +52,10 @@ references:
nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
stigid@ol7: OL07-00-030370
stigid@rhel7: RHEL-07-030370
+ stigid@rhel8: RHEL-08-030480
stigid@sle12: SLES-12-020420
stigid@sle15: SLES-15-030250
stigid@ubuntu2004: UBTU-20-010148
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
index 81f2f067ba..ed4d88cb0c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
@@ -52,9 +52,10 @@ references:
nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203
stigid@ol7: OL07-00-030420
stigid@rhel7: RHEL-07-030420
+ stigid@rhel8: RHEL-08-030540
stigid@sle12: SLES-12-020470
stigid@sle15: SLES-15-030300
stigid@ubuntu2004: UBTU-20-010153
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
index 7fcf1c7ef1..2db3878939 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
@@ -52,9 +52,10 @@ references:
nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203
stigid@ol7: OL07-00-030430
stigid@rhel7: RHEL-07-030430
+ stigid@rhel8: RHEL-08-030530
stigid@sle12: SLES-12-020480
stigid@sle15: SLES-12-030310
stigid@ubuntu2004: UBTU-20-010154
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
index d696862377..37dfb89ef2 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
@@ -55,9 +55,10 @@ references:
nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
stigid@ol7: OL07-00-030380
stigid@rhel7: RHEL-07-030380
+ stigid@rhel8: RHEL-08-030520
stigid@sle12: SLES-12-020430
stigid@sle15: SLES-15-030260
stigid@ubuntu2004: UBTU-20-010149
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
index 0213d78fbc..f75ac769d8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
@@ -52,9 +52,10 @@ references:
nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
stigid@ol7: OL07-00-030400
stigid@rhel7: RHEL-07-030400
+ stigid@rhel8: RHEL-08-030510
stigid@sle12: SLES-12-020450
stigid@sle15: SLES-15-030280
stigid@ubuntu2004: UBTU-20-010150
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
index e1a2492c4c..d46968da8f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
@@ -69,9 +69,10 @@ references:
nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000466-GPOS-00210,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
stigid@ol7: OL07-00-030480
stigid@rhel7: RHEL-07-030480
+ stigid@rhel8: RHEL-08-030240
stigid@sle12: SLES-12-020410
stigid@sle15: SLES-15-030210
stigid@ubuntu2004: UBTU-20-010147
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
index 4c27cbf7fb..564daccaed 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
@@ -64,9 +64,10 @@ references:
nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033
stigid@ol7: OL07-00-030450
stigid@rhel7: RHEL-07-030450
+ stigid@rhel8: RHEL-08-030230
stigid@sle12: SLES-12-020380
stigid@sle15: SLES-15-030230
stigid@ubuntu2004: UBTU-20-010144
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
index 6e2432f309..edc053bfb3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
@@ -52,9 +52,10 @@ references:
nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
stigid@ol7: OL07-00-030390
stigid@rhel7: RHEL-07-030390
+ stigid@rhel8: RHEL-08-030500
stigid@sle12: SLES-12-020440
stigid@sle15: SLES-15-030270
stigid@ubuntu2004: UBTU-20-010151
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
index ad034bc570..2ae0f11c58 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
@@ -69,9 +69,10 @@ references:
nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000466-GPOS-00210,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
stigid@ol7: OL07-00-030490
stigid@rhel7: RHEL-07-030490
+ stigid@rhel8: RHEL-08-030200
stigid@sle12: SLES-12-020400
stigid@sle15: SLES-15-030200
stigid@ubuntu2004: UBTU-20-010146
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
index a3895bd4c7..945ad560d7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
@@ -63,9 +63,10 @@ references:
nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033
stigid@ol7: OL07-00-030460
stigid@rhel7: RHEL-07-030460
+ stigid@rhel8: RHEL-08-030220
stigid@sle15: SLES-15-030240
stigid@ubuntu2004: UBTU-20-010143
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
index eee86b99de..e6d7374b7f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
@@ -17,7 +17,7 @@ description: |-
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S removexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
{{%- if product in ["rhel8"] %}}
- <pre>-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
+ <pre>-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
<br /><br />
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
@@ -68,9 +68,10 @@ references:
nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000466-GPOS-00210,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
stigid@ol7: OL07-00-030470
stigid@rhel7: RHEL-07-030470
+ stigid@rhel8: RHEL-08-030210
stigid@sle12: SLES-12-020390
stigid@sle15: SLES-15-030190
stigid@ubuntu2004: UBTU-20-010145
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
index 4a90ed9f96..ab15167508 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
@@ -64,9 +64,10 @@ references:
nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203
stigid@ol7: OL07-00-030440
stigid@rhel7: RHEL-07-030440
+ stigid@rhel8: RHEL-08-030270
stigid@sle12: SLES-12-020370
stigid@sle15: SLES-15-030220
stigid@ubuntu2004: UBTU-20-010142
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
index 28125b692b..0c71e4ac24 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
@@ -27,13 +27,15 @@ rationale: |-
severity: medium
identifiers:
+ cce@rhel8: CCE-89446-9
cce@sle12: CCE-83190-9
cce@sle15: CCE-85595-7
references:
disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210
+ stigid@rhel8: RHEL-08-030570
stigid@sle12: SLES-12-020620
stigid@sle15: SLES-15-030440
stigid@ubuntu2004: UBTU-20-010168
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
index 43fe86106c..89c134a0fa 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
@@ -27,13 +27,15 @@ rationale: |-
severity: medium
identifiers:
+ cce@rhel8: CCE-88437-9
cce@sle12: CCE-83189-1
cce@sle15: CCE-85594-0
references:
disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ stigid@rhel8: RHEL-08-030330
stigid@sle12: SLES-12-020610
stigid@sle15: SLES-15-030430
stigid@ubuntu2004: UBTU-20-010167
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
index b50e27b810..0c6781c7d5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
@@ -60,9 +60,10 @@ references:
nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii)AU-12.1(iv),MA-4(1)(a)
ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
stigid@ol7: OL07-00-030580
stigid@rhel7: RHEL-07-030580
+ stigid@rhel8: RHEL-08-030260
stigid@sle12: SLES-12-020630
stigid@sle15: SLES-15-030450
stigid@ubuntu2004: UBTU-20-010165
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
index 2ad3b555b5..b609c3dfc2 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
@@ -40,7 +40,7 @@ references:
cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000172,CCI-002884
+ disa: CCI-000169,CCI-000172,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -49,9 +49,10 @@ references:
nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000392-GPOS-00172,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
stigid@ol7: OL07-00-030560
stigid@rhel7: RHEL-07-030560
+ stigid@rhel8: RHEL-08-030313
vmmsrg: SRG-OS-000463-VMM-001850
ocil: |-
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
index eb8bd19edb..9de7407f4c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
@@ -37,11 +37,12 @@ identifiers:
cce@rhel9: CCE-83736-9
references:
- disa: CCI-000172,CCI-002884
+ disa: CCI-000169,CCI-000172,CCI-002884
nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
- srg: SRG-OS-000392-GPOS-00172,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
stigid@ol7: OL07-00-030590
stigid@rhel7: RHEL-07-030590
+ stigid@rhel8: RHEL-08-030314
vmmsrg: SRG-OS-000463-VMM-001850
ocil: |-
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
index 5544175f39..23504bab4a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
@@ -40,7 +40,7 @@ references:
cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000172,CCI-002884
+ disa: CCI-000169,CCI-000172,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -48,9 +48,10 @@ references:
nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000392-GPOS-00172,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
stigid@ol7: OL07-00-030570
stigid@rhel7: RHEL-07-030570
+ stigid@rhel8: RHEL-08-030316
vmmsrg: SRG-OS-000463-VMM-001850
ocil: |-
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
index fe72f59697..9dd83f6dba 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
@@ -37,7 +37,7 @@ references:
cis@ubuntu2004: 4.1.13
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000172,CCI-000366,CCI-002884
+ disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -46,9 +46,10 @@ references:
nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.7
- srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
stigid@ol7: OL07-00-030880
stigid@rhel7: RHEL-07-030880
+ stigid@rhel8: RHEL-08-030361
stigid@ubuntu2004: UBTU-20-010269
vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
index 3508352514..cd9aa9f5e6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
@@ -37,7 +37,7 @@ references:
cis@ubuntu2004: 4.1.13
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000172,CCI-000366,CCI-002884
+ disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -46,9 +46,10 @@ references:
nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.7
- srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
stigid@ol7: OL07-00-030890
stigid@rhel7: RHEL-07-030890
+ stigid@rhel8: RHEL-08-030362
stigid@ubuntu2004: UBTU-20-010270
vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
index 994cf0e087..6e0bb755b0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
@@ -36,7 +36,7 @@ references:
cis@rhel8: 4.1.14
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000172,CCI-000366,CCI-002884
+ disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -45,9 +45,10 @@ references:
nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.7
- srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
stigid@ol7: OL07-00-030900
stigid@rhel7: RHEL-07-030900
+ stigid@rhel8: RHEL-08-030363
vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
{{{ complete_ocil_entry_audit_syscall(syscall="rmdir") }}}
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
index 330221f9c6..be4e328b7c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
@@ -37,7 +37,7 @@ references:
cis@ubuntu2004: 4.1.13
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000172,CCI-000366,CCI-002884
+ disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -46,9 +46,10 @@ references:
nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.7
- srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
stigid@ol7: OL07-00-030910
stigid@rhel7: RHEL-07-030910
+ stigid@rhel8: RHEL-08-030364
stigid@ubuntu2004: UBTU-20-010267
vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
index 14ef50bb2b..eaf8f1e08b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
@@ -37,7 +37,7 @@ references:
cis@ubuntu2004: 4.1.13
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000172,CCI-000366,CCI-002884
+ disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -46,9 +46,10 @@ references:
nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.7
- srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
stigid@ol7: OL07-00-030920
stigid@rhel7: RHEL-07-030920
+ stigid@rhel8: RHEL-08-030365
stigid@ubuntu2004: UBTU-20-010268
vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
index d793c73d87..08cc99133a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
@@ -57,9 +57,10 @@ references:
nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.4,Req-10.2.1
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
stigid@ol7: OL07-00-030500
stigid@rhel7: RHEL-07-030500
+ stigid@rhel8: RHEL-08-030470
stigid@sle12: SLES-12-020520
stigid@sle15: SLES-15-030160
stigid@ubuntu2004: UBTU-20-010158
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
index e8990ac8c0..e9b688b9b4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
@@ -60,9 +60,10 @@ references:
nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.4,Req-10.2.1
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
stigid@ol7: OL07-00-030550
stigid@rhel7: RHEL-07-030550
+ stigid@rhel8: RHEL-08-030460
stigid@sle12: SLES-12-020510
stigid@sle15: SLES-15-030320
stigid@ubuntu2004: UBTU-20-010157
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
index 8324307284..6e24227007 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
@@ -60,9 +60,10 @@ references:
nist@sle15: AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),AU-3,AU-3.1,MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.4,Req-10.2.1
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
stigid@ol7: OL07-00-030510
stigid@rhel7: RHEL-07-030510
+ stigid@rhel8: RHEL-08-030440
stigid@sle12: SLES-12-020490
stigid@sle15: SLES-15-030150
stigid@ubuntu2004: UBTU-20-010155
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
index f83c285dd2..2b6008fce1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
@@ -56,9 +56,10 @@ references:
nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.4,Req-10.2.1
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
stigid@ol7: OL07-00-030530
stigid@rhel7: RHEL-07-030530
+ stigid@rhel8: RHEL-08-030450
stigid@sle12: SLES-12-020540
stigid@sle15: SLES-15-030180
stigid@ubuntu2004: UBTU-20-010160
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
index 15311727d6..308e3da789 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
@@ -60,9 +60,10 @@ references:
nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.4,Req-10.2.1
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
stigid@ol7: OL07-00-030520
stigid@rhel7: RHEL-07-030520
+ stigid@rhel8: RHEL-08-030430
stigid@sle12: SLES-12-020530
stigid@sle15: SLES-15-030170
stigid@ubuntu2004: UBTU-20-010159
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
index 5d8e55087d..6ab8d28917 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
@@ -50,7 +50,7 @@ references:
cis@ubuntu2004: 4.1.10
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000172,CCI-002884
+ disa: CCI-000169,CCI-000172,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -59,9 +59,10 @@ references:
nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.4,Req-10.2.1
- srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
stigid@ol7: OL07-00-030540
stigid@rhel7: RHEL-07-030540
+ stigid@rhel8: RHEL-08-030420
stigid@sle12: SLES-12-020500
stigid@sle15: SLES-15-030610
stigid@ubuntu2004: UBTU-20-010156
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
index 48d0b501a3..052d21b4f0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
@@ -48,9 +48,10 @@ references:
nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.7
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
stigid@ol7: OL07-00-030830
stigid@rhel7: RHEL-07-030830
+ stigid@rhel8: RHEL-08-030390
stigid@sle12: SLES-12-020730
stigid@sle15: SLES-15-030520
stigid@ubuntu2004: UBTU-20-010302
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
index 1457d423bf..aa17002321 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
@@ -47,9 +47,10 @@ references:
nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.7
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
stigid@ol7: OL07-00-030821
stigid@rhel7: RHEL-07-030821
+ stigid@rhel8: RHEL-08-030380
stigid@sle12: SLES-12-020740
stigid@sle15: SLES-15-030530
stigid@ubuntu2004: UBTU-20-010180
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
index 53b9accfd8..1d8260432e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
@@ -47,9 +47,10 @@ references:
nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.7
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
stigid@ol7: OL07-00-030820
stigid@rhel7: RHEL-07-030820
+ stigid@rhel8: RHEL-08-030360
stigid@sle12: SLES-12-020750
stigid@sle15: SLES-15-030540
stigid@ubuntu2004: UBTU-20-010179
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
index f981f0143c..25f578b1f6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
@@ -39,7 +39,7 @@ references:
cis@ubuntu2004: 4.1.7
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000126,CCI-000172,CCI-002884
+ disa: CCI-000126,CCI-000169,CCI-000172,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -48,7 +48,7 @@ references:
nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.3
- srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000473-GPOS-00218,SRG-OS-000470-GPOS-00214
stigid@ol7: OL07-00-030620
stigid@rhel7: RHEL-07-030620
stigid@rhel8: RHEL-08-030600
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
index 426f1debed..474910c4c8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
@@ -43,7 +43,7 @@ references:
cis@ubuntu2004: 4.1.11
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -51,9 +51,10 @@ references:
nerc-cip: CIP-004-3 R2.2.2,CIP-004-3 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3
nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215
stigid@ol7: OL07-00-030660
stigid@rhel7: RHEL-07-030660
+ stigid@rhel8: RHEL-08-030250
stigid@sle12: SLES-12-020690
stigid@sle15: SLES-15-030120
stigid@ubuntu2004: UBTU-20-010175
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
index a31dd7eddb..3ca968a543 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
@@ -43,7 +43,7 @@ references:
cis@ubuntu2004: 4.1.11
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000130,CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -51,9 +51,10 @@ references:
nerc-cip: CIP-004-3 R2.2.2,CIP-004-3 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3
nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@ol7: OL07-00-030720
stigid@rhel7: RHEL-07-030720
+ stigid@rhel8: RHEL-08-030410
stigid@sle12: SLES-12-020580
stigid@sle15: SLES-15-030100
stigid@ubuntu2004: UBTU-20-010163
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
index 6146418c75..7c5058c7f8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
@@ -43,16 +43,17 @@ references:
cis@ubuntu2004: 4.1.11
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2
nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@ol7: OL07-00-030800
stigid@rhel7: RHEL-07-030800
+ stigid@rhel8: RHEL-08-030400
stigid@sle12: SLES-12-020710
stigid@sle15: SLES-15-030130
stigid@ubuntu2004: UBTU-20-010177
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
index a9f782bb64..0c7bf84268 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
@@ -43,7 +43,7 @@ references:
cis@ubuntu2004: 4.1.11
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -52,9 +52,10 @@ references:
nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@ol7: OL07-00-030650
stigid@rhel7: RHEL-07-030650
+ stigid@rhel8: RHEL-08-030370
stigid@sle12: SLES-12-020560
stigid@sle15: SLES-15-030080
stigid@ubuntu2004: UBTU-20-010174
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
index 168d5c51fc..851dd5aa3d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
@@ -28,13 +28,15 @@ rationale: |-
severity: medium
identifiers:
+ cce@rhel8: CCE-89455-0
cce@sle12: CCE-83207-1
cce@sle15: CCE-85591-6
references:
disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
nist: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv)AU-12(c),MA-4(1)(a)
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
+ stigid@rhel8: RHEL-08-030580
stigid@sle12: SLES-12-020360
stigid@sle15: SLES-15-030410
stigid@ubuntu2004: UBTU-20-010297
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
index 01c7a7ea92..cc423c4146 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
@@ -46,6 +46,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@ol7: OL07-00-030740
stigid@rhel7: RHEL-07-030740
+ stigid@rhel8: RHEL-08-030300
stigid@sle12: SLES-12-020290
stigid@sle15: SLES-15-030350
stigid@ubuntu2004: UBTU-20-010138
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
index 53ee78dc10..edbb41f3d8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
@@ -43,7 +43,7 @@ references:
cis@ubuntu2004: 4.1.11
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000130,CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000130,CCI-000169,CCI-000135,CCI-000172,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -52,9 +52,10 @@ references:
nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@ol7: OL07-00-030710
stigid@rhel7: RHEL-07-030710
+ stigid@rhel8: RHEL-08-030350
stigid@sle12: SLES-12-020570
stigid@sle15: SLES-15-030090
stigid@ubuntu2004: UBTU-20-010164
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
index 5753e20e9e..f5a3a4be02 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
@@ -50,16 +50,17 @@ references:
cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2
nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@ol7: OL07-00-030810
stigid@rhel7: RHEL-07-030810
+ stigid@rhel8: RHEL-08-030340
stigid@sle12: SLES-12-020720
stigid@sle15: SLES-15-030510
stigid@ubuntu2004: UBTU-20-010178
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
index 6792cad002..06b5cfc4ae 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
@@ -42,7 +42,7 @@ references:
cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -51,9 +51,10 @@ references:
nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@ol7: OL07-00-030630
stigid@rhel7: RHEL-07-030630
+ stigid@rhel8: RHEL-08-030280
stigid@sle12: SLES-12-020550
stigid@sle15: SLES-15-030070
stigid@ubuntu2004: UBTU-20-010172
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
index 4080c66b8d..8f90c9c211 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
@@ -41,16 +41,17 @@ references:
cis@ubuntu2004: 4.1.11
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2
nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@ol7: OL07-00-030760
stigid@rhel7: RHEL-07-030760
+ stigid@rhel8: RHEL-08-030311
vmmsrg: SRG-OS-000471-VMM-001910
ocil_clause: 'it is not the case'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
index 96308029f9..e913e83a0b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
@@ -41,16 +41,17 @@ references:
cis@ubuntu2004: 4.1.11
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2
nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@ol7: OL07-00-030770
stigid@rhel7: RHEL-07-030770
+ stigid@rhel8: RHEL-08-030312
vmmsrg: SRG-OS-000471-VMM-001910
ocil_clause: 'it is not the case'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
index b9f68d0712..f2ebca4550 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
@@ -28,14 +28,16 @@ rationale: |-
severity: medium
identifiers:
+ cce@rhel8: CCE-85944-7
cce@sle12: CCE-83199-0
cce@sle15: CCE-85590-8
references:
cis@ubuntu2004: 4.1.11
- disa: CCI-000130,CCI-000172
+ disa: CCI-000130,CCI-000169,CCI-000172
nist@sle12: AU-3,AU-3.1,AU-12(a),AU-12(c),AU-12.1(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ stigid@rhel8: RHEL-08-030280
stigid@sle12: SLES-12-020310
stigid@sle15: SLES-15-030370
stigid@ubuntu2004: UBTU-20-010140
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
index 8a042f7def..1bec9be61b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
@@ -47,7 +47,7 @@ references:
cis@ubuntu2004: 4.1.11
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -55,9 +55,10 @@ references:
nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@ol7: OL07-00-030780
stigid@rhel7: RHEL-07-030780
+ stigid@rhel8: RHEL-08-030320
stigid@sle12: SLES-12-020320
stigid@sle15: SLES-15-030060
stigid@ubuntu2004: UBTU-20-010141
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
index fce851d8e4..99e09ab4e3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
@@ -43,7 +43,7 @@ references:
cis@ubuntu2004: 4.1.11
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000130,CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -51,9 +51,10 @@ references:
nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-0003,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210
stigid@ol7: OL07-00-030680
stigid@rhel7: RHEL-07-030680
+ stigid@rhel8: RHEL-08-030190
stigid@sle12: SLES-12-020250
stigid@sle15: SLES-15-030550
stigid@ubuntu2004: UBTU-20-010136
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
index 50f72b7d89..aac859c4b1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
@@ -44,7 +44,7 @@ references:
cis@ubuntu2004: 4.1.11
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000130,CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -52,9 +52,10 @@ references:
nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210
stigid@ol7: OL07-00-030690
stigid@rhel7: RHEL-07-030690
+ stigid@rhel8: RHEL-08-030550
stigid@sle12: SLES-12-020260
stigid@sle15: SLES-15-030560
stigid@ubuntu2004: UBTU-20-010161
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
index 28fda0e782..061b5c28a7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
@@ -54,6 +54,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@ol7: OL07-00-030750
stigid@rhel7: RHEL-07-030750
+ stigid@rhel8: RHEL-08-030301
stigid@sle12: SLES-12-020300
stigid@sle15: SLES-15-030360
stigid@ubuntu2004: UBTU-20-010139
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
index f78b1972be..41a6123f5b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
@@ -52,9 +52,10 @@ references:
nist: AC-2(4),AU-2(d),AU-3,AU-3.1,AU-12(a),AU-12(c),AU-12.1(ii),AU-12.1(iv),AC-6(9),CM-6(a),MA-4(1)(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215,SRG-OS-000037-GPOS-00015
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@ol7: OL07-00-030640
stigid@rhel7: RHEL-07-030640
+ stigid@rhel8: RHEL-08-030317
stigid@sle12: SLES-12-020680
stigid@sle15: SLES-15-030110
vmmsrg: SRG-OS-000471-VMM-001910
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
index 13bddb000a..de8bab633a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
@@ -40,7 +40,7 @@ references:
cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000135,CCI-000172,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -48,9 +48,10 @@ references:
nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@ol7: OL07-00-030670
stigid@rhel7: RHEL-07-030670
+ stigid@rhel8: RHEL-08-030315
vmmsrg: SRG-OS-000471-VMM-001910
ocil_clause: 'it is not the case'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
index b4c8a8f2cb..288d3c3bf2 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
@@ -39,13 +39,15 @@ rationale: |-
severity: medium
identifiers:
+ cce@rhel8: CCE-86027-0
cce@sle12: CCE-83191-7
cce@sle15: CCE-85600-5
references:
disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
nist@sle12: AU-3,AU-12(a),AU-12(c),MA-4(1)(a)
- srg: SRG-OS-000037-GPOS-00015
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210
+ stigid@rhel8: RHEL-08-030560
stigid@sle12: SLES-12-020700
stigid@sle15: SLES-15-030500
stigid@ubuntu2004: UBTU-20-010176
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
index 6aab91b6d5..6818e5c7b8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
@@ -39,6 +39,7 @@ references:
cjis: 5.4.1.1
cobit5: APO01.06,APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.3.1,3.4.3
+ disa: CCI-000162
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.310(a)(2)(iv),164.312(d),164.310(d)(2)(iii),164.312(b),164.312(e)
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 5.2,SR 6.1'
@@ -46,4 +47,5 @@ references:
nist: AC-6(9),CM-6(a)
nist-csf: DE.AE-3,DE.AE-5,ID.SC-4,PR.AC-4,PR.DS-5,PR.PT-1,RS.AN-1,RS.AN-4
pcidss: Req-10.5.2
+ srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
stigid@rhel8: RHEL-08-030121
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
index 7dd945ae83..298aec87f3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
@@ -38,7 +38,7 @@ references:
cjis: 5.4.1.1
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000135,CCI-002884
+ disa: CCI-000135,CCI-000169,CCI-002884
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -46,9 +46,10 @@ references:
nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
pcidss: Req-10.2.7
- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@ol7: OL07-00-030740
stigid@rhel7: RHEL-07-030740
+ stigid@rhel8: RHEL-08-030302
stigid@sle12: SLES-12-020290
ocil_clause: 'there is no output'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
index 52c7bd2aef..12bca676d8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
@@ -47,7 +47,7 @@ references:
nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.2,Req-10.2.5.b
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,CCI-002884,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
stigid@ol7: OL07-00-030700
stigid@rhel7: RHEL-07-030700
stigid@rhel8: RHEL-08-030172
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
index a91d14e967..11c8f823c3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
@@ -43,7 +43,7 @@ references:
cjis: 5.4.1.1
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
+ disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -53,7 +53,7 @@ references:
nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.5
- srg: SRG-OS-000004-GPOS-00004
+ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,CCI-002884,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
stigid@ol7: OL07-00-030871
stigid@rhel7: RHEL-07-030871
stigid@rhel8: RHEL-08-030170
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
index 90b98863c1..8ccf265de6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
@@ -43,7 +43,7 @@ references:
cjis: 5.4.1.1
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
+ disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -53,7 +53,7 @@ references:
nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.5
- srg: SRG-OS-000004-GPOS-00004
+ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
stigid@ol7: OL07-00-030872
stigid@rhel7: RHEL-07-030872
stigid@rhel8: RHEL-08-030160
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
index 05e12170e4..b8e99f216a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
@@ -43,7 +43,7 @@ references:
cjis: 5.4.1.1
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
+ disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -54,7 +54,7 @@ references:
nist@sle15: AC-2(4).1(i&ii),AU-12.1(iv)
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.5
- srg: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000463-GPOS-00207,SRG-OS-000476-GPOS-00221
+ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000476-GPOS-00221,SRG-OS-000463-GPOS-00207
stigid@ol7: OL07-00-030874
stigid@rhel7: RHEL-07-030874
stigid@rhel8: RHEL-08-030140
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
index 88ef5606a7..aae128fee9 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
@@ -43,7 +43,7 @@ references:
cjis: 5.4.1.1
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
+ disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -53,7 +53,7 @@ references:
nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.5
- srg: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000276-GPOS-00106,SRG-OS-000277-GPOS-00107,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221
+ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000276-GPOS-00106,SRG-OS-000277-GPOS-00107
stigid@ol7: OL07-00-030870
stigid@rhel7: RHEL-07-030870
stigid@rhel8: RHEL-08-030150
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
index 6d084343c9..d6cede0d34 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
@@ -43,7 +43,7 @@ references:
cjis: 5.4.1.1
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
- disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
+ disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -53,7 +53,7 @@ references:
nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.5
- srg: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221
+ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
stigid@ol7: OL07-00-030873
stigid@rhel7: RHEL-07-030873
stigid@rhel8: RHEL-08-030130
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
index f1b2bb78fb..733172861a 100644
--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
@@ -46,7 +46,7 @@ references:
nist: AC-17(1),AU-14(1),AU-10,CM-6(a),IR-5(1)
nist-csf: DE.AE-3,DE.AE-5,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
pcidss: Req-10.3
- srg: SRG-OS-000254-GPOS-00095,SRG-OS-000062-GPOS-00031
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000473-GPOS-00218,SRG-OS-000254-GPOS-00095
stigid@rhel8: RHEL-08-030601
stigid@ubuntu2004: UBTU-20-010198
vmmsrg: SRG-OS-000254-VMM-000880
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
index aa22da90c3..261dc1849e 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
@@ -35,9 +35,10 @@ identifiers:
cce@rhel9: CCE-83673-4
references:
+ disa: CCI-000162
nist: AU-2(a)
ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220
+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
stigid@rhel8: RHEL-08-030122
ocil_clause: 'the file does not exist or the content differs'
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 3cbb4796ac..469c7dff5e 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -846,7 +846,7 @@ selections:
# RHEL-08-030590
# This one needs to be updated to use /var/log/faillock, but first RHEL-08-020017 should be
- # implemented as it is the one that configures a different patch for the events of failing locks
+ # implemented as it is the one that configures a different path for the events of failing locks
# - audit_rules_login_events_faillock
# RHEL-08-030600
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 1d54e8ec15..dcb1e675bd 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -74,7 +74,6 @@ CCE-85940-5
CCE-85941-3
CCE-85942-1
CCE-85943-9
-CCE-85944-7
CCE-85945-4
CCE-85946-2
CCE-85947-0
@@ -154,7 +153,6 @@ CCE-86023-9
CCE-86024-7
CCE-86025-4
CCE-86026-2
-CCE-86027-0
CCE-86028-8
CCE-86029-6
CCE-86030-4
@@ -2522,7 +2520,6 @@ CCE-88433-8
CCE-88434-6
CCE-88435-3
CCE-88436-1
-CCE-88437-9
CCE-88438-7
CCE-88439-5
CCE-88440-3
@@ -3515,7 +3512,6 @@ CCE-89442-8
CCE-89443-6
CCE-89444-4
CCE-89445-1
-CCE-89446-9
CCE-89447-7
CCE-89448-5
CCE-89449-3
@@ -3524,7 +3520,6 @@ CCE-89451-9
CCE-89452-7
CCE-89453-5
CCE-89454-3
-CCE-89455-0
CCE-89456-8
CCE-89457-6
CCE-89458-4
From 1e6b51ceb3e8fb9e6406b5f0ba925120e19e719d Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 3 Aug 2021 11:44:57 +0200
Subject: [PATCH 12/21] Define template data using product qualifiers instead
of macros.
---
.../audit_rules_privileged_commands_ssh_keysign/rule.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
index 1bec9be61b..5c39013572 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
@@ -75,4 +75,6 @@ ocil: |-
template:
name: audit_rules_privileged_commands
vars:
- path: {{% if product in ["sle12", "sle15"] %}}/usr/lib/ssh/ssh-keysign{{% else %}}/usr/libexec/openssh/ssh-keysign{{% endif %}}
+ path: /usr/libexec/openssh/ssh-keysign
+ path@sle12: /usr/lib/ssh/ssh-keysign
+ path@sle15: /usr/lib/ssh/ssh-keysign
From f8478dea74e99affff3f3b7b62d91ac509d71a8c Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 3 Aug 2021 12:01:18 +0200
Subject: [PATCH 13/21] Add new STIG audit rule
audit_rules_privileged_commands_unix_update.
---
.../rule.yml | 53 +++++++++++++++++++
.../tests/ocp4/e2e.yml | 3 ++
products/rhel8/profiles/stig.profile | 2 +-
shared/references/cce-redhat-avail.txt | 2 -
4 files changed, 57 insertions(+), 3 deletions(-)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/rule.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/tests/ocp4/e2e.yml
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/rule.yml
new file mode 100644
index 0000000000..7ef800da19
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/rule.yml
@@ -0,0 +1,53 @@
+documentation_complete: true
+
+prodtype: rhel8,rhel9
+
+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - unix_update'
+
+description: |-
+ At a minimum, the audit system should collect the execution of
+ privileged commands for all users and root. If the <tt>auditd</tt> daemon is
+ configured to use the <tt>augenrules</tt> program to read audit rules during
+ daemon startup (the default), add a line of the following form to a file with
+ suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
+ <pre>-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+ utility to read audit rules during daemon startup, add a line of the following
+ form to <tt>/etc/audit/audit.rules</tt>:
+ <pre>-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+
+rationale: |-
+ Misuse of privileged functions, either intentionally or unintentionally by
+ authorized users, or by unauthorized external entities that have compromised system accounts,
+ is a serious and ongoing concern and can have significant adverse impacts on organizations.
+ Auditing the use of privileged functions is one way to detect such misuse and identify
+ the risk from insider and advanced persistent threats.
+ <br /><br />
+ Privileged programs are subject to escalation-of-privilege attacks,
+ which attempt to subvert their normal role of providing some necessary but
+ limited capability. As such, motivation exists to monitor these programs for
+ unusual activity.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-89480-8
+ cce@rhel9: CCE-89481-6
+
+references:
+ disa: CCI-000169
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ stigid@rhel8: RHEL-08-030310
+
+ocil_clause: 'it is not the case'
+
+ocil: |-
+ To verify that auditing of privileged command use is configured, run the
+ following command:
+ <pre>$ sudo grep unix_update /etc/audit/audit.rules /etc/audit/rules.d/*</pre>
+ It should return a relevant line in the audit rules.
+
+template:
+ name: audit_rules_privileged_commands
+ vars:
+ path: /usr/sbin/unix_update
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/tests/ocp4/e2e.yml
new file mode 100644
index 0000000000..fd9b313e87
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/tests/ocp4/e2e.yml
@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 469c7dff5e..2cece6a130 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -725,7 +725,7 @@ selections:
- audit_rules_media_export
# RHEL-08-030310
- # missing rule
+ - audit_rules_privileged_commands_unix_update
# RHEL-08-030311
- audit_rules_privileged_commands_postdrop
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index dcb1e675bd..ac98344c73 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -3544,8 +3544,6 @@ CCE-89476-6
CCE-89477-4
CCE-89478-2
CCE-89479-0
-CCE-89480-8
-CCE-89481-6
CCE-89482-4
CCE-89483-2
CCE-89484-0
From 1216eda0621bedfd60f189bbfd60e79f3b6f5411 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 3 Aug 2021 12:30:11 +0200
Subject: [PATCH 14/21] Add two new rules to cover STIG req based on existing
rule.
The rule used as basis is audit_rules_sysadmin_actions. This rules is
used by many profiles and it didn't make sense to change its behavior,
so two new rules were created to be used only by RHEL8 STIG.
---
.../audit_rules_sudoers/ansible/shared.yml | 39 +++++++++++++++++++
.../audit_rules_sudoers/bash/shared.sh | 8 ++++
.../audit_rules_sudoers/oval/shared.xml | 34 ++++++++++++++++
.../audit_rules_sudoers/rule.yml | 39 +++++++++++++++++++
.../audit_rules_sudoers/tests/correct.pass.sh | 3 ++
.../audit_rules_sudoers/tests/empty.fail.sh | 4 ++
.../tests/wrong_value.fail.sh | 4 ++
.../audit_rules_sudoers_d/ansible/shared.yml | 39 +++++++++++++++++++
.../audit_rules_sudoers_d/bash/shared.sh | 8 ++++
.../audit_rules_sudoers_d/oval/shared.xml | 34 ++++++++++++++++
.../audit_rules_sudoers_d/rule.yml | 39 +++++++++++++++++++
.../tests/correct.pass.sh | 3 ++
.../audit_rules_sudoers_d/tests/empty.fail.sh | 4 ++
.../tests/missing_slash.fail.sh | 4 ++
products/rhel8/profiles/stig.profile | 5 +--
shared/references/cce-redhat-avail.txt | 4 --
16 files changed, 264 insertions(+), 7 deletions(-)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/ansible/shared.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/bash/shared.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/oval/shared.xml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/empty.fail.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/wrong_value.fail.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/ansible/shared.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/bash/shared.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/empty.fail.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/missing_slash.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/ansible/shared.yml
new file mode 100644
index 0000000000..12324a9f76
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/ansible/shared.yml
@@ -0,0 +1,39 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+# Inserts/replaces the rule in /etc/audit/rules.d
+
+- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions
+ find:
+ paths: "/etc/audit/rules.d"
+ recurse: no
+ contains: '^.*/etc/sudoers\s.*$'
+ patterns: "*.rules"
+ register: find_audit_sysadmin_actions
+
+- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule
+ set_fact:
+ all_sysadmin_actions_files:
+ - /etc/audit/rules.d/actions.rules
+ when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched == 0
+
+- name: Use matched file as the recipient for the rule
+ set_fact:
+ all_sysadmin_actions_files:
+ - "{{ find_audit_sysadmin_actions.files | map(attribute='path') | list | first }}"
+ when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched > 0
+
+- name: Inserts/replaces audit rule for /etc/sudoers rule in rules.d
+ lineinfile:
+ path: "{{ all_sysadmin_actions_files[0] }}"
+ line: '-w /etc/sudoers -p wa -k actions'
+ create: yes
+
+- name: Inserts/replaces audit rule for /etc/sudoers in audit.rules
+ lineinfile:
+ path: /etc/audit/audit.rules
+ line: '-w /etc/sudoers -p wa -k actions'
+ create: yes
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/bash/shared.sh
new file mode 100644
index 0000000000..a1392449b0
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/bash/shared.sh
@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions"
+fix_audit_watch_rule "augenrules" "/etc/sudoers" "wa" "actions"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/oval/shared.xml
new file mode 100644
index 0000000000..96d1a91c1e
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/oval/shared.xml
@@ -0,0 +1,34 @@
+<def-group>
+ <definition class="compliance" id="audit_rules_sudoers" version="1">
+ {{{ oval_metadata("Audit actions taken by system administrators on the system - /etc/sudoers.") }}}
+ <criteria operator="OR">
+ <criteria operator="AND">
+ <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+ <criterion comment="audit augenrules sudoers" test_ref="test_audit_rules_sudoers_augenrules" />
+ </criteria>
+ <criteria operator="AND">
+ <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+ <criterion comment="audit auditctl sudoers" test_ref="test_audit_rules_sudoers_auditctl" />
+ </criteria>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" comment="audit augenrules sudoers" id="test_audit_rules_sudoers_augenrules" version="1">
+ <ind:object object_ref="object_audit_rules_sudoers_augenrules" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_audit_rules_sudoers_augenrules" version="1">
+ <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+ <ind:pattern operation="pattern match">^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" comment="audit auditctl sudoers" id="test_audit_rules_sudoers_auditctl" version="1">
+ <ind:object object_ref="object_audit_rules_sudoers_auditctl" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_audit_rules_sudoers_auditctl" version="1">
+ <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+ <ind:pattern operation="pattern match">^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
new file mode 100644
index 0000000000..f39bfa7e72
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+prodtype: rhel8,rhel9
+
+title: 'Ensure auditd Collects System Administrator Actions - /etc/sudoers'
+
+description: |-
+ At a minimum, the audit system should collect administrator actions
+ for all users and root. If the <tt>auditd</tt> daemon is configured to use the
+ <tt>augenrules</tt> program to read audit rules during daemon startup (the default),
+ add the following line to a file with suffix <tt>.rules</tt> in the directory
+ <tt>/etc/audit/rules.d</tt>:
+ <pre>-w /etc/sudoers -p wa -k actions</pre>
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+ utility to read audit rules during daemon startup, add the following line to
+ <tt>/etc/audit/audit.rules</tt> file:
+ <pre>-w /etc/sudoers -p wa -k actions</pre>
+
+rationale: |-
+ The actions taken by system administrators should be audited to keep a record
+ of what was executed on the system, as well as, for accountability purposes.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-90175-1
+ cce@rhel9: CCE-90176-9
+
+references:
+ disa: CCI-000169
+ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,CCI-002884,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
+ stigid@rhel8: RHEL-08-030171
+
+ocil_clause: 'there is not output'
+
+ocil: |-
+ To verify that auditing is configured for system administrator actions, run the following command:
+ <pre>$ sudo auditctl -l | grep "watch=/etc/sudoers\|-w /etc/sudoers\"</pre>
+
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/correct.pass.sh
new file mode 100644
index 0000000000..27ff10cb23
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+mkdir -p /etc/audit/rules.d/
+echo "-w /etc/sudoers -p wa -k actions" >> /etc/audit/rules.d/actions.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/empty.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/empty.fail.sh
new file mode 100644
index 0000000000..2776dabaa1
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/empty.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+rm -rf /etc/audit/rules.d/
+mkdir -p /etc/audit/rules.d/
+touch /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..3d30475363
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/wrong_value.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mkdir -p /etc/audit/rules.d/
+echo "-w /etc/sudo -p wa -k actions" >> /etc/audit/rules.d/actions.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/ansible/shared.yml
new file mode 100644
index 0000000000..89e028ac2d
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/ansible/shared.yml
@@ -0,0 +1,39 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+# Inserts/replaces the rule in /etc/audit/rules.d
+
+- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions
+ find:
+ paths: "/etc/audit/rules.d"
+ recurse: no
+ contains: '^.*/etc/sudoers\.d/\s.*$'
+ patterns: "*.rules"
+ register: find_audit_sysadmin_actions
+
+- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule
+ set_fact:
+ all_sysadmin_actions_files:
+ - /etc/audit/rules.d/actions.rules
+ when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched == 0
+
+- name: Use matched file as the recipient for the rule
+ set_fact:
+ all_sysadmin_actions_files:
+ - "{{ find_audit_sysadmin_actions.files | map(attribute='path') | list | first }}"
+ when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched > 0
+
+- name: Inserts/replaces audit rule for /etc/sudoers.d/ rule in rules.d
+ lineinfile:
+ path: "{{ all_sysadmin_actions_files[0] }}"
+ line: '-w /etc/sudoers.d/ -p wa -k actions'
+ create: yes
+
+- name: Inserts/replaces audit rule for /etc/sudoers.d/ in audit.rules
+ lineinfile:
+ path: /etc/audit/audit.rules
+ line: '-w /etc/sudoers.d/ -p wa -k actions'
+ create: yes
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/bash/shared.sh
new file mode 100644
index 0000000000..9a6292d21d
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/bash/shared.sh
@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+fix_audit_watch_rule "auditctl" "/etc/sudoers.d/" "wa" "actions"
+fix_audit_watch_rule "augenrules" "/etc/sudoers.d/" "wa" "actions"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml
new file mode 100644
index 0000000000..c171851647
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml
@@ -0,0 +1,34 @@
+<def-group>
+ <definition class="compliance" id="audit_rules_sudoers_d" version="1">
+ {{{ oval_metadata("Audit actions taken by system administrators on the system - /etc/sudoers.d/.") }}}
+ <criteria operator="OR">
+ <criteria operator="AND">
+ <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+ <criterion comment="audit augenrules sudoers_d" test_ref="test_audit_rules_sudoers_d_augenrules" />
+ </criteria>
+ <criteria operator="AND">
+ <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+ <criterion comment="audit auditctl sudoers_d" test_ref="test_audit_rules_sudoers_d_auditctl" />
+ </criteria>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" comment="audit augenrules sudoers" id="test_audit_rules_sudoers_d_augenrules" version="1">
+ <ind:object object_ref="object_audit_rules_sudoers_d_augenrules" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_audit_rules_sudoers_d_augenrules" version="1">
+ <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+ <ind:pattern operation="pattern match">^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" comment="audit auditctl sudoers" id="test_audit_rules_sudoers_d_auditctl" version="1">
+ <ind:object object_ref="object_audit_rules_sudoers_d_auditctl" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_audit_rules_sudoers_d_auditctl" version="1">
+ <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+ <ind:pattern operation="pattern match">^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml
new file mode 100644
index 0000000000..d4a35a7996
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+prodtype: rhel8,rhel9
+
+title: 'Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/'
+
+description: |-
+ At a minimum, the audit system should collect administrator actions
+ for all users and root. If the <tt>auditd</tt> daemon is configured to use the
+ <tt>augenrules</tt> program to read audit rules during daemon startup (the default),
+ add the following line to a file with suffix <tt>.rules</tt> in the directory
+ <tt>/etc/audit/rules.d</tt>:
+ <pre>-w /etc/sudoers.d/ -p wa -k actions</pre>
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+ utility to read audit rules during daemon startup, add the following line to
+ <tt>/etc/audit/audit.rules</tt> file:
+ <pre>-w /etc/sudoers.d/ -p wa -k actions</pre>
+
+rationale: |-
+ The actions taken by system administrators should be audited to keep a record
+ of what was executed on the system, as well as, for accountability purposes.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-89497-2
+ cce@rhel9: CCE-89498-0
+
+references:
+ disa: CCI-000169
+ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,CCI-002884,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
+ stigid@rhel8: RHEL-08-030172
+
+ocil_clause: 'there is not output'
+
+ocil: |-
+ To verify that auditing is configured for system administrator actions, run the following command:
+ <pre>$ sudo auditctl -l | grep "watch=/etc/sudoers.d\|-w /etc/sudoers.d"</pre>
+
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/correct.pass.sh
new file mode 100644
index 0000000000..a1259a6e66
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+mkdir -p /etc/audit/rules.d/
+echo "-w /etc/sudoers.d/ -p wa -k actions" >> /etc/audit/rules.d/actions.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/empty.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/empty.fail.sh
new file mode 100644
index 0000000000..2776dabaa1
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/empty.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+rm -rf /etc/audit/rules.d/
+mkdir -p /etc/audit/rules.d/
+touch /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/missing_slash.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/missing_slash.fail.sh
new file mode 100644
index 0000000000..dd96b1ec10
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/missing_slash.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mkdir -p /etc/audit/rules.d/
+echo "-w /etc/sudoers.d -p wa -k actions" >> /etc/audit/rules.d/actions.rules
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 2cece6a130..965068a691 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -673,11 +673,10 @@ selections:
- audit_rules_usergroup_modification_group
# RHEL-08-030171
- # should be split
- # - audit_rules_sysadmin_actions
+ - audit_rules_sudoers
# RHEL-08-030172
- - audit_rules_sysadmin_actions
+ - audit_rules_sudoers_d
# RHEL-08-030180
- package_audit_installed
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ac98344c73..001262c6ee 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -3559,8 +3559,6 @@ CCE-89493-1
CCE-89494-9
CCE-89495-6
CCE-89496-4
-CCE-89497-2
-CCE-89498-0
CCE-89499-8
CCE-89500-3
CCE-89501-1
@@ -4228,8 +4226,6 @@ CCE-90170-2
CCE-90172-8
CCE-90173-6
CCE-90174-4
-CCE-90175-1
-CCE-90176-9
CCE-90177-7
CCE-90178-5
CCE-90179-3
From 2db69d93f8616c9d39897a44994ccdfc30fafb65 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 3 Aug 2021 16:15:14 +0200
Subject: [PATCH 15/21] Update RHEL8 STIG profiles stability test data.
---
.../data/profile_stability/rhel8/stig.profile | 64 +++++++++++++++++++
.../profile_stability/rhel8/stig_gui.profile | 64 +++++++++++++++++++
2 files changed, 128 insertions(+)
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index fcae79f6d8..d7e2f71376 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -66,7 +66,71 @@ selections:
- aide_scan_notification
- aide_verify_acls
- aide_verify_ext_attributes
+- audit_immutable_login_uids
+- audit_rules_dac_modification_chmod
+- audit_rules_dac_modification_chown
+- audit_rules_dac_modification_fchmod
+- audit_rules_dac_modification_fchmodat
+- audit_rules_dac_modification_fchown
+- audit_rules_dac_modification_fchownat
+- audit_rules_dac_modification_fremovexattr
+- audit_rules_dac_modification_fsetxattr
+- audit_rules_dac_modification_lchown
+- audit_rules_dac_modification_lremovexattr
+- audit_rules_dac_modification_lsetxattr
+- audit_rules_dac_modification_removexattr
+- audit_rules_dac_modification_setxattr
+- audit_rules_execution_chacl
+- audit_rules_execution_chcon
+- audit_rules_execution_semanage
+- audit_rules_execution_setfacl
+- audit_rules_execution_setfiles
+- audit_rules_execution_setsebool
+- audit_rules_file_deletion_events_rename
+- audit_rules_file_deletion_events_renameat
+- audit_rules_file_deletion_events_rmdir
+- audit_rules_file_deletion_events_unlink
+- audit_rules_file_deletion_events_unlinkat
+- audit_rules_immutable
+- audit_rules_kernel_module_loading_delete
+- audit_rules_kernel_module_loading_finit
+- audit_rules_kernel_module_loading_init
+- audit_rules_login_events_lastlog
+- audit_rules_media_export
+- audit_rules_privileged_commands_chage
+- audit_rules_privileged_commands_chsh
+- audit_rules_privileged_commands_crontab
+- audit_rules_privileged_commands_gpasswd
+- audit_rules_privileged_commands_kmod
+- audit_rules_privileged_commands_mount
+- audit_rules_privileged_commands_newgrp
+- audit_rules_privileged_commands_pam_timestamp_check
+- audit_rules_privileged_commands_passwd
+- audit_rules_privileged_commands_postdrop
+- audit_rules_privileged_commands_postqueue
+- audit_rules_privileged_commands_ssh_agent
+- audit_rules_privileged_commands_ssh_keysign
+- audit_rules_privileged_commands_su
+- audit_rules_privileged_commands_sudo
+- audit_rules_privileged_commands_umount
+- audit_rules_privileged_commands_unix_chkpwd
+- audit_rules_privileged_commands_unix_update
+- audit_rules_privileged_commands_userhelper
+- audit_rules_privileged_commands_usermod
+- audit_rules_sudoers
+- audit_rules_sudoers_d
- audit_rules_suid_privilege_function
+- audit_rules_unsuccessful_file_modification_creat
+- audit_rules_unsuccessful_file_modification_ftruncate
+- audit_rules_unsuccessful_file_modification_open
+- audit_rules_unsuccessful_file_modification_open_by_handle_at
+- audit_rules_unsuccessful_file_modification_openat
+- audit_rules_unsuccessful_file_modification_truncate
+- audit_rules_usergroup_modification_group
+- audit_rules_usergroup_modification_gshadow
+- audit_rules_usergroup_modification_opasswd
+- audit_rules_usergroup_modification_passwd
+- audit_rules_usergroup_modification_shadow
- auditd_audispd_configure_sufficiently_large_partition
- auditd_data_disk_error_action
- auditd_data_disk_full_action
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 2bbd1881f5..7c95e31545 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -77,7 +77,71 @@ selections:
- aide_scan_notification
- aide_verify_acls
- aide_verify_ext_attributes
+- audit_immutable_login_uids
+- audit_rules_dac_modification_chmod
+- audit_rules_dac_modification_chown
+- audit_rules_dac_modification_fchmod
+- audit_rules_dac_modification_fchmodat
+- audit_rules_dac_modification_fchown
+- audit_rules_dac_modification_fchownat
+- audit_rules_dac_modification_fremovexattr
+- audit_rules_dac_modification_fsetxattr
+- audit_rules_dac_modification_lchown
+- audit_rules_dac_modification_lremovexattr
+- audit_rules_dac_modification_lsetxattr
+- audit_rules_dac_modification_removexattr
+- audit_rules_dac_modification_setxattr
+- audit_rules_execution_chacl
+- audit_rules_execution_chcon
+- audit_rules_execution_semanage
+- audit_rules_execution_setfacl
+- audit_rules_execution_setfiles
+- audit_rules_execution_setsebool
+- audit_rules_file_deletion_events_rename
+- audit_rules_file_deletion_events_renameat
+- audit_rules_file_deletion_events_rmdir
+- audit_rules_file_deletion_events_unlink
+- audit_rules_file_deletion_events_unlinkat
+- audit_rules_immutable
+- audit_rules_kernel_module_loading_delete
+- audit_rules_kernel_module_loading_finit
+- audit_rules_kernel_module_loading_init
+- audit_rules_login_events_lastlog
+- audit_rules_media_export
+- audit_rules_privileged_commands_chage
+- audit_rules_privileged_commands_chsh
+- audit_rules_privileged_commands_crontab
+- audit_rules_privileged_commands_gpasswd
+- audit_rules_privileged_commands_kmod
+- audit_rules_privileged_commands_mount
+- audit_rules_privileged_commands_newgrp
+- audit_rules_privileged_commands_pam_timestamp_check
+- audit_rules_privileged_commands_passwd
+- audit_rules_privileged_commands_postdrop
+- audit_rules_privileged_commands_postqueue
+- audit_rules_privileged_commands_ssh_agent
+- audit_rules_privileged_commands_ssh_keysign
+- audit_rules_privileged_commands_su
+- audit_rules_privileged_commands_sudo
+- audit_rules_privileged_commands_umount
+- audit_rules_privileged_commands_unix_chkpwd
+- audit_rules_privileged_commands_unix_update
+- audit_rules_privileged_commands_userhelper
+- audit_rules_privileged_commands_usermod
+- audit_rules_sudoers
+- audit_rules_sudoers_d
- audit_rules_suid_privilege_function
+- audit_rules_unsuccessful_file_modification_creat
+- audit_rules_unsuccessful_file_modification_ftruncate
+- audit_rules_unsuccessful_file_modification_open
+- audit_rules_unsuccessful_file_modification_open_by_handle_at
+- audit_rules_unsuccessful_file_modification_openat
+- audit_rules_unsuccessful_file_modification_truncate
+- audit_rules_usergroup_modification_group
+- audit_rules_usergroup_modification_gshadow
+- audit_rules_usergroup_modification_opasswd
+- audit_rules_usergroup_modification_passwd
+- audit_rules_usergroup_modification_shadow
- auditd_audispd_configure_sufficiently_large_partition
- auditd_data_disk_error_action
- auditd_data_disk_full_action
From 67d07b479750430ce78aa6f5b9326901ec4bc532 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 4 Aug 2021 14:32:46 +0200
Subject: [PATCH 16/21] Fix RHEL8 STIG id of
audit_rules_privileged_commands_passwd.
---
.../audit_rules_privileged_commands_passwd/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
index 06b5cfc4ae..60660a1314 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
@@ -54,7 +54,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@ol7: OL07-00-030630
stigid@rhel7: RHEL-07-030630
- stigid@rhel8: RHEL-08-030280
+ stigid@rhel8: RHEL-08-030290
stigid@sle12: SLES-12-020550
stigid@sle15: SLES-15-030070
stigid@ubuntu2004: UBTU-20-010172
From 9e11cb68aa68ec7d8dde7a9f5d9298bd3c74f9cb Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 4 Aug 2021 15:49:08 +0200
Subject: [PATCH 17/21] Update audit rules description with regards to -F
perm=x parameter.
---
.../audit_rules_execution_chacl/rule.yml | 6 ++---
.../audit_rules_execution_setfacl/rule.yml | 6 ++---
.../audit_rules_execution_chcon/rule.yml | 22 ++++++-------------
.../audit_rules_execution_semanage/rule.yml | 10 ++++++---
.../audit_rules_execution_setfiles/rule.yml | 10 ++++++---
.../audit_rules_execution_setsebool/rule.yml | 10 ++++++---
.../rule.yml | 8 +++++--
.../rule.yml | 8 +++++--
.../rule.yml | 8 +++++--
.../rule.yml | 8 +++++--
.../rule.yml | 15 ++++++++++---
.../rule.yml | 8 +++++--
.../rule.yml | 8 +++++--
.../rule.yml | 17 +++++++++-----
.../rule.yml | 8 +++++--
.../rule.yml | 8 +++++--
.../rule.yml | 8 +++++--
.../rule.yml | 18 ++++++++++-----
.../rule.yml | 8 +++++--
.../rule.yml | 8 +++++--
.../rule.yml | 8 +++++--
.../rule.yml | 8 +++++--
.../rule.yml | 8 +++++--
.../rule.yml | 13 +----------
.../ansible.template | 2 +-
.../bash.template | 2 +-
.../oval.template | 2 +-
27 files changed, 157 insertions(+), 88 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
index 0c71e4ac24..735817e4f0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
@@ -42,10 +42,10 @@ references:
ocil: |-
To verify that execution of the command is being audited, run the following command:
- Configure the SUSE operating system to generate an audit record for all uses of the "chacl" command.
+ Configure the operating system to generate an audit record for all uses of the "chacl" command.
Add or update the following rules in the "/etc/audit/audit.rules" file:
- -a always,exit -F arch=b32 path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
- -a always,exit -F arch=b64 path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
+ -a always,exit -F arch=b32 path=/usr/bin/chacl -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged
+ -a always,exit -F arch=b64 path=/usr/bin/chacl -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged
The audit daemon must be restarted for the changes to take effect.
# sudo systemctl restart auditd.service
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
index 89c134a0fa..341790d7dd 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
@@ -42,10 +42,10 @@ references:
ocil: |-
To verify that execution of the command is being audited, run the following command:
- Configure the SUSE operating system to generate an audit record for all uses of the "setfacl" command.
+ Configure the operating system to generate an audit record for all uses of the "setfacl" command.
Add or update the following rules in the "/etc/audit/audit.rules" file:
- -a always,exit -F arch=b32 path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
- -a always,exit -F arch=b64 path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
+ -a always,exit -F arch=b32 path=/usr/bin/setfacl -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged
+ -a always,exit -F arch=b64 path=/usr/bin/setfacl -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged
The audit daemon must be restarted for the changes to take effect.
# sudo systemctl restart auditd.service
<pre>$ sudo grep "path=/usr/bin/setfacl" /etc/audit/audit.rules /etc/audit/rules.d/*</pre>
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
index 0c6781c7d5..4a5f43376a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,19 +14,11 @@ description: |-
daemon is configured to use the <tt>augenrules</tt> program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- {{% if product in ["sle12", "sle15"] %}}
- <pre>-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
- {{% else %}}
- <pre>-a always,exit -F path=/usr/bin/chcon -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
- {{% endif %}}
+ <pre>-a always,exit -F path=/usr/bin/chcon {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following lines to
<tt>/etc/audit/audit.rules</tt> file:
- {{% if product in ["sle12", "sle15"] %}}
- <pre>-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
- {{% else %}}
- <pre>-a always,exit -F path=/usr/bin/chcon -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
- {{% endif %}}
+ <pre>-a always,exit -F path=/usr/bin/chcon {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
@@ -73,11 +69,7 @@ ocil: |-
To verify that execution of the command is being audited, run the following command:
<pre>$ sudo grep "path=/usr/bin/chcon" /etc/audit/audit.rules /etc/audit/rules.d/*</pre>
The output should return something similar to:
- {{% if product in ["sle12", "sle15"] %}}
- <pre>-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
- {{% else %}}
- <pre>-a always,exit -F path=/usr/bin/chcon -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
- {{% endif %}}
+ <pre>-a always,exit -F path=/usr/bin/chcon {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
template:
name: audit_rules_privileged_commands
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
index b609c3dfc2..a945ce16f8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
daemon is configured to use the <tt>augenrules</tt> program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-a always,exit -F path=/usr/sbin/semanage -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/sbin/semanage {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following lines to
<tt>/etc/audit/audit.rules</tt> file:
- <pre>-a always,exit -F path=/usr/sbin/semanage -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/sbin/semanage {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
@@ -59,7 +63,7 @@ ocil: |-
To verify that execution of the command is being audited, run the following command:
<pre>$ sudo grep "path=/usr/sbin/semanage" /etc/audit/audit.rules /etc/audit/rules.d/*</pre>
The output should return something similar to:
- <pre>-a always,exit -F path=/usr/sbin/semanage -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/sbin/semanage {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
template:
name: audit_rules_privileged_commands
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
index 9de7407f4c..6db7d1daca 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4
@@ -10,11 +14,11 @@ description: |-
daemon is configured to use the <tt>augenrules</tt> program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-a always,exit -F path=/usr/sbin/setfiles -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/sbin/setfiles {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following lines to
<tt>/etc/audit/audit.rules</tt> file:
- <pre>-a always,exit -F path=/usr/sbin/setfiles -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/sbin/setfiles {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
@@ -49,7 +53,7 @@ ocil: |-
To verify that execution of the command is being audited, run the following command:
<pre>$ sudo grep "path=/usr/sbin/setfiles" /etc/audit/audit.rules /etc/audit/rules.d/*</pre>
The output should return something similar to:
- <pre>-a always,exit -F path=/usr/sbin/setfiles -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/sbin/setfiles {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
template:
name: audit_rules_privileged_commands
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
index 23504bab4a..c357c48fe6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
daemon is configured to use the <tt>augenrules</tt> program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-a always,exit -F path=/usr/sbin/setsebool -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/sbin/setsebool {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following lines to
<tt>/etc/audit/audit.rules</tt> file:
- <pre>-a always,exit -F path=/usr/sbin/setsebool -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/sbin/setsebool {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
@@ -58,7 +62,7 @@ ocil: |-
To verify that execution of the command is being audited, run the following command:
<pre>$ sudo grep "path=/usr/sbin/setsebool" /etc/audit/audit.rules /etc/audit/rules.d/*</pre>
The output should return something similar to:
- <pre>-a always,exit -F path=/usr/sbin/setsebool -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/sbin/setsebool {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
template:
name: audit_rules_privileged_commands
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
index 474910c4c8..b5a9e29d2e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-a always,exit -F path=/usr/bin/chage -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/chage {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
- <pre>-a always,exit -F path=/usr/bin/chage -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/chage {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
index 3ca968a543..8cc2b236a9 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-a always,exit -F path=/usr/bin/chsh -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/chsh {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
- <pre>-a always,exit -F path=/usr/bin/chsh -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/chsh {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
index 7c5058c7f8..86633fb606 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-a always,exit -F path=/usr/bin/crontab -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/crontab {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
- <pre>-a always,exit -F path=/usr/bin/crontab -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/crontab {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
index 0c7bf84268..ac5bfb2cc5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-a always,exit -F path=/usr/bin/gpasswd -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/gpasswd {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
- <pre>-a always,exit -F path=/usr/bin/gpasswd -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/gpasswd {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
index 851dd5aa3d..b469e42bbb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
@@ -1,3 +1,11 @@
+{{%- if product in ["rhel8"] %}}
+ {{%- set kmod_audit="-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" %}}
+{{%- elif product in ["ubuntu2004"] %}}
+ {{%- set kmod_audit="-w /bin/kmod -p x -k modules" %}}
+{{%- else %}}
+ {{%- set kmod_audit="-w /usr/bin/kmod -p x -k modules" %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: rhel8,sle12,sle15,ubuntu2004
@@ -10,11 +18,11 @@ description: |-
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-w /usr/bin/kmod -p x -k modules</pre>
+ <pre>{{{ kmod_audit }}}</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
- <pre>-w /usr/bin/kmod -p x -k modules</pre>
+ <pre>{{{ kmod_audit }}}</pre>
rationale: |-
Without generating audit records that are specific to the security and
@@ -48,7 +56,7 @@ ocil: |-
following command:
<pre># sudo grep kmod /etc/audit/audit.rules
- -w /usr/bin/kmod -p x -k modules</pre>
+ {{{ kmod_audit }}}</pre>
If the system is configured to audit the execution of the module management
program "kmod", the command will return a line. If the command does not
@@ -60,3 +68,4 @@ template:
name: audit_rules_privileged_commands
vars:
path: /usr/bin/kmod
+ path@ubuntu2004: /bin/kmod
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
index cc423c4146..56bd72b670 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
@@ -10,11 +14,11 @@ description: |-
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-a always,exit -F path=/usr/bin/mount -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/mount {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
- <pre>-a always,exit -F path=/usr/bin/mount -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/mount {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
index edbb41f3d8..4c14ea509c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
@@ -10,11 +14,11 @@ description: |-
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-a always,exit -F path=/usr/bin/newgrp -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/newgrp {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
- <pre>-a always,exit -F path=/usr/bin/newgrp -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/newgrp {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
index f5a3a4be02..c34eeb54c4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
@@ -1,8 +1,7 @@
-documentation_complete: true
-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
-
-title: 'Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check'
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
{{% if product in ["sle12", "sle15"] %}}
{{% set pam_bin_path = "/sbin/pam_timestamp_check" %}}
@@ -10,6 +9,12 @@ title: 'Ensure auditd Collects Information on the Use of Privileged Commands - p
{{% set pam_bin_path = "/usr/sbin/pam_timestamp_check" %}}
{{% endif %}}
+documentation_complete: true
+
+prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
+
+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check'
+
description: |-
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the <tt>auditd</tt> daemon is
@@ -17,12 +22,12 @@ description: |-
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
<pre>-a always,exit -F path={{{ pam_bin_path }}}
- -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
<pre>-a always,exit -F path={{{ pam_bin_path }}}
- -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
index 60660a1314..2af86f5042 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-a always,exit -F path=/usr/bin/passwd -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/passwd {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
- <pre>-a always,exit -F path=/usr/bin/passwd -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/passwd {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
index 8f90c9c211..9509216e8f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-a always,exit -F path=/usr/sbin/postdrop -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/sbin/postdrop {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
- <pre>-a always,exit -F path=/usr/sbin/postdrop -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/sbin/postdrop {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
index e913e83a0b..c5d1a82cc7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-a always,exit -F path=/usr/sbin/postqueue -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/sbin/postqueue {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
- <pre>-a always,exit -F path=/usr/sbin/postqueue -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/sbin/postqueue {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
index 5c39013572..604cbcda85 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
@@ -1,3 +1,13 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
+{{%- if product in ["sle12", "sle15"] %}}
+ {{%- set ssh_keysign_path="/usr/lib/ssh/ssh-keysign" %}}
+{{%- else %}}
+ {{%- set ssh_keysign_path="/usr/libexec/openssh/ssh-keysign" %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,15 +20,11 @@ description: |-
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-a always,exit -F path={{% if product in ["sle12", "sle15"] %}}/usr/lib/ssh/ssh-keysign
- {{% else %}}/usr/libexec/openssh/ssh-keysign{{% endif %}} -F auid&gt;={{{ auid }}}
- -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path={{{ ssh_keysign_path }}} {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
- <pre>-a always,exit -F path={{% if product in ["sle12", "sle15"] %}}/usr/lib/ssh/ssh-keysign
- {{% else %}}/usr/libexec/openssh/ssh-keysign{{% endif %}}
- -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path={{{ ssh_keysign_path }}} {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
index 99e09ab4e3..87a81ee0c4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-a always,exit -F path=/usr/bin/su -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/su {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
- <pre>-a always,exit -F path=/usr/bin/su -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/su {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
index aac859c4b1..e989091836 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-a always,exit -F path=/usr/bin/sudo -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/sudo {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
- <pre>-a always,exit -F path=/usr/bin/sudo -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/sudo {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
index 061b5c28a7..5d47508bb9 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-a always,exit -F path=/usr/bin/umount -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/umount {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
- <pre>-a always,exit -F path=/usr/bin/umount -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/bin/umount {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
index 41a6123f5b..5be7f486c6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/sbin/unix_chkpwd {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
- <pre>-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/sbin/unix_chkpwd {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
index de8bab633a..6dccc80692 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
documentation_complete: true
prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4
@@ -10,11 +14,11 @@ description: |-
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- <pre>-a always,exit -F path=/usr/sbin/userhelper -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/sbin/userhelper {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
- <pre>-a always,exit -F path=/usr/sbin/userhelper -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+ <pre>-a always,exit -F path=/usr/sbin/userhelper {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
index 288d3c3bf2..7089016151 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
@@ -10,19 +10,11 @@ description: |-
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- {{% if 'ubuntu' in product %}}
<pre>-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
- {{% else %}}
- <pre>-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
- {{% endif %}}
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
- {{% if 'ubuntu' in product %}}
<pre>-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
- {{% else %}}
- <pre>-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
- {{% endif %}}
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
@@ -63,7 +55,4 @@ ocil: |-
template:
name: audit_rules_privileged_commands
vars:
- path: /usr/bin/usermod
- path@ubuntu1604: /usr/sbin/usermod
- path@ubuntu1804: /usr/sbin/usermod
- path@ubuntu2004: /usr/sbin/usermod
+ path: /usr/sbin/usermod
diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template
index a245de6673..06154e10ce 100644
--- a/shared/templates/audit_rules_privileged_commands/ansible.template
+++ b/shared/templates/audit_rules_privileged_commands/ansible.template
@@ -1,4 +1,4 @@
-{{%- if product in ["rhel8", "sle12", "sle15"] %}}
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
{{%- set perm_x="-F perm=x " %}}
{{%- endif %}}
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
index 2b3795674f..d03a92061c 100644
--- a/shared/templates/audit_rules_privileged_commands/bash.template
+++ b/shared/templates/audit_rules_privileged_commands/bash.template
@@ -1,4 +1,4 @@
-{{%- if product in ["rhel8", "sle12", "sle15"] %}}
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
{{%- set perm_x="-F perm=x " %}}
{{%- endif %}}
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
diff --git a/shared/templates/audit_rules_privileged_commands/oval.template b/shared/templates/audit_rules_privileged_commands/oval.template
index 8e3919ca66..c3d396e2ff 100644
--- a/shared/templates/audit_rules_privileged_commands/oval.template
+++ b/shared/templates/audit_rules_privileged_commands/oval.template
@@ -1,4 +1,4 @@
-{{%- if product in ["rhel8", "sle12", "sle15"] %}}
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
{{%- set perm_x="(?:[\s]+-F[\s]+perm=x)" %}}
{{%- endif %}}
<def-group>
From fd801e1fd36a0e6724c043de2dbc75567738edfa Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 4 Aug 2021 15:57:08 +0200
Subject: [PATCH 18/21] Update SRG mapping of chronyd_or_ntpd_set_maxpoll.
---
.../guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
index 4827cf1359..854e8e8048 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
@@ -90,7 +90,7 @@ references:
nist: CM-6(a),AU-8(1)(b)
nist-csf: PR.PT-1
nist@sle12: AU-8(1)(a),AU-8(1)(b)
- srg: 'SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144'
+ srg: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144,SRG-OS-000359-GPOS-00146
stigid@ol7: OL07-00-040500
stigid@rhel7: RHEL-07-040500
stigid@rhel8: RHEL-08-030740
From 4a79ec12860e768e650bb7fd0962334d1c70223a Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 4 Aug 2021 15:58:47 +0200
Subject: [PATCH 19/21] Remove SUSE keyword verbiage from rules.
---
.../accounts/accounts-restrictions/account_unique_id/rule.yml | 4 ++--
.../audit_rules_login_events_faillog/rule.yml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
index e55901dbdc..5cfdf48dba 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
@@ -32,8 +32,8 @@ ocil_clause: 'a line is returned'
ocil: |-
Run the following command to check for duplicate account names:
- Check that the SUSE operating system contains no duplicate UIDs for interactive users by running the following command:
+ Check that the operating system contains no duplicate UIDs for interactive users by running the following command:
<pre># awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd</pre>
If output is produced, this is a finding.
- Configure the SUSE operating system to contain no duplicate UIDs for interactive users.
+ Configure the operating system to contain no duplicate UIDs for interactive users.
Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml
index 7a6d748ffe..97d6874e98 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml
@@ -39,7 +39,7 @@ ocil_clause: 'there is no output'
ocil: |-
To verify that auditing is configured for system administrator actions, run the following command:
- Configure the SUSE operating system to generate an audit record for any all modifications to the "faillog" file occur.
+ Configure the operating system to generate an audit record for any all modifications to the "faillog" file occur.
Add or update the following rules in the "/etc/audit/audit.rules" file:
-w /var/log/faillog -p wa -k logins
The audit daemon must be restarted for the changes to take effect.
From 9122c246c124e26e1e059455ff66b9efa6601eeb Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 5 Aug 2021 14:39:13 +0200
Subject: [PATCH 20/21] Enable check_root_user for RHEL9 in audit rules dac.
---
.../audit_rules_dac_modification_fremovexattr/rule.yml | 9 +++++----
.../audit_rules_dac_modification_fsetxattr/rule.yml | 9 +++++----
.../audit_rules_dac_modification_lremovexattr/rule.yml | 1 +
.../audit_rules_dac_modification_lsetxattr/rule.yml | 9 +++++----
.../audit_rules_dac_modification_removexattr/rule.yml | 9 +++++----
.../audit_rules_dac_modification_setxattr/rule.yml | 9 +++++----
6 files changed, 26 insertions(+), 20 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
index d46968da8f..5bd1b25eaf 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
@@ -11,13 +11,13 @@ description: |-
startup (the default), add the following line to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
<pre>-a always,exit -F arch=b32 -S fremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
<br /><br />
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S fremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
<br /><br />
@@ -25,13 +25,13 @@ description: |-
utility to read audit rules during daemon startup, add the following line to
<tt>/etc/audit/audit.rules</tt> file:
<pre>-a always,exit -F arch=b32 -S fremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
<br /><br />
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S fremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
@@ -92,3 +92,4 @@ template:
vars:
attr: fremovexattr
check_root_user@rhel8: "true"
+ check_root_user@rhel9: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
index 564daccaed..410dd8a5ef 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
@@ -9,24 +9,24 @@ description: |-
startup (the default), add the following line to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
<pre>-a always,exit -F arch=b32 -S fsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S fsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following line to
<tt>/etc/audit/audit.rules</tt> file:
<pre>-a always,exit -F arch=b32 -S fsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S fsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
@@ -87,3 +87,4 @@ template:
vars:
attr: fsetxattr
check_root_user@rhel8: "true"
+ check_root_user@rhel9: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
index 2ae0f11c58..947c768efd 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
@@ -92,3 +92,4 @@ template:
vars:
attr: lremovexattr
check_root_user@rhel8: "true"
+ check_root_user@rhel9: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
index 945ad560d7..ed1fd3715d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
@@ -9,24 +9,24 @@ description: |-
startup (the default), add the following line to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following line to
<tt>/etc/audit/audit.rules</tt> file:
<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
@@ -85,3 +85,4 @@ template:
vars:
attr: lsetxattr
check_root_user@rhel8: "true"
+ check_root_user@rhel9: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
index e6d7374b7f..61e69432d1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
@@ -10,13 +10,13 @@ description: |-
program to read audit rules during daemon startup (the default), add the
following line to a file with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
<pre>-a always,exit -F arch=b32 -S removexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
<br /><br />
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S removexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
<br /><br />
@@ -24,13 +24,13 @@ description: |-
utility to read audit rules during daemon startup, add the following line to
<tt>/etc/audit/audit.rules</tt> file:
<pre>-a always,exit -F arch=b32 -S removexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
<br /><br />
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S removexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
@@ -91,3 +91,4 @@ template:
vars:
attr: removexattr
check_root_user@rhel8: "true"
+ check_root_user@rhel9: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
index ab15167508..12489a74a0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
@@ -9,24 +9,24 @@ description: |-
startup (the default), add the following line to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
<pre>-a always,exit -F arch=b32 -S setxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S setxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following line to
<tt>/etc/audit/audit.rules</tt> file:
<pre>-a always,exit -F arch=b32 -S setxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S setxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
<pre>-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod</pre>
{{%- endif %}}
@@ -87,3 +87,4 @@ template:
vars:
attr: setxattr
check_root_user@rhel8: "true"
+ check_root_user@rhel9: "true"
From 88e9061888f7fb5824e7e2c52e83edad6b432615 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 5 Aug 2021 15:53:17 +0200
Subject: [PATCH 21/21] Fix check and remediations of auditd_overflow_action.
The check was generating a new input to the auditd.conf file and without
spaces between the separator (equal sign). This caused auditd failing to
start since it's mandatory to have a space between the separator. It
also introduces case insensitivity for the check since the paramaters
and values are case insensitive.
---
.../auditd_overflow_action/ansible/shared.yml | 6 +++---
.../auditd_overflow_action/bash/shared.sh | 5 +++--
.../auditd_overflow_action/oval/shared.xml | 6 +++---
3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
index 4f88ed361d..166054a95a 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
@@ -3,6 +3,6 @@
{{{ ansible_set_config_file(file="/etc/audit/auditd.conf",
parameter="overflow_action",
value="syslog",
- separator="=",
- separator_regex="=",
- prefix_regex="^\s*") }}}
+ separator=" = ",
+ separator_regex="\s*=\s*",
+ prefix_regex="(?i)^\s*") }}}
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
index 539b9b6582..b397c811d1 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
@@ -7,6 +7,7 @@
{{{set_config_file(path="/etc/audit/auditd.conf",
parameter="overflow_action",
value="syslog",
- separator="=",
- separator_regex="=",
+ insensitive=true,
+ separator=" = ",
+ separator_regex="\s*=\s*",
prefix_regex="^\s*")}}}
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml
index fd45280e4e..880d01bf72 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml
@@ -1,6 +1,6 @@
{{{ oval_check_config_file(
path="/etc/audit/auditd.conf",
- prefix_regex="^(?:.*\\n)*\s*",
+ prefix_regex="^[ \\t]*(?i)",
parameter="overflow_action",
- value="syslog|single|halt",
- separator_regex="\s*=\s*") }}}
+ value="(?i)(syslog|single|halt)(?-i)",
+ separator_regex="(?-i)[ \\t]*=[ \\t]*") }}}