From c37378a570b7bcb799c871ad1389ba87e2cc787d Mon Sep 17 00:00:00 2001
From: rchikov
Date: Tue, 3 Sep 2024 15:11:39 +0200
Subject: [PATCH] Added remediation and tests for the rule permissions_local_var_log_audit

---
 .../ansible/shared.yml | 37 +++++++++++++++++++
 .../bash/shared.sh | 23 ++++++++++++
 .../tests/audit_correct_permissions.pass.sh | 25 +++++++++++++
 .../tests/audit_incorrect_permissions.fail.sh | 12 ++++++
 4 files changed, 97 insertions(+)
 create mode 100644 linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/ansible/shared.yml
 create mode 100644 linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/bash/shared.sh
 create mode 100644 linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/tests/audit_correct_permissions.pass.sh
 create mode 100644 linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/tests/audit_incorrect_permissions.fail.sh

diff --git a/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/ansible/shared.yml b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/ansible/shared.yml
new file mode 100644
index 00000000000..c9b0cc5c5d2
--- /dev/null
+++ b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/ansible/shared.yml
@@ -0,0 +1,37 @@
+# platform = multi_platform_sle,multi_platform_slmicro
+# reboot = false
+# complexity = low
+# strategy = configure
+# disruption = low
+
+{{{ ansible_lineinfile(msg='Configure permission for /var/log/audit', path='/etc/permissions.local', regex='^\/var\/log\/audit\s+root.*', insensitive=false, new_line='/var/log/audit root:root 600', create='yes', state='present', register='update_permissions_var_log_audit') }}}
+
+- name: "Correct file permissions after update /var/log/audit"
+ shell: >
+ set -o pipefail
+ chkstat --set --system
+ when: update_update_permissions_var_log_audit.changed
+
+{{{ ansible_lineinfile(msg='Configure permission for /var/log/audit.log', path='/etc/permissions.local', regex='^\/var\/log\/audit\/audit.log\s+root.*', insensitive=false, new_line='/var/log/audit/audit.log root:root 600', create='yes', state='present', register='update_permissions_var_log_audit_audit_log') }}}
+
+- name: "Correct file permissions after update /var/log/audit/audit.log"
+ shell: >
+ set -o pipefail
+ chkstat --set --system
+ when: update_permissions_var_log_audit_audit_log.changed
+
+{{{ ansible_lineinfile(msg='Configure permission for /etc/audit/audit.rules', path='/etc/permissions.local', regex='^\/etc\/audit\/audit.rules\s+root.*', insensitive=false, new_line='/etc/audit/audit.rules root:root 640', create='yes', state='present', register='update_permissions_etc_audit_audit_rules') }}}
+
+- name: "Correct file permissions after update /etc/audit/audit.rules"
+ shell: >
+ set -o pipefail
+ chkstat --set --system
+ when: update_permissions_etc_audit_audit_rules.changed
+
+{{{ ansible_lineinfile(msg='Configure permission for /etc/audit/rules.d/audit.rules', path='/etc/permissions.local', regex='^\/etc\/audit\/rules.d\/audit.rules\s+root.*', insensitive=false, new_line='/etc/audit/rules.d/audit.rules root:root 640', create='yes', state='present', register='update_permissions_etc_audit_rules_d_audit_rules') }}}
+
+- name: "Correct file permissions after update /etc/audit/rules.d/audit.rules"
+ shell: >
+ set -o pipefail
+ chkstat --set --system
+ when: update_permissions_etc_audit_rules_d_audit_rules.changed
diff --git a/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/bash/shared.sh b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/bash/shared.sh
new file mode 100644
index 00000000000..530c6d2c79a
--- /dev/null
+++ b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/bash/shared.sh
@@ -0,0 +1,23 @@
+# platform = multi_platform_sle,multi_platform_slmicro
+
+current_permissions_rules=$(grep -i audit /etc/permissions.local)
+if [ ${#current_permissions_rules} -ne 0 ]
+then
+ echo "We will delete existing permissions"
+ sed -ri '/^\/var\/log\/audit\s+root:.*/d' /etc/permissions.local
+ sed -ri '/^\/var\/log\/audit\/audit.log\s+root.*/d' /etc/permissions.local
+ sed -ri '/^\/etc\/audit\/audit.rules\s+root.*/d' /etc/permissions.local
+ sed -ri '/^\/etc\/audit\/rules.d\/audit.rules\s+root.*/d' /etc/permissions.local
+fi
+echo "There are no permission rules for audit information files and folders. We will add them"
+echo "/var/log/audit root:root 600" >> /etc/permissions.local
+echo "/var/log/audit/audit.log root:root 600" >> /etc/permissions.local
+echo "/etc/audit/audit.rules root:root 640" >> /etc/permissions.local
+echo "/etc/audit/rules.d/audit.rules root:root 640" >> /etc/permissions.local
+
+check_stats=$(chkstat /etc/permissions.local)
+if [ ${#check_stats} -gt 0 ]
+then
+ echo "Audit information files and folders don't have correct permissions.We will set them"
+ chkstat --set /etc/permissions.local
+fi
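Review bot: The first `when:` in this hunk tests `update_update_permissions_var_log_audit.changed`, but the lineinfile just above it registers `update_permissions_var_log_audit`, so the variable is undefined and that chkstat task errors out instead of running after the /var/log/audit entry is written. The line should read `when: update_permissions_var_log_audit.changed`, matching the three later tasks. Separately, `set -o pipefail` in a shell block that contains no pipeline has no effect, and since all four tasks run the same `chkstat --set --system`, one task guarded by an `or` of the four `.changed` results would avoid applying the whole system profile up to four times; the second lineinfile's `msg` also says `/var/log/audit.log` where the entry it writes is `/var/log/audit/audit.log`.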
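Review bot: The four `sed -ri '/…\s+root…/d'` deletions only remove entries whose owner field begins with `root`, so a pre-existing line such as `/var/log/audit/audit.log audit:audit 640` survives and the appended `root:root 600` line leaves /etc/permissions.local with two entries for the same path; which one chkstat honours is not established by this patch, so the remediation may not converge. Keying the deletion on the path alone, e.g. `sed -ri '/^\/var\/log\/audit\s/d' /etc/permissions.local` (and likewise for the other three, with `.` escaped in `audit.log` and `rules.d`), makes the rewrite idempotent regardless of what was there. With that change the `grep -i audit` pre-check becomes unnecessary, and the unconditional echo "There are no permission rules…" is misleading because it is printed even after existing rules were just deleted.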
diff --git a/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/tests/audit_correct_permissions.pass.sh b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/tests/audit_correct_permissions.pass.sh
new file mode 100644
index 00000000000..1c7050a436c
--- /dev/null
+++ b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/tests/audit_correct_permissions.pass.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# platform = multi_platform_sle,multi_platform_slmicro
+
+current_permissions_rules=$(grep -i audit /etc/permissions.local)
+if [ ${#current_permissions_rules} -ne 0 ]
+then
+ echo "We will delete existing permissions"
+ sed -ri '/^\/var\/log\/audit\s+root:.*/d' /etc/permissions.local
+ sed -ri '/^\/var\/log\/audit\/audit.log\s+root.*/d' /etc/permissions.local
+ sed -ri '/^\/etc\/audit\/audit.rules\s+root.*/d' /etc/permissions.local
+ sed -ri '/^\/etc\/audit\/rules.d\/audit.rules\s+root.*/d' /etc/permissions.local
+fi
+echo "There are no permission rules for audit information files and folders. We will add them"
+echo "/var/log/audit root:root 600" >> /etc/permissions.local
+echo "/var/log/audit/audit.log root:root 600" >> /etc/permissions.local
+echo "/etc/audit/audit.rules root:root 640" >> /etc/permissions.local
+echo "/etc/audit/rules.d/audit.rules root:root 640" >> /etc/permissions.local
+
+check_stats=$(chkstat /etc/permissions.local)
+if [ ${#check_stats} -gt 0 ]
+then
+ echo "Audit information files and folders don't have correct permissions.We will set them"
+ chkstat --set /etc/permissions.local
+fi
diff --git a/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/tests/audit_incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/tests/audit_incorrect_permissions.fail.sh
new file mode 100644
index 00000000000..0a918d42dba
--- /dev/null
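Review bot: This pass scenario is a verbatim copy of the bash remediation rather than an independent construction of the compliant state, so it inherits whatever the remediation gets wrong (for example the owner-specific `sed` delete patterns, which leave a pre-existing `audit:audit` entry in place) and cannot detect a mismatch between the check and the remediation. It also never creates the four paths it writes entries for, so on a test image where e.g. `/etc/audit/rules.d/audit.rules` does not exist, the result depends on how chkstat and the OVAL check (not part of this patch) treat missing files. A fixture that does `mkdir -p /var/log/audit /etc/audit/rules.d`, touches the three files, writes the four permissions.local lines, and applies `chown root:root` and the expected `chmod` directly would pin the compliant state without depending on the remediation.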
+++ b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/tests/audit_incorrect_permissions.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# platform = multi_platform_sle,multi_platform_slmicro
+
+for AUDIT_FILE in /var/log/audit /var/log/audit/audit.log /etc/audit/audit.rules /etc/audit/rules.d/audit.rules
+do
+ if [ -f $AUDIT_FILE ]
+ then
+ chown nobody:nobody $AUDIT_FILE
+ chmod 0644 $AUDIT_FILE
+ fi
+done
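Review bot: `if [ -f $AUDIT_FILE ]` is false for `/var/log/audit`, which is a directory, so the first path in the loop is never made non-compliant and the scenario only exercises the three regular files; use `if [ -e "$AUDIT_FILE" ]` (quoting the expansion as well). The loop is also a no-op when none of the paths exist on the test image, in which case the scenario may not actually produce a failing check; creating them first with `mkdir -p /var/log/audit /etc/audit/rules.d` and `touch` on the three files would make the fail state deterministic. A one-line comment noting that `chmod 0644` on the directory deliberately drops the execute bit would also help the next reader.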