From 6e03cfa0209fc4e02772bb7bfb1d3ffabee315be Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 22 Nov 2023 12:22:36 +0100
Subject: [PATCH] Checked out audit_rules_kernel_module_loading_init

Too many disruptive changes to cherry pick.

Only in master:
- 91023c97d5|2023-11-02|2023-11-08 Review and update pcidss_4 requirement 10.2.1.7 [Marcus Burghardt]
- 3a89685d1d|2023-10-31|2023-10-31 Merge pull request #11193 from Mab879/add_rhel9_stig [GitHub]
- 2df3231d6d|2023-10-18|2023-10-27 Copy Debian11 product to Debian12 [Paul Rensing]
- 2804dfb382|2023-10-17|2023-10-18 Add rule for RHEL-09-654080 [Matthew Burket]
- 92e78825d2|2023-08-02|2023-09-12 Fix UBTU-20-010179 to use proper parameters and key [Dexter Le]
- c493b4d8f7|2023-05-22|2023-07-19 SRG-APP-000504-CTR-001280: Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules [Jakub Hrozek]
- bdcd7c9885|2023-05-22|2023-07-19 SRG-APP-000495-CTR-001235: audit records when successful/unsuccessful attempts to modify privileges occur [Jakub Hrozek]
- 29f415f5d7|2023-05-05|2023-07-06 products/anolis23: supports Anolis OS 23 [YuQing]
- ec2bfe80d3|2023-05-28|2023-05-28 fix: uid_min: use it in audit auid checks, out jinja macro [Markus Linnala]
- 8fe3315eac|2023-04-21|2023-05-15 Update jinja conditionals that apply to any ol [Edgar Aguilar]
- 4f18ae7d3a|2023-04-17|2023-04-18 Ensure that all files in the repo end with a newline [Matthew Burket]
- acc24a1a5e|2023-04-11|2023-04-11 Merge pull request #10334 from vojtapolasek/anssi_20_upstream [GitHub]
- 0c5d7b9880|2023-03-30|2023-03-30 Drop Req prefix from pcidss4 reference ids [teacup-on-rockingchair]
- d6338b6333|2023-03-19|2023-03-26 Extract rules from SLE15 profile to PCI-DSS v4 control file [teacup-on-rockingchair]
- 209fc25b9b|2023-03-08|2023-03-23 add anssi references to rules [Vojtech Polasek]
- 5ae4bfd0f7|2023-03-14|2023-03-14 Remove vmmsrg references from rules [Matthew Burket]
- e3886d4fde|2023-01-19|2023-01-19 Include CIS RHEL9 reference in Logging related rules [Marcus Burghardt]
- 9f273f27ea|2022-12-08|2022-12-14 ubuntu2204: cis_level2_server: Add cis references [Eduardo Barretto]
- 3d711c8b36|2022-11-30|2022-11-30 Merge pull request #9897 from litios/master [GitHub]
- 795f076c3b|2022-11-28|2022-11-28 Update rule tests to rely on platform_package_overrides + add needed alternatives to products [David Fernandez Gonzalez]
- 15abac6291|2022-11-25|2022-11-25 Recognize all 64bit architectures in audit rules [Milan Lysonek]
- 5f2250d539|2022-11-04|2022-11-07 products/anolis8: supports Anolis OS 8 [YiLin.Li]
- 2e2af472a5|2022-09-30|2022-10-04 Import STIG content for RHEL9 [Matthew Burket]
- e02980a2d9|2022-09-19|2022-09-19 Remove Debian 9 from products [Matthew Burket]
- fd54c29fbf|2022-08-31|2022-09-01 Add ol7 platform to existing required tests [Edgar Aguilar]
- 95f767a355|2022-08-19|2022-08-22 Tag Ubuntu CIS reference for 22.04 [Juan Antonio Osorio]
- 7f5b811d66|2022-08-19|2022-08-22 Tag rules applicable to ubuntu2004 as applicable to ubuntu2204 too [Juan Antonio Osorio]
- 16e89ad537|2022-08-10|2022-08-11 Add the AUID filters on audit kernel module rules [Federico Ramirez]
- a29edee989|2022-08-03|2022-08-03 Add the AUID filters on audit kernel module rules [Watson Sato]
- b020fd27bc|2022-07-28|2022-07-30 ssg/constants.py: fix the alinux3 full name error [YiLin.Li]
- 95cfa858ff|2022-07-15|2022-07-15 Update RHEL8 CIS refereces for logging and auditing rules [Marcus Burghardt]
- 41ea38be8f|2022-07-08|2022-07-08 Remove WRLinux 1019 product [Matthew Burket]
- 1b538dfc48|2022-05-11|2022-06-16 Update references in OL8 STIG rules [Edgar Aguilar]
- 7a25ff4bf3|2022-04-15|2022-06-08 products/alinux2 && controls: Add CIS Alibaba Cloud Linux (Aliyun Linux) 2 profiles [YiLin.Li]
- 32c80740cc|2022-05-24|2022-05-26 Add fixtext and srg_requirement to audit_rules_kernel_module_loading_init [Matthew Burket]
- fa81eb115c|2022-04-06|2022-04-06 Merge pull request #8327 from Xeicker/ol08-00-030390 [GitHub]
- c0ae24e95c|2022-04-04|2022-04-04 Update ansible in audit_rules_kernel_module rules [Edgar Aguilar]
- de702fb722|2022-04-04|2022-04-04 Update tests in audit_rules_kernel_module rules [Edgar Aguilar]
- 55f2f34b20|2022-03-30|2022-03-30 Update tests in audit_rules_kernel_module rules [Edgar Aguilar]
- fa8680ad52|2022-03-22|2022-03-22 Group init_module and finit_module audit rules. [Yavor Georgiev]
- c8b9548f03|2022-03-09|2022-03-10 Add auid criteria to rules required by rhel8 [Edgar Aguilar]
- a62d887414|2022-03-09|2022-03-10 Add auid criteria to rule to meet OL08-00-030360 [Edgar Aguilar]
- fb60278d83|2022-01-20|2022-01-25 Add OL9 prodtype to rules part of standard profile [Federico Ramirez]
- f2530de65f|2021-11-19|2021-11-29 Add OL8 STIG IDs [Federico Ramirez]
- a59d63af04|2021-11-02|2021-11-02 Run ./utils/fix_rules.py sort_prodtypes [Matthew Burket]
- f59b8dbb4d|2021-10-08|2021-10-08 Add support for Debian 11 [Marco De Donno]
- 5ad8290cd3|2021-08-20|2021-09-08 Completed CIS Chapters 4-6 Build currently failing. [Nico Truzzolino]
- 2214054aec|2021-08-26|2021-08-30 Converted function calls to macro invocations; removed the old function; fixed comment in macro file [Jiri Odehnal]

Only in focal:
- 782f6c4c16|2021-08-31|2021-09-01 Add packages entry to auditd tests [richardmaciel-canonical]
- f44e0148e0|2021-08-17|2021-09-01 Fix auditd tests as the package is not installed by default in Ubuntu [richardmaciel-canonical]
- 60345d77df|2021-08-24|2021-08-25 Automatically add Ubuntu to existing shared fixes [Richard Maciel Costa]
- 51c80e3a83|2021-07-08|2021-08-25 Manually add missing disa & srg references [Richard Maciel Costa]
---
 .../ansible/shared.yml                | 28 ++++++++++++-----
 .../bash/shared.sh                    | 11 ++++---
 .../kubernetes/shared.yml             |  2 +-
 .../oval/shared.xml                   | 16 ++++++++++
 .../policy/stig/shared.yml            | 16 ++++++++++
 .../rule.yml                          | 31 ++++++++++++++-----
 .../tests/correct_rules.pass.sh       |  9 ++++--
 .../tests/default.fail.sh             |  2 +-
 .../tests/missing_auid_filter.fail.sh |  8 +++++
 .../tests/ocp4/e2e.yml                |  2 +-
 10 files changed, 99 insertions(+), 26 deletions(-)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/policy/stig/shared.yml
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/missing_auid_filter.fail.sh

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml
index f238b25121f..ac24d2e2dc5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml
@@ -1,21 +1,33 @@ -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ol,multi_platform_ubuntu # reboot = false # complexity = low # disruption = low # strategy = configure +{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} +{{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}} +{{% else %}} +{{% set auid_filters = "" %}} +{{% endif %}} + # What architecture are we on? - name: Set architecture for audit init_module tasks set_fact: - audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + audit_arch: "b64" + when: + - ansible_architecture == "aarch64" or + ansible_architecture == "ppc64" or + ansible_architecture == "ppc64le" or + ansible_architecture == "s390x" or + ansible_architecture == "x86_64" -- name: Perform remediation of Audit rules for init_module for x86 platform +- name: Perform remediation of Audit rules for init_module for 32bit platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b32", other_filters="", - auid_filters="", + auid_filters=auid_filters, syscalls=["init_module"], key="module-change", syscall_grouping=["init_module","finit_module"], 
@@ -23,18 +35,18 @@ {{{ ansible_audit_auditctl_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b32", other_filters="", - auid_filters="", + auid_filters=auid_filters, syscalls=["init_module"], key="module-change", syscall_grouping=["init_module","finit_module"], )|indent(4) }}} -- name: Perform remediation of Audit rules for init_module for x86_64 platform +- name: Perform remediation of Audit rules for init_module for 64bit platform block: {{{ ansible_audit_augenrules_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b64", other_filters="", - auid_filters="", + auid_filters=auid_filters, syscalls=["init_module"], key="module-change", syscall_grouping=["init_module","finit_module"], @@ -42,7 +54,7 @@ {{{ ansible_audit_auditctl_add_syscall_rule( action_arch_filters="-a always,exit -F arch=b64", other_filters="", - auid_filters="", + auid_filters=auid_filters, syscalls=["init_module"], key="module-change", syscall_grouping=["init_module","finit_module"], diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh index 3bb7f89d37c..6dd02945292 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh @@ -1,8 +1,5 @@ # platform = multi_platform_all -# Include source function library. -. /usr/share/scap-security-guide/remediation_functions - # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # Note: 32-bit and 64-bit kernel syscall numbers not always line up => 
@@ -15,11 +12,15 @@ for ARCH in "${RULE_ARCHS[@]}" do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} + AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" + {{% else %}} AUID_FILTERS="" + {{% endif %}} SYSCALL="init_module" KEY="modules" SYSCALL_GROUPING="init_module finit_module" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" - fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + {{{ bash_fix_audit_syscall_rule("augenrules", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}} + {{{ bash_fix_audit_syscall_rule("auditctl", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}} done diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/kubernetes/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/kubernetes/shared.yml index 2fb9a7ff584..083a612a0a5 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/kubernetes/shared.yml @@ -12,4 +12,4 @@ spec: source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A mode: 0600 path: /etc/audit/rules.d/75-kernel-module-loading-init.rules - overwrite: true \ No newline at end of file + overwrite: true 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/oval/shared.xml index 29503cb9f22..8f8f72bca1c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/oval/shared.xml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/oval/shared.xml @@ -36,7 +36,11 @@ ^/etc/audit/rules\.d/.*\.rules$ + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + {{% else %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + {{% endif %}} 1 @@ -45,7 +49,11 @@ ^/etc/audit/rules\.d/.*\.rules$ + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + {{% else %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + {{% endif %}} 1 
@@ -54,7 +62,11 @@ /etc/audit/audit.rules + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + {{% else %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + {{% endif %}} 1 @@ -63,7 +75,11 @@ /etc/audit/audit.rules + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + {{% else %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + {{% endif %}} 1 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/policy/stig/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/policy/stig/shared.yml new file mode 100644 index 00000000000..018450a1fdd --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/policy/stig/shared.yml 
@@ -0,0 +1,16 @@ +srg_requirement: |- + {{{ full_name }}} Must Provide Audit Record Generation Capability For Dod-Defined Auditable Events For All Operating System Components. + +vuldiscussion: |- + The addition of kernel modules can be used to alter the behavior of + the kernel and potentially introduce malicious code into kernel space. It is important + to have an audit trail of modules that have been introduced into the kernel. + +checktext: |- + To determine if the system is configured to audit calls to the + init_module system call, run the following command: + $ sudo grep "init_module" /etc/audit/audit.* + If the system is configured to audit this activity, it will return a line. + + + If no line is returned, then this is a finding. diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml index b2d0470fe74..9b0ba2ac498 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml @@ -1,13 +1,17 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure auditd Collects Information on Kernel Module Loading - init_module' description: |- To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} +
-a always,exit -F arch=ARCH -S init_module -F auid>={{{ uid_min }}} -F auid!=unset -F key=modules
+ {{% else %}}
-a always,exit -F arch=ARCH -S init_module -F key=modules
+ {{% endif %}} Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix @@ -30,14 +34,21 @@ identifiers: cce@rhel9: CCE-90835-0 cce@sle12: CCE-83130-5 cce@sle15: CCE-85750-8 + references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 + cis@alinux2: 4.1.17 cis@rhel7: 4.1.16 - cis@rhel8: 4.1.15 + cis@rhel8: 4.1.3.19 + cis@rhel9: 4.1.3.19 + cis@sle12: 4.1.16 + cis@sle15: 4.1.16 cis@ubuntu2004: 4.1.16 + cis@ubuntu2204: 4.1.3.19 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 cui: 3.1.7 - disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884 + disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' 
@@ -47,13 +58,19 @@ references: nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a) ospp: FAU_GEN.1.1.c pcidss: Req-10.2.7 - srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-APP-000495-CTR-001235,SRG-APP-000504-CTR-001280 stigid@ol7: OL07-00-030820 + stigid@ol8: OL08-00-030360 stigid@rhel7: RHEL-07-030820 stigid@rhel8: RHEL-08-030360 - stigid@sle12: SLES-12-020750 - stigid@sle15: SLES-15-030540 + stigid@rhel9: RHEL-09-654080 + stigid@sle12: SLES-12-020740 + stigid@sle15: SLES-15-030530 stigid@ubuntu2004: UBTU-20-010179 - vmmsrg: SRG-OS-000477-VMM-001970 {{{ complete_ocil_entry_audit_syscall(syscall="init_module") }}} + +fixtext: |- + {{{ fixtext_audit_rules("init_module", "module_chng") | indent(4) }}} + +srg_requirement: '{{{ srg_requirement_audit_command("init_module") }}}' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/correct_rules.pass.sh index 74cfa43b21e..b3b6e1d48fa 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/correct_rules.pass.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/correct_rules.pass.sh 
@@ -1,7 +1,10 @@ #!/bin/bash +# packages = audit -# packages = {{{ ssgts_package("audit") }}} - +{{% if "ol" in product or 'rhel' in product %}} +echo "-a always,exit -F arch=b32 -S init_module -F auid>={{{ uid_min }}} -F auid!=unset -k modules" >> /etc/audit/rules.d/modules.rules +echo "-a always,exit -F arch=b64 -S init_module -F auid>={{{ uid_min }}} -F auid!=unset -k modules" >> /etc/audit/rules.d/modules.rules +{{% else %}} echo "-a always,exit -F arch=b32 -S init_module -k modules" >> /etc/audit/rules.d/modules.rules echo "-a always,exit -F arch=b64 -S init_module -k modules" >> /etc/audit/rules.d/modules.rules - +{{% endif %}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/default.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/default.fail.sh index c4689b5a18b..6d0cf84e52e 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/default.fail.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/default.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # remediation = bash -# packages = {{{ ssgts_package("audit") }}} +# packages = audit rm -f /etc/audit/rules.d/* > /etc/audit/audit.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/missing_auid_filter.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/missing_auid_filter.fail.sh new file mode 100644 index 00000000000..7570ed06f26 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/missing_auid_filter.fail.sh 
@@ -0,0 +1,8 @@ +#!/bin/bash +# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 8 +# packages = audit + +rm -f /etc/audit/rules.d/* + +echo "-a always,exit -F arch=b32 -S init_module -k modules" >> /etc/audit/rules.d/modules.rules +echo "-a always,exit -F arch=b64 -S init_module -k modules" >> /etc/audit/rules.d/modules.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/ocp4/e2e.yml index b5bc081590c..fd9b313e87b 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/ocp4/e2e.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/ocp4/e2e.yml @@ -1,3 +1,3 @@ --- default_result: FAIL -result_after_remediation: PASS \ No newline at end of file +result_after_remediation: PASS
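Review bot: in the ansible/shared.yml hunk the auid filter is built from the `auid` template variable (`{{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}}`), and bash/shared.sh does the same with `{{{ auid }}}`, while the OVAL check in this patch matches `-F auid>={{{ uid_min }}}`. If `auid` and `uid_min` resolve to different values for a product, the remediated rule will not pass the check that this same patch installs. Use one variable (`uid_min`, which the OVAL already uses) in the ansible, bash and OVAL templates.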
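Review bot: the bash/shared.sh hunk keeps `KEY="modules"` while the ansible remediation uses `key="module-change"` and the kubernetes source also emits `-k module-change`. The OVAL regex accepts any key (`(-k[\s]+|-F[\s]+key=)[\S]+`), so either passes the check, but the key written depends on which remediation ran, which makes `ausearch -k` based review of module loads inconsistent across hosts. Pick one key (the rule description documents `-F key=modules`) and use it in ansible, bash and kubernetes.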
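Review bot: the four new OVAL patterns require `-F auid>=...` to be immediately followed by `-F auid!=(unset|4294967295)` and then the key, in that fixed order (`(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)`). A rule that lists the two auid filters in the opposite order, or places the key before them, is accepted by auditctl and functionally identical but is reported as a failure by this check, so administrators who wrote their own compliant rules will get false findings. Consider matching each auid filter independently (as the existing `.*` before the `-S init_module` part already does for other filters) instead of a fixed sequence, or state the required order in the rule description.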
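Review bot: in the new policy/stig/shared.yml the manual `checktext` (`$ sudo grep "init_module" /etc/audit/audit.*`) only confirms that some rule mentions `init_module`, whereas the OVAL added in this patch also requires the `-F auid>=... -F auid!=unset` filters on OL, RHEL and Ubuntu. A system holding the rules from tests/missing_auid_filter.fail.sh therefore passes the manual check and fails the automated one. The check text should require the auid filters for those products and should also look in `/etc/audit/rules.d/*.rules`, since the remediations and the tests write there. This file also defines `srg_requirement`, and the rule.yml hunk of the same patch adds `srg_requirement: '{{{ srg_requirement_audit_command("init_module") }}}'`; keep only one of the two definitions.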
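Review bot: the rule.yml hunk is the fifth copy of the condition `{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}}` in this patch (ansible, bash, oval, rule.yml and tests). Duplicating it makes the copies drift, which has already happened in tests/correct_rules.pass.sh, where `'ubuntu' in product` is missing. Define the condition once (for example a single jinja variable shared by the remediation and check templates) and reference it from each file.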
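Review bot: tests/correct_rules.pass.sh guards the auid-filtered rules with `{{% if "ol" in product or 'rhel' in product %}}`, but the OVAL condition also covers `'ubuntu' in product`; on ubuntu2004 and ubuntu2204 the pass test therefore writes rules without auid filters, which the check rejects, so the test will fail there. Align the condition with the OVAL's. Conversely, the new tests/missing_auid_filter.fail.sh is limited by `# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 8`, so RHEL 7, RHEL 9, OL 9 and Ubuntu, where the auid requirement also applies, never get a fail-case test; extend the platform list to match the products the check applies to.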