Audit rule contents are out of date compared to auditd examples
Description of problem:
https://github.com/linux-audit/audit-userspace/commit/614f7d1f4755ec24927b2613c0919110fb7acc37 brought in new changes to the example watcher rules shipped in RHEL RPMs; we should probably update our contents in linux_os/guide/auditing/**/rule.yml to match the updated examples.
SCAP Security Guide Version:
a2d0b11e573598c39ab7ad19e89347ee9d9fc399
Operating System Version:
RHEL-9.5
Additional Information/Debugging Steps:
Discovered by /CoreOS/scap-security-guide/Sanity/audit-sample-rules
This also affects RHEL 8.8, this should also be checked.
While the same test fails on 8.8 as well, it is due to a different audit-rules-related issue.
The 9.5 issue is the addition of arch=, i.e.
--- remediated-datastream/30-ospp-v42.rules
+++ shipped-with-audit/30-ospp-v42.rules
@@ -35,4 +35,8 @@
--a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
--a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
--a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
--a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
...
etc.
...
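Review bot: every `-F path=` watch in this hunk is now emitted twice, once with `-F arch=b32` and once with `-F arch=b64` (4 lines removed, 8 added), so a rule.yml whose remediation or OVAL check expects the single arch-less line will keep diverging on 9.5; the 9.5 variant of each rule needs to emit both arch lines and the check should accept either form. The remaining fields (`perm=wa`, `auid>=1000`, `auid!=unset` and the `user-modify`/`group-modify` keys) are unchanged in the hunk, so only the arch split needs handling.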
which happened quite recently, the 8.8 problem is likely not a recent regression and is of a different nature:
--- remediated-datastream/30-ospp-v42.rules
+++ shipped-with-audit/30-ospp-v42.rules
@@ -57 +56,0 @@
--a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
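Review bot: the shipped 8.8 file has no grub2-set-bootflag watch, so this line exists only in the content's remediation; rather than dropping it for every release, gate it in rule.yml on the audit package version (the 3.0.7 builds lack it) so the 8.10/9.4 and 9.5 variants keep the watch.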
@@ -60,5 +58,0 @@
-## Special case for systemd-run. It is not audit aware, specifically watch it
--a always,exit -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
-## Special case for pkexec. It is not audit aware, specifically watch it
--a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
-
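Review bot: the pkexec watch on the removed line carries no `-F auid!=unset` filter while the systemd-run watch two lines above it does; if the content keeps a version-specific copy of these two "not audit aware" special cases, either align the filters or document in rule.yml why pkexec is watched for every auid, so the difference is not mistaken for a typo in the next comparison against the shipped file.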
Note that the 8.8 problem also seems to occur on 9.0, 9.2 though weirdly not 9.4.
Okay, so the issue with 8.8 / 9.0 / 9.2 is that they use older audit package versions, which have different sample rules compared to 9.4 and 8.10:
- RHEL-8.8 has audit-3.0.7-4.el8
- RHEL-9.0 has audit-3.0.7-101.el9_0.2
- RHEL-9.2 has audit-3.0.7-103.el9
- RHEL-8.10 has audit-3.1.2-1.el8
- RHEL-9.4 has audit-3.1.2-2.el9
- RHEL-9.5 has audit-3.1.5-1.el9
So the content needs to (upstream or downstream) contain 3 versions of the sample rules,
- one for 8.8 / 9.0 / 9.2
- one for 8.10 / 9.4
- one for 9.5+
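As an added example (not code from the content project or the audit package), this is the kind of comparison the sanity test needs once audit 3.1.5 splits every path watch per arch: parse both rules files into order-independent rule sets, expand arch-less watches into their b32/b64 pair, and report only what remains on one side. The rule lines inside are constructed samples in the style of the diffs above.

```python
from typing import Dict, FrozenSet, Set, Tuple

Rule = FrozenSet[Tuple[str, str]]
ARCHES = ("b32", "b64")  # audit >= 3.1.5 emits each path watch once per arch

# Constructed sample input (not from either project): the content's arch-less
# rules versus the arch-split form used by audit-3.1.5's 30-ospp-v42.rules.
CONTENT_RULES = """\
-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
"""
SHIPPED_RULES = """\
## constructed excerpt; comments and blank lines are skipped by the parser
-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
"""

def parse_rule(line: str) -> Rule:
    """'-a always,exit -F k=v ...' -> order-independent set of (flag, value) pairs."""
    tokens = line.split()  # every flag in these rules (-a, -F, -S, -k) takes one argument
    return frozenset((tokens[i], tokens[i + 1] if i + 1 < len(tokens) else "")
                     for i in range(0, len(tokens), 2))

def expand_arch(rule: Rule) -> Set[Rule]:
    """Expand an arch-less path watch into its b32/b64 pair so both files compare alike."""
    has_arch = any(f == "-F" and v.startswith("arch=") for f, v in rule)
    is_watch = any(f == "-F" and v.startswith("path=") for f, v in rule)
    if has_arch or not is_watch:
        return {rule}
    return {frozenset(rule | {("-F", f"arch={arch}")}) for arch in ARCHES}

def load_rules(text: str) -> Set[Rule]:
    """Parse a rules file, skipping blank lines and '#' comments."""
    rules: Set[Rule] = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules |= expand_arch(parse_rule(line))
    return rules

def compare_rules(content_text: str, shipped_text: str) -> Dict[str, Set[Rule]]:
    """Rules left on one side only; empty 'only_in_shipped' means full coverage."""
    content, shipped = load_rules(content_text), load_rules(shipped_text)
    return {"only_in_content": content - shipped, "only_in_shipped": shipped - content}

if __name__ == "__main__":
    for side, rules in compare_rules(CONTENT_RULES, SHIPPED_RULES).items():
        for rule in rules:
            print(side, " ".join(f"{f} {v}" for f, v in sorted(rule)))
```

With the sample input the passwd watch matches on both sides after expansion, and only the pkexec watch (in both arch forms) is reported as present in the content alone.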
@vojtapolasek Any plans or updates?
I will do my best to come up with a final PR this week.