Audit rule contents are out of date compared to auditd examples #12321
Comments
This also affects RHEL 8.8; this should also be checked.
While the same test fails on 8.8 as well, it is due to a different audit-rules related issue. The 9.5 issue is the addition of
--- remediated-datastream/30-ospp-v42.rules
+++ shipped-with-audit/30-ospp-v42.rules
@@ -35,4 +35,8 @@
--a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
--a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
--a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
--a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
...
etc.
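Review bot: the only change in this hunk is the added `-F arch=b32` / `-F arch=b64` field, so every arch-less path watch in the remediated datastream now corresponds to two rules in the shipped file (the same for the lines elided after `/etc/gshadow`); the rule.yml content under linux_os/guide/auditing should emit both arch variants for these watches so the remediation output matches the shipped 30-ospp-v42.rules line for line, and until it does the sanity test comparing the two files will keep flagging every one of these watches as a difference even though the auid, perm and key filters are identical.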
... which happened quite recently, the 8.8 problem is likely not a recent regression and is of a different nature:
--- remediated-datastream/30-ospp-v42.rules
+++ shipped-with-audit/30-ospp-v42.rules
@@ -57 +56,0 @@
--a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
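Review bot: this hunk is a bare one-line removal with no context, showing the grub2-set-bootflag special-config-changes watch present in the remediated datastream but absent from the sample shipped with the older audit package; a rule that the shipped sample simply does not have should not be reported as a content error by the check, and when the content is made version-aware the condition belongs on the audit package version rather than the RHEL minor release, since the thread notes that 9.4 behaves differently from 9.0 and 9.2.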
@@ -60,5 +58,0 @@
-## Special case for systemd-run. It is not audit aware, specifically watch it
--a always,exit -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
-## Special case for pkexec. It is not audit aware, specifically watch it
--a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
-
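Review bot: the systemd-run and pkexec maybe-escalation watches, their introducing comment lines and a trailing blank line (five lines, matching the `-60,5` count) exist only in the remediated datastream on this audit version; note that the two rules are not symmetric (systemd-run carries `-F auid!=unset`, pkexec has no auid filter), so whichever version of the sample rules the content ships for the older packages, it should reproduce them exactly as that package does rather than copying the newer block or normalising the two rules to one form.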
Note that the 8.8 problem also seems to occur on 9.0 and 9.2, though weirdly not 9.4.
Okay, so the issue with 8.8 / 9.0 / 9.2 is that they use older audit package versions, which have different sample rules compared to 9.4 and 8.10:
So the content needs to (upstream or downstream) contain 3 versions of the sample rules.
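A rule-level comparison of the kind the sanity test in this thread performs, added here as an example and not part of the ComplianceAsCode content or of the audit package: it parses auditd `-a` rule lines into field sets, reports the rules found in only one of two files, and can ignore the arch field so that the b32/b64 pair in the newer shipped sample matches the single arch-less rule in the datastream. The two embedded rule sets are constructed from the hunks quoted above; the function names are this example's own.

```python
import re
import shlex

# Constructed sample inputs, taken from the hunks quoted in this issue.
REMEDIATED = """\
-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
"""
SHIPPED = """\
## newer audit packages split each path watch into a b32 and a b64 rule
-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
"""
FIELD_RE = re.compile(r"^([A-Za-z0-9_]+)(!=|>=|<=|=|>|<)(.*)$")

def parse_rule(line):
    """'-a action,list -F field<op>value ...' -> (action_list, frozenset of
    (field, op, value)); None for comments, blanks and other directives (-w, -D)."""
    toks = shlex.split(line.split("#", 1)[0])
    if len(toks) < 2 or toks[0] != "-a":
        return None
    fields = set()
    for flag, arg in zip(toks[2::2], toks[3::2]):
        if flag == "-F" and (m := FIELD_RE.match(arg)):
            fields.add(m.groups())
        elif flag == "-S":  # syscall filters compare like any other field
            fields.add(("syscall", "=", arg))
    return (toks[1], frozenset(fields))

def load_rules(text, ignore_arch=False):
    """Rule file -> set of parsed rules; ignore_arch collapses the b32/b64 pair."""
    rules = set()
    for rule in filter(None, map(parse_rule, text.splitlines())):
        if ignore_arch:
            rule = (rule[0], frozenset(f for f in rule[1] if f[0] != "arch"))
        rules.add(rule)
    return rules

def fmt(rule):
    """Render a parsed rule as one auditctl line, fields sorted for stable diffs."""
    parts = ["-S " + v if f == "syscall" else "-F %s%s%s" % (f, op, v)
             for f, op, v in sorted(rule[1])]
    return "-a %s %s" % (rule[0], " ".join(parts))

def compare(first, second, ignore_arch=False):
    """Rules found in only one of the two files, rendered with fmt()."""
    a, b = load_rules(first, ignore_arch), load_rules(second, ignore_arch)
    return {"only_in_first": sorted(map(fmt, a - b)),
            "only_in_second": sorted(map(fmt, b - a))}
```

Calling `compare(REMEDIATED, SHIPPED)` reports the arch split on both sides, while `compare(REMEDIATED, SHIPPED, ignore_arch=True)` leaves only the pkexec watch, which is the genuinely missing rule.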
@vojtapolasek Any plans or updates?
I will do my best to come up with a final PR this week.
Description of problem:
linux-audit/audit-userspace@614f7d1 brought in new changes to the example watcher rules shipped in RHEL RPMs; we should probably update our contents in
linux_os/guide/auditing/**/rule.yml
to match the updated examples.
SCAP Security Guide Version:
a2d0b11
Operating System Version:
RHEL-9.5
Additional Information/Debugging Steps:
Discovered by
/CoreOS/scap-security-guide/Sanity/audit-sample-rules