Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update audit_rules_suid_privilege_function to use ExecStart instead of ExecStartPost #12549

Merged
merged 1 commit into from
Nov 4, 2024
Merged

Update audit_rules_suid_privilege_function to use ExecStart instead of ExecStartPost #12549

merged 1 commit into from
Nov 4, 2024

Conversation

ggbecker
Copy link
Member

Description:

  • Update audit_rules_suid_privilege_function to use ExecStart instead of ExecStartPost

Rationale:

  • Fix the ansible remediation in RHEL10

@ggbecker ggbecker added bugfix Fixes to reported bugs. CIS CIS Benchmark related. RHEL10 Red Hat Enterprise Linux 10 product related. labels Oct 28, 2024
@ggbecker ggbecker added this to the 0.1.75 milestone Oct 28, 2024
@github-actions GitHub Actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@github-actions GitHub Actions
Copy link

Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.

@github-actions GitHub Actions
Copy link

Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.

@ggbecker
Update audit_rules_suid_privilege_function to use ExecStart instead o…
d13c361 
…f ExecStartPost.

RHEL10 does not use the old ExecStartPost directive anymore.
@codeclimate CodeClimate
Copy link

codeclimate bot commented Oct 28, 2024

Code Climate has analyzed commit d13c361 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).

View more on Code Climate.

@ggbecker
Copy link
Member Author

ggbecker commented Oct 28, 2024
edited
Loading

Looks like the problem has been fixed.

TASK [Check the rules script being used] ***************************************
ok: [192.168.122.237] => {"changed": false, "cmd": ["grep", "^ExecStart", "/usr/lib/systemd/system/audit-rules.service"], "delta": "0:00:00.001622", "end": "2024-10-28 18:55:49.652923", "failed_when_result": false, "msg": "", "rc": 0, "start": "2024-10-28 18:55:49.651301", "stderr": "", "stderr_lines": [], "stdout": "ExecStart=/sbin/augenrules --load", "stdout_lines": ["ExecStart=/sbin/augenrules --load"]}

TASK [Set suid_audit_rules fact] ***********************************************
ok: [192.168.122.237] => (Redacted by Contest)

TASK [Update /etc/audit/rules.d/user_emulation.rules to audit privileged functions] ***
changed: [192.168.122.237] => (item={'rule': '-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation', 'regex': '^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-C[\\s]+euid!=uid[\\s]+-F[\\s]+auid!=unset[\\s]+-S[\\s]+execve[\\s]+(?:-k[\\s]+|-F[\\s]+key=)[\\S]+[\\s]*$'}) => {"ansible_loop_var": "item", "backup": "", "changed": true, "item": {"regex": "^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-C[\\s]+euid!=uid[\\s]+-F[\\s]+auid!=unset[\\s]+-S[\\s]+execve[\\s]+(?:-k[\\s]+|-F[\\s]+key=)[\\S]+[\\s]*$", "rule": "-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation"}, "msg": "line added"}
changed: [192.168.122.237] => (item={'rule': '-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation', 'regex': '^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-C[\\s]+euid!=uid[\\s]+-F[\\s]+auid!=unset[\\s]+-S[\\s]+execve[\\s]+(?:-k[\\s]+|-F[\\s]+key=)[\\S]+[\\s]*$'}) => {"ansible_loop_var": "item", "backup": "", "changed": true, "item": {"regex": "^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-C[\\s]+euid!=uid[\\s]+-F[\\s]+auid!=unset[\\s]+-S[\\s]+execve[\\s]+(?:-k[\\s]+|-F[\\s]+key=)[\\S]+[\\s]*$", "rule": "-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation"}, "msg": "line added"}

TASK [Update Update /etc/audit/audit.rules to audit privileged functions] ******
skipping: [192.168.122.237] => (item={'rule': '-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation', 'regex': '^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-C[\\s]+euid!=uid[\\s]+-F[\\s]+auid!=unset[\\s]+-S[\\s]+execve[\\s]+(?:-k[\\s]+|-F[\\s]+key=)[\\S]+[\\s]*$'})  => {"ansible_loop_var": "item", "changed": false, "false_condition": "\"auditctl\" in check_rules_scripts_result.stdout", "item": {"regex": "^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-C[\\s]+euid!=uid[\\s]+-F[\\s]+auid!=unset[\\s]+-S[\\s]+execve[\\s]+(?:-k[\\s]+|-F[\\s]+key=)[\\S]+[\\s]*$", "rule": "-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation"}, "skip_reason": "Conditional result was False"}
skipping: [192.168.122.237] => (item={'rule': '-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation', 'regex': '^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-C[\\s]+euid!=uid[\\s]+-F[\\s]+auid!=unset[\\s]+-S[\\s]+execve[\\s]+(?:-k[\\s]+|-F[\\s]+key=)[\\S]+[\\s]*$'})  => {"ansible_loop_var": "item", "changed": false, "false_condition": "\"auditctl\" in check_rules_scripts_result.stdout", "item": {"regex": "^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-C[\\s]+euid!=uid[\\s]+-F[\\s]+auid!=unset[\\s]+-S[\\s]+execve[\\s]+(?:-k[\\s]+|-F[\\s]+key=)[\\S]+[\\s]*$", "rule": "-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation"}, "skip_reason": "Conditional result was False"}
skipping: [192.168.122.237] => {"changed": false, "msg": "All items skipped"}

TASK [Restart Auditd] **********************************************************
changed: [192.168.122.237] => {"changed": true, "cmd": ["/usr/sbin/service", "auditd", "restart"], "delta": "0:00:01.095532", "end": "2024-10-28 18:55:51.352516", "msg": "", "rc": 0, "start": "2024-10-28 18:55:50.256984", "stderr": "", "stderr_lines": [], "stdout": "Redirecting start to /bin/systemctl start auditd.service", "stdout_lines": ["Redirecting start to /bin/systemctl start auditd.service"]}

jan-cerny
jan-cerny reviewed Oct 29, 2024
View reviewed changes
.../auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/ansible/shared.yml
- name: Service facts
ansible.builtin.service_facts:

- name: Check the rules script being used
ansible.builtin.command:
grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service
grep '^{{{ audit_loading_systemd_directive }}}' /usr/lib/systemd/system/{{{ audit_loading_service_file }}}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do other occurrences of auditd and auditd.service in this Ansible remedaition need to be updated as well or only this one grep should be changed?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe this is the only change needed in this Ansible remediation. Other rules might require some more adjustments, because of the ExecStart/ExecStartPost thing but it's not part of this PR to fix them, and they are more complicated IMO.

@vojtapolasek
Copy link
Collaborator

Hello,
this rule rings a bell for me. Please note this:
#12359 (comment)
So the rule might not be working as expected.

@ggbecker
Copy link
Member Author

Hello, this rule rings a bell for me. Please note this: #12359 (comment) So the rule might not be working as expected.

I was able to fix the remediation issue with this pull request, but I haven't done any further testing to see if the rules are actually being loaded by the auditd service. But I'd assume the test would not work if the rules were loaded correctly. This rule is part of RHEL9 CIS profile and there it is working as expected.

@Mab879 Mab879 self-assigned this Oct 31, 2024
@Mab879
Copy link
Member

Mab879 commented Nov 4, 2024

Waving Automatus tests since these rules are not applicable in VMs.

@Mab879 Mab879 merged commit bd5118a into ComplianceAsCode:master Nov 4, 2024
99 of 104 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jan-cerny jan-cerny jan-cerny left review comments

@Mab879 Mab879 Mab879 approved these changes

Assignees

@Mab879 Mab879

Labels
bugfix Fixes to reported bugs. CIS CIS Benchmark related. RHEL10 Red Hat Enterprise Linux 10 product related.
Projects
None yet
Milestone
0.1.75
Development

Successfully merging this pull request may close these issues.
4 participants
@ggbecker @vojtapolasek @Mab879 @jan-cerny