Adapt audit_rules_suid_privilege_function for Ubuntu 24.04 CIS #12963
Conversation
|
Hi @mpurg. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -8,7 +8,7 @@
for ARCH in "${RULE_ARCHS[@]}"
do
ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
-
+
OTHER_FILTERS="-C uid!=euid -F euid=0"
AUID_FILTERS=""
@@ -326,7 +326,7 @@
for ARCH in "${RULE_ARCHS[@]}"
do
ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
-
+
OTHER_FILTERS="-C gid!=egid -F egid=0"
AUID_FILTERS=""
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -47,13 +47,13 @@
- name: Set suid_audit_rules fact
ansible.builtin.set_fact:
suid_audit_rules:
- - rule: -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
+ - rule: -a always,exit -F arch=b32 -S execve -C gid!=egid -k setgid
regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
- - rule: -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
+ - rule: -a always,exit -F arch=b64 -S execve -C gid!=egid -k setgid
regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
- - rule: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
+ - rule: -a always,exit -F arch=b32 -S execve -C uid!=euid -k setuid
regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
- - rule: -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
+ - rule: -a always,exit -F arch=b64 -S execve -C uid!=euid -k setuid
regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
when:
- '"audit" in ansible_facts.packages' |
|
/packit build |
|
/packit build |
Ubuntu 24.04 CIS control 6.2.3.2 recommends that all actions as another user are logged and not only when euid=0.
mpurg
force-pushed
the
ubuntu2404_cis_6.2.3.2
branch
from
40392fa to
3cea943
Compare
|
Code Climate has analyzed commit 3cea943 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.9% (0.0% change). View more on Code Climate. |
Description:
audit_rules_suid_privilege_functionon Ubuntu 24.04Rationale:
Tests:
Ubuntu 24.04 in KVM: