From 93dbe3ba9fce700c274f1555326ba5f351adebac Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Mon, 3 Feb 2025 20:26:18 +0100
Subject: [PATCH] Adapt audit_rules_suid_privilege_function for Ubuntu 24.04 CIS Ubuntu 24.04 CIS control 6.2.3.2 recommends that all actions as another user are logged and not only when euid=0.
---
 .../audit_rules_suid_privilege_function/ansible/shared.yml | 4 ++--
 .../audit_rules_suid_privilege_function/bash/shared.sh | 4 ++--
 .../audit_rules_suid_privilege_function/oval/shared.xml | 2 +-
 .../audit_rules_suid_privilege_function/rule.yml | 7 +++----
 .../tests/correct_value.pass.sh | 2 +-
 .../tests/miss_arch.fail.sh | 2 +-
 .../tests/miss_c.fail.sh | 2 +-
 .../tests/other_key.pass.sh | 2 +-
 .../tests/use_f_key.pass.sh | 2 +-
 .../tests/wrong_a.fail.sh | 2 +-
 .../tests/wrong_c_egid.fail.sh | 2 +-
 .../tests/wrong_c_euid.fail.sh | 2 +-
 .../tests/wrong_f_egid.fail.sh | 2 +-
 .../tests/wrong_f_euid.fail.sh | 2 +-
 14 files changed, 18 insertions(+), 19 deletions(-)

diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
index 16f52a708f0..2388eaa5030 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
@@ -4,7 +4,7 @@
 # complexity = low
 # disruption = low
 
-{{% if product != "ol8" %}}
+{{% if product not in ["ol8", "ubuntu2404"] %}}
 {{% set egid_arg = " -F egid=0" %}}
 {{% set euid_arg = " -F euid=0" %}}
 {{% endif %}}
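Review bot: The product list `["ol8", "ubuntu2404"]` is spelled out in this condition and repeated verbatim in every other file of the rule (the second ansible hunk, bash/shared.sh, oval/shared.xml, the three rule.yml hunks and all ten test scenarios), so the next product that needs the unfiltered `-C uid!=euid` form requires editing roughly sixteen places in lockstep, and the OVAL check, the remediations and the tests can drift apart when one is missed. A single shared definition of that set — for example one `{{% set %}}` list the templates all consult, or a product-level property tested instead of the product name — would keep check, fix and tests in agreement by construction. The condition itself is correct; this is only about how the branch is expressed.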
@@ -13,7 +13,7 @@
 {{% set rx_b32 = "-F[\s]+arch=b32[\s]+" %}}
 {{% set rx_b64 = "-F[\s]+arch=b64[\s]+" %}}
 
-{{% if product == "ol8" %}}
+{{% if product in ["ol8", "ubuntu2404"] %}}
 {{% set rx_uid = "-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+" %}}
 {{% set rx_gid = "-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+" %}}
 {{% else %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh
index d9c7d21149f..3f80d0bec24 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh
@@ -7,7 +7,7 @@
 for ARCH in "${RULE_ARCHS[@]}"
 do
 ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
- {{% if product == "ol8" %}}
+ {{% if product in ["ol8", "ubuntu2404"] %}}
 OTHER_FILTERS="-C uid!=euid"
 {{% else %}}
 OTHER_FILTERS="-C uid!=euid -F euid=0"
@@ -24,7 +24,7 @@ done
 for ARCH in "${RULE_ARCHS[@]}"
 do
 ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
- {{% if product == "ol8" %}}
+ {{% if product in ["ol8", "ubuntu2404"] %}}
 OTHER_FILTERS="-C gid!=egid"
 {{% else %}}
 OTHER_FILTERS="-C gid!=egid -F egid=0"
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml
index d2f57f46b51..e612eb6e8e1 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml
@@ -1,7 +1,7 @@
 {{% set rx_beg = "^[\s]*-a[\s]+always,exit[\s]+" %}}
 {{% set rx_b32 = "-F[\s]+arch=b32[\s]+" %}}
 {{% set rx_b64 = "-F[\s]+arch=b64[\s]+" %}}
-{{% if product == "ol8" %}}
+{{% if product in ["ol8", "ubuntu2404"] %}}
 {{% set rx_uid = "-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+" %}}
 {{% set rx_gid = "-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+" %}}
 {{% else %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml
index bd05c372a7a..fe2ad3850da 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml
@@ -1,6 +1,5 @@
 documentation_complete: true
 
-
 title: 'Record Events When Privileged Executables Are Run'
 
 description: |-
@@ -14,7 +13,7 @@ description: |-
$ sudo grep -r execve /etc/audit/rules.d
- {{% if product == "ol8" %}} + {{% if product in ["ol8", "ubuntu2404"] %}}
-a always,exit -F arch=b32 -S execve -C uid!=euid -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -k setgid
@@ -78,7 +77,7 @@ ocil: |- The output should be the following: - {{% if product == "ol8" %}} + {{% if product in ["ol8", "ubuntu2404"] %}}
-a always,exit -F arch=b32 -S execve -C uid!=euid -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -k setgid
@@ -95,7 +94,7 @@ fixtext: |- Add or update the following rules to "/etc/audit/rules.d/audit.rules": - {{% if product == "ol8" %}} + {{% if product in ["ol8", "ubuntu2404"] %}}
-a always,exit -F arch=b32 -S execve -C uid!=euid -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -k setgid
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.pass.sh
index e1649094c65..4857a14c3db 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.pass.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.pass.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # packages = audit
 
-{{% if product == "ol8" %}}
+{{% if product in ["ol8", "ubuntu2404"] %}}
 OTHER_FILTERS_EUID=" -C uid!=euid"
 OTHER_FILTERS_EGID=" -C gid!=egid"
 {{% else %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.fail.sh
index 207adc58a14..d8391ffe278 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.fail.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.fail.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # packages = audit
 
-{{% if product == "ol8" %}}
+{{% if product in ["ol8", "ubuntu2404"] %}}
 OTHER_FILTERS_EUID=" -C uid!=euid"
 OTHER_FILTERS_EGID=" -C gid!=egid"
 {{% else %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.fail.sh
index 5c8a4eca309..d2e3f9b4900 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.fail.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.fail.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # packages = audit
 
-{{% if product != "ol8" %}}
+{{% if product not in ["ol8", "ubuntu2404"] %}}
 OTHER_FILTERS_EUID=" -F euid=0"
 OTHER_FILTERS_EGID=" -F egid=0"
 {{% endif %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.pass.sh
index 0521ea052e1..a4f9d13cf83 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.pass.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.pass.sh
@@ -3,7 +3,7 @@
 
 # This tests situation where key value is not std. And also situation where there is extra spaces in rules.
 
-{{% if product == "ol8" %}}
+{{% if product in ["ol8", "ubuntu2404"] %}}
 OTHER_FILTERS_EUID=" -C uid!=euid"
 OTHER_FILTERS_EGID=" -C gid!=egid"
 {{% else %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.pass.sh
index 7e7e76ef1bb..bf7d3ac40db 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.pass.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.pass.sh
@@ -2,7 +2,7 @@
 # packages = audit
 
 
-{{% if product == "ol8" %}}
+{{% if product in ["ol8", "ubuntu2404"] %}}
 OTHER_FILTERS_EUID=" -C uid!=euid"
 OTHER_FILTERS_EGID=" -C gid!=egid"
 {{% else %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.fail.sh
index 37793e3d92f..cc8a82eccf7 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.fail.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.fail.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # packages = audit
 
-{{% if product == "ol8" %}}
+{{% if product in ["ol8", "ubuntu2404"] %}}
 OTHER_FILTERS_EUID=" -C uid!=euid"
 OTHER_FILTERS_EGID=" -C gid!=egid"
 {{% else %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.fail.sh
index 9b02b2322e1..0d3bb53cf3d 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.fail.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.fail.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # packages = audit
 
-{{% if product == "ol8" %}}
+{{% if product in ["ol8", "ubuntu2404"] %}}
 OTHER_FILTERS_EUID=" -C uid!=egid"
 OTHER_FILTERS_EGID=" -C gid!=egid"
 {{% else %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.fail.sh
index 704a4ebecba..c1803c1677e 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.fail.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.fail.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # packages = audit
 
-{{% if product == "ol8" %}}
+{{% if product in ["ol8", "ubuntu2404"] %}}
 OTHER_FILTERS_EUID=" -C uid!=euid"
 OTHER_FILTERS_EGID=" -C gid!=euid"
 {{% else %}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.fail.sh
index 3672eb05375..ba6f1090211 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.fail.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = audit
-{{% if product == "ol8" %}}
+{{% if product in ["ol8", "ubuntu2404"] %}}
 # platform = Not Applicable
 {{% endif %}}
 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.fail.sh
index b2279cca248..afbb3af10ac 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.fail.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = audit
-{{% if product == "ol8" %}}
+{{% if product in ["ol8", "ubuntu2404"] %}}
 # platform = Not Applicable
 {{% endif %}}
 
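Review bot: Marking wrong_f_egid.fail.sh and wrong_f_euid.fail.sh `Not Applicable` for ubuntu2404 leaves that product with no scenario pinning the negative direction of this change: a rule that still carries the older, narrower form (`-C uid!=euid -F euid=0`), which a system upgraded in place is likely to have, must now fail the check because it logs less than CIS 6.2.3.2 asks for. If the OVAL pattern rejects the extra `-F` filter, as the `-C[\s]+uid!=euid[\s]+` regex in the oval/shared.xml hunk suggests, a scenario such as an `extra_f_euid.fail.sh` guarded by the same product condition would assert that; otherwise these two tests could be repurposed for it instead of being skipped. The bodies of both scripts lie outside the hunks, so I cannot see which `-F` values they exercise today.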