Merge pull request ComplianceAsCode#10685 from rumch-se/fix_in_audit_…

…rules_sysadmin_actions Fix in audit_rules_systadmin_actions and new rule audit_rules_sysadmi…
rumch-se · Jul 26, 2023 · 55ddc6a · 55ddc6a
2 parents dc450a8 + 0f47fbc
commit 55ddc6a
Show file tree

Hide file tree

Showing 14 changed files with 29 additions and 16 deletions.
diff --git a/controls/anssi.yml b/controls/anssi.yml
@@ -1363,6 +1363,7 @@ controls:
     status: automated
     rules:
     - audit_rules_sysadmin_actions
+    - audit_sudo_log_events
 
     - audit_rules_login_events_faillock
     - audit_rules_login_events_lastlog

diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml
@@ -1275,16 +1275,18 @@ controls:
     levels:
       - l2_server
       - l2_workstation
-    status: manual # missing rule for sudoers scope
+    status: automated
+    rules:
+      - audit_rules_sysadmin_actions
 
   - id: 4.1.15
     title: Ensure system administrator actions (sudolog) are collected (Automated)
     levels:
       - l2_server
       - l2_workstation
     status: automated
-    related_rules:
-      - audit_rules_sysadmin_actions
+    rules:
+      - audit_sudo_log_events
 
   - id: 4.1.16
     title: Ensure kernel module loading and unloading is collected (Automated)

diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml
@@ -1469,16 +1469,18 @@ controls:
     levels:
       - l2_server
       - l2_workstation
-    status: manual # missing rule for sudoers scope
+    status: automated
+    rules:
+      - audit_rules_sysadmin_actions
 
   - id: 4.1.15
     title: Ensure system administrator actions (sudolog) are collected (Automated)
     levels:
       - l2_server
       - l2_workstation
     status: automated
-    related_rules:
-      - audit_rules_sysadmin_actions
+    rules:
+      - audit_sudo_log_events
 
   - id: 4.1.16
     title: Ensure kernel module loading and unloading is collected (Automated)

diff --git a/controls/pcidss_3.yml b/controls/pcidss_3.yml
@@ -1853,6 +1853,7 @@ controls:
     rules:
       - audit_rules_privileged_commands
       - audit_rules_sysadmin_actions
+      - audit_sudo_log_events
 
   - id: Req-10.2.3
     title: 10.2.3 Access to all audit trails

diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml
@@ -2074,6 +2074,7 @@ controls:
         rules:
           - audit_rules_privileged_commands
           - audit_rules_sysadmin_actions
+          - audit_sudo_log_events
 
       - id: 10.2.1.3
         title: 'Audit logs capture all access to audit logs.Records of all access to

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml
@@ -1,5 +1,5 @@
 <def-group>
-  <definition class="compliance" id="audit_rules_sudoers_d" version="1">
+  <definition class="compliance" id="{{{ rule_id }}}"  version="1">
     {{{ oval_metadata("Audit actions taken by system administrators on the system - /etc/sudoers.d/.") }}}
     <criteria operator="OR">
       <criteria operator="AND">

diff --git a/...de/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml b/...de/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml
@@ -4,7 +4,7 @@
 # complexity = low
 # disruption = low
 
-{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/sudoers', permissions='wa', key='actions') }}}
 {{{ ansible_audit_auditctl_add_watch_rule(path='/etc/sudoers', permissions='wa', key='actions') }}}
-{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/sudoers.d/', permissions='wa', key='actions') }}}
+{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/sudoers', permissions='wa', key='actions') }}}
 {{{ ansible_audit_auditctl_add_watch_rule(path='/etc/sudoers.d/', permissions='wa', key='actions') }}}
+{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/sudoers.d/', permissions='wa', key='actions') }}}
diff --git a/.../guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh b/.../guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh
@@ -1,8 +1,8 @@
 # platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+
 {{{ bash_fix_audit_watch_rule("auditctl", "/etc/sudoers", "wa", "actions") }}}
 {{{ bash_fix_audit_watch_rule("augenrules", "/etc/sudoers", "wa", "actions") }}}
-
 {{{ bash_fix_audit_watch_rule("auditctl", "/etc/sudoers.d/", "wa", "actions") }}}
 {{{ bash_fix_audit_watch_rule("augenrules", "/etc/sudoers.d/", "wa", "actions") }}}
diff --git a/...guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml b/...guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml
@@ -1,5 +1,5 @@
 <def-group>
-  <definition class="compliance" id="audit_rules_sysadmin_actions" version="1">
+  <definition class="compliance" id="{{{ rule_id }}}"  version="1">
     {{{ oval_metadata("Audit actions taken by system administrators on the system.") }}}
     <criteria operator="OR">
       <criteria operator="AND">

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
@@ -39,8 +39,8 @@ references:
     cis@rhel7: 4.1.14
     cis@rhel8: 4.1.3.1
     cis@rhel9: 4.1.3.1
-    cis@sle12: 4.1.14,4.1.15
-    cis@sle15: 4.1.14,4.1.15
+    cis@sle12: 4.1.14
+    cis@sle15: 4.1.14
     cis@ubuntu2004: 4.1.14
     cis@ubuntu2204: 4.1.3.1
     cjis: 5.4.1.1

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,rhel8,rhel9,ubuntu2004,ubuntu2204
+prodtype: fedora,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Record Attempts to perform maintenance activities'
 
@@ -40,13 +40,20 @@ severity: medium
 identifiers:
     cce@rhel8: CCE-86432-2
     cce@rhel9: CCE-86433-0
+    cce@sle12: CCE-92355-7
+    cce@sle15: CCE-92551-1    
 
 references:
+    anssi: BP28(R73)
     ccn@rhel9: A.3.SEC-RHEL7
     cis@rhel8: 4.1.3.3
     cis@rhel9: 4.1.3.3
+    cis@sle12: 4.1.15
+    cis@sle15: 4.1.15    
     cis@ubuntu2204: 4.1.3.3
     disa: CCI-000172,CCI-002884
+    pcidss: Req-10.2.2,Req-10.2.5.b
+    pcidss4: "10.2.1.5,10.2.2"    
     srg: SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
     stigid@ubuntu2004: UBTU-20-010244
 

diff --git a/products/sle15/profiles/hipaa.profile b/products/sle15/profiles/hipaa.profile
@@ -137,6 +137,7 @@ selections:
     - audit_rules_usergroup_modification_opasswd
     - audit_rules_usergroup_modification_passwd
     - audit_rules_usergroup_modification_shadow
+    - audit_sudo_log_events
     - auditd_data_retention_flush
     - configure_crypto_policy
     - dconf_gnome_remote_access_credential_prompt

diff --git a/shared/references/cce-sle12-avail.txt b/shared/references/cce-sle12-avail.txt
@@ -17,7 +17,6 @@ CCE-92347-4
 CCE-92348-2
 CCE-92350-8
 CCE-92354-0
-CCE-92355-7
 CCE-92357-3
 CCE-92358-1
 CCE-92360-7

diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt
@@ -43,7 +43,6 @@ CCE-92546-1
 CCE-92547-9
 CCE-92549-5
 CCE-92550-3
-CCE-92551-1
 CCE-92553-7
 CCE-92554-5
 CCE-92555-2