From 8ef0d5082c3c2c20b3a4f70bff53af513071b33b Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 7 Dec 2023 18:13:35 +0100
Subject: [PATCH 1/3] audit_rule_login_events: handle path_is_variable in Kubernetes remediation

Update audit_rules_login_events kubernetes template to handle new parameter 'path_is_variable'. When the path is a variable, CO needs to fetch the variables value and render the MachineConfig.
---
 controls/nist_rhcos4.yml | 4 ++++
 products/rhcos4/profiles/e8.profile | 1 +
 products/rhcos4/profiles/stig-v1r1.profile | 1 +
 shared/templates/audit_rules_login_events/kubernetes.template | 4 ++++
 4 files changed, 10 insertions(+)

diff --git a/controls/nist_rhcos4.yml b/controls/nist_rhcos4.yml
index 34c37c91f3b..67698080b6e 100644
--- a/controls/nist_rhcos4.yml
+++ b/controls/nist_rhcos4.yml
@@ -1022,6 +1022,7 @@ controls:
 - audit_rules_login_events_tallylog
 - audit_rules_privileged_commands_umount
 - audit_rules_login_events_faillock
+ - var_accounts_passwords_pam_faillock_dir=run
 - audit_rules_privileged_commands_crontab
 - audit_rules_execution_setsebool
 - audit_rules_etc_group_open_by_handle_at
@@ -2553,6 +2554,7 @@ controls:
 - audit_rules_execution_semanage
 - audit_rules_unsuccessful_file_modification_chmod
 - audit_rules_login_events_faillock
+ - var_accounts_passwords_pam_faillock_dir=run
 - audit_rules_unsuccessful_file_modification_open
 - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat
 - audit_rules_privileged_commands_chage
@@ -3541,6 +3543,7 @@ controls:
 - audit_rules_execution_semanage
 - audit_rules_unsuccessful_file_modification_chmod
 - audit_rules_login_events_faillock
+ - var_accounts_passwords_pam_faillock_dir=run
 - audit_rules_unsuccessful_file_modification_open
 - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat
 - audit_rules_privileged_commands_chage
@@ -5077,6 +5080,7 @@ controls:
 - sysctl_net_ipv4_conf_default_rp_filter
 - audit_rules_unsuccessful_file_modification_chmod
 - audit_rules_login_events_faillock
+ - var_accounts_passwords_pam_faillock_dir=run
 - audit_rules_unsuccessful_file_modification_open
 - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat
 - audit_rules_privileged_commands_chage
diff --git a/products/rhcos4/profiles/e8.profile b/products/rhcos4/profiles/e8.profile
index f9593544678..55f4cc40af7 100644
--- a/products/rhcos4/profiles/e8.profile
+++ b/products/rhcos4/profiles/e8.profile
@@ -51,6 +51,7 @@ selections:
 - auditd_name_format
 - audit_rules_login_events_tallylog
 - audit_rules_login_events_faillock
+ - var_accounts_passwords_pam_faillock_dir=run
 - audit_rules_login_events_lastlog
 - audit_rules_login_events
 - audit_rules_time_adjtimex
diff --git a/products/rhcos4/profiles/stig-v1r1.profile b/products/rhcos4/profiles/stig-v1r1.profile
index 951db16d932..0a851bd6cbb 100644
--- a/products/rhcos4/profiles/stig-v1r1.profile
+++ b/products/rhcos4/profiles/stig-v1r1.profile
@@ -21,6 +21,7 @@ selections:
 - var_sshd_set_keepalive=0
 - var_selinux_policy_name=targeted
 - var_selinux_state=enforcing
+ - var_accounts_passwords_pam_faillock_dir=run
 # Let's mark the vsyscall argument as info - the check and the fix is there, but setting this
 # karg is not suitable for people who still run legacy 32bit apps.
 - coreos_vsyscall_kernel_argument.role=unscored
diff --git a/shared/templates/audit_rules_login_events/kubernetes.template b/shared/templates/audit_rules_login_events/kubernetes.template
index 6c67a6aff74..25bb67fd7a9 100644
--- a/shared/templates/audit_rules_login_events/kubernetes.template
+++ b/shared/templates/audit_rules_login_events/kubernetes.template
@@ -12,7 +12,11 @@ spec:
 storage:
 files:
 - contents:
+{{% if PATH_IS_VARIABLE %}}
+ source: data:,-w%20{{ {{{ url_encode("{{.var_accounts_passwords_pam_faillock_dir}}") }}} }}%20-p%20wa%20-k%20logins%0A
+{{% else %}}
 source: data:,-w%20{{{ PATH }}}%20-p%20wa%20-k%20logins%0A
+{{% endif %}}
 mode: 0644
 path: /etc/audit/rules.d/75-{{{ NAME }}}_login_events.rules
 overwrite: true

From 3ee06e9cac2e903107b679f23719b4d2ee817f81 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 7 Dec 2023 18:32:19 +0100
Subject: [PATCH 2/3] Use the rule id for the path in Kubernetes remediation

The '{{{ PATH }}}' now can point to a variable name. To avoid using the variable name as the file path, lets use the rule id, which is slightly more descriptive of what is being configured.
---
 shared/templates/audit_rules_login_events/kubernetes.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/templates/audit_rules_login_events/kubernetes.template b/shared/templates/audit_rules_login_events/kubernetes.template
index 25bb67fd7a9..59b61d361e2 100644
--- a/shared/templates/audit_rules_login_events/kubernetes.template
+++ b/shared/templates/audit_rules_login_events/kubernetes.template
@@ -18,5 +18,5 @@ spec:
 source: data:,-w%20{{{ PATH }}}%20-p%20wa%20-k%20logins%0A
 {{% endif %}}
 mode: 0644
- path: /etc/audit/rules.d/75-{{{ NAME }}}_login_events.rules
+ path: /etc/audit/rules.d/75-{{{ rule_id }}}.rules
 overwrite: true

From 8e171779b1dc4107fca0c4ac7c02fdbb6f6bd26e Mon Sep 17 00:00:00 2001
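Review bot: The `PATH_IS_VARIABLE` branch hard-codes `var_accounts_passwords_pam_faillock_dir` inside the `url_encode` call, so the switch the commit message describes as a generic `path_is_variable` parameter only works for this one variable; any other rule that sets `path_is_variable` would render a watch on the faillock directory instead of its own path, and nothing in the template would fail loudly. The second patch in this series states that `{{{ PATH }}}` carries the variable name in this mode, so the Go-template reference can be built from it: `source: data:,-w%20{{ {{{ url_encode("{{." ~ PATH ~ "}}") }}} }}%20-p%20wa%20-k%20logins%0A`. That assumes `PATH` holds exactly the variable id with no prefix or suffix, which should be confirmed against the template's parameter definition (outside this hunk). A comment above the branch, e.g. `{{# PATH_IS_VARIABLE: PATH names a variable whose value the operator substitutes when the MachineConfig is rendered #}}`, would make that contract visible to the next maintainer.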
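Review bot: Changing `path:` from `75-{{{ NAME }}}_login_events.rules` to `75-{{{ rule_id }}}.rules` renames the file a MachineConfig already manages on remediated nodes; unless the config management removes files that drop out of the rendered config, a node remediated before this change keeps the old rules file next to the new one, and the stale copy is the one that can still point at an unresolved variable name. That is worth recording either in the commit message or as a comment on the line, e.g. `# renamed from 75-{{{ NAME }}}_login_events.rules; nodes remediated before the rename may still carry that file`. It also assumes `rule_id` is in this template's Jinja context, which the template header (outside this hunk) would show.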
From: Lance Bragstad
Date: Thu, 7 Dec 2023 12:42:57 -0600
Subject: [PATCH 3/3] Add e2e test for audit_rules_login_events_faillock

We recently discovered that this rule regressed due to a change in the template. Let's add some e2e testing so that we test this on future patches.
---
 .../audit_rules_login_events_faillock/tests/ocp4/e2e.yaml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/ocp4/e2e.yaml

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/ocp4/e2e.yaml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/ocp4/e2e.yaml
new file mode 100644
index 00000000000..77dda8f5fe7
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/ocp4/e2e.yaml
@@ -0,0 +1,2 @@
+default_result: FAIL
+result_after_remediation: PASS
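Review bot: The fixture records only the two expected results, so the reason it exists — the commit message says the rule regressed after a template change — is lost once the file is read on its own. A comment above `default_result`, e.g. `# Regression guard: the kubernetes remediation must resolve var_accounts_passwords_pam_faillock_dir before the MachineConfig is rendered`, keeps that context with the test. If the sibling e2e.yaml fixtures in the repository start with a `---` document marker, this one should follow the same convention.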