Merge pull request #10326 from marcusburghardt/cis_audit

Refactor audit_rules_privileged_commands to include in CIS

controls/cis_rhel7.yml

@@ -1452,7 +1452,9 @@ controls:
     levels:
     - l2_server
     - l2_workstation
-    automated: no # we have audit_rules_privileged_commands, but it does not set perm=x
+    status: automated
+    rules:
+      - audit_rules_privileged_commands
 
   - id: 4.1.12
     title: Ensure successful file system mounts are collected (Automated)

controls/cis_rhel8.yml

@@ -1509,15 +1509,13 @@ controls:
     rules:
       - audit_rules_networkconfig_modification
 
-  # NEEDS RULE
   - id: 4.1.3.6
     title: Ensure use of privileged commands is collected (Automated)
     levels:
       - l2_server
       - l2_workstation
-    status: planned
-    related_rules:
-      # The rule below is almost correct but cannot be used as it does not set the perm=x flag.
+    status: automated
+    rules:
       - audit_rules_privileged_commands
 
   - id: 4.1.3.7

controls/cis_rhel9.yml

@@ -1265,15 +1265,13 @@ controls:
     rules:
       - audit_rules_networkconfig_modification
 
-  # NEEDS RULE
   - id: 4.1.3.6
     title: Ensure use of privileged commands is collected (Automated)
     levels:
       - l2_server
       - l2_workstation
-    status: planned
-    related_rules:
-      # The rule below is almost correct but cannot be used as it does not set the perm=x flag.
+    status: automated
+    rules:
       - audit_rules_privileged_commands
 
   - id: 4.1.3.7

linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml

@@ -1,58 +1,63 @@
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
 # reboot = false
-# strategy = restrict
+# strategy = configure
 # complexity = low
 # disruption = low
 
-- name: Search for privileged commands
-  shell: |
-    set -o pipefail
-    find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null
-  args:
-    executable: /bin/bash
-  check_mode: no
-  register: find_result
+- name: {{{ rule_title }}} - Set List of Mount Points Which Permits Execution of Privileged Commands
+  ansible.builtin.set_fact:
+    privileged_mount_points: "{{(ansible_facts.mounts | rejectattr('options', 'search', 'noexec|nosuid') | map(attribute='mount') | list ) }}"
+
+- name: {{{ rule_title }}} - Search for Privileged Commands in Eligible Mount Points
+  ansible.builtin.shell:
+    cmd: find {{ item }} -xdev -perm /6000 -type f 2>/dev/null
+  register: result_privileged_commands_search
   changed_when: false
   failed_when: false
+  with_items: "{{ privileged_mount_points }}"
 
-# Inserts/replaces the rule in /etc/audit/rules.d
-
-- name: Search /etc/audit/rules.d for audit rule entries
-  find:
-    paths: "/etc/audit/rules.d"
-    recurse: no
-    contains: "^.*path={{ item }} .*$"
-    patterns: "*.rules"
-  with_items:
-    - "{{ find_result.stdout_lines }}"
-  register: files_result
+- name: {{{ rule_title }}} - Set List of Privileged Commands Found in Eligible Mount Points
+  ansible.builtin.set_fact:
+    privileged_commands: "{{( result_privileged_commands_search.results | map(attribute='stdout_lines') | select() | list )[-1] }}"
 
-- name: Overwrites the rule in rules.d
-  lineinfile:
-    path: "{{ item.1.path }}"
-    line: '-a always,exit -F path={{ item.0.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
-    create: no
-    regexp: "^.*path={{ item.0.item }} .*$"
-  with_subelements:
-    - "{{ files_result.results }}"
-    - files
+- name: {{{ rule_title }}} - Privileged Commands are Present in the System
+  block:
+    - name: {{{ rule_title }}} - Ensure Rules for All Privileged Commands in augenrules Format
+      ansible.builtin.lineinfile:
+        path: /etc/audit/rules.d/privileged.rules
+        line: '-a always,exit -F path={{ item }} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
+        regexp: "^.*path={{ item | regex_escape() }} .*$"
+        create: yes
+      with_items:
+        - "{{ privileged_commands }}"
 
-- name: Adds the rule in rules.d
-  lineinfile:
-    path: /etc/audit/rules.d/privileged.rules
-    line: '-a always,exit -F path={{ item.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
-    create: yes
-  with_items:
-    - "{{ files_result.results }}"
-  when: files_result.results is defined and item.matched == 0
+    - name: {{{ rule_title }}} - Ensure Rules for All Privileged Commands in auditctl Format
+      ansible.builtin.lineinfile:
+        path: /etc/audit/audit.rules
+        line: '-a always,exit -F path={{ item }} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
+        regexp: "^.*path={{ item | regex_escape() }} .*$"
+        create: yes
+      with_items:
+        - "{{ privileged_commands }}"
 
-# Adds/overwrites the rule in /etc/audit/audit.rules
+    - name: {{{ rule_title }}} - Search for Duplicated Rules in Other Files
+      ansible.builtin.find:
+        paths: "/etc/audit/rules.d"
+        recurse: no
+        contains: "^-a always,exit -F path={{ item }} .*$"
+        patterns: "*.rules"
+      with_items:
+        - "{{ privileged_commands }}"
+      register: result_augenrules_files
 
-- name: Inserts/replaces the rule in audit.rules
-  lineinfile:
-    path: /etc/audit/audit.rules
-    line: '-a always,exit -F path={{ item.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
-    create: yes
-    regexp: "^.*path={{ item.item }} .*$"
-  with_items:
-    - "{{ files_result.results }}"
+    - name: {{{ rule_title }}} - Ensure Rules for Privileged Commands are Defined Only in One File
+      ansible.builtin.lineinfile:
+        path: "{{ item.1.path }}"
+        regexp: "^-a always,exit -F path={{ item.0.item }} .*$"
+        state: absent
+      with_subelements:
+        - "{{ result_augenrules_files.results }}"
+        - files
+      when:
+        - item.1.path != '/etc/audit/rules.d/privileged.rules'
+  when: privileged_commands is defined

linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh

@@ -1,5 +1,23 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
 
-# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-{{{ bash_perform_audit_rules_privileged_commands_remediation("auditctl", auid) }}}
-{{{ bash_perform_audit_rules_privileged_commands_remediation("augenrules", auid) }}}
+ACTION_ARCH_FILTERS="-a always,exit"
+AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
+SYSCALL=""
+KEY="privileged"
+SYSCALL_GROUPING=""
+
+FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
+PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | grep -Pv "noexec|nosuid" | awk '{ print $1 }')
+for PARTITION in $PARTITIONS; do
+  PRIV_CMDS=$(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null)
+  for PRIV_CMD in $PRIV_CMDS; do
+    OTHER_FILTERS="-F path=$PRIV_CMD -F perm=x"
+    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+    {{{ bash_fix_audit_syscall_rule("augenrules", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") | indent(4) }}}
+    {{{ bash_fix_audit_syscall_rule("auditctl", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") | indent(4) }}}
+  done
+done