Merge pull request #4706 from adelton/auditd-remove-watches

Remove watches since syscall rules cover all cases.

fedora/profiles/ospp.profile

@@ -200,9 +200,6 @@ selections:
     - rsyslog_cron_logging
     - audit_rules_kernel_module_loading_delete
     - audit_rules_kernel_module_loading_init
-    - audit_rules_kernel_module_loading_insmod
-    - audit_rules_kernel_module_loading_modprobe
-    - audit_rules_kernel_module_loading_rmmod
     - audit_rules_etc_passwd_open
     - audit_rules_etc_passwd_openat
     - audit_rules_etc_passwd_open_by_handle_at

fedora/profiles/pci-dss.profile

@@ -70,9 +70,6 @@ selections:
     - audit_rules_kernel_module_loading_delete
     - audit_rules_kernel_module_loading_finit
     - audit_rules_kernel_module_loading_init
-    - audit_rules_kernel_module_loading_insmod
-    - audit_rules_kernel_module_loading_modprobe
-    - audit_rules_kernel_module_loading_rmmod
     - audit_rules_immutable
     - var_multiple_time_servers=rhel
     - service_chronyd_or_ntpd_enabled

linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh

@@ -25,12 +25,3 @@ do
         fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
         fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
 done
-
-# Then perform the remediations for the watch rules
-# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-fix_audit_watch_rule "auditctl" "/usr/sbin/insmod" "x" "modules"
-fix_audit_watch_rule "augenrules" "/usr/sbin/insmod" "x" "modules"
-fix_audit_watch_rule "auditctl" "/usr/sbin/rmmod" "x" "modules"
-fix_audit_watch_rule "augenrules" "/usr/sbin/rmmod" "x" "modules"
-fix_audit_watch_rule "auditctl" "/usr/sbin/modprobe" "x" "modules"
-fix_audit_watch_rule "augenrules" "/usr/sbin/modprobe" "x" "modules"

linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/oval/shared.xml

@@ -10,9 +10,6 @@
       <description>The audit rules should be configured to log information about kernel module loading and unloading.</description>
     </metadata>
     <criteria operator="AND">
-      <extend_definition comment="audit insmod" definition_ref="audit_rules_kernel_module_loading_insmod" />
-      <extend_definition comment="audit rmmod" definition_ref="audit_rules_kernel_module_loading_rmmod" />
-      <extend_definition comment="audit modprobe" definition_ref="audit_rules_kernel_module_loading_modprobe" />
       <extend_definition comment="audit init_module" definition_ref="audit_rules_kernel_module_loading_init" />
       <extend_definition comment="audit delete_module" definition_ref="audit_rules_kernel_module_loading_delete" />
 {{% if product != "rhel6" %}}

linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml

@@ -6,9 +6,6 @@ description: |-
     To capture kernel module loading and unloading events, use following lines, setting ARCH to
     either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
     <pre>
-    -w /usr/sbin/insmod -p x -k modules
-    -w /usr/sbin/rmmod -p x -k modules
-    -w /usr/sbin/modprobe -p x -k modules
 {{% if product == "rhel6" %}}
     -a always,exit -F arch=<i>ARCH</i> -S init_module,delete_module -F key=modules
 {{% else %}}
@@ -59,15 +56,3 @@ ocil: |-
     {{{ ocil_audit_syscall(syscall="delete_module") }}}
 
 {{{ ocil_clause_entry_audit_syscall() }}}
-
-warnings:
-    - general: |-
-        This rule checks for multiple syscalls related to kernel module loading and unloading;
-        it was written with DISA STIG in mind. Other policies should use a
-        separate rule for each syscall that needs to be checked. For example:
-        <ul>
-        <li><tt>audit_rules_kernel_module_loading_insmod</tt></li>
-        <li><tt>audit_rules_kernel_module_loading_rmmod</tt></li>
-        <li><tt>audit_rules_kernel_module_loading_modprobe</tt></li>
-        </ul>
-

linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml

@@ -31,6 +31,7 @@ references:
     cis: 5.2.17
     cui: 3.1.7
     disa: "172"
+    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
     ospp: FAU_GEN.1.1.c