From ed4ee93ce864c21f205af62145969acce41e02e7 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 19 Jul 2023 14:38:35 +0200
Subject: [PATCH] Fix Kubernetes remediation of audit_create_failed

---
 .../audit_create_failed/kubernetes/shared.yml | 38 +++++++++++--------
 1 file changed, 23 insertions(+), 15 deletions(-)

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/kubernetes/shared.yml
index 981a0c86184..5f5c1f15ac0 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/kubernetes/shared.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/kubernetes/shared.yml
@@ -1,15 +1,23 @@
----
-# platform = multi_platform_rhel,multi_platform_fedora
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A%23%23%20/etc/audit/rules.d/30-ospp-v42-1-create-failed.rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%26amp%3B0100%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%26amp%3B0100%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%26amp%3B0100%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%26amp%3B0100%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%26amp%3B0100%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%26amp%3B0100%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%26amp%3B0100%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%26amp%3B0100%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules 
-        overwrite: true
+# platform = multi_platform_ocp,multi_platform_rhcos
+# reboot = true
+# strategy = disable
+# complexity = low
+# disruption = medium
+#
+{{% macro file_contents_audit_create_failed() -%}}
+## Unsuccessful file creation (open with O_CREAT)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccessful-create
+{{% endmacro %}}
+{{{ kubernetes_machine_config_file(path='/etc/audit/rules.d/30-ospp-v42-1-create-failed.rules', file_permissions_mode='0600', source=file_contents_audit_create_failed()) }}}
+