
Use var_accounts_passwords_pam_faillock_dir in audit_rules_login_events #11110

Merged
merged 1 commit into from
Sep 13, 2023

Conversation

jan-cerny
Collaborator

The rule audit_rules_login_events depends on rule audit_rules_login_events_faillock; the OVAL check from audit_rules_login_events_faillock is reused as extend_definition in audit_rules_login_events. But the rule audit_rules_login_events_faillock recently changed in 5304dcb to use the XCCDF value var_accounts_passwords_pam_faillock_dir in the rule, which also changed the OVAL check in this rule, which affects audit_rules_login_events as well. But audit_rules_login_events wasn't updated. In this patch, we will update audit_rules_login_events to use var_accounts_passwords_pam_faillock_dir in audit_rules_login_events in a similar way to audit_rules_login_events_faillock. As a consequence, we also need to explicitly set the value of the variable in RHEL 7 profiles, where the default variable can't be used, to make sure the correct path is used.

Fixes: #11102
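The check-and-fix that the generated bash remediation in this PR performs for the faillock watch rule, as an added example that is not ComplianceAsCode project code: it ensures a rules file carries `-w DIR -p wa -k logins` and tops up the access bits of an existing rule, but compares the directory as a literal token instead of interpolating it into grep/sed patterns, and refuses an empty value (the case where the XCCDF variable is unresolved). The function name is hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not ComplianceAsCode project code. Same job as the generated
# remediation in this PR: make sure a rules file carries an auditd watch on
# the faillock directory with at least the 'w' and 'a' access bits. The path
# is compared as a literal token (no regex interpolation, so no escaping
# problems) and an empty value is refused instead of producing a broken
# "-w  -p wa -k logins" line. Names are hypothetical.
# Usage: ensure_watch_rule /var/log/faillock /etc/audit/rules.d/logins.rules

# ensure_watch_rule DIR RULES_FILE
ensure_watch_rule() {
    dir="$1"; file="$2"
    if [ -z "$dir" ]; then
        echo "ensure_watch_rule: faillock dir is empty, refusing to write a rule" >&2
        return 1
    fi
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v dir="$dir" -v need="wa" '
        # Non-comment line whose first two tokens are exactly "-w" and DIR.
        !/^[[:space:]]*#/ && $1 == "-w" && $2 == dir {
            found = 1
            p = 0
            for (i = 3; i < NF; i++) if ($i == "-p") p = i + 1
            if (p) {
                # Add each required bit the existing -p mask lacks while
                # keeping the bits that are already there (e.g. "r" -> "rwa").
                bits = $p
                for (j = 1; j <= length(need); j++) {
                    b = substr(need, j, 1)
                    if (index(bits, b) == 0) bits = bits b
                }
                $p = bits
            }
        }
        { print }
        # No matching rule anywhere in the file: append a complete one.
        END { if (!found) print "-w " dir " -p wa -k logins" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}
```

Running it twice on the same file leaves a single watch rule, and a commented-out or prefix-matching path (such as `/var/log/faillock2`) is not mistaken for the rule being present.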

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 12, 2023
@openshift-ci

openshift-ci bot commented Sep 12, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


@github-actions

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events'.
--- xccdf_org.ssgproject.content_rule_audit_rules_login_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_login_events
@@ -10,14 +10,14 @@
 directory /etc/audit/rules.d in order to watch for attempted manual
 edits of files involved in storing logon events:
 -w /var/log/tallylog -p wa -k logins
--w /var/log/faillock -p wa -k logins
+-w 'xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_dir' -p wa -k logins
 -w /var/log/lastlog -p wa -k logins
 If the auditd daemon is configured to use the auditctl
 utility to read audit rules during daemon startup, add the following lines to
 /etc/audit/audit.rules file in order to watch for unattempted manual
 edits of files involved in storing logon events:
 -w /var/log/tallylog -p wa -k logins
--w /var/log/faillock -p wa -k logins
+-w 'xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_dir' -p wa -k logins
 -w /var/log/lastlog -p wa -k logins
 
 [warning]:
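Review bot: the unchanged context line "watch for unattempted manual edits" in the second paragraph of this hunk reads as a typo for "attempted", which is what the first paragraph says; since the description template is being edited here anyway, it is worth fixing in the same change. Note also that the rendered rule text now shows the quoted identifier 'xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_dir' where /var/log/faillock used to be, consistent with the empty assignment in the bash hunk below, so the result should be checked against a built profile where the value is resolved.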

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_login_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_login_events
@@ -2,6 +2,9 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+
+var_accounts_passwords_pam_faillock_dir=''
+
 
 # Create a list of audit *.rules files that should be inspected for presence and correctness
 # of a particular audit rule. The scheme is as follows:
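Review bot: `var_accounts_passwords_pam_faillock_dir=''` is the only assignment the variable gets in this script and nothing later checks that it is non-empty before use. If the value is not populated (the PR description notes RHEL 7 profiles need it set explicitly), the check `grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}"` degenerates to matching any `-w` rule in the file, and the fallback `echo "-w ${var_accounts_passwords_pam_faillock_dir} -p wa -k logins"` writes `-w  -p wa -k logins`, a rule with no path. Suggest a guard right after the assignment, e.g. `[ -n "$var_accounts_passwords_pam_faillock_dir" ] || exit 1`.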
@@ -159,36 +162,36 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
-    if grep -q -P -- "^[\s]*-w[\s]+/var/log/faillock" "$audit_rules_file"
-    then
-        # Rule is found => verify yet if existing rule definition contains
-        # all of the required access type bits
-
-        # Define BRE whitespace class shortcut
-        sp="[[:space:]]"
-        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/faillock $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
-        # Split required access bits string into characters array
-        # (to check bit's presence for one bit at a time)
-        for access_bit in $(echo "wa" | grep -o .)
-        do
-            # For each from the required access bits (e.g. 'w', 'a') check
-            # if they are already present in current access bits for rule.
-            # If not, append that bit at the end
-            if ! grep -q "$access_bit" <<< "$current_access_bits"
-            then
-                # Concatenate the existing mask with the missing bit
-                current_access_bits="$current_access_bits$access_bit"
-            fi
-        done
-        # Propagate the updated rule's access bits (original + the required
-        # ones) back into the /etc/audit/audit.rules file for that rule
-        sed -i "s#\($sp*-w$sp\+/var/log/faillock$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
-    else
-        # Rule isn't present yet. Append it at the end of $audit_rules_file file
-        # with proper key
-
-        echo "-w /var/log/faillock -p wa -k logins" >> "$audit_rules_file"
+    if grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" "$audit_rules_file"
+    then
+        # Rule is found => verify yet if existing rule definition contains
+        # all of the required access type bits
+
+        # Define BRE whitespace class shortcut
+        sp="[[:space:]]"
+        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir} $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+        # Split required access bits string into characters array
+        # (to check bit's presence for one bit at a time)
+        for access_bit in $(echo "wa" | grep -o .)
+        do
+            # For each from the required access bits (e.g. 'w', 'a') check
+            # if they are already present in current access bits for rule.
+            # If not, append that bit at the end
+            if ! grep -q "$access_bit" <<< "$current_access_bits"
+            then
+                # Concatenate the existing mask with the missing bit
+                current_access_bits="$current_access_bits$access_bit"
+            fi
+        done
+        # Propagate the updated rule's access bits (original + the required
+        # ones) back into the /etc/audit/audit.rules file for that rule
+        sed -i "s#\($sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir}$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+    else
+        # Rule isn't present yet. Append it at the end of $audit_rules_file file
+        # with proper key
+
+        echo "-w ${var_accounts_passwords_pam_faillock_dir} -p wa -k logins" >> "$audit_rules_file"
     fi
 done
 # Create a list of audit *.rules files that should be inspected for presence and correctness
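Review bot: the path is now a variable rather than a fixed literal, but it is interpolated unescaped into a PCRE (`grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}"`) and into two sed BREs that use `#` as delimiter; any value containing a regex metacharacter or `#` would silently change or break the match, so escape it once before use or compare the path as a literal token. Separately, the extraction pattern `-w$sp\+${var_accounts_passwords_pam_faillock_dir} $sp\+-p` keeps a stray literal space before `$sp\+` (carried over from the removed line), so a rule with a single space between the path and `-p` yields an empty `current_access_bits`; the loop then builds `wa` from nothing and the following `sed -i` replaces whatever bits the existing rule had (say `rwxa`) with just `wa`. Drop the space so both sed patterns agree.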
@@ -207,7 +210,7 @@
 # If the audit is 'augenrules', then check if rule is already defined
 # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
 # If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection.
-readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/faillock" /etc/audit/rules.d/*.rules)
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" /etc/audit/rules.d/*.rules)
 
 # For each of the matched entries
 for match in "${matches[@]}"
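Review bot: the pattern in `readarray -t matches < <(grep -HP "[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" /etc/audit/rules.d/*.rules)` is not anchored with `^`, unlike the presence check in the earlier hunk (`^[\s]*-w[\s]+...`), so a commented-out line such as `# -w /var/log/faillock -p wa -k logins` in any rules.d file counts as the rule being defined and the remediation then edits that file instead of logins.rules. Add the `^` anchor and give the variable the same escaping as the other patterns.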
@@ -236,36 +239,36 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
-    if grep -q -P -- "^[\s]*-w[\s]+/var/log/faillock" "$audit_rules_file"
-    then
-        # Rule is found => verify yet if existing rule definition contains
-        # all of the required access type bits
-
-        # Define BRE whitespace class shortcut
-        sp="[[:space:]]"
-        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/faillock $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
-        # Split required access bits string into characters array
-        # (to check bit's presence for one bit at a time)
-        for access_bit in $(echo "wa" | grep -o .)
-        do
-            # For each from the required access bits (e.g. 'w', 'a') check
-            # if they are already present in current access bits for rule.
-            # If not, append that bit at the end
-            if ! grep -q "$access_bit" <<< "$current_access_bits"
-            then
-                # Concatenate the existing mask with the missing bit
-                current_access_bits="$current_access_bits$access_bit"
-            fi
-        done
-        # Propagate the updated rule's access bits (original + the required
-        # ones) back into the /etc/audit/audit.rules file for that rule
-        sed -i "s#\($sp*-w$sp\+/var/log/faillock$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
-    else
-        # Rule isn't present yet. Append it at the end of $audit_rules_file file
-        # with proper key
-
-        echo "-w /var/log/faillock -p wa -k logins" >> "$audit_rules_file"
+    if grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" "$audit_rules_file"
+    then
+        # Rule is found => verify yet if existing rule definition contains
+        # all of the required access type bits
+
+        # Define BRE whitespace class shortcut
+        sp="[[:space:]]"
+        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir} $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+        # Split required access bits string into characters array
+        # (to check bit's presence for one bit at a time)
+        for access_bit in $(echo "wa" | grep -o .)
+        do
+            # For each from the required access bits (e.g. 'w', 'a') check
+            # if they are already present in current access bits for rule.
+            # If not, append that bit at the end
+            if ! grep -q "$access_bit" <<< "$current_access_bits"
+            then
+                # Concatenate the existing mask with the missing bit
+                current_access_bits="$current_access_bits$access_bit"
+            fi
+        done
+        # Propagate the updated rule's access bits (original + the required
+        # ones) back into the /etc/audit/audit.rules file for that rule
+        sed -i "s#\($sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir}$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+    else
+        # Rule isn't present yet. Append it at the end of $audit_rules_file file
+        # with proper key
+
+        echo "-w ${var_accounts_passwords_pam_faillock_dir} -p wa -k logins" >> "$audit_rules_file"
     fi
 done
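Review bot: this block is character-for-character the same as the auditctl block in the earlier hunk, including the stray space in the `sed -ne` extraction pattern and the unescaped `${var_accounts_passwords_pam_faillock_dir}` in the grep and sed patterns, so any fix made there must land here too; if both are produced from one template, fix the template so the two copies cannot drift.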
 

The rule `audit_rules_login_events` depends on rule
`audit_rules_login_events_faillock`, the OVAL check from
`audit_rules_login_events_faillock` is reused as `extend_definition` in
`audit_rules_login_events`. But, the rule
`audit_rules_login_events_faillock` recently changed in
5304dcb to use the XCCDF value
`var_accounts_passwords_pam_faillock_dir` in the rule which also changed
the OVAL check in this rule which affects `audit_rules_login_events` as
well. But, `audit_rules_login_events` wasn't updated. In this patch, we
will update `audit_rules_login_events` to use
`var_accounts_passwords_pam_faillock_dir` in `audit_rules_login_events`
in a similar way to `audit_rules_login_events_faillock`. As a
consequence, we also need to explicitly set the value of the variable
in RHEL 7 profiles where the default variable can't be used to make
sure the correct path is used.

Fixes: ComplianceAsCode#11102
@codeclimate

codeclimate bot commented Sep 12, 2023

Code Climate has analyzed commit 9305bd2 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.8% (0.0% change).

View more on Code Climate.

@jan-cerny
Collaborator Author

The Automatus fail on SLES seems to be unrelated to this PR and will be fixed by #11111.

@jan-cerny jan-cerny added bugfix Fixes to reported bugs. Bash Bash remediation update. Update Rule Issues or pull requests related to Rules updates. labels Sep 12, 2023
@jan-cerny jan-cerny added this to the 0.1.70 milestone Sep 12, 2023
@jan-cerny jan-cerny marked this pull request as ready for review September 12, 2023 12:10
@jan-cerny jan-cerny requested a review from a team as a code owner September 12, 2023 12:10
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 12, 2023
@marcusburghardt marcusburghardt self-assigned this Sep 13, 2023
Member

@marcusburghardt marcusburghardt left a comment


The rule was successfully tested in my local VMs. Thanks for this update.

@marcusburghardt marcusburghardt merged commit 02c63c8 into ComplianceAsCode:master Sep 13, 2023
37 of 38 checks passed
Successfully merging this pull request may close these issues.

audit_rules_login_events rule is failing several tests