ComplianceAsCode · ggbecker · Jul 23, 2019 · Jul 18, 2019 · Jul 19, 2019 · Jul 22, 2019
diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile
@@ -93,6 +93,7 @@ selections:
     - set_firewalld_default_zone
     - auditd_audispd_syslog_plugin_activated
     - auditd_audispd_configure_remote_server
+    - auditd_local_events
     - rsyslog_remote_loghost
     - auditd_audispd_encrypt_sent_records
     - login_banner_text=usgcb_default

diff --git a/linux_os/guide/system/auditing/auditd_local_events/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_local_events/ansible/shared.yml
@@ -0,0 +1,11 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{
+ansible_auditd_set(
+   parameter="local_events",
+   value="yes"
+)
+}}}
diff --git a/linux_os/guide/system/auditing/auditd_local_events/bash/shared.sh b/linux_os/guide/system/auditing/auditd_local_events/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+. /usr/share/scap-security-guide/remediation_functions
+include_lineinfile
+
+auditd_config_set "local_events" "yes"
diff --git a/linux_os/guide/system/auditing/auditd_local_events/oval/shared.xml b/linux_os/guide/system/auditing/auditd_local_events/oval/shared.xml
@@ -0,0 +1,7 @@
+{{{
+oval_auditd_config(
+    parameter="local_events",
+    value="yes",
+    missing_parameter_pass=true
+    )
+}}}
diff --git a/linux_os/guide/system/auditing/auditd_local_events/rule.yml b/linux_os/guide/system/auditing/auditd_local_events/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+title: 'Include Local Events in Audit Logs'
+
+description: |-
+    To configure Audit daemon to include local events in Audit logs, set
+    <tt>local_events</tt> to <tt>yes</tt> in <tt>/etc/audit/auditd.conf</tt>.
+    This is the default setting.
+
+rationale: |-
+    If local <tt>local_events</tt> isn't set to <tt>yes</tt> only events from
+    network will be aggregated.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: 82233-8
+
+references:
+    ospp: FAU_GEN.1.1.c
+
+ocil_clause: local_events isn't set to yes
+
+ocil: |-
+    To verify that Audit Daemon is configured to include local events, run the
+    following command:
+    <pre>$ sudo grep local_events /etc/audit/auditd.conf</pre>
+    The output should return the follwoing:
+    <pre>local_events = yes</pre>
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
@@ -702,7 +702,8 @@ selections:
     ## Audit Configuration
     #################################################################
 
-    # TODO: local_events=YES
+    ## RHEL 8 CCE-82233-8: Include Local Events in Audit Logs
+    - auditd_local_events
 
     # TODO: write_logs=YES
 

diff --git a/shared/bash_remediation_functions/include_lineinfile.sh b/shared/bash_remediation_functions/include_lineinfile.sh
@@ -143,3 +143,10 @@ function sshd_config_set() {
 
     set_config_file "/etc/ssh/sshd_config" "$parameter" "$value" "yes" '' '^Match' 'true'
 }
+
+function auditd_config_set() {
+    local parameter="$1"
+    local value="$2"
+
+    set_config_file "/etc/audit/auditd.conf" "$parameter" "$value" "true" "" "" "true" " = " "\s*=\s*"
+}
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
@@ -162,3 +162,14 @@
 {{%- macro ansible_etc_profile_set(msg='', parameter='', value='') %}}
 {{{ ansible_set_config_file_dir(msg, "/etc/profile", "/etc/profile.d", "/etc/profile", parameter, separator='=', separator_regex='=', value=value, create='yes', validate="bash -n %s") }}}
 {{%- endmacro %}}
+
+{{#
+  High level macro to set a command in auditd configuration file /etc/audit/auditd.conf.
+  Parameters:
+  - msg: the name for the Ansible task
+  - parameter: parameter to be set in the configuration file
+  - value: value of the parameter
+#}}
+{{%- macro ansible_auditd_set(msg='', parameter='', value='') %}}
+{{{ ansible_set_config_file(msg, "/etc/audit/auditd.conf", parameter=parameter, value=value, create="yes", separator=" = ", separator_regex="\s*=\s*") }}}
+{{%- endmacro %}}
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
@@ -206,6 +206,20 @@
 {{{ oval_check_config_file("/etc/ssh/sshd_config", prefix_regex="^[\s]*(?i)", parameter=parameter, separator_regex='(?-i)[\s]+', value=value, missing_parameter_pass=missing_parameter_pass, application="sshd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}}
 {{%- endmacro %}}
 
+{{#
+  High level macro to check if a particular combination of parameter and value in the Audit daemon configuration file is set.
+  This function can take five parameters:
+    - parameter (String): The parameter to be checked in the configuration file.
+    - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
+    - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
+    - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
+    - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
+
+#}}
+{{%- macro oval_auditd_config(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
+{{{ oval_check_config_file("/etc/audit/auditd.conf", prefix_regex="^\s*", parameter=parameter, separator_regex='\s*=\s*', value=value, missing_parameter_pass=missing_parameter_pass, application="auditd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}}
+{{%- endmacro %}}
+
 {{#
   High level macro to check if a particular combination of parameter and value in the grub configuration file is set.
   This function can take five parameters:

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -50,7 +50,6 @@ CCE-82229-6
 CCE-82230-4
 CCE-82231-2
 CCE-82232-0
-CCE-82233-8
 CCE-82234-6
 CCE-82235-3
 CCE-82236-1

diff --git a/tests/data/group_system/group_auditing/rule_auditd_local_events/commented.pass.sh b/tests/data/group_system/group_auditing/rule_auditd_local_events/commented.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+echo "#local_events = yes" > "/etc/audit/auditd.conf"
diff --git a/tests/data/group_system/group_auditing/rule_auditd_local_events/correct_value.pass.sh b/tests/data/group_system/group_auditing/rule_auditd_local_events/correct_value.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+echo "local_events = yes" > "/etc/audit/auditd.conf"
diff --git a/tests/data/group_system/group_auditing/rule_auditd_local_events/missing_file.pass.sh b/tests/data/group_system/group_auditing/rule_auditd_local_events/missing_file.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+rm -f "/etc/audit/auditd.conf"
diff --git a/tests/data/group_system/group_auditing/rule_auditd_local_events/missing_value.pass.sh b/tests/data/group_system/group_auditing/rule_auditd_local_events/missing_value.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+sed -i "/local_events/d" "/etc/audit/auditd.conf"
diff --git a/tests/data/group_system/group_auditing/rule_auditd_local_events/wrong_value.fail.sh b/tests/data/group_system/group_auditing/rule_auditd_local_events/wrong_value.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+echo "local_events = no" > "/etc/audit/auditd.conf"