Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SLES-15-030730 'Record Unsuccessul Delete Attempts to Files - renameat2' #6826

Merged
merged 7 commits into from
Apr 20, 2021
Merged

SLES-15-030730 'Record Unsuccessul Delete Attempts to Files - renameat2' #6826

merged 7 commits into from
Apr 20, 2021

Conversation

yarunachalam
Copy link
Contributor

Description:

  • SLES-15-030730 'Record Unsuccessul Delete Attempts to Files - renameat2'

Rationale:

'Record Unsuccessul Delete Attempts to Files - renameat2'

@openscap-ci
Copy link
Collaborator

Can one of the admins verify this patch?

1 similar comment
@openscap-ci
Copy link
Collaborator

Can one of the admins verify this patch?

@openshift-ci-robot
Copy link
Collaborator

Hi @yarunachalam. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the needs-ok-to-test Used by openshift-ci bot. label Apr 12, 2021
@vojtapolasek vojtapolasek self-assigned this Apr 15, 2021
vojtapolasek
vojtapolasek requested changes Apr 19, 2021
View reviewed changes
Copy link
Collaborator

@vojtapolasek vojtapolasek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the new rule, please see review comments.

..._rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml
to the same event is more efficient. See the following example:
<pre>-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,renameat2 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-delete</pre>

template:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that this template has hardcoded a different audit rule key. It adds

-F key=access

at the end istead of

-F key=unsuccessful-delete

which is specified in your rule description.
It depends if it is a problem for you as keys can be arbitrary values, they are more for humans than for computers.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@vojtapolasek The key difference is not an issue. Our rule notes that the key maybe different and looking at other rules that use this template I saw that in most cases the keys in the description were not access.

tests/shared/audit/30-ospp-v42-4-delete-failed.rules Outdated Show resolved Hide resolved
tests/shared/audit/30-ospp-v42-4-delete-success.rules Outdated Show resolved Hide resolved
@vojtapolasek
Copy link
Collaborator

Also you use CCE which is already used. It currently is in:

  • linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
  • linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml

@yarunachalam
Update 30-ospp-v42-4-delete-failed.rules
6c9128a 
Removed renmeat2 changes
@yarunachalam
Update 30-ospp-v42-4-delete-success.rules
a80962b 
Removed renmeat2 changes
@yarunachalam
Delete e2e.yml
49a9a0b 
Test only applied for Red Hat not for SLE. Removed e2e.yml
@yarunachalam
Update rule.yml
34afdc8 
Fixed cce id CCE-85726-8
@yarunachalam
Copy link
Contributor Author

thanks, cce id fixed. still working on test.

brett060102
brett060102 reviewed Apr 19, 2021
View reviewed changes
Copy link
Contributor

@brett060102 brett060102 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@vojtapolasek I think that @yarunachalam has covered what needed to be corrected.

@vojtapolasek
Copy link
Collaborator

Thank you, now it looks good.

@vojtapolasek
Copy link
Collaborator

@openscap-ci test this please

@ggbecker
Copy link
Member

@openscap-ci add to whitelist

@openscap-ci
Copy link
Collaborator

Changes identified:
Profiles:
 stig on sle15

Show details

Profile stig on sle15:
 Rule audit_rules_unsuccessful_file_modification_renameat2 added to stig profile.

Recommended tests to execute:
 build_product sle15
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-sle15-ds.xml stig

@vojtapolasek vojtapolasek merged commit 09a330e into ComplianceAsCode:master Apr 20, 2021
@yuumasato yuumasato added this to the 0.1.56 milestone Apr 20, 2021
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brett060102 brett060102 brett060102 left review comments

@vojtapolasek vojtapolasek vojtapolasek approved these changes

Assignees

@vojtapolasek vojtapolasek

Labels
needs-ok-to-test Used by openshift-ci bot.
Projects
None yet
Milestone
0.1.56
Development

Successfully merging this pull request may close these issues.
7 participants
@yarunachalam @openscap-ci @openshift-ci-robot @vojtapolasek @ggbecker @brett060102 @yuumasato