From 92e78825d2e80cfb81f8eca0956f891ca63d920c Mon Sep 17 00:00:00 2001 From: Dexter Le Date: Wed, 2 Aug 2023 20:42:21 +0000 Subject: [PATCH] Fix UBTU-20-010179 to use proper parameters and key This commit will fix the init_module and finit_module for UBTU-20-010179 which will apply proper parameters and keys. --- .../ansible/shared.yml | 4 ++-- .../bash/shared.sh | 2 +- .../oval/shared.xml | 8 ++++---- .../audit_rules_kernel_module_loading_finit/rule.yml | 6 +++--- .../ansible/shared.yml | 4 ++-- .../audit_rules_kernel_module_loading_init/bash/shared.sh | 2 +- .../oval/shared.xml | 8 ++++---- .../audit_rules_kernel_module_loading_init/rule.yml | 2 +- 8 files changed, 18 insertions(+), 18 deletions(-) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml index 104426d890b..ced862e88a8 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml @@ -1,10 +1,10 @@ -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu # reboot = false # complexity = low # disruption = low # strategy = configure -{{% if "ol" in product or 'rhel' in product %}} +{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} {{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}} {{% else %}} {{% set auid_filters = "" %}} 
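Review bot: The Ubuntu branch added to this condition builds its filter from `auid`, while the OVAL checks later in this commit (the finit and init oval/shared.xml hunks) match `auid>={{{ uid_min }}}`; confirm both properties are defined for the ubuntu2004 product and resolve to the same value, otherwise the remediation writes a rule that the check regex will not accept. The same `"ol" in product or 'rhel' in product or 'ubuntu' in product` test is now repeated in eight files across this commit (ansible, bash, oval and rule.yml for both init and finit); a single product-level boolean set once in each product definition would keep these from drifting the next time a platform is added. The `# platform =` header is extended here for Ansible, but the bash remediations' headers are outside their hunks; see the note on the finit bash hunk.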
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh
index 4090ce42739..02687799b89 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh
@@ -12,7 +12,7 @@ for ARCH in "${RULE_ARCHS[@]}"
 do
 ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 OTHER_FILTERS=""
- {{% if "ol" in product or 'rhel' in product %}}
+ {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}}
 AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
 {{% else %}}
 AUID_FILTERS=""
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/oval/shared.xml
index 60f21b5b6ad..f432be0cf15 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/oval/shared.xml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/oval/shared.xml
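Review bot: The template condition in this hunk now has an Ubuntu branch, but the remediation's `# platform =` header (line 1 of shared.sh, outside the hunk) is not changed by this commit, whereas the matching ansible/shared.yml header was extended with `multi_platform_ubuntu`; unless the bash header already lists Ubuntu, the new branch is never built for that product and the AUID filter is silently dropped from the remediation. Please confirm the header, or extend it the same way as the Ansible one. The same concern applies to the init bash hunk further down. The enclosing `for ARCH` loop opens before this hunk and closes after it.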
@@ -36,7 +36,7 @@ ^/etc/audit/rules\.d/.*\.rules$ - {{% if "ol" in product or 'rhel' in product %}} + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ {{% else %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ @@ -49,7 +49,7 @@ ^/etc/audit/rules\.d/.*\.rules$ - {{% if "ol" in product or 'rhel' in product %}} + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ {{% else %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ @@ -62,7 +62,7 @@ /etc/audit/audit.rules - {{% if "ol" in product or 'rhel' in product %}} + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ {{% else %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 
@@ -75,7 +75,7 @@ /etc/audit/audit.rules - {{% if "ol" in product or 'rhel' in product %}} + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ {{% else %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml index 399e3d9168c..4166e059725 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml @@ -9,7 +9,7 @@ description: |- to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: - {{% if "ol" in product or 'rhel' in product %}} + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}}
-a always,exit -F arch=ARCH -S finit_module -F auid>={{{ uid_min }}} -F auid!=unset -F key=modules
{{% else %}}
-a always,exit -F arch=ARCH -S finit_module -F key=modules
@@ -17,7 +17,7 @@ description: |- rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: - {{% if "ol" in product or 'rhel' in product %}} + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}}
-a always,exit -F arch=ARCH -S finit_module -F auid>={{{ uid_min }}} -F auid!=unset -F key=modules
{{% else %}}
-a always,exit -F arch=ARCH -S finit_module -F key=modules
@@ -65,7 +65,7 @@ references: stigid@rhel8: RHEL-08-030360 stigid@sle12: SLES-12-020740 stigid@sle15: SLES-15-030530 - stigid@ubuntu2004: UBTU-20-010180 + stigid@ubuntu2004: UBTU-20-010179 {{{ complete_ocil_entry_audit_syscall(syscall="finit_module") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml index c4915eac13d..ac24d2e2dc5 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml @@ -1,10 +1,10 @@ -# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ol,multi_platform_ubuntu # reboot = false # complexity = low # disruption = low # strategy = configure -{{% if "ol" in product or 'rhel' in product %}} +{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} {{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}} {{% else %}} {{% set auid_filters = "" %}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh index 69469d3e16c..6dd02945292 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh 
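Review bot: The finit_module rule's `stigid@ubuntu2004` moves from UBTU-20-010180 to UBTU-20-010179, while the diffstat shows the init_module rule.yml changing only its template condition (line 7), so its STIG mapping is not visible here; confirm it carries the ID the commit message intends for init_module and that UBTU-20-010180 is not left unmapped or assigned to two rules. A short comment beside the changed line, `# UBTU-20-010179 is shared by the init_module and finit_module rules` (if that is what the control states), would make the pairing explicit for whoever next reconciles the Ubuntu STIG IDs.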
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh @@ -12,7 +12,7 @@ for ARCH in "${RULE_ARCHS[@]}" do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" - {{% if "ol" in product or 'rhel' in product %}} + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" {{% else %}} AUID_FILTERS="" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/oval/shared.xml index 0480265bdd4..8f8f72bca1c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/oval/shared.xml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/oval/shared.xml @@ -36,7 +36,7 @@ ^/etc/audit/rules\.d/.*\.rules$ - {{% if "ol" in product or 'rhel' in product %}} + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ {{% else %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 
@@ -49,7 +49,7 @@ ^/etc/audit/rules\.d/.*\.rules$ - {{% if "ol" in product or 'rhel' in product %}} + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ {{% else %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ @@ -62,7 +62,7 @@ /etc/audit/audit.rules - {{% if "ol" in product or 'rhel' in product %}} + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ {{% else %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ @@ -75,7 +75,7 @@ /etc/audit/audit.rules - {{% if "ol" in product or 'rhel' in product %}} + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ {{% else %}} ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml index 8427a3e35be..8514acdd103 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml @@ -7,7 +7,7 @@ title: 'Ensure auditd Collects Information on Kernel Module Loading - init_modul description: |- To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - {{% if "ol" in product or 'rhel' in product %}} + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}}
-a always,exit -F arch=ARCH -S init_module -F auid>={{{ uid_min }}} -F auid!=unset -F key=modules
{{% else %}}
-a always,exit -F arch=ARCH -S init_module -F key=modules