From d1a6f6d2b854de835b9cf5adcfa0a9fc6696f4ee Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 29 Jan 2025 10:27:20 +0000
Subject: [PATCH 1/8] Updated arm discovery
Signed-off-by: Mark Bolwell
---
 tasks/LE_audit_setup.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml
index c1fd66e..d784dc1 100644
--- a/tasks/LE_audit_setup.yml
+++ b/tasks/LE_audit_setup.yml
@@ -7,7 +7,7 @@
 audit_pkg_arch_name: AMD64
 - name: Pre Audit Setup | Set audit package name | ARM64
- when: ansible_facts.machine == "arm64"
+ when: (ansible_facts.machine == "arm64" or ansible_facts.machine == "aarch64")
 ansible.builtin.set_fact:
 audit_pkg_arch_name: ARM64
@@ -24,7 +24,7 @@
 - name: Pre Audit Setup | Copy audit binary
 when: get_audit_binary_method == 'copy'
 ansible.builtin.copy:
- src: "{{ audit_bin_copy_location }}"
+ src: "{{ audit_bin_copy_location }}/goss-linux-{{ audit_pkg_arch_name }}"
 dest: "{{ audit_bin }}"
 owner: root
 group: root
From c178cba7bc68031f460303fe836e74d89e36827c Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 29 Jan 2025 13:53:58 +0000
Subject: [PATCH 2/8] Updated comments
Signed-off-by: Mark Bolwell
---
 vars/main.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/vars/main.yml b/vars/main.yml
index 93439ad..c1d0fb3 100644
--- a/vars/main.yml
+++ b/vars/main.yml
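Review bot: The new `when:` spells out two equality tests joined by `or`, where a membership test says the same in one expression and extends more easily if another machine string turns up: `when: ansible_facts.machine in ['arm64', 'aarch64']`. The surrounding parentheses are not needed in either form. Style only; the result is the same.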
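Review bot: The new `src` path depends on `audit_pkg_arch_name`, which the tasks above (the AMD64 and ARM64 branches visible in the previous hunk) only set when `ansible_facts.machine` matches a known value, so on any other machine type this copy task dies with an undefined-variable error at `src:` instead of saying the architecture is unsupported. An explicit assert before the copy gives a clear failure, sketched below. Since the copied file is a binary the role presumably executes later, `ansible.builtin.copy`'s `checksum:` option is also worth wiring in where a known hash is available, so a corrupted or substituted file is rejected rather than run; the task's `mode:` lies outside the hunk, so I cannot see what permissions the binary lands with.
```yaml
- name: Pre Audit Setup | Fail when no audit binary is known for this architecture
  when: get_audit_binary_method == 'copy'
  ansible.builtin.assert:
    that: audit_pkg_arch_name is defined
    fail_msg: "No audit binary name is mapped for machine type {{ ansible_facts.machine }}"
# … unchanged: Pre Audit Setup | Copy audit binary task …
```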
@@ -24,9 +24,11 @@ warn_count: 0
 gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
-## Control 6.3.3.x - Audit template
-# This variable governs if the auditd logic should be executed(if value is true).
-# NOTE: The current default value is likely to be overriden(via 'set_fact') by other further tasks(in sub-section 'Auditd rules').
+## Controls 6.3.3.x - Audit template
+# This variable is set to true by tasks 6.3.3.1 to 6.3.3.20. As a result, the
+# audit settings are overwritten with the role's template. In order to exclude
+# specific rules, you must set the variable of form `ubtu24cis_rule_6_3_3_x` above
+# to `false`.
 update_audit_template: false
 # Defaults
From ed1a209635b724b76e96143351559252e5c9cb1f Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 29 Jan 2025 13:54:13 +0000
Subject: [PATCH 3/8] Updated audit rules for arch
Signed-off-by: Mark Bolwell
---
 tasks/auditd.yml | 19 +++-
 templates/audit/99_auditd.rules.j2 | 135 ++++++++++++++++++++++++-----
 2 files changed, 129 insertions(+), 25 deletions(-)
diff --git a/tasks/auditd.yml b/tasks/auditd.yml
index 7022e2c..7b86b94 100644
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
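Review bot: The rewritten comment tells the reader to set `ubtu24cis_rule_6_3_3_x`, but the variables this role actually tests are the `rhel9cis_rule_6_3_3_*` flags (see the `{% if rhel9cis_rule_6_3_3_2 %}` guards in templates/audit/99_auditd.rules.j2 later in this series), so the comment points at another role's variable name; `rhel9cis_rule_6_3_3_x` is meant. The claim that the variable is set to true by tasks 6.3.3.1 to 6.3.3.20 cannot be checked from this patch and will go stale if the range changes; a wording such as `set to true by the 6.3.3.x tasks that change an audit rule` carries the same information without the hard-coded range.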
@@ -1,17 +1,30 @@
 ---
-- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
+# Since auditd rules are dependent on syscalls and syscall tables are architecture specific,
+# we need to update the auditd rules depending on the architecture of the system.
+# This task passed the syscalls table to the auditd template and updates the auditd rules
+ - name: "POST | AUDITD | Set supported_syscalls variable" ansible.builtin.shell: ausyscall --dump | awk '{print $2}' changed_when: false failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ] register: discovered_auditd_syscalls
+ - name: POST | AUDITD | Apply auditd template will for section 6.3.3 - only required rules will be added | stat file
 ansible.builtin.stat:
 path: /etc/audit/rules.d/99_auditd.rules
 register: discovered_auditd_rules_file
-- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | setup file
+- name: POST | Apply auditd template for section 6.3.3.x
+ when: update_audit_template
+ vars:
+ supported_syscalls: "{{ discovered_auditd_syscalls.stdout_lines }}"
 ansible.builtin.template:
 src: audit/99_auditd.rules.j2
 dest: /etc/audit/rules.d/99_auditd.rules
 owner: root
 group: root
- mode: '0640'
+ mode: 'u-x,go-wx'
 diff: "{{ discovered_auditd_rules_file.stat.exists }}" # Only run diff if not a new file
 register: discovered_auditd_rules_template_updated
 notify:
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
index e977e4e..cb12736 100644
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
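Review bot: `mode: 'u-x,go-wx'` is weaker than the `'0640'` it replaces when /etc/audit/rules.d/99_auditd.rules does not exist yet: a symbolic mode is applied relative to the mode the new file is created with (umask-derived, typically 0644), and `go-wx` leaves the other-read bit alone, so a freshly templated rules file can end up world-readable, which the benchmark's audit-configuration-file controls are likely to flag. Keep `mode: '0640'`, or if a symbolic form is wanted use `mode: 'u-x,g-wx,o-rwx'`. The discovery task runs `ausyscall` on every host although its output is consumed only when `update_audit_template` is true; giving it the same `when:` keeps the pair consistent, and `failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ]` accepts an exit status of 1 with empty output, which would render every `-S` list in the template empty, so an assert on `discovered_auditd_syscalls.stdout_lines | length > 0` before templating is worthwhile. The new header comment says `This task passed the syscalls table`; `passes` is meant. The template task continues past the end of the hunk (`notify:` is its last visible line).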
@@ -9,20 +9,40 @@
 -w /etc/sudoers.d -p wa -k scope
 {% endif %}
 {% if rhel9cis_rule_6_3_3_2 %}
--a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
--a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
+{% set syscalls = ["execve"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
+-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
 {% endif %}
 {% if rhel9cis_rule_6_3_3_3 %}
 -w {{ rhel9cis_sudolog_location }} -p wa -k sudo_log_file
 {% endif %}
 {% if rhel9cis_rule_6_3_3_4 %}
--a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
--a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change
 -w /etc/localtime -p wa -k time-change
 {% endif %}
 {% if rhel9cis_rule_6_3_3_5 %}
--a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
--a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
+{% set syscalls = ["sethostname","setdomainname"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
@@ -35,10 +55,17 @@
 {% endfor %}
 {% endif %}
 {% if rhel9cis_rule_6_3_3_7 %}
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
+{% set syscalls = ["creat","open","openat","truncate","ftruncate"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k access
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k access
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k access
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k access
 {% endif %}
 {% if rhel9cis_rule_6_3_3_8 %}
 -w /etc/group -p wa -k identity
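Review bot: The `rhel9cis_rule_6_3_3_4` block has no `{% set syscalls = [...] %}` of its own, so its loop filters whatever `syscalls` last held: `["execve"]` from the 6_3_3_2 block when that rule is enabled, which yields `-S execve -k time-change`, and an undefined variable (a templating error under Ansible's default strict undefined handling) when it is disabled; `{% set syscalls = ["adjtimex","settimeofday","clock_settime"] %}` belongs before that block's `{% set arch_syscalls = [] %}`, and the context of patch 5's -26 hunk shows the line is still absent there. Separately, `{{ arch_syscalls.append( syscall) }}` is an output expression, so as far as I can tell the `None` the call returns is rendered into the rules file as a line of its own for every matched syscall, and augenrules/auditctl will refuse a rules file containing such a line; `{% set _ = arch_syscalls.append(syscall) %}` keeps the side effect without output. The same loop is repeated in every syscall block of this file (hunks -35, -51, -72 and -92 of this patch), so the fix applies to all of them — or the loop can go altogether, since `-S {{ syscalls | select('in', supported_syscalls) | join(',') }}` performs the same filtering in one expression.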
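Review bot: The four `-a` lines of the 6_3_3_7 block are emitted even when `arch_syscalls` is empty, which happens whenever `supported_syscalls` shares nothing with the list — for instance when the discovery task in tasks/auditd.yml exits 1 with no output, which its `failed_when` accepts — and the result is `-S ` followed directly by `-F`, a rule auditctl rejects, so the whole rules file fails to load. Wrapping the emitted lines in `{% if arch_syscalls %}` … `{% endif %}` skips the rule cleanly instead; the same guard is wanted in every syscall block (hunks -9, -51, -72 and -92). Whether silently dropping a CIS rule on such a host is acceptable, or whether the play should fail, is a policy choice worth a comment at the top of the template.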
@@ -51,16 +78,66 @@
 -w /etc/pam.d -p wa -k identity
 {% endif %}
 {% if rhel9cis_rule_6_3_3_9 %}
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
+{% set syscalls = ["chmod","fchmod","fchmodat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
+{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
+{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
+{% set syscalls = ["chmod","fchmod","fchmodat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
+{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
+{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% endif %}
 {% if rhel9cis_rule_6_3_3_10 %}
--a always,exit -F arch=b32 -S mount -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
--a always,exit -F arch=b64 -S mount -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
+{% set syscalls = ["mount"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k mounts
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k mounts
+{% endif %}
 {% endif %}
 {% if rhel9cis_rule_6_3_3_11 %}
 -w /var/run/utmp -p wa -k session
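Review bot: The `arch=b32` rules are filtered through `supported_syscalls`, which the discovery task builds from `ausyscall --dump`, i.e. the native 64-bit table; the 32-bit compat table is a different set (on aarch64, for example, `chmod`, `chown` and `lchown` exist in the 32-bit ARM table but not in the native one), so the b32 lines can lose syscalls that do exist for that ABI. This limitation deserves a comment at the top of the template, and if accurate b32 coverage matters, a second discovery run for the 32-bit table (`ausyscall` accepts an architecture argument) would be needed. Stylistically, the 6_3_3_9 block writes each of its three syscall lists twice, once for b64 and once for b32; looping over the groups once and emitting both arch lines from one filtered list halves the block and keeps the two ABIs in step, as sketched below (with an empty-list guard, and with `>=`, which patch 5 corrects later). Note the sketch interleaves the b64 and b32 lines per group rather than listing all b64 rules first.
```jinja
{% if rhel9cis_rule_6_3_3_9 %}
{% for group in [["chmod","fchmod","fchmodat"], ["chown","fchown","lchown","fchownat"], ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"]] %}
{% set arch_syscalls = group | select('in', supported_syscalls) | list %}
{% if arch_syscalls %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% endif %}
{% endfor %}
{% endif %}
{# … unchanged: rule 6_3_3_10 block … #}
```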
@@ -72,8 +149,15 @@
 -w /var/run/faillock -p wa -k logins
 {% endif %}
 {% if rhel9cis_rule_6_3_3_13 %}
--a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=delete
--a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=delete
+{% set syscalls = ["unlink","unlinkat","rename","renameat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k delete
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k delete
 {% endif %}
 {% if rhel9cis_rule_6_3_3_14 %}
 -w /etc/selinux -p wa -k MAC-policy
@@ -92,8 +176,15 @@
 -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k usermod
 {% endif %}
 {% if rhel9cis_rule_6_3_3_19 %}
--a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules
--a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules
+-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid=>{{ prelim_min_int_uid }} -F auid!=-1 -k kernel_modules
+{% set syscalls = ["init_module","finit_module","delete_module","create_module","query_module"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=-1 -k kernel_modules
 {% endif %}
 {% if rhel9cis_rule_6_3_3_20 %}
 -e 2
From 91699576985e103d8c03d94d4a0b58038da010b8 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 29 Jan 2025 14:22:24 +0000
Subject: [PATCH 4/8] Updated template
Signed-off-by: Mark Bolwell
---
 templates/audit/99_auditd.rules.j2 | 1 -
 1 file changed, 1 deletion(-)
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
index cb12736..c162bc0 100644
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@@ -138,7 +138,6 @@
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k mounts
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k mounts
 {% endif %}
-{% endif %}
 {% if rhel9cis_rule_6_3_3_11 %}
 -w /var/run/utmp -p wa -k session
 -w /var/log/wtmp -p wa -k session
From b9a4503558a966af2fde6d517cca7a2f500aede5 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 30 Jan 2025 10:19:42 +0000
Subject: [PATCH 5/8] Updated and tested rules
Signed-off-by: Mark Bolwell
---
 templates/audit/99_auditd.rules.j2 | 58 +++++++++++++++---------------
 1 file changed, 29 insertions(+), 29 deletions(-)
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
index c162bc0..b9e632c 100644
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@@ -11,11 +11,11 @@
 {% if rhel9cis_rule_6_3_3_2 %}
 {% set syscalls = ["execve"] %}
 {% set arch_syscalls = [] %}
-{% for syscall in syscalls %}
+{%- for syscall in syscalls %}
 {% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
+{{ arch_syscalls.append(syscall) }}
 {% endif %}
-{% endfor %}
+{% endfor -%}
 -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
 -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
 {% endif %}
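Review bot: The whitespace-control markers `{%- for` and `{% endfor -%}` are introduced only in the 6_3_3_2 block; the identical loops in the other blocks touched by this patch (hunks -26, -38, -59, -82 and -155) keep plain `{% for` / `{% endfor %}`, so the rendered file's blank-line handling differs from block to block. Either apply the markers to every loop or drop them here. With Ansible's default `trim_blocks` the newline after a `{% ... %}` tag is already removed, so the markers change little in the output either way.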
@@ -26,7 +26,7 @@
 {% set arch_syscalls = [] %}
 {% for syscall in syscalls %}
 {% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
+{{ arch_syscalls.append(syscall) }}
 {% endif %}
 {% endfor %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change
@@ -38,7 +38,7 @@
 {% set arch_syscalls = [] %}
 {% for syscall in syscalls %}
 {% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
+{{ arch_syscalls.append(syscall) }}
 {% endif %}
 {% endfor %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
@@ -59,13 +59,13 @@
 {% set arch_syscalls = [] %}
 {% for syscall in syscalls %}
 {% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
+{{ arch_syscalls.append(syscall) }}
 {% endif %}
 {% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k access
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k access
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k access
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k access
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
 {% endif %}
 {% if rhel9cis_rule_6_3_3_8 %}
 -w /etc/group -p wa -k identity
@@ -82,61 +82,61 @@
 {% set arch_syscalls = [] %}
 {% for syscall in syscalls %}
 {% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
+{{ arch_syscalls.append(syscall) }}
 {% endif %}
 {% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% set syscalls = ["chown","fchown","lchown","fchownat"] %}
 {% set arch_syscalls = [] %}
 {% for syscall in syscalls %}
 {% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
+{{ arch_syscalls.append(syscall) }}
 {% endif %}
 {% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
 {% set arch_syscalls = [] %}
 {% for syscall in syscalls %}
 {% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
+{{ arch_syscalls.append(syscall) }}
 {% endif %}
 {% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% set syscalls = ["chmod","fchmod","fchmodat"] %}
 {% set arch_syscalls = [] %}
 {% for syscall in syscalls %}
 {% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
+{{ arch_syscalls.append(syscall) }}
 {% endif %}
 {% endfor %}
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% set syscalls = ["chown","fchown","lchown","fchownat"] %}
 {% set arch_syscalls = [] %}
 {% for syscall in syscalls %}
 {% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
+{{ arch_syscalls.append(syscall) }}
 {% endif %}
 {% endfor %}
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
 {% set arch_syscalls = [] %}
 {% for syscall in syscalls %}
 {% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
+{{ arch_syscalls.append(syscall) }}
 {% endif %}
 {% endfor %}
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% endif %}
 {% if rhel9cis_rule_6_3_3_10 %}
 {% set syscalls = ["mount"] %}
 {% set arch_syscalls = [] %}
 {% for syscall in syscalls %}
 {% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
+{{ arch_syscalls.append(syscall) }}
 {% endif %}
 {% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k mounts
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k mounts
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
 {% endif %}
 {% if rhel9cis_rule_6_3_3_11 %}
 -w /var/run/utmp -p wa -k session
@@ -155,8 +155,8 @@
 {{ arch_syscalls.append( syscall) }}
 {% endif %}
 {% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k delete
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k delete
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k delete
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k delete
 {% endif %}
 {% if rhel9cis_rule_6_3_3_14 %}
 -w /etc/selinux -p wa -k MAC-policy
@@ -175,7 +175,7 @@
 -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k usermod
 {% endif %}
 {% if rhel9cis_rule_6_3_3_19 %}
--a always,exit -F path=/usr/bin/kmod -F perm=x -F auid=>{{ prelim_min_int_uid }} -F auid!=-1 -k kernel_modules
+-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules
 {% set syscalls = ["init_module","finit_module","delete_module","create_module","query_module"] %}
 {% set arch_syscalls = [] %}
 {% for syscall in syscalls %}
@@ -183,7 +183,7 @@
 {{ arch_syscalls.append( syscall) }}
 {% endif %}
 {% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=-1 -k kernel_modules
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules
 {% endif %}
 {% if rhel9cis_rule_6_3_3_20 %}
 -e 2
From fecfb7e79384aaf4caeaf3c4a7cc078e30bad690 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 30 Jan 2025 12:40:52 +0000
Subject: [PATCH 6/8] addressed issue #282
Signed-off-by: Mark Bolwell
---
 tasks/section_5/cis_5.3.3.3.x.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml
index 8fe6036..9daf71a 100644
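Review bot: The `append( syscall)` spacing is normalised everywhere else in this patch, but the context lines of this hunk and of the -183 hunk show the 6_3_3_13 and 6_3_3_19 blocks still read `{{ arch_syscalls.append( syscall) }}`, so the cleanup is incomplete. Both lines sit just outside the changed lines, so a follow-up touching those two blocks is needed for the file to be consistent.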
--- a/tasks/section_5/cis_5.3.3.3.x.yml
+++ b/tasks/section_5/cis_5.3.3.3.x.yml
@@ -69,7 +69,7 @@
 - pam
 block:
 - name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files"
- ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/{system,password}-auth
+ ansible.builtin.shell: grep -Psic -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/{system,password}-auth
 register: discovered_pwhistory_use_authtok
 changed_when: false
 failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1]
@@ -81,9 +81,9 @@
 - rhel9cis_disruption_high
 ansible.builtin.lineinfile:
 path: "{{ item }}"
- regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(use_authtok)
- line: '\1\2 use_authtok'
- backrefs: true
+ regexp: ^password\s*pam_pwhistory\.so\s*.*\s(!?use_authtok)
+ line: password required pam_pwhistory.so use_authtok
+ insertbefore: ^password.*pam_deny.so
 loop:
 - /etc/pam.d/password-auth
 - /etc/pam.d/system-auth
From e121cb4992c1bae9f7fffef8113cb51fe100539c Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 30 Jan 2025 15:34:30 +0000
Subject: [PATCH 7/8] Fix quoting
Signed-off-by: Mark Bolwell
---
 tasks/section_5/cis_5.3.2.x.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml
index ef84113..eadb9b5 100644
--- a/tasks/section_5/cis_5.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.2.x.yml
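Review bot: The new `regexp` cannot match a real pam_pwhistory line: `^password\s*pam_pwhistory\.so` allows only whitespace between `password` and the module name, but a control field (`required`, `requisite`, `[success=1 default=ignore]`) always sits there, and the trailing `\s(!?use_authtok)` additionally requires `use_authtok` to be present already — the one case where nothing needs changing. With `backrefs` removed and `insertbefore` added, the task therefore inserts a second, bare `password required pam_pwhistory.so use_authtok` line before `pam_deny.so` even on hosts that already have a pam_pwhistory entry, and that new line carries none of the arguments on the existing one; unless lineinfile's exact-line check recognises a previous insert, it may also repeat on every run. A regexp that matches the existing module line only when the option is missing keeps the edit in place and idempotent: `regexp: '^(password\s+(?:\[[^\]]*\]|\S+)\s+pam_pwhistory\.so)(?!.*\buse_authtok\b)(.*)$'`, `line: '\1\2 use_authtok'`, `backrefs: true`, with `insertbefore` dropped. The enclosing task (its `name`, `when` and tags) starts above the hunk, so I cannot see whether it is already conditioned on the check in the -69 hunk.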
@@ -95,7 +95,7 @@
 loop:
 - { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
 - { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
- - { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: account required pam_faillock.so }
+ - { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: "account required pam_faillock.so" }
 - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add lines password-auth"
 when: not rhel9cis_allow_authselect_updates
@@ -108,7 +108,7 @@
 loop:
 - { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
 - { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
- - { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: account required pam_faillock.so }
+ - { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: "account required pam_faillock.so" }
 - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled"
 when:
From 761f8517c42f7ad3a23ba9106e23b95c25402b87 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 30 Jan 2025 15:34:42 +0000
Subject: [PATCH 8/8] fix spacing
Signed-off-by: Mark Bolwell
---
 tasks/section_5/cis_5.3.3.1.x.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
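Review bot: Not introduced by this hunk, but the two templated context lines above the changed one pass `unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}` to pam_faillock.so, whereas pam_faillock's documented option is `unlock_time=`; as far as I know the module logs an unknown-option message and ignores it, so the role's configured unlock interval is not applied and the module's built-in default is used instead (the same lines appear in the -108 hunk for password-auth). The remaining plain scalars in these flow mappings (`regexp: auth\s*required\s*pam_faillock.so preauth`, `before: auth\s*required\s*pam_env.so`) would be safer quoted like the `line:` values this commit quotes, since a later edit adding `: ` or ` #` to one of them would silently change the parse; if the regexps are meant to be literal, `.so` should also be `\.so`.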
diff --git a/tasks/section_5/cis_5.3.3.1.x.yml b/tasks/section_5/cis_5.3.3.1.x.yml
index 19e1c44..1730521 100644
--- a/tasks/section_5/cis_5.3.3.1.x.yml
+++ b/tasks/section_5/cis_5.3.3.1.x.yml
@@ -24,7 +24,7 @@
 ansible.builtin.replace:
 path: "/etc/pam.d/{{ item }}-auth"
 regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$)
- replace: \1\2\3
+ replace: \1 \2\3
 loop:
 - password
 - system
@@ -126,4 +126,3 @@
 loop:
 - password
 - system
- notify: Authselect update
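Review bot: `replace: \1 \2\3` still produces a broken pam line: in the regexp `^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$)` group 2 is the control word that group 1 already contains and group 4 holds everything after `deny=N`, so the replacement repeats the control word as a module argument (`pam_faillock.so required preauth ...`) and drops whatever followed `deny=`, such as an `unlock_time=` setting, which is presumably where the spacing problem this commit papers over came from. The replacement that removes only the `deny=` option is `replace: \1\3\4`. The task's `name` and `when` are above the hunk, so the intent is inferred from the regexp alone.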