Merge pull request #6802 from brett060102/SLES-15-030390

SLES-15-030390 add rule, remediation and test

linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/ansible/shared.yml

@@ -0,0 +1,8 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_audit_augenrules_add_watch_rule(path='/sbin/rmmod', permissions='x', key='modules') }}}
+{{{ ansible_audit_auditctl_add_watch_rule(path='/sbin/rmmod', permissions='x', key='modules') }}}

linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/oval/shared.xml

@@ -0,0 +1,39 @@
+<def-group>
+  <definition class="compliance" id="audit_rules_privileged_commands_rmmod" version="1">
+    {{{ oval_metadata("Ensure audit rule for all uses of the rmmod command is enabled.") }}}
+
+    <criteria operator="OR">
+
+      <!-- Test the augenrules case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+        <criterion comment="audit augenrules rmmod" test_ref="test_rmmod_augenrules" />
+      </criteria>
+
+      <!-- Test the auditctl case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+        <criterion comment="audit auditctl rmmod" test_ref="test_rmmod_auditctl" />
+      </criteria>
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules rmmod" id="test_rmmod_augenrules" version="1">
+    <ind:object object_ref="object_rmmod_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_rmmod_augenrules" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl rmmod" id="test_rmmod_auditctl" version="1">
+    <ind:object object_ref="object_rmmod_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_rmmod_auditctl" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>

linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml

@@ -0,0 +1,49 @@
+documentation_complete: true
+
+prodtype: sle15
+
+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - rmmod'
+
+description: |-
+    At a minimum, the audit system should collect the execution of
+    privileged commands for all users and root. If the <tt>auditd</tt> daemon is
+    configured to use the <tt>augenrules</tt> program to read audit rules during
+    daemon startup (the default), add a line of the following form to a file with
+    suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
+    <pre>-w /sbin/rmmod -p x -k modules</pre>
+
+rationale: |-
+    Misuse of privileged functions, either intentionally or unintentionally by
+    authorized users, or by unauthorized external entities that have compromised system accounts,
+    is a serious and ongoing concern and can have significant adverse impacts on organizations.
+    Auditing the use of privileged functions is one way to detect such misuse and identify
+    the risk from insider and advanced persistent threats.
+    <br /><br />
+    Privileged programs are subject to escalation-of-privilege attacks,
+    which attempt to subvert their normal role of providing some necessary but
+    limited capability. As such, motivation exists to monitor these programs for
+    unusual activity.
+
+severity: medium
+
+identifiers:
+    cce@sle15: CCE-85732-6
+
+references:
+    disa@sle15: CCI-000130,CCI-000169,CCI-000172,CCI-002884
+    nist@sle15: AU-12(c),AU-12.1(iv),AU-3,AU-3.1,AU-12(a),AU-12.1(ii),MA-4(1)(a)
+    srg@sle15: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    stigid@sle15: SLES-15-030390
+
+ocil_clause: 'it is not the case'
+
+ocil: |-
+    To verify that auditing of privileged command use is configured, run the
+    following command:
+    <pre>
+       sudo auditctl -l | grep -w '/sbin/rmmod'
+    </pre>
+    If the system is configured to audit the execution of the module management program "rmmod",
+    the command will return a line.
+
+platform: machine

linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/tests/correct_rules.pass.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "-w /sbin/rmmod -p x -k modules" >> /etc/audit/rules.d/modules.rules

linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/tests/rules_not_there.fail.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true

sle15/profiles/stig.profile

@@ -110,6 +110,7 @@ selections:
     - audit_rules_privileged_commands_pam_timestamp_check
     - audit_rules_privileged_commands_passmass
     - audit_rules_privileged_commands_passwd
+    - audit_rules_privileged_commands_rmmod
     - audit_rules_privileged_commands_ssh_agent
     - audit_rules_privileged_commands_ssh_keysign
     - audit_rules_privileged_commands_su