Commit
Merge pull request #6802 from brett060102/SLES-15-030390
SLES-15-030390 add rule, remediation and test
Showing 6 changed files with 106 additions and 0 deletions.
8 changes: 8 additions & 0 deletions
..._rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/ansible/shared.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
# platform = multi_platform_sle | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
|
||
{{{ ansible_audit_augenrules_add_watch_rule(path='/sbin/rmmod', permissions='x', key='modules') }}} | ||
{{{ ansible_audit_auditctl_add_watch_rule(path='/sbin/rmmod', permissions='x', key='modules') }}} |
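Review bot: the remediation writes a watch on `/sbin/rmmod` with key `modules`, and the OVAL in this same commit only matches the exact token order `-w /sbin/rmmod -p x -k modules`; confirm that `ansible_audit_augenrules_add_watch_rule` and `ansible_audit_auditctl_add_watch_rule` emit that line literally (with `-k modules` rather than an equivalent `-F key=modules` form), otherwise a remediated host would still fail the check. A one-line comment naming the STIG ID (SLES-15-030390) above the macro calls would also make the file self-describing, as the other headers already do for platform and strategy.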
39 changes: 39 additions & 0 deletions
...ure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/oval/shared.xml
@@ -0,0 +1,39 @@ | ||
<def-group> | ||
<definition class="compliance" id="audit_rules_privileged_commands_rmmod" version="1"> | ||
{{{ oval_metadata("Ensure audit rule for all uses of the rmmod command is enabled.") }}} | ||
|
||
<criteria operator="OR"> | ||
|
||
<!-- Test the augenrules case --> | ||
<criteria operator="AND"> | ||
<extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" /> | ||
<criterion comment="audit augenrules rmmod" test_ref="test_rmmod_augenrules" /> | ||
</criteria> | ||
|
||
<!-- Test the auditctl case --> | ||
<criteria operator="AND"> | ||
<extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" /> | ||
<criterion comment="audit auditctl rmmod" test_ref="test_rmmod_auditctl" /> | ||
</criteria> | ||
</criteria> | ||
</definition> | ||
|
||
<ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules rmmod" id="test_rmmod_augenrules" version="1"> | ||
<ind:object object_ref="object_rmmod_augenrules" /> | ||
</ind:textfilecontent54_test> | ||
<ind:textfilecontent54_object id="object_rmmod_augenrules" version="1"> | ||
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath> | ||
<ind:pattern operation="pattern match">^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$</ind:pattern> | ||
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance> | ||
</ind:textfilecontent54_object> | ||
|
||
<ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl rmmod" id="test_rmmod_auditctl" version="1"> | ||
<ind:object object_ref="object_rmmod_auditctl" /> | ||
</ind:textfilecontent54_test> | ||
<ind:textfilecontent54_object id="object_rmmod_auditctl" version="1"> | ||
<ind:filepath>/etc/audit/audit.rules</ind:filepath> | ||
<ind:pattern operation="pattern match">^[\s]*-w[\s]+/sbin/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$</ind:pattern> | ||
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance> | ||
</ind:textfilecontent54_object> | ||
|
||
</def-group> |
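Review bot: `check_existence="only_one_exists"` together with `<ind:instance operation="greater than or equal">1</ind:instance>` on `object_rmmod_augenrules` means every matching line in every `/etc/audit/rules.d/*.rules` file is collected as its own item, so a host that carries the rmmod watch twice (say once in `modules.rules` and once in a site-specific file) fails the test even though the rule is in effect. If the intent is only to require the rule, `at_least_one_exists` is the safer choice; if duplicates are meant to be flagged, a comment saying so would help the next reader. The pattern also accepts only `-k modules`, so an otherwise equivalent rule written as `-F key=modules` or with a different key is reported as a failure; worth stating in the rule description if that strictness is deliberate.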
49 changes: 49 additions & 0 deletions
..._configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
@@ -0,0 +1,49 @@ | ||
documentation_complete: true | ||
|
||
prodtype: sle15 | ||
|
||
title: 'Ensure auditd Collects Information on the Use of Privileged Commands - rmmod' | ||
|
||
description: |- | ||
At a minimum, the audit system should collect the execution of | ||
privileged commands for all users and root. If the <tt>auditd</tt> daemon is | ||
configured to use the <tt>augenrules</tt> program to read audit rules during | ||
daemon startup (the default), add a line of the following form to a file with | ||
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>: | ||
<pre>-w /sbin/rmmod -p x -k modules</pre> | ||
rationale: |- | ||
Misuse of privileged functions, either intentionally or unintentionally by | ||
authorized users, or by unauthorized external entities that have compromised system accounts, | ||
is a serious and ongoing concern and can have significant adverse impacts on organizations. | ||
Auditing the use of privileged functions is one way to detect such misuse and identify | ||
the risk from insider and advanced persistent threats. | ||
<br /><br /> | ||
Privileged programs are subject to escalation-of-privilege attacks, | ||
which attempt to subvert their normal role of providing some necessary but | ||
limited capability. As such, motivation exists to monitor these programs for | ||
unusual activity. | ||
severity: medium | ||
|
||
identifiers: | ||
cce@sle15: CCE-85732-6 | ||
|
||
references: | ||
disa@sle15: CCI-000130,CCI-000169,CCI-000172,CCI-002884 | ||
nist@sle15: AU-12(c),AU-12.1(iv),AU-3,AU-3.1,AU-12(a),AU-12.1(ii),MA-4(1)(a) | ||
srg@sle15: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 | ||
stigid@sle15: SLES-15-030390 | ||
|
||
ocil_clause: 'it is not the case' | ||
|
||
ocil: |- | ||
To verify that auditing of privileged command use is configured, run the | ||
following command: | ||
<pre> | ||
sudo auditctl -l | grep -w '/sbin/rmmod' | ||
</pre> | ||
If the system is configured to audit the execution of the module management program "rmmod", | ||
the command will return a line. | ||
platform: machine |
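Review bot: the description only tells the reader what to do in the augenrules case, while the OVAL in this commit accepts either augenrules or auditctl; add the auditctl variant (the same line in `/etc/audit/audit.rules`), since both the check and the Ansible remediation handle it. The OCIL check `sudo auditctl -l | grep -w '/sbin/rmmod'` inspects the rules loaded in the kernel, whereas the OVAL inspects the files on disk, so a host where the line was added but the rules have not yet been reloaded passes the automated check and fails the manual one; a sentence in the description about reloading the rules after editing would close that gap.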
3 changes: 3 additions & 0 deletions
...dit_privileged_commands/audit_rules_privileged_commands_rmmod/tests/correct_rules.pass.sh
@@ -0,0 +1,3 @@ | ||
#!/bin/bash | ||
|
||
echo "-w /sbin/rmmod -p x -k modules" >> /etc/audit/rules.d/modules.rules |
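Review bot: the pass scenario appends to `/etc/audit/rules.d/modules.rules` without clearing the directory first, unlike `rules_not_there.fail.sh`, so if the test image already ships an rmmod watch in another `.rules` file the OVAL's `only_one_exists` sees two matches and this pass scenario fails for a reason unrelated to the remediation; start with `rm -f /etc/audit/rules.d/*` (or write a fresh file with `>` instead of `>>`) so the scenario is deterministic. A second pass scenario that writes the line to `/etc/audit/audit.rules` would cover the auditctl branch of the OVAL, which is otherwise untested.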
6 changes: 6 additions & 0 deletions
...t_privileged_commands/audit_rules_privileged_commands_rmmod/tests/rules_not_there.fail.sh
@@ -0,0 +1,6 @@ | ||
#!/bin/bash | ||
|
||
|
||
rm -f /etc/audit/rules.d/* | ||
> /etc/audit/audit.rules | ||
true |
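Review bot: the trailing `true` does nothing here (the script's status is already that of the redirection on the line before) and the two blank lines after the shebang can go; more substantively, `rm -f /etc/audit/rules.d/*` followed by `> /etc/audit/audit.rules` removes every audit rule, so this scenario checks the "no rules at all" case rather than the rmmod rule being missing among others. A fail scenario that keeps unrelated watch rules and omits only the rmmod line would exercise the pattern match in the OVAL more directly.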