From dcbf825f99b6757a153b4785ba619ceee9806314 Mon Sep 17 00:00:00 2001 
From: Jakub Hrozek Date: Fri, 2 Jun 2023 14:11:53 +0200 Subject: [PATCH] SRG-APP-000029-CTR-000085: Audit execution of all setuid and setgid binaries on RHCOS4 --- components/audit.yml | 11 +++++ .../srg_ctr/SRG-APP-000029-CTR-000085.yml | 30 +++++++++--- .../rule.yml | 4 +- .../policy/stig/shared.yml | 27 +++++++++++ .../rule.yml | 48 +++++++++++++++++++ .../tests/ocp4/e2e.yml | 3 ++ .../policy/stig/shared.yml | 27 +++++++++++ .../rule.yml | 48 +++++++++++++++++++ .../tests/ocp4/e2e.yml | 3 ++ .../policy/stig/shared.yml | 27 +++++++++++ .../rule.yml | 48 +++++++++++++++++++ .../tests/ocp4/e2e.yml | 3 ++ .../rule.yml | 4 +- .../policy/stig/shared.yml | 27 +++++++++++ .../rule.yml | 48 +++++++++++++++++++ .../tests/ocp4/e2e.yml | 3 ++ .../rule.yml | 4 +- .../policy/stig/shared.yml | 27 +++++++++++ .../rule.yml | 48 +++++++++++++++++++ .../tests/ocp4/e2e.yml | 3 ++ .../rule.yml | 4 +- .../rule.yml | 4 +- .../rule.yml | 4 +- .../policy/stig/shared.yml | 27 +++++++++++ .../rule.yml | 48 +++++++++++++++++++ .../tests/ocp4/e2e.yml | 3 ++ .../policy/stig/shared.yml | 27 +++++++++++ .../rule.yml | 48 +++++++++++++++++++ .../tests/ocp4/e2e.yml | 3 ++ .../policy/stig/shared.yml | 27 +++++++++++ .../rule.yml | 48 +++++++++++++++++++ .../tests/ocp4/e2e.yml | 3 ++ .../policy/stig/shared.yml | 27 +++++++++++ .../rule.yml | 48 +++++++++++++++++++ .../tests/ocp4/e2e.yml | 3 ++ .../policy/stig/shared.yml | 27 +++++++++++ .../rule.yml | 48 +++++++++++++++++++ .../tests/ocp4/e2e.yml | 3 ++ .../policy/stig/shared.yml | 27 +++++++++++ .../rule.yml | 48 +++++++++++++++++++ .../tests/ocp4/e2e.yml | 3 ++ .../rule.yml | 4 +- .../rule.yml | 4 +- .../rule.yml | 4 +- .../rule.yml | 4 +- shared/references/cce-redhat-avail.txt | 11 ----- 46 files changed, 913 insertions(+), 37 deletions(-) create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/policy/stig/shared.yml create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/tests/ocp4/e2e.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/policy/stig/shared.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/tests/ocp4/e2e.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/policy/stig/shared.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/tests/ocp4/e2e.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/policy/stig/shared.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/tests/ocp4/e2e.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/policy/stig/shared.yml create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/tests/ocp4/e2e.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/policy/stig/shared.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/tests/ocp4/e2e.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/policy/stig/shared.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/tests/ocp4/e2e.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/policy/stig/shared.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/tests/ocp4/e2e.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/policy/stig/shared.yml create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/tests/ocp4/e2e.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/policy/stig/shared.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/tests/ocp4/e2e.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/policy/stig/shared.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/tests/ocp4/e2e.yml diff --git a/components/audit.yml b/components/audit.yml index fe073ef17fb4..fd3f683e5382 100644 --- a/components/audit.yml +++ b/components/audit.yml 
@@ -134,22 +134,33 @@ rules:
 - audit_rules_privileged_commands_chfn
 - audit_rules_privileged_commands_chsh
 - audit_rules_privileged_commands_crontab
+- audit_rules_privileged_commands_dbus_daemon_launch_helper
 - audit_rules_privileged_commands_fdisk
+- audit_rules_privileged_commands_fusermount
+- audit_rules_privileged_commands_fusermount3
 - audit_rules_privileged_commands_gpasswd
+- audit_rules_privileged_commands_grub2_set_bootflag
 - audit_rules_privileged_commands_insmod
 - audit_rules_privileged_commands_kmod
 - audit_rules_privileged_commands_modprobe
 - audit_rules_privileged_commands_mount
+- audit_rules_privileged_commands_mount_nfs
 - audit_rules_privileged_commands_newgidmap
 - audit_rules_privileged_commands_newgrp
 - audit_rules_privileged_commands_newuidmap
 - audit_rules_privileged_commands_pam_timestamp_check
 - audit_rules_privileged_commands_passmass
 - audit_rules_privileged_commands_passwd
+- audit_rules_privileged_commands_pkexec
+- audit_rules_privileged_commands_polkit_helper
 - audit_rules_privileged_commands_postdrop
 - audit_rules_privileged_commands_postqueue
 - audit_rules_privileged_commands_pt_chown
 - audit_rules_privileged_commands_rmmod
+- audit_rules_privileged_commands_sssd_krb5_child
+- audit_rules_privileged_commands_sssd_ldap_child
+- audit_rules_privileged_commands_sssd_proxy_child
+- audit_rules_privileged_commands_sssd_selinux_child
 - audit_rules_privileged_commands_ssh_agent
 - audit_rules_privileged_commands_ssh_keysign
 - audit_rules_privileged_commands_su
diff --git a/controls/srg_ctr/SRG-APP-000029-CTR-000085.yml b/controls/srg_ctr/SRG-APP-000029-CTR-000085.yml
index 8c159f1aca2c..9807aa2e5474 100644
--- a/controls/srg_ctr/SRG-APP-000029-CTR-000085.yml
+++ b/controls/srg_ctr/SRG-APP-000029-CTR-000085.yml
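Review bot: The four `audit_rules_privileged_commands_sssd_*` entries are inserted ahead of `audit_rules_privileged_commands_ssh_agent` and `audit_rules_privileged_commands_ssh_keysign`, which breaks the alphabetical order the rest of this list keeps (`ssh_` sorts before `sssd_`). Moving the four added lines to just after `audit_rules_privileged_commands_ssh_keysign` keeps the component list sorted, which is what makes later additions easy to place and duplicates easy to spot.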
@@ -7,9 +7,27 @@ controls:
 - idp_is_configured
 - ocp_idp_no_htpasswd
 - kubeadmin_removed
- status: not applicable
- status_justification: |-
- Not Applicable. Applicable to Identity Management Provider and not
- OCP. Only configurable check is to ensure OCP is configured for an
- IDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider
- admins that the IdM meets the requirements.
+ rules:
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_dbus_daemon_launch_helper
+ - audit_rules_privileged_commands_fusermount
+ - audit_rules_privileged_commands_fusermount3
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_grub2_set_bootflag
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_mount_nfs
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_sssd_krb5_child
+ - audit_rules_privileged_commands_sssd_ldap_child
+ - audit_rules_privileged_commands_sssd_proxy_child
+ - audit_rules_privileged_commands_sssd_selinux_child
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_polkit_helper
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_unix_chkpwd
+ status: automated
+
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
index 0098cb71b99e..bc240650eeef 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
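Review bot: The commit title promises coverage of all setuid and setgid binaries on RHCOS4, but the control records nothing about how this set of 21 rules was derived, so nobody reading it later can tell whether a new setuid binary in the image is missing here; a YAML comment above the added `rules:` key such as `# one rule per setuid/setgid binary shipped in the RHCOS4 image; revisit when the image's file set changes` would preserve that intent. The new list keeps alphabetical order up to `audit_rules_privileged_commands_umount` and then appends `polkit_helper`, `pam_timestamp_check` and `unix_chkpwd` out of order, and the empty line added after `status: automated` looks like a stray trailing blank. It is also worth confirming that the existing list at the top of the hunk (`idp_is_configured` and the two entries after it) sits under a key other than `rules:`, since a duplicate mapping key would be silently collapsed when the control file is loaded.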
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} @@ -57,7 +57,7 @@ references: nerc-cip: CIP-004-6 R2.2.2,CIP-004-6 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3 nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a) nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1 - srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085 stigid@ol7: OL07-00-030660 stigid@ol8: OL08-00-030250 stigid@rhel7: RHEL-07-030660 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/policy/stig/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/policy/stig/shared.yml new file mode 100644 index 000000000000..79eaac7362c5 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/policy/stig/shared.yml 
@@ -0,0 +1,27 @@
+srg_requirement: |-
+ {{{ full_name }}} must audit all uses of the /usr/libexec/dbus-1/dbus-daemon-launch-helper command.
+
+vuldiscussion: |-
+ Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+ The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+checktext: |-
+ Verify that {{{ full_name }}} is configured to audit the execution of the "/usr/libexec/dbus-1/dbus-daemon-launch-helper" command with the following command:
+
+ $ sudo auditctl -l | grep /usr/libexec/dbus-1/dbus-daemon-launch-helper
+
+ -a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=unset -k privileged
+
+ If the command does not return a line, or the line is commented out, this is a finding.
+
+fixtext: |-
+ Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "polkit-agent-helper" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":
+
+ -a always,exit -F path= /usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=unset -k privileged
+
+ The audit daemon must be restarted for the changes to take effect.
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/rule.yml
new file mode 100644
index 000000000000..ac8b4c104b8b
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/rule.yml
@@ -0,0 +1,48 @@
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
+documentation_complete: true
+
+prodtype: rhcos4
+
+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - dbus helper'
+
+description: |-
+ At a minimum, the audit system should collect the execution of
+ privileged commands for all users and root. If the auditd daemon is
+ configured to use the augenrules program to read audit rules during
+ daemon startup (the default), add a line of the following form to a file with
+ suffix .rules in the directory /etc/audit/rules.d:
+
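Review bot: The fixtext names the wrong command: it tells the administrator to audit the "polkit-agent-helper" command, while the rule it quotes and the srg_requirement and checktext above are for `/usr/libexec/dbus-1/dbus-daemon-launch-helper`. The quoted fix rule also carries a space after `path=` (`-F path= /usr/libexec/...`), which auditctl would not read as the intended path, so someone who pastes the fixtext as written ends up with a rule the checktext's grep does not find; it should match the checktext exactly: `-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=unset -k privileged`. The sentence would then read `... attempts to use the "/usr/libexec/dbus-1/dbus-daemon-launch-helper" command ...`, consistent with the other new shared.yml files in this commit.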
-a always,exit -F path= /usr/libexec/dbus-1/dbus-daemon-launch-helper-1 {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +
-a always,exit -F path= /usr/libexec/dbus-1/dbus-daemon-launch-helper-1 {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ +rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by + authorized users, or by unauthorized external entities that have compromised system accounts, + is a serious and ongoing concern and can have significant adverse impacts on organizations. + Auditing the use of privileged functions is one way to detect such misuse and identify + the risk from insider and advanced persistent threats. +

+ Privileged programs are subject to escalation-of-privilege attacks, + which attempt to subvert their normal role of providing some necessary but + limited capability. As such, motivation exists to monitor these programs for + unusual activity. + +severity: medium + +identifiers: + cce@rhcos4: CCE-87183-0 + +references: + srg: SRG-APP-000029-CTR-000085 + +{{{ ocil_fix_srg_privileged_command("/usr/libexec/dbus-1/dbus-daemon-launch-helper-1") }}} + +template: + name: audit_rules_privileged_commands + vars: + path: /usr/libexec/dbus-1/dbus-daemon-launch-helper-1 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/tests/ocp4/e2e.yml new file mode 100644 index 000000000000..fd9b313e87b4 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/tests/ocp4/e2e.yml @@ -0,0 +1,3 @@ +--- +default_result: FAIL +result_after_remediation: PASS diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/policy/stig/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/policy/stig/shared.yml new file mode 100644 index 000000000000..22b2b7a55930 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/policy/stig/shared.yml 
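Review bot: The path this rule actually enforces, `/usr/libexec/dbus-1/dbus-daemon-launch-helper-1` (in both description rule lines, the `ocil_fix_srg_privileged_command` argument and the template `path:` var), does not match the path the STIG text in this commit's shared.yml for the same rule checks, `/usr/libexec/dbus-1/dbus-daemon-launch-helper`; the trailing `-1` looks like a slip, and as written the automated check and the manual checktext would look for two different files. The description's two rule lines also have a space after `path=` (`-F path= /usr/libexec/...`) that none of the other new rules carry, so the documented rule is not what an administrator should type. All four occurrences are one-token fixes, e.g. `path: /usr/libexec/dbus-1/dbus-daemon-launch-helper`. The title suffix `dbus helper` is also vaguer than the other rules' suffixes, which name the binary; `dbus-daemon-launch-helper` would match them.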
@@ -0,0 +1,27 @@
+srg_requirement: |-
+ {{{ full_name }}} must audit all uses of the fusermount command.
+
+vuldiscussion: |-
+ Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+ The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+checktext: |-
+ Verify that {{{ full_name }}} is configured to audit the execution of the "fusermount" command with the following command:
+
+ $ sudo auditctl -l | grep fusermount
+
+ -a always,exit -F path=/usr/bin/fusermount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-fusermount
+
+ If the command does not return a line, or the line is commented out, this is a finding.
+
+fixtext: |-
+ Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "fusermount" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":
+
+ -a always,exit -F path=/usr/bin/fusermount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-fusermount
+
+ The audit daemon must be restarted for the changes to take effect.
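Review bot: The check and fix text key the rule as `-k privileged-fusermount`, while the rule.yml for the same rule in this commit documents `-F key=privileged`, the key the other new rules and their shared.yml text use; the STIG fixtext would therefore have an administrator write a rule keyed differently from what the automated remediation produces, and a host that received both would carry two differently keyed rules for one binary. Using `-k privileged` in both the checktext and fixtext lines keeps the manual and automated paths consistent; the fusermount3 shared.yml hunk further down has the same mismatch with `privileged-fusermount3`. Separately, `auditctl -l | grep fusermount` in the checktext also matches a fusermount3 rule, so a host with only the fusermount3 rule loaded would pass this check; `$ sudo auditctl -l | grep -w fusermount` restricts it to the binary this rule is about.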
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/rule.yml new file mode 100644 index 000000000000..329e483772d6 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/rule.yml @@ -0,0 +1,48 @@ +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + +documentation_complete: true + +prodtype: rhcos4 + +title: 'Ensure auditd Collects Information on the Use of Privileged Commands - fusermount' + +description: |- + At a minimum, the audit system should collect the execution of + privileged commands for all users and root. If the auditd daemon is + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/fusermount {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/fusermount {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ +rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by + authorized users, or by unauthorized external entities that have compromised system accounts, + is a serious and ongoing concern and can have significant adverse impacts on organizations. + Auditing the use of privileged functions is one way to detect such misuse and identify + the risk from insider and advanced persistent threats. +

+ Privileged programs are subject to escalation-of-privilege attacks, + which attempt to subvert their normal role of providing some necessary but + limited capability. As such, motivation exists to monitor these programs for + unusual activity. + +severity: medium + +identifiers: + cce@rhcos4: CCE-86210-2 + +references: + srg: SRG-APP-000029-CTR-000085 + +{{{ ocil_fix_srg_privileged_command("fusermount") }}} + +template: + name: audit_rules_privileged_commands + vars: + path: /usr/bin/fusermount diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/tests/ocp4/e2e.yml new file mode 100644 index 000000000000..fd9b313e87b4 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/tests/ocp4/e2e.yml @@ -0,0 +1,3 @@ +--- +default_result: FAIL +result_after_remediation: PASS diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/policy/stig/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/policy/stig/shared.yml new file mode 100644 index 000000000000..0a960d43e584 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/policy/stig/shared.yml 
@@ -0,0 +1,27 @@
+srg_requirement: |-
+ {{{ full_name }}} must audit all uses of the fusermount3 command.
+
+vuldiscussion: |-
+ Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+ The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+checktext: |-
+ Verify that {{{ full_name }}} is configured to audit the execution of the "fusermount3" command with the following command:
+
+ $ sudo auditctl -l | grep fusermount3
+
+ -a always,exit -F path=/usr/bin/fusermount3 -F perm=x -F auid>=1000 -F auid!=unset -k privileged-fusermount3
+
+ If the command does not return a line, or the line is commented out, this is a finding.
+
+fixtext: |-
+ Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "fusermount3" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":
+
+ -a always,exit -F path=/usr/bin/fusermount3 -F perm=x -F auid>=1000 -F auid!=unset -k privileged-fusermount3
+
+ The audit daemon must be restarted for the changes to take effect.
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/rule.yml new file mode 100644 index 000000000000..6ac08b082086 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/rule.yml @@ -0,0 +1,48 @@ +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + +documentation_complete: true + +prodtype: rhcos4 + +title: 'Ensure auditd Collects Information on the Use of Privileged Commands - fusermount3' + +description: |- + At a minimum, the audit system should collect the execution of + privileged commands for all users and root. If the auditd daemon is + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/fusermount3 {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/fusermount3 {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ +rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by + authorized users, or by unauthorized external entities that have compromised system accounts, + is a serious and ongoing concern and can have significant adverse impacts on organizations. + Auditing the use of privileged functions is one way to detect such misuse and identify + the risk from insider and advanced persistent threats. +

+ Privileged programs are subject to escalation-of-privilege attacks, + which attempt to subvert their normal role of providing some necessary but + limited capability. As such, motivation exists to monitor these programs for + unusual activity. + +severity: medium + +identifiers: + cce@rhcos4: CCE-86676-4 + +references: + srg: SRG-APP-000029-CTR-000085 + +{{{ ocil_fix_srg_privileged_command("fusermount3") }}} + +template: + name: audit_rules_privileged_commands + vars: + path: /usr/bin/fusermount3 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/tests/ocp4/e2e.yml new file mode 100644 index 000000000000..fd9b313e87b4 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/tests/ocp4/e2e.yml @@ -0,0 +1,3 @@ +--- +default_result: FAIL +result_after_remediation: PASS diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml index 022da6362332..347eaee25df5 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml 
@@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} @@ -58,7 +58,7 @@ references: nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a) nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1 ospp: FAU_GEN.1.1.c - srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085 stigid@ol7: OL07-00-030650 stigid@ol8: OL08-00-030370 stigid@rhel7: RHEL-07-030650 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/policy/stig/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/policy/stig/shared.yml new file mode 100644 index 000000000000..7645306cb81f --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/policy/stig/shared.yml 
@@ -0,0 +1,27 @@ +srg_requirement: |- + {{{ full_name }}} must audit all uses of the /usr/sbin/grub2-set-bootflag command. + +vuldiscussion: |- + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +checktext: |- + Verify that {{{ full_name }}} is configured to audit the execution of the "/usr/sbin/grub2-set-bootflag" command with the following command: + + $ sudo auditctl -l | grep /usr/sbin/grub2-set-bootflag + + -a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -k privileged + + If the command does not return a line, or the line is commented out, this is a finding. 
+ +fixtext: |- + Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "/usr/sbin/grub2-set-bootflag" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + + -a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -k privileged + + The audit daemon must be restarted for the changes to take effect. diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/rule.yml new file mode 100644 index 000000000000..0b7ad4110ab0 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/rule.yml @@ -0,0 +1,48 @@ +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + +documentation_complete: true + +prodtype: rhcos4 + +title: 'Ensure auditd Collects Information on the Use of Privileged Commands - grub2_set_bootflag' + +description: |- + At a minimum, the audit system should collect the execution of + privileged commands for all users and root. If the auditd daemon is + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/grub2-set-bootflag {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +
-a always,exit -F path= /usr/sbin/grub2-set-bootflag{{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ +rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by + authorized users, or by unauthorized external entities that have compromised system accounts, + is a serious and ongoing concern and can have significant adverse impacts on organizations. + Auditing the use of privileged functions is one way to detect such misuse and identify + the risk from insider and advanced persistent threats. +

+ Privileged programs are subject to escalation-of-privilege attacks, + which attempt to subvert their normal role of providing some necessary but + limited capability. As such, motivation exists to monitor these programs for + unusual activity. + +severity: medium + +identifiers: + cce@rhcos4: CCE-90740-2 + +references: + srg: SRG-APP-000029-CTR-000085 + +{{{ ocil_fix_srg_privileged_command("/usr/sbin/grub2-set-bootflag") }}} + +template: + name: audit_rules_privileged_commands + vars: + path: /usr/sbin/grub2-set-bootflag diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/tests/ocp4/e2e.yml new file mode 100644 index 000000000000..fd9b313e87b4 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/tests/ocp4/e2e.yml @@ -0,0 +1,3 @@ +--- +default_result: FAIL +result_after_remediation: PASS diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml index c333646326a7..602518ad8266 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml 
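Review bot: The second rule example in the description (the `/etc/audit/audit.rules` variant) has a space after `path=` and no space before the `{{{ perm_x }}}` macro, so it renders as `-F path= /usr/sbin/grub2-set-bootflag-F perm=x ...`, which is not a valid auditctl rule if an operator copies it. It should match the augenrules example above it: `-a always,exit -F path=/usr/sbin/grub2-set-bootflag {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged`. The same `path= ` spacing defect appears in the mount_nfs rule.yml description (its second example) and in both examples of the polkit_helper rule.yml description added later in this patch.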
@@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} @@ -47,7 +47,7 @@ references: disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884 nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a) ospp: FAU_GEN.1.1.c - srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085 stigid@ol7: OL07-00-030740 stigid@ol8: OL08-00-030300 stigid@rhel7: RHEL-07-030740 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/policy/stig/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/policy/stig/shared.yml new file mode 100644 index 000000000000..46dbdc81879d --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/policy/stig/shared.yml 
@@ -0,0 +1,27 @@ +srg_requirement: |- + {{{ full_name }}} must audit all uses of the /usr/sbin/mount.nfs command. + +vuldiscussion: |- + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +checktext: |- + Verify that {{{ full_name }}} is configured to audit the execution of the "/usr/sbin/mount.nfs" command with the following command: + + $ sudo auditctl -l | grep /usr/sbin/mount.nfs + + -a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=unset -k privileged + + If the command does not return a line, or the line is commented out, this is a finding. + +fixtext: |- + Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "/usr/sbin/mount.nfs" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + + -a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=unset -k privileged + + The audit daemon must be restarted for the changes to take effect. 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/rule.yml new file mode 100644 index 000000000000..3c645c96cbda --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/rule.yml @@ -0,0 +1,48 @@ +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + +documentation_complete: true + +prodtype: rhcos4 + +title: 'Ensure auditd Collects Information on the Use of Privileged Commands - mount.nfs' + +description: |- + At a minimum, the audit system should collect the execution of + privileged commands for all users and root. If the auditd daemon is + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/mount.nfs {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +
-a always,exit -F path= /usr/sbin/mount.nfs perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ +rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by + authorized users, or by unauthorized external entities that have compromised system accounts, + is a serious and ongoing concern and can have significant adverse impacts on organizations. + Auditing the use of privileged functions is one way to detect such misuse and identify + the risk from insider and advanced persistent threats. +

+ Privileged programs are subject to escalation-of-privilege attacks, + which attempt to subvert their normal role of providing some necessary but + limited capability. As such, motivation exists to monitor these programs for + unusual activity. + +severity: medium + +identifiers: + cce@rhcos4: CCE-87425-5 + +references: + srg: SRG-APP-000029-CTR-000085 + +{{{ ocil_fix_srg_privileged_command("/usr/sbin/mount.nfs")}}} + +template: + name: audit_rules_privileged_commands + vars: + path: /usr/sbin/mount.nfs diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/tests/ocp4/e2e.yml new file mode 100644 index 000000000000..fd9b313e87b4 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/tests/ocp4/e2e.yml @@ -0,0 +1,3 @@ +--- +default_result: FAIL +result_after_remediation: PASS diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml index 30759588d9d4..59b4dcfbbac3 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml 
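Review bot: The second rule example in the description is missing the opening `{{{` of the `perm_x` macro, leaving an unbalanced `perm_x }}}` that either breaks template rendering or ends up as literal text in the published guidance; it also has the `path= ` spacing problem. The line should read `-a always,exit -F path=/usr/sbin/mount.nfs {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged`, identical in shape to the first example. As a style point, the `ocil_fix_srg_privileged_command("/usr/sbin/mount.nfs")}}}` call lacks the space before `}}}` that every other rule in this patch uses.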
@@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} @@ -58,7 +58,7 @@ references: nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a) nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1 ospp: FAU_GEN.1.1.c - srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085 stigid@ol7: OL07-00-030710 stigid@ol8: OL08-00-030350 stigid@rhel7: RHEL-07-030710 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml index 81af3f9cfe5f..0bda87b7d55e 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} 
@@ -62,7 +62,7 @@ references: iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2 nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a) nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1 - srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085 stigid@ol7: OL07-00-030810 stigid@ol8: OL08-00-030340 stigid@rhel7: RHEL-07-030810 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml index 0e9d10b92fa4..19b6623a7ae6 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} 
@@ -55,7 +55,7 @@ references: nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a) nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1 ospp: FAU_GEN.1.1.c - srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085 stigid@ol7: OL07-00-030630 stigid@ol8: OL08-00-030290 stigid@rhel7: RHEL-07-030630 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/policy/stig/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/policy/stig/shared.yml new file mode 100644 index 000000000000..30e09a0d6712 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/policy/stig/shared.yml 
@@ -0,0 +1,27 @@ +srg_requirement: |- + {{{ full_name }}} must audit all uses of the pkexec command. + +vuldiscussion: |- + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +checktext: |- + Verify that {{{ full_name }}} is configured to audit the execution of the "pkexec" command with the following command: + + $ sudo auditctl -l | grep pkexec + + -a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pkexec + + If the command does not return a line, or the line is commented out, this is a finding. + +fixtext: |- + Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "pkexec" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + + -a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pkexec + + The audit daemon must be restarted for the changes to take effect. 
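Review bot: The checktext and fixtext expect the audit key `privileged-pkexec`, while the pkexec rule.yml description in this patch documents `-F key=privileged` and every other shared.yml added here uses `-k privileged`. If the `audit_rules_privileged_commands` template emits `key=privileged` (I cannot see the template from here, so this needs confirming), a system remediated by this content would still fail the STIG check as written, since the expected line would not appear in `auditctl -l` output. Suggest aligning both lines to `-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=unset -k privileged` unless the template is known to use the pkexec-specific key.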
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml new file mode 100644 index 000000000000..126c855e7908 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml @@ -0,0 +1,48 @@ +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + +documentation_complete: true + +prodtype: rhcos4 + +title: 'Ensure auditd Collects Information on the Use of Privileged Commands - pkexec' + +description: |- + At a minimum, the audit system should collect the execution of + privileged commands for all users and root. If the auditd daemon is + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/pkexec {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/pkexec {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ +rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by + authorized users, or by unauthorized external entities that have compromised system accounts, + is a serious and ongoing concern and can have significant adverse impacts on organizations. + Auditing the use of privileged functions is one way to detect such misuse and identify + the risk from insider and advanced persistent threats. +

+ Privileged programs are subject to escalation-of-privilege attacks, + which attempt to subvert their normal role of providing some necessary but + limited capability. As such, motivation exists to monitor these programs for + unusual activity. + +severity: medium + +identifiers: + cce@rhcos4: CCE-86859-6 + +references: + srg: SRG-APP-000029-CTR-000085 + +{{{ ocil_fix_srg_privileged_command("pkexec") }}} + +template: + name: audit_rules_privileged_commands + vars: + path: /usr/bin/pkexec diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/tests/ocp4/e2e.yml new file mode 100644 index 000000000000..fd9b313e87b4 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/tests/ocp4/e2e.yml @@ -0,0 +1,3 @@ +--- +default_result: FAIL +result_after_remediation: PASS diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/policy/stig/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/policy/stig/shared.yml new file mode 100644 index 000000000000..b5d7d943f4db --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/policy/stig/shared.yml 
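Review bot: The `ocil_fix_srg_privileged_command("pkexec")` call passes the bare command name, whereas the grub2_set_bootflag, mount_nfs and polkit_helper rules in this patch pass the full path (`/usr/sbin/grub2-set-bootflag`, `/usr/sbin/mount.nfs`, ...). If the macro substitutes its argument into the rendered OCIL check or fix text, the two conventions will produce different `auditctl -l | grep` instructions across otherwise identical rules; if it only labels the rule, this is purely a consistency nit. Either way, picking one form for all rules in the series, matching the `path:` value under `template.vars`, would make them easier to maintain.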
@@ -0,0 +1,27 @@ +srg_requirement: |- + {{{ full_name }}} must audit all uses of the /usr/lib/polkit-1/polkit-agent-helper-1 command. + +vuldiscussion: |- + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + + When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + + The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +checktext: |- + Verify that {{{ full_name }}} is configured to audit the execution of the "/usr/lib/polkit-1/polkit-agent-helper-1" command with the following command: + + $ sudo auditctl -l | grep polkit-agent-helper-1 + + -a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=unset -k privileged + + If the command does not return a line, or the line is commented out, this is a finding. 
+ +fixtext: |- + Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "polkit-agent-helper" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + + -a always,exit -F path= /usr/lib/polkit-1/polkit-agent-helper-1-F perm=x -F auid>=1000 -F auid!=unset -k privileged + + The audit daemon must be restarted for the changes to take effect. diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/rule.yml new file mode 100644 index 000000000000..aae180149413 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/rule.yml @@ -0,0 +1,48 @@ +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} +{{%- endif %}} + +documentation_complete: true + +prodtype: rhcos4 + +title: 'Ensure auditd Collects Information on the Use of Privileged Commands - polkit helper' + +description: |- + At a minimum, the audit system should collect the execution of + privileged commands for all users and root. If the auditd daemon is + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +
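Review bot: The fixtext rule has a space after `path=` and no space before `-F perm=x`, giving `-F path= /usr/lib/polkit-1/polkit-agent-helper-1-F perm=x ...`; copied verbatim into `/etc/audit/rules.d/audit.rules` this yields an empty path filter and a stray token, so the rule would be rejected at load time rather than auditing the helper. It should match the checktext line: `-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=unset -k privileged`. The fixtext also names the command `"polkit-agent-helper"` while the srg_requirement and checktext use the full path `/usr/lib/polkit-1/polkit-agent-helper-1`; using the full path in all three keeps the STIG text unambiguous.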
-a always,exit -F path= /usr/lib/polkit-1/polkit-agent-helper-1{{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +
-a always,exit -F path= /usr/lib/polkit-1/polkit-agent-helper-1{{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ +rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by + authorized users, or by unauthorized external entities that have compromised system accounts, + is a serious and ongoing concern and can have significant adverse impacts on organizations. + Auditing the use of privileged functions is one way to detect such misuse and identify + the risk from insider and advanced persistent threats. +

+ Privileged programs are subject to escalation-of-privilege attacks, + which attempt to subvert their normal role of providing some necessary but + limited capability. As such, motivation exists to monitor these programs for + unusual activity. + +severity: medium + +identifiers: + cce@rhcos4: CCE-87024-6 + +references: + srg: SRG-APP-000029-CTR-000085 + +{{{ ocil_fix_srg_privileged_command("/usr/lib/polkit-1/polkit-agent-helper-1") }}} + +template: + name: audit_rules_privileged_commands + vars: + path: /usr/lib/polkit-1/polkit-agent-helper-1 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/tests/ocp4/e2e.yml new file mode 100644 index 000000000000..fd9b313e87b4 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/tests/ocp4/e2e.yml @@ -0,0 +1,3 @@ +--- +default_result: FAIL +result_after_remediation: PASS diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/policy/stig/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/policy/stig/shared.yml new file mode 100644 index 000000000000..6438d2bad2c5 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/policy/stig/shared.yml 
@@ -0,0 +1,27 @@
+srg_requirement: |-
+ {{{ full_name }}} must audit all uses of the /usr/libexec/sssd/krb5_child command.
+
+vuldiscussion: |-
+ Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+ The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+checktext: |-
+ Verify that {{{ full_name }}} is configured to audit the execution of the "/usr/libexec/sssd/krb5_child" command with the following command:
+
+ $ sudo auditctl -l | grep /usr/libexec/sssd/krb5_child
+
+ -a always,exit -F path=/usr/libexec/sssd/krb5_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
+
+ If the command does not return a line, or the line is commented out, this is a finding.
+
+fixtext: |-
+ Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "/usr/libexec/sssd/krb5_child" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":
+
+ -a always,exit -F path=/usr/libexec/sssd/krb5_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
+
+ The audit daemon must be restarted for the changes to take effect.
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/rule.yml
new file mode 100644
index 000000000000..4ad68bc255dc
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/rule.yml
@@ -0,0 +1,48 @@
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
+documentation_complete: true
+
+prodtype: rhcos4
+
+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - sssd_krb5_child'
+
+description: |-
+ At a minimum, the audit system should collect the execution of
+ privileged commands for all users and root. If the auditd daemon is
+ configured to use the augenrules program to read audit rules during
+ daemon startup (the default), add a line of the following form to a file with
+ suffix .rules in the directory /etc/audit/rules.d: +
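Review bot: The finding clause in checktext, `If the command does not return a line, or the line is commented out, this is a finding.`, does not fit the command it follows: `auditctl -l` prints only rules the kernel has loaded, so a commented-out line can never appear in its output — that wording belongs to a check that greps `/etc/audit/rules.d/*.rules`. Either shorten it to `If the command does not return a line, this is a finding.` or add a second step that inspects the rules files. Note also that on the audit versions I have used, `auditctl -l` renders a loaded rule in normalized form (for example `-F auid!=-1` and `-F key=privileged`), so an assessor comparing literally against the quoted `-k privileged` line may raise a false finding; a sentence saying the fields may be printed in an equivalent form would avoid that.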
-a always,exit -F path=/usr/libexec/sssd/krb5_child {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl
+ utility to read audit rules during daemon startup, add a line of the following
+ form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/libexec/sssd/krb5_child {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
+rationale: |-
+ Misuse of privileged functions, either intentionally or unintentionally by
+ authorized users, or by unauthorized external entities that have compromised system accounts,
+ is a serious and ongoing concern and can have significant adverse impacts on organizations.
+ Auditing the use of privileged functions is one way to detect such misuse and identify
+ the risk from insider and advanced persistent threats.
+

+ Privileged programs are subject to escalation-of-privilege attacks,
+ which attempt to subvert their normal role of providing some necessary but
+ limited capability. As such, motivation exists to monitor these programs for
+ unusual activity.
+
+severity: medium
+
+identifiers:
+ cce@rhcos4: CCE-90599-2
+
+references:
+ srg: SRG-APP-000029-CTR-000085
+
+{{{ ocil_fix_srg_privileged_command("/usr/libexec/sssd/krb5_child") }}}
+
+template:
+ name: audit_rules_privileged_commands
+ vars:
+ path: /usr/libexec/sssd/krb5_child
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/tests/ocp4/e2e.yml
new file mode 100644
index 000000000000..fd9b313e87b4
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/tests/ocp4/e2e.yml
@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/policy/stig/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/policy/stig/shared.yml
new file mode 100644
index 000000000000..c9fc501bfcf1
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/policy/stig/shared.yml
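Review bot: The rationale never explains what the `-F auid>=1000 -F auid!=unset` filters in the description's rule mean for this helper: as far as I know krb5_child is normally exec'd by the sssd daemon, whose loginuid is unset, so those invocations are deliberately not recorded and the rule only captures a logged-in user running the helper directly. That is the usual trade-off for a privileged-command rule, but a reader of the rendered guide may otherwise expect every execution to be audited. I would add to the rationale: `Invocations by the sssd daemon itself carry an unset auid and are intentionally excluded; the rule records direct execution of the helper from user sessions.` One sentence on why krb5_child counts as a privileged command (the commit frames this series as a setuid/setgid inventory, but the rule text itself does not say so) would complete the picture.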
@@ -0,0 +1,27 @@
+srg_requirement: |-
+ {{{ full_name }}} must audit all uses of the /usr/libexec/sssd/ldap_child command.
+
+vuldiscussion: |-
+ Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+ The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+checktext: |-
+ Verify that {{{ full_name }}} is configured to audit the execution of the "/usr/libexec/sssd/ldap_child" command with the following command:
+
+ $ sudo auditctl -l | grep /usr/libexec/sssd/ldap_child
+
+ -a always,exit -F path=/usr/libexec/sssd/ldap_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
+
+ If the command does not return a line, or the line is commented out, this is a finding.
+
+fixtext: |-
+ Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "/usr/libexec/sssd/ldap_child" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":
+
+ -a always,exit -F path=/usr/libexec/sssd/ldap_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
+
+ The audit daemon must be restarted for the changes to take effect.
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/rule.yml
new file mode 100644
index 000000000000..7d16f4d073c3
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/rule.yml
@@ -0,0 +1,48 @@
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
+documentation_complete: true
+
+prodtype: rhcos4
+
+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - sssd_ldap_child'
+
+description: |-
+ At a minimum, the audit system should collect the execution of
+ privileged commands for all users and root. If the auditd daemon is
+ configured to use the augenrules program to read audit rules during
+ daemon startup (the default), add a line of the following form to a file with
+ suffix .rules in the directory /etc/audit/rules.d: +
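Review bot: The checktext and fixtext hard-code `-F auid>=1000`, while the rule.yml description for the same path renders `-F auid>={{{ auid }}}`. If the rhcos4 product ever sets `auid` to something other than 1000, or this shared.yml is reused for another product, the STIG text and the generated rule will disagree and the assessor will be told to look for a line that remediation never writes. These files are already Jinja-rendered (`{{{ full_name }}}`), so the same variable can be used here: `-a always,exit -F path=/usr/libexec/sssd/ldap_child -F perm=x -F auid>={{{ auid }}} -F auid!=unset -k privileged` in both the checktext and the fixtext.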
-a always,exit -F path=/usr/libexec/sssd/ldap_child {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl
+ utility to read audit rules during daemon startup, add a line of the following
+ form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/libexec/sssd/ldap_child {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
+rationale: |-
+ Misuse of privileged functions, either intentionally or unintentionally by
+ authorized users, or by unauthorized external entities that have compromised system accounts,
+ is a serious and ongoing concern and can have significant adverse impacts on organizations.
+ Auditing the use of privileged functions is one way to detect such misuse and identify
+ the risk from insider and advanced persistent threats.
+

+ Privileged programs are subject to escalation-of-privilege attacks,
+ which attempt to subvert their normal role of providing some necessary but
+ limited capability. As such, motivation exists to monitor these programs for
+ unusual activity.
+
+severity: medium
+
+identifiers:
+ cce@rhcos4: CCE-90544-8
+
+references:
+ srg: SRG-APP-000029-CTR-000085
+
+{{{ ocil_fix_srg_privileged_command("/usr/libexec/sssd/ldap_child") }}}
+
+template:
+ name: audit_rules_privileged_commands
+ vars:
+ path: /usr/libexec/sssd/ldap_child
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/tests/ocp4/e2e.yml
new file mode 100644
index 000000000000..fd9b313e87b4
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/tests/ocp4/e2e.yml
@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/policy/stig/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/policy/stig/shared.yml
new file mode 100644
index 000000000000..963a2bc08fb1
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/policy/stig/shared.yml
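Review bot: The three-line `{{%- if product in [...] %}}` guard at the top of this file is dead code: `prodtype: rhcos4` restricts the rule to a product that is in the list, so `perm_x` is always set, and the twelve-product list is exactly the kind of copy that drifts (the su, sudo, umount and unix_chkpwd hunks further down this patch each had to be edited to add rhcos4). For a rhcos4-only rule an unconditional `{{%- set perm_x="-F perm=x " %}}` says the same thing and cannot silently render a rule without `-F perm=x` if the list is edited later. If the guard is kept on purpose for parity with the shared rules, a one-line comment saying so would stop the next reader from simplifying it.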
@@ -0,0 +1,27 @@
+srg_requirement: |-
+ {{{ full_name }}} must audit all uses of the /usr/libexec/sssd/proxy_child command.
+
+vuldiscussion: |-
+ Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+ The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+checktext: |-
+ Verify that {{{ full_name }}} is configured to audit the execution of the "/usr/libexec/sssd/proxy_child" command with the following command:
+
+ $ sudo auditctl -l | grep /usr/libexec/sssd/proxy_child
+
+ -a always,exit -F path=/usr/libexec/sssd/proxy_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
+
+ If the command does not return a line, or the line is commented out, this is a finding.
+
+fixtext: |-
+ Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "/usr/libexec/sssd/proxy_child" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":
+
+ -a always,exit -F path=/usr/libexec/sssd/proxy_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
+
+ The audit daemon must be restarted for the changes to take effect.
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/rule.yml
new file mode 100644
index 000000000000..2526442fea6f
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/rule.yml
@@ -0,0 +1,48 @@
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
+documentation_complete: true
+
+prodtype: rhcos4
+
+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - sssd_proxy_child'
+
+description: |-
+ At a minimum, the audit system should collect the execution of
+ privileged commands for all users and root. If the auditd daemon is
+ configured to use the augenrules program to read audit rules during
+ daemon startup (the default), add a line of the following form to a file with
+ suffix .rules in the directory /etc/audit/rules.d: +
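Review bot: The fixtext tells the operator to put the rule in `/etc/audit/rules.d/audit.rules` and that `The audit daemon must be restarted for the changes to take effect`, while the rule.yml description for the same helper says any file with suffix `.rules` under `/etc/audit/rules.d` (or `/etc/audit/audit.rules` in auditctl mode); the two texts should name the same location. RHCOS4 is an immutable image on which audit configuration is presumably delivered as a MachineConfig rather than by hand, so a sentence pointing at the generated remediation would stop the fixtext being read as a manual procedure to run on nodes. The restart sentence could also name the mechanism — on augenrules-based systems I would expect `augenrules --load` to be what picks up the rules.d file — but confirm what rhcos4 actually uses before quoting it.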
-a always,exit -F path=/usr/libexec/sssd/proxy_child {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl
+ utility to read audit rules during daemon startup, add a line of the following
+ form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/libexec/sssd/proxy_child {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
+rationale: |-
+ Misuse of privileged functions, either intentionally or unintentionally by
+ authorized users, or by unauthorized external entities that have compromised system accounts,
+ is a serious and ongoing concern and can have significant adverse impacts on organizations.
+ Auditing the use of privileged functions is one way to detect such misuse and identify
+ the risk from insider and advanced persistent threats.
+

+ Privileged programs are subject to escalation-of-privilege attacks,
+ which attempt to subvert their normal role of providing some necessary but
+ limited capability. As such, motivation exists to monitor these programs for
+ unusual activity.
+
+severity: medium
+
+identifiers:
+ cce@rhcos4: CCE-90451-6
+
+references:
+ srg: SRG-APP-000029-CTR-000085
+
+{{{ ocil_fix_srg_privileged_command("/usr/libexec/sssd/proxy_child") }}}
+
+template:
+ name: audit_rules_privileged_commands
+ vars:
+ path: /usr/libexec/sssd/proxy_child
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/tests/ocp4/e2e.yml
new file mode 100644
index 000000000000..fd9b313e87b4
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/tests/ocp4/e2e.yml
@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/policy/stig/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/policy/stig/shared.yml
new file mode 100644
index 000000000000..360a9e22d6f4
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/policy/stig/shared.yml
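Review bot: `references:` carries only `srg: SRG-APP-000029-CTR-000085`, whereas the existing privileged-command rules touched later in this same patch (su, sudo, umount, unix_chkpwd) also map to `nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)` and `nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1`. If those control mappings apply to the sssd helpers — they describe the same auditing-of-privileged-functions behaviour, which the rationale here repeats — adding them keeps control-coverage reports for the profile consistent across the privileged-command family. If they were left out deliberately because this rule exists only for the container SRG, a short comment next to `references:` would make that choice visible.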
@@ -0,0 +1,27 @@
+srg_requirement: |-
+ {{{ full_name }}} must audit all uses of the /usr/libexec/sssd/selinux_child command.
+
+vuldiscussion: |-
+ Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+
+ The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+checktext: |-
+ Verify that {{{ full_name }}} is configured to audit the execution of the "/usr/libexec/sssd/selinux_child" command with the following command:
+
+ $ sudo auditctl -l | grep /usr/libexec/sssd/selinux_child
+
+ -a always,exit -F path=/usr/libexec/sssd/selinux_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
+
+ If the command does not return a line, or the line is commented out, this is a finding.
+
+fixtext: |-
+ Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "/usr/libexec/sssd/selinux_child" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":
+
+ -a always,exit -F path=/usr/libexec/sssd/selinux_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
+
+ The audit daemon must be restarted for the changes to take effect.
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/rule.yml
new file mode 100644
index 000000000000..7c3c4c64ae93
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/rule.yml
@@ -0,0 +1,48 @@
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+ {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
+documentation_complete: true
+
+prodtype: rhcos4
+
+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - sssd_selinux_child'
+
+description: |-
+ At a minimum, the audit system should collect the execution of
+ privileged commands for all users and root. If the auditd daemon is
+ configured to use the augenrules program to read audit rules during
+ daemon startup (the default), add a line of the following form to a file with
+ suffix .rules in the directory /etc/audit/rules.d: +
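Review bot: This shared.yml is identical to the krb5_child, ldap_child and proxy_child files in this patch apart from the helper path, which is spelled out six times per file; the four copies will drift the first time one of them is corrected (the checktext's finding wording is one candidate). A Jinja macro taking the path — the rule.yml files already do this with `ocil_fix_srg_privileged_command(...)` — would reduce each shared.yml to a couple of lines. If the STIG files have to stay literal for the publisher, at least bind the path once, `{{%- set helper = "/usr/libexec/sssd/selinux_child" %}}` at the top and `{{{ helper }}}` below, so a typo in one of the six occurrences cannot make checktext and fixtext name different binaries.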
-a always,exit -F path=/usr/libexec/sssd/selinux_child {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl
+ utility to read audit rules during daemon startup, add a line of the following
+ form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/libexec/sssd/selinux_child {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+
+rationale: |-
+ Misuse of privileged functions, either intentionally or unintentionally by
+ authorized users, or by unauthorized external entities that have compromised system accounts,
+ is a serious and ongoing concern and can have significant adverse impacts on organizations.
+ Auditing the use of privileged functions is one way to detect such misuse and identify
+ the risk from insider and advanced persistent threats.
+

+ Privileged programs are subject to escalation-of-privilege attacks,
+ which attempt to subvert their normal role of providing some necessary but
+ limited capability. As such, motivation exists to monitor these programs for
+ unusual activity.
+
+severity: medium
+
+identifiers:
+ cce@rhcos4: CCE-90356-7
+
+references:
+ srg: SRG-APP-000029-CTR-000085
+
+{{{ ocil_fix_srg_privileged_command("/usr/libexec/sssd/selinux_child") }}}
+
+template:
+ name: audit_rules_privileged_commands
+ vars:
+ path: /usr/libexec/sssd/selinux_child
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/tests/ocp4/e2e.yml
new file mode 100644
index 000000000000..fd9b313e87b4
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/tests/ocp4/e2e.yml
@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
index a6a023c0fb89..7a02e6220632 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
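Review bot: Neither the description nor the rationale says why `/usr/libexec/sssd/selinux_child` is a privileged command; the commit message frames this series as an inventory of setuid/setgid binaries on RHCOS4, but the rule text never states that the helper runs with elevated privilege, so a reader of the rendered guide cannot tell why it was selected while other sssd files were not. One sentence in the rationale, along the lines of `selinux_child is a privileged sssd helper (setuid on this image) that updates SELinux user mappings on behalf of the daemon`, would record the selection criterion — confirm the setuid bit and the helper's role on the RHCOS4 image before quoting it. The e2e test expects FAIL before remediation and PASS after; if the template's check is conditioned on the binary being present (I cannot tell from this hunk), that expectation depends on the path being shipped on every supported RHCOS4 release, which is worth verifying.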
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
@@ -56,7 +56,7 @@ references:
 nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
 ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-0003,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-0003,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-APP-000029-CTR-000085
 stigid@ol7: OL07-00-030680
 stigid@ol8: OL08-00-030190
 stigid@rhel7: RHEL-07-030680
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
index 3d76a1a2948e..55e5e24bdab6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
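Review bot: The `srg:` line kept on the new side of the su hunk still contains `SRG-OS-000064-GPOS-0003`, a four-digit GPOS suffix where every other identifier on the line has five; it looks like a truncated ID (its neighbours are `…-GPOS-00031` and `…-GPOS-00172`) and a reference scanner keyed on the canonical format will silently drop it. Since the line is being rewritten anyway to append `SRG-APP-000029-CTR-000085`, this is the moment to fix the suffix; I believe the intended identifier is `SRG-OS-000064-GPOS-00033`, but verify it against the GPOS SRG before changing it. The sudo hunk's `srg:` line on this page does not carry the truncated entry, so only the su rule is affected.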
@@ -57,7 +57,7 @@ references:
 nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
 ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-APP-000029-CTR-000085
 stigid@ol7: OL07-00-030690
 stigid@ol8: OL08-00-030550
 stigid@rhel7: RHEL-07-030690
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
index b3fe5287b5e0..4ba40efd0976 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
@@ -55,7 +55,7 @@ references:
 iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2
 nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085
 stigid@ol7: OL07-00-030750
 stigid@ol8: OL08-00-030301
 stigid@rhel7: RHEL-07-030750
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
index 05162430132c..53d21d2c89a8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
@@ -57,7 +57,7 @@ references:
 nist: AC-2(4),AU-2(d),AU-3,AU-3.1,AU-12(a),AU-12(c),AU-12.1(ii),AU-12.1(iv),AC-6(9),CM-6(a),MA-4(1)(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
 ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085
 stigid@ol7: OL07-00-030640
 stigid@ol8: OL08-00-030317
 stigid@rhel7: RHEL-07-030640
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index a69da6626d35..b087c7635108 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -64,7 +64,6 @@ CCE-86204-5
 CCE-86206-0
 CCE-86207-8
 CCE-86209-4
-CCE-86210-2
 CCE-86211-0
 CCE-86212-8
 CCE-86213-6
@@ -383,7 +382,6 @@ CCE-86672-3
 CCE-86673-1
 CCE-86674-9
 CCE-86675-6
-CCE-86676-4
 CCE-86677-2
 CCE-86684-8
 CCE-86685-5
@@ -512,7 +510,6 @@ CCE-86854-7
 CCE-86855-4
 CCE-86856-2
 CCE-86857-0
-CCE-86859-6
 CCE-86861-2
 CCE-86862-0
 CCE-86863-8
@@ -642,7 +639,6 @@ CCE-87019-6
 CCE-87020-4
 CCE-87021-2
 CCE-87022-0
-CCE-87024-6
 CCE-87025-3
 CCE-87026-1
 CCE-87027-9
@@ -771,7 +767,6 @@ CCE-87177-2
 CCE-87178-0
 CCE-87179-8
 CCE-87182-2
-CCE-87183-0
 CCE-87184-8
 CCE-87185-5
 CCE-87186-3
@@ -983,7 +978,6 @@ CCE-87421-4
 CCE-87422-2
 CCE-87423-0
 CCE-87424-8
-CCE-87425-5
 CCE-87426-3
 CCE-87427-1
 CCE-87428-9
@@ -3604,7 +3598,6 @@ CCE-90352-6
 CCE-90353-4
 CCE-90354-2
 CCE-90355-9
-CCE-90356-7
 CCE-90358-3
 CCE-90359-1
 CCE-90360-9
@@ -3694,7 +3687,6 @@ CCE-90447-4
 CCE-90448-2
 CCE-90449-0
 CCE-90450-8
-CCE-90451-6
 CCE-90452-4
 CCE-90453-2
 CCE-90454-0
@@ -3783,7 +3775,6 @@ CCE-90539-8
 CCE-90540-6
 CCE-90541-4
 CCE-90543-0
-CCE-90544-8
 CCE-90545-5
 CCE-90546-3
 CCE-90547-1
@@ -3828,7 +3819,6 @@ CCE-90594-3
 CCE-90595-0
 CCE-90597-6
 CCE-90598-4
-CCE-90599-2
 CCE-90600-8
 CCE-90601-6
 CCE-90602-4
@@ -3945,7 +3935,6 @@ CCE-90735-2
 CCE-90737-8
 CCE-90738-6
 CCE-90739-4
-CCE-90740-2
 CCE-90741-0
 CCE-90742-8
 CCE-90743-6