SRG-APP-000029-CTR-000085: Audit execution of all setuid and setgid binaries on RHCOS4
jhrozek committed Jul 11, 2023
1 parent 3918d1b commit e02b81d
Showing 52 changed files with 1,074 additions and 37 deletions.
13 changes: 13 additions & 0 deletions components/audit.yml
@@ -134,22 +134,33 @@ rules:
- audit_rules_privileged_commands_chfn
- audit_rules_privileged_commands_chsh
- audit_rules_privileged_commands_crontab
- audit_rules_privileged_commands_dbus_daemon_launch_helper
- audit_rules_privileged_commands_fdisk
- audit_rules_privileged_commands_fusermount
- audit_rules_privileged_commands_fusermount3
- audit_rules_privileged_commands_gpasswd
- audit_rules_privileged_commands_grub2_set_bootflag
- audit_rules_privileged_commands_insmod
- audit_rules_privileged_commands_kmod
- audit_rules_privileged_commands_modprobe
- audit_rules_privileged_commands_mount
- audit_rules_privileged_commands_mount_nfs
- audit_rules_privileged_commands_newgidmap
- audit_rules_privileged_commands_newgrp
- audit_rules_privileged_commands_newuidmap
- audit_rules_privileged_commands_pam_timestamp_check
- audit_rules_privileged_commands_passmass
- audit_rules_privileged_commands_passwd
- audit_rules_privileged_commands_pkexec
- audit_rules_privileged_commands_polkit_helper
- audit_rules_privileged_commands_postdrop
- audit_rules_privileged_commands_postqueue
- audit_rules_privileged_commands_pt_chown
- audit_rules_privileged_commands_rmmod
- audit_rules_privileged_commands_sssd_krb5_child
- audit_rules_privileged_commands_sssd_ldap_child
- audit_rules_privileged_commands_sssd_proxy_child
- audit_rules_privileged_commands_sssd_selinux_child
- audit_rules_privileged_commands_ssh_agent
- audit_rules_privileged_commands_ssh_keysign
- audit_rules_privileged_commands_su
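Review bot: the four sssd_* entries (sssd_krb5_child, sssd_ldap_child, sssd_proxy_child, sssd_selinux_child) are inserted ahead of audit_rules_privileged_commands_ssh_agent and ssh_keysign, which breaks the alphabetical order the rest of this list keeps ("ssh" sorts before "sssd"). Move them to sit between ssh_keysign and su so the next change to this list does not produce a spurious merge conflict.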
@@ -162,6 +173,8 @@ rules:
- audit_rules_privileged_commands_userhelper
- audit_rules_privileged_commands_usermod
- audit_rules_privileged_commands_usernetctl
- audit_rules_privileged_commands_utempter
- audit_rules_privileged_commands_write
- audit_rules_session_events
- audit_rules_session_events_btmp
- audit_rules_session_events_utmp
33 changes: 27 additions & 6 deletions controls/srg_ctr/SRG-APP-000029-CTR-000085.yml
@@ -7,9 +7,30 @@ controls:
- idp_is_configured
- ocp_idp_no_htpasswd
- kubeadmin_removed
status: not applicable
status_justification: |-
Not Applicable. Applicable to Identity Management Provider and not
OCP. Only configurable check is to ensure OCP is configured for an
IDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider
admins that the IdM meets the requirements.
rules:
- audit_rules_privileged_commands_chage
- audit_rules_privileged_commands_dbus_daemon_launch_helper
- audit_rules_privileged_commands_fusermount
- audit_rules_privileged_commands_fusermount3
- audit_rules_privileged_commands_gpasswd
- audit_rules_privileged_commands_grub2_set_bootflag
- audit_rules_privileged_commands_mount
- audit_rules_privileged_commands_mount_nfs
- audit_rules_privileged_commands_newgrp
- audit_rules_privileged_commands_passwd
- audit_rules_privileged_commands_pkexec
- audit_rules_privileged_commands_sssd_krb5_child
- audit_rules_privileged_commands_sssd_ldap_child
- audit_rules_privileged_commands_sssd_proxy_child
- audit_rules_privileged_commands_sssd_selinux_child
- audit_rules_privileged_commands_ssh_keysign
- audit_rules_privileged_commands_su
- audit_rules_privileged_commands_sudo
- audit_rules_privileged_commands_umount
- audit_rules_privileged_commands_utempter
- audit_rules_privileged_commands_polkit_helper
- audit_rules_privileged_commands_pam_timestamp_check
- audit_rules_privileged_commands_unix_chkpwd
- audit_rules_privileged_commands_write
status: automated
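Review bot: a new `rules:` key is introduced directly below the three entries kept as context (idp_is_configured, ocp_idp_no_htpasswd, kubeadmin_removed). If those three hang off an existing `rules:` key above this hunk, the control mapping now carries the key twice and the YAML loader keeps only the second list, silently dropping the three identity-provider rules from the control. Please confirm the key above the context lines is a different one, or merge the two lists into a single `rules:` block. Minor: the new list is unsorted (sssd_* before ssh_keysign; polkit_helper, pam_timestamp_check, unix_chkpwd and write appended after utempter), unlike the component list this commit also edits.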

@@ -1,4 +1,4 @@
{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
{{%- set perm_x="-F perm=x " %}}
{{%- endif %}}
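Review bot: the product list that gates perm_x is repeated verbatim in every new rule.yml added by this commit and edited in the other existing rule it touches, so enabling a product means editing each file. A style point only, but consider lifting the list into a shared Jinja variable or macro so an addition like rhcos4 here is a single edit.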

@@ -57,7 +57,7 @@ references:
nerc-cip: CIP-004-6 R2.2.2,CIP-004-6 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3
nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085
stigid@ol7: OL07-00-030660
stigid@ol8: OL08-00-030250
stigid@rhel7: RHEL-07-030660
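Review bot: adding rhcos4 to the perm_x gate and appending SRG-APP-000029-CTR-000085 to the srg references does not by itself make this rule part of the rhcos4 build. The rule's prodtype line lies outside both hunks, so please confirm it already lists rhcos4 (the new rules in this commit set `prodtype: rhcos4` explicitly); otherwise the control selects a rule the product never builds.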
@@ -0,0 +1,27 @@
srg_requirement: |-
{{{ full_name }}} must audit all uses of the /usr/libexec/dbus-1/dbus-daemon-launch-helper command.
vuldiscussion: |-
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
checktext: |-
Verify that {{{ full_name }}} is configured to audit the execution of the "/usr/libexec/dbus-1/dbus-daemon-launch-helper" command with the following command:
$ sudo auditctl -l | grep /usr/libexec/dbus-1/dbus-daemon-launch-helper
-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=unset -k privileged
If the command does not return a line, or the line is commented out, this is a finding.
fixtext: |-
Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "polkit-agent-helper" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F path= /usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=unset -k privileged
The audit daemon must be restarted for the changes to take effect.
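Review bot: the fixtext tells the reader to audit the "polkit-agent-helper" command, while the srg_requirement, checktext and the rule itself are about /usr/libexec/dbus-1/dbus-daemon-launch-helper; fix the name. The rule line quoted in the fixtext also has a space after `path=` (`-F path= /usr/libexec/...`), which auditctl will not accept as a path filter; the checktext line above has the correct form, `-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=unset -k privileged`, so copy that.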
@@ -0,0 +1,48 @@
{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
{{%- set perm_x="-F perm=x " %}}
{{%- endif %}}

documentation_complete: true

prodtype: rhcos4

title: 'Ensure auditd Collects Information on the Use of Privileged Commands - dbus helper'

description: |-
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the <tt>auditd</tt> daemon is
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
<pre>-a always,exit -F path= /usr/libexec/dbus-1/dbus-daemon-launch-helper-1 {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
<pre>-a always,exit -F path= /usr/libexec/dbus-1/dbus-daemon-launch-helper-1 {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
<br /><br />
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
severity: medium

identifiers:
cce@rhcos4: CCE-87183-0

references:
srg: SRG-APP-000029-CTR-000085

{{{ ocil_fix_srg_privileged_command("/usr/libexec/dbus-1/dbus-daemon-launch-helper-1") }}}

template:
name: audit_rules_privileged_commands
vars:
path: /usr/libexec/dbus-1/dbus-daemon-launch-helper-1
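Review bot: the path used in the description, the ocil macro call and the template `path:` var ends in `-1` (`/usr/libexec/dbus-1/dbus-daemon-launch-helper-1`), which does not match the binary named in this commit's own srg_requirement and checktext (`/usr/libexec/dbus-1/dbus-daemon-launch-helper`). As written, the generated check looks for an audit rule on a path the checktext never mentions, and the remediation would add a rule for that path rather than for the helper; drop the suffix in all four places. The two <pre> lines also carry a stray space after `path=`. Separately, the ocil macro here receives a full path whereas the fusermount and fusermount3 rules pass a bare command name; pick one convention.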
@@ -0,0 +1,3 @@
---
default_result: FAIL
result_after_remediation: PASS
@@ -0,0 +1,27 @@
srg_requirement: |-
{{{ full_name }}} must audit all uses of the fusermount command.
vuldiscussion: |-
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
checktext: |-
Verify that {{{ full_name }}} is configured to audit the execution of the "fusermount" command with the following command:
$ sudo auditctl -l | grep fusermount
-a always,exit -F path=/usr/bin/fusermount -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-fusermount
If the command does not return a line, or the line is commented out, this is a finding.
fixtext: |-
Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "fusermount" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F path=/usr/bin/fusermount -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-fusermount
The audit daemon must be restarted for the changes to take effect.
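Review bot: checktext and fixtext contain `auid&gt;=1000`, the HTML entity copied from the rule.yml description, but these fields are emitted as plain text, so the rendered requirement will literally read `&gt;`; the dbus helper file in this same commit correctly uses `auid>=1000`. The key documented here is also `privileged-fusermount`, whereas the description in this command's rule.yml documents `-F key=privileged`; an assessor comparing `auditctl -l` output against the documented line will see a mismatch even after remediation, so align the two. Note as well that `grep fusermount` also matches the fusermount3 rule, which is harmless but worth a word in the text.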
@@ -0,0 +1,48 @@
{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
{{%- set perm_x="-F perm=x " %}}
{{%- endif %}}

documentation_complete: true

prodtype: rhcos4

title: 'Ensure auditd Collects Information on the Use of Privileged Commands - fusermount'

description: |-
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the <tt>auditd</tt> daemon is
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
<pre>-a always,exit -F path=/usr/bin/fusermount {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
<pre>-a always,exit -F path=/usr/bin/fusermount {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
<br /><br />
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
severity: medium

identifiers:
cce@rhcos4: CCE-86210-2

references:
srg: SRG-APP-000029-CTR-000085

{{{ ocil_fix_srg_privileged_command("fusermount") }}}

template:
name: audit_rules_privileged_commands
vars:
path: /usr/bin/fusermount
@@ -0,0 +1,3 @@
---
default_result: FAIL
result_after_remediation: PASS
@@ -0,0 +1,27 @@
srg_requirement: |-
{{{ full_name }}} must audit all uses of the fusermount3 command.
vuldiscussion: |-
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
checktext: |-
Verify that {{{ full_name }}} is configured to audit the execution of the "fusermount3" command with the following command:
$ sudo auditctl -l | grep fusermount3
-a always,exit -F path=/usr/bin/fusermount3 -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-fusermount3
If the command does not return a line, or the line is commented out, this is a finding.
fixtext: |-
Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "fusermount3" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F path=/usr/bin/fusermount3 -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-fusermount3
The audit daemon must be restarted for the changes to take effect.
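Review bot: the fusermount3 text carries the same two defects as the fusermount text in this commit: `auid&gt;=1000` is an HTML entity in a plain-text field, and the documented key `privileged-fusermount3` differs from the `-F key=privileged` line in this command's rule.yml description. Fix both here as well.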
@@ -0,0 +1,48 @@
{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
{{%- set perm_x="-F perm=x " %}}
{{%- endif %}}

documentation_complete: true

prodtype: rhcos4

title: 'Ensure auditd Collects Information on the Use of Privileged Commands - fusermount3'

description: |-
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the <tt>auditd</tt> daemon is
configured to use the <tt>augenrules</tt> program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
<pre>-a always,exit -F path=/usr/bin/fusermount3 {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add a line of the following
form to <tt>/etc/audit/audit.rules</tt>:
<pre>-a always,exit -F path=/usr/bin/fusermount3 {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
rationale: |-
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
<br /><br />
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
severity: medium

identifiers:
cce@rhcos4: CCE-86676-4

references:
srg: SRG-APP-000029-CTR-000085

{{{ ocil_fix_srg_privileged_command("fusermount3") }}}

template:
name: audit_rules_privileged_commands
vars:
path: /usr/bin/fusermount3
@@ -0,0 +1,3 @@
---
default_result: FAIL
result_after_remediation: PASS
@@ -1,4 +1,4 @@
{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
{{%- set perm_x="-F perm=x " %}}
{{%- endif %}}

@@ -58,7 +58,7 @@ references:
nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
ospp: FAU_GEN.1.1.c
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000029-CTR-000085
stigid@ol7: OL07-00-030650
stigid@ol8: OL08-00-030370
stigid@rhel7: RHEL-07-030650