RHCOS4 STIG: Cover the controls that correspond to the AU control family

[jhrozek]

Description:

• This is a largish PR, but it covers all the controls in the STIG draft
  that correspond to any of the NIST AU controls

Rationale:

• RHCOS4 STIG

Review Hints:

• Make sure that the RHCOS4 STIG CI run passes. I tried to add test stanzas to all the rules.
• Make sure that the rules correspond to the STIG DRAFT. I recommend making a copy and then filtering the first column on anything that contains AU.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[jhrozek]

/test e2e-aws-rhcos4-stig

[jhrozek]

/test e2e-aws-ocp4-stig

[jhrozek]

/test e2e-aws-ocp4-stig-node

[jhrozek]

direct link to e2e test log: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/ComplianceAsCode_content/10732/pull-ci-ComplianceAsCode-content-master-e2e-aws-rhcos4-stig/1671091732978077696/artifacts/e2e-aws-rhcos4-stig/test/build-log.txt

[jhrozek]

/test e2e-aws-rhcos4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-ocp4-stig

[jhrozek]

rebased on master to get a clean e2e test run

[yuumasato]

Also, none of the rules included in the controls had their srgs updated.

But as we are considering changing the approach to set references from control files, I think we can waive this aspect.

[jhrozek]

@yuumasato thank you for the careful review. New patches are attached, feel free to ask additional questions, I wasn't sure if I answered them correctly

[yuumasato]

/test e2e-aws-rhcos4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-ocp4-stig

[jhrozek]

Hmm I should fix these I think:

    helpers.go:808: Result - Name: e2e-stig-master-audit-access-failed - Status: FAIL - Severity: medium
    helpers.go:815: E2E-FAILURE: The expected result for the audit_access_failed rule didn't match. Expected 'PASS', Got 'FAIL'
    helpers.go:808: Result - Name: e2e-stig-master-audit-create-failed - Status: FAIL - Severity: medium
    helpers.go:815: E2E-FAILURE: The expected result for the audit_create_failed rule didn't match. Expected 'PASS', Got 'FAIL'

[yuumasato]

@jhrozek I think what is missing is the openat2 syscall in the remediation.
Edit: at least in audit_access_failed

[yuumasato]

And I think audit_create_failed is failing because of this comment:
## /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules

[jhrozek]

@yuumasato thanks, I fixed both, ended up reworking them because the hand-written urlencoded string was getting on my nerves :-)

[jhrozek]

/test e2e-aws-rhcos4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-ocp4-stig

[codeclimate]

Code Climate has analyzed commit ed4ee93 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.2% (0.0% change).

View more on Code Climate.

[yuumasato]

Thank you, Jakub!