Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow audit syscall rules remediations to group the syscalls #7329

Merged
merged 31 commits into from Aug 19, 2021
Merged

Allow audit syscall rules remediations to group the syscalls #7329

merged 31 commits into from Aug 19, 2021

Conversation

yuumasato
Copy link
Member

@yuumasato yuumasato commented Aug 4, 2021
edited

Description:

  • Improve and extend rule skeleton matching with more explicit rule options for action, list, arch, auid and other filters.
  • Make explicit the syscalls that can through the syscall_groupings parameter.
    • When syscall_groupings is empty, it will always add a new rule if not found.
  • Make they key to use more explicit, instead of implicit through 'group'.
  • Update the Ansible remediations (8af4ced)
  • Add tests for fix_audit_syscall_rule I think the unit tests are not suited for this function. The function directly edits the rule files in /etc/audit and would be better run on a VM. If will need a VM anyway, I'd rather check and improve the test scenarios if needed.
  • Improve/adapt test scenarios (I believe the current test scenarios served pretty well to find bugs).

Rationale:

  • The function actually separated the syscalls into individual lines.

@yuumasato yuumasato requested a review from ggbecker August 4, 2021 13:17
@openshift-ci
Copy link

openshift-ci bot commented Aug 4, 2021

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Aug 4, 2021
@yuumasato
Copy link
Member Author

Given the '-F auid=0` changes in #6910, I'm considering bringing the input to the Bash template directly to the 'rule.yml'.

@yuumasato
Copy link
Member Author

I think I'll rebase this PR on top of #6910 to take advantage of the rule selections in the profile.

@pep8speaks
Copy link

pep8speaks commented Aug 5, 2021
edited

Hello @yuumasato! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found:

There are currently no PEP 8 issues detected in this Pull Request. Cheers! 🍻

Comment last updated at 2021-08-19 13:36:08 UTC

@yuumasato yuumasato mentioned this pull request Aug 5, 2021
Merged
5 tasks
@yuumasato
Change fix_audit_syscall_rule to group syscalls
54a0e7e 
The function actually separated the syscalls into individual lines.
* Improve and extend rule skeleton matching with more explicit rule
  options for action, arch, auid and other filters.
* Make explicit the syscalls that can be grouped through the
  'syscall_groupings' parameter.
* Make they key to use more explicit, instead of implicit through
  'group'.
@yuumasato
Set syscall grouping for chmod rules
4c682ea
@yuumasato
Set syscall grouping for chown rules
eaaaa86
@yuumasato
Set syscall groupings for set/remove xattr rules
b1d747c
@yuumasato
Set syscall groupings for remove and delete rules
46a0879
@yuumasato
Set syscall grouping for create, open and truncate rules
121afe1
@yuumasato
Print filenames in sed command
9dd2d39 
The ";F" was not a typo!
Hopefully this makes it more explicit the function of '-e "F"'.
@yuumasato
Handle cases where the rule has no syscall
56194ca 
When syscall is not set, just don't add the -S parameter.
The audit privileged commands use the fix_audit_syscall_rule despite
not adding a -S syscall.
Same situation happens for directory_access_var_log_audit.
@yuumasato
Enhance fix_audit_syscall_rule to handle multiple syscalls
aa3b0ea 
Some rules deal with single handedly with multiple profiles.
These rules expect to use the fix_audit_syscall_rule to add a rule with
muliple syscalls at a time.
@yuumasato
Enhance fix_audit_syscall_rule to handle rules without auid
0b18f68 
Enhance the bash function to nicely handle calls without auid filters
defined.
And updated the remediations of rules calling fix_audit_syscall_rule to
the new parameters.
@yuumasato
Move suid_privileged_function to new fix_audit_sycall_rule
8c49844 
The OVAL check was also updated to accept the key as a Field parameter.
@yuumasato
Update remediarions for time syscalls rules
ed948b7 
Update rules audit_rules_time_clock_settime and bash shared
remediation perform_audit_adjtimex_settimeofday_stime_remediation
to group their syscalls.
@yuumasato yuumasato marked this pull request as ready for review August 6, 2021 09:51
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Aug 6, 2021
@yuumasato
Copy link
Member Author

I think the Bash remediations are in good shape and good for review.

This was referenced Aug 11, 2021
Closed
Closed
@yuumasato
Improve audit syscall rule macro to group syscalls
8af4ced 
The macros now group the syscall rule according to the grouping argument
The Ansible macros follow same argument pattern as the Bash remediations
(soon to become macros).
@yuumasato
Move template audit_rules_path_syscall to Ansible macro
a355d5b
@yuumasato
Move template audit_rules_dac_modification to Ansible macro
27d6432 
Use Ansible macro ansible_audit_augenrules_add_syscall_rule and
ansible_audit_auditctl_add_syscall_rule that group the syscalls
according to defined grouping.
@yuumasato
Move template audit_rules_unsuccessfull_file_modification to Ansible …
cd507f5 
…macro

Use Ansible macro ansible_audit_augenrules_add_syscall_rule and
ansible_audit_auditctl_add_syscall_rule that group the syscalls
according to defined grouping.
@yuumasato yuumasato mentioned this pull request Aug 17, 2021
Closed
@yuumasato
Fix typo in Ansible remediarion for unsuccessful_file_modification
16df697
@yuumasato
Check all relevant syscalls in Ansible macro
d761a64 
The Ansible macros for audit syscall rules should check the target
syscall and the groupable syscalls during 'find' task.

When 'syscall_grouping' was empty, the remediation would simply
execute the 'Add a new rule' task.
If the key was different, a new duplicate rule would be added.

Also removes extra syscalls declaration task.
@yuumasato
Improve task titles of audit macros and templates
2a2697e
JAORMX
JAORMX reviewed Aug 18, 2021
View reviewed changes
Copy link
Contributor

@JAORMX JAORMX left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any chance this could be added to the kubernetes templates as well?

@JAORMX
Copy link
Contributor

JAORMX commented Aug 18, 2021

@yuumasato some of them are using straight up MachineConfigs... while we could now replace those entries with jinja to show the actual audit rule. I could help with that if you want.

@ggbecker ggbecker added this to the 0.1.58 milestone Aug 18, 2021
@yuumasato
Copy link
Member Author

Any chance this could be added to the kubernetes templates as well?

Do you mean to add the grouping capability to the kubernetes remediations?
I don't know how that could be done, but we can discuss it if you have any idea.

@yuumasato some of them are using straight up MachineConfigs... while we could now replace those entries with jinja to show the actual audit rule. I could help with that if you want.

@JAORMX You mean with url_encode()?

@yuumasato
Reset the tracking of syscalls found per file
fe88dfb 
When running a playbook profile, they were accumulating over the entire
run.
@ggbecker ggbecker self-assigned this Aug 18, 2021
@JAORMX
Copy link
Contributor

JAORMX commented Aug 18, 2021

@yuumasato and I talked, and there's nothing to do for the kubernetes remediations as of now.

@openshift-ci
Copy link

openshift-ci bot commented Aug 19, 2021

@yuumasato: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Rerun command
ci/prow/e2e-aws-ocp4-moderate 34a6691 link /test e2e-aws-ocp4-moderate

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@yuumasato
Remove trailing space from perm field
181a0f9 
Otherwise the rule will be added with two spaces between other_filters
and auid_filters.
@yuumasato
Fix typos in task titles
c94454f
ggbecker
ggbecker approved these changes Aug 19, 2021
View reviewed changes
Copy link
Member

@ggbecker ggbecker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thank you for these changes. It was a really nice improvement to the project.

@yuumasato
Fix Ansible linter issue
a5e9906 
Variables should have spaces before and after
@ggbecker ggbecker merged commit 049506a into ComplianceAsCode:master Aug 19, 2021
@yuumasato yuumasato deleted the group_audit_syscalls branch August 19, 2021 14:44
@marcusburghardt marcusburghardt added RHEL8 Red Hat Enterprise Linux 8 product related. STIG STIG Benchmark related. labels Jun 23, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JAORMX JAORMX JAORMX left review comments

@ggbecker ggbecker ggbecker approved these changes

Assignees

@ggbecker ggbecker

Labels
RHEL8 Red Hat Enterprise Linux 8 product related. STIG STIG Benchmark related.
Projects
None yet
Milestone
0.1.58
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@yuumasato @pep8speaks @JAORMX @ggbecker @marcusburghardt