Allow audit syscall rules remediations to group the syscalls #7329
Skipping CI for Draft Pull Request.
Given the '-F auid=0' changes in #6910, I'm considering bringing the input to the Bash template directly to the 'rule.yml'.
I think I'll rebase this PR on top of #6910 to take advantage of the rule selections in the profile.
Hello @yuumasato! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found: There are currently no PEP 8 issues detected in this Pull Request. Cheers! 🍻 Comment last updated at 2021-08-19 13:36:08 UTC
The function actually separated the syscalls into individual lines.
* Improve and extend rule skeleton matching with more explicit rule options for action, arch, auid and other filters.
* Make explicit the syscalls that can be grouped through the 'syscall_groupings' parameter.
* Make the key to use more explicit, instead of implicit through 'group'.
The ";F" was not a typo! Hopefully this makes the function of '-e "F"' more explicit.
When syscall is not set, just don't add the -S parameter. The audit privileged commands use the fix_audit_syscall_rule despite not adding a -S syscall. The same situation happens for directory_access_var_log_audit.
Some rules deal single-handedly with multiple profiles. These rules expect to use the fix_audit_syscall_rule to add a rule with multiple syscalls at a time.
Enhance the bash function to nicely handle calls without auid filters defined. And update the remediations of rules calling fix_audit_syscall_rule to the new parameters.
The OVAL check was also updated to accept the key as a Field parameter.
Update rules audit_rules_time_clock_settime and bash shared remediation perform_audit_adjtimex_settimeofday_stime_remediation to group their syscalls.
I think the Bash remediations are in good shape and good for review.
The macros now group the syscall rule according to the grouping argument. The Ansible macros follow the same argument pattern as the Bash remediations (soon to become macros).
Use Ansible macro ansible_audit_augenrules_add_syscall_rule and ansible_audit_auditctl_add_syscall_rule that group the syscalls according to defined grouping.
The Ansible macros for audit syscall rules should check the target syscall and the groupable syscalls during the 'find' task. When 'syscall_grouping' was empty, the remediation would simply execute the 'Add a new rule' task. If the key was different, a new duplicate rule would be added. Also remove the extra syscalls declaration task.
Any chance this could be added to the kubernetes templates as well?
@yuumasato some of them are using straight up MachineConfigs... while we could now replace those entries with jinja to show the actual audit rule. I could help with that if you want.
Do you mean to add the grouping capability to the kubernetes remediations?
@JAORMX You mean with
When running a playbook profile, they were accumulating over the entire run.
@yuumasato and I talked, and there's nothing to do for the kubernetes remediations as of now.
Otherwise the rule will be added with two spaces between other_filters and auid_filters.
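The grouping behaviour described in the fix_audit_syscall_rule commit messages above (skeleton matching on action, arch, filters and key; grouping a syscall into an existing rule; omitting -S when no syscall is given), the key and grouping checks the Ansible 'find' task is expected to make, and the double-space problem in the commit message just above, as one added shell example. This is not ComplianceAsCode's fix_audit_syscall_rule or one of its Ansible macros: the function names, the argument order, the constructed sample rules file and the "present/grouped/added" results are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the project's fix_audit_syscall_rule): group a syscall into an
# existing audit rule that has the same action, arch, filters and key, or add a new rule.
# Rule lines are expected in "-S name" form (one syscall per -S), as the sample uses.

# Constructed sample rules file; nothing under /etc/audit is touched.
make_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
-a always,exit -F arch=b64 -S rename -S unlink -F auid>=1000 -F auid!=unset -k delete
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
-w /etc/audit/ -p wa -k audit_rules
EOF
    printf '%s\n' "$f"
}

# build_rule ACTION ARCH "SYSCALLS" OTHER_FILTERS AUID_FILTERS KEY
# Each part is appended only when non-empty, so an empty AUID_FILTERS or an unset
# syscall never yields a bare "-S" or a doubled space in the rule.
build_rule() {
    rule="-a $1"
    if [ -n "$2" ]; then rule="$rule -F arch=$2"; fi
    for s in $3; do rule="$rule -S $s"; done
    if [ -n "$4" ]; then rule="$rule $4"; fi
    if [ -n "$5" ]; then rule="$rule $5"; fi
    if [ -n "$6" ]; then rule="$rule -k $6"; fi
    printf '%s\n' "$rule"
}

# line_syscalls LINE: print the syscalls given with -S in one rule line
line_syscalls() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk 'prev == "-S" { print } { prev = $0 }'
}

# line_matches_skeleton LINE ACTION ARCH OTHER_FILTERS AUID_FILTERS KEY
# Succeeds when the line carries the same rule skeleton (key given as -k or -F key=);
# the syscalls themselves are compared by the caller.
line_matches_skeleton() {
    padded=" $1 "
    case "$1" in "-a $2 "*) ;; *) return 1 ;; esac
    if [ -n "$3" ]; then case "$padded" in *" -F arch=$3 "*) ;; *) return 1 ;; esac; fi
    if [ -n "$4" ]; then case "$padded" in *" $4 "*) ;; *) return 1 ;; esac; fi
    if [ -n "$5" ]; then case "$padded" in *" $5 "*) ;; *) return 1 ;; esac; fi
    if [ -n "$6" ]; then
        case "$padded" in *" -k $6 "*|*" -F key=$6 "*) ;; *) return 1 ;; esac
    fi
    return 0
}

# add_syscall_rule FILE ACTION ARCH SYSCALL "SYSCALL_GROUPING" OTHER_FILTERS AUID_FILTERS KEY
# Prints "present" (nothing to do), "grouped" (SYSCALL appended to a rule that already
# holds one of SYSCALL_GROUPING) or "added" (a new rule line was written).
add_syscall_rule() {
    file=$1; action=$2; arch=$3; syscall=$4; grouping=$5; other=$6; auid=$7; key=$8
    n=0; group_line=""
    while IFS= read -r line; do
        n=$((n + 1))
        line_matches_skeleton "$line" "$action" "$arch" "$other" "$auid" "$key" || continue
        # No -S to manage (privileged-command style rules): the skeleton is the whole rule.
        if [ -z "$syscall" ]; then echo present; return 0; fi
        for s in $(line_syscalls "$line"); do
            if [ "$s" = "$syscall" ]; then echo present; return 0; fi
            for g in $grouping; do
                if [ "$s" = "$g" ] && [ -z "$group_line" ]; then group_line=$n; fi
            done
        done
    done < "$file"
    if [ -n "$group_line" ]; then
        # Insert the new -S right after the rule's last -S entry, leaving its filters untouched.
        awk -v n="$group_line" -v sc="$syscall" 'NR == n {
            last = 0
            for (i = 1; i <= NF; i++) if ($i == "-S") last = i + 1
            out = ""
            for (i = 1; i <= NF; i++) {
                out = out (i > 1 ? " " : "") $i
                if (i == last) out = out " -S " sc
            }
            $0 = out
        } { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
        echo grouped; return 0
    fi
    build_rule "$action" "$arch" "$syscall" "$other" "$auid" "$key" >> "$file"
    echo added
}

# Demo on a throwaway file: group, group under a -F key= rule, add with a different key,
# and add a privileged-command style rule without any -S.
RULES=$(make_sample_rules)
add_syscall_rule "$RULES" always,exit b64 unlinkat "rename unlink unlinkat renameat" "" "-F auid>=1000 -F auid!=unset" delete
add_syscall_rule "$RULES" always,exit b64 settimeofday "adjtimex settimeofday stime clock_settime" "" "" audit_time_rules
add_syscall_rule "$RULES" always,exit b64 chmod "chmod fchmod fchmodat" "" "-F auid>=1000 -F auid!=unset" perm_mod
add_syscall_rule "$RULES" always,exit "" "" "" "-F path=/usr/bin/sudo -F perm=x" "-F auid>=1000 -F auid!=unset" privileged
cat "$RULES"; rm -f "$RULES"
```

The skeleton match deliberately includes the key: a rule with the same syscalls but a different key is not a candidate for grouping, so a new line is added rather than silently merging two rule sets that auditors expect to see under separate keys.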
LGTM. Thank you for these changes. It was a really nice improvement to the project.
Variables should have spaces before and after.
Description:
action, list, arch, auid and other filters.
syscall_groupings parameter.
syscall_groupings is empty, it will always add a new rule if not found.
Add tests for fix_audit_syscall_rule
I think the unit tests are not suited for this function. The function directly edits the rule files in /etc/audit and would be better run on a VM. If we will need a VM anyway, I'd rather check and improve the test scenarios if needed.
Rationale: