ComplianceAsCode · lenox-joseph · Mar 7, 2022 · Feb 18, 2022 · Mar 7, 2022 · Mar 9, 2022
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
@@ -85,6 +85,14 @@
 
     -   **path** - the path of the privileged command - eg.
         `/usr/bin/mount`
+    -   **skip_action** - Control the configuration of `auditd` rules.
+        Can be "true" or "false".
+        When "true", the snippet of the rule `-a always,exit` is not used.
+    -   **watch** - Control the configuration of the `auditd` rules.
+        Can be "true" or "false".
+        When "true", the filter string `-w xxx` is used.
+        When "false", the filter string `-F path=xxx` is used.
+        Defaults to "false".
 
 -   Languages: Ansible, Bash, OVAL, Kubernetes
 

diff --git a/...x_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml b/...x_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml
@@ -31,7 +31,7 @@
 
   <ind:textfilecontent54_object id="obj_sshd_use_approved_ciphers_ordered_stig" version="1">
     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+(?=[\w]+)(aes256-ctr(?=[\w,]+|$),?)?(aes192-ctr(?=[\w,]+|$),?)?(aes128-ctr)?[\s]*(?:#.*)?$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+(?=\w)(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 if grep -q "^Ciphers" /etc/ssh/sshd_config; then
-	sed -i "s/^Ciphers.*/# ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
+	sed -i "s/^Ciphers.*/# Ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
 else
-	echo "# ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
+	echo "# Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
 fi
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 if grep -q "^Ciphers" /etc/ssh/sshd_config; then
-	sed -i "s/^Ciphers.*/ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
+	sed -i "s/^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
 else
-	echo 'ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
+	echo 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
 fi
@@ -3,5 +3,5 @@
 if grep -q "^Ciphers" /etc/ssh/sshd_config; then
 	sed -i "s/^Ciphers.*/ Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config
 else
-	echo " Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
+	echo "Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
 fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
@@ -31,7 +31,7 @@
 
   <ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=\w)(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 

@@ -3,5 +3,5 @@
 if grep -q "^MACs" /etc/ssh/sshd_config; then
 	sed -i "s/^MACs.*/# MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config
 else
-	echo "# ciphers MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
+	echo "# MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
 fi
diff --git a/...s/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/ansible/shared.yml b/...s/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/ansible/shared.yml
@@ -0,0 +1,51 @@
+# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ol
+# reboot = false
+# complexity = low
+# disruption = low
+# strategy = configure
+
+# What architecture are we on?
+
+- name: Set architecture for audit finit_module tasks
+  set_fact:
+    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
+
+- name: Perform remediation of Audit rules for finit_module for x86 platform
+  block:
+    {{{ ansible_audit_augenrules_add_syscall_rule(
+      action_arch_filters="-a always,exit -F arch=b32",
+      other_filters="",
+      auid_filters="",
+      syscalls=["create_module"],
+      key="module-change",
+      syscall_grouping=[],
+      )|indent(4) }}}
+    {{{ ansible_audit_auditctl_add_syscall_rule(
+      action_arch_filters="-a always,exit -F arch=b32",
+      other_filters="",
+      auid_filters="",
+      syscalls=["create_module"],
+      key="module-change",
+      syscall_grouping=[],
+      )|indent(4) }}}
+
+- name: Perform remediation of Audit rules for finit_module for x86_64 platform
+  block:
+    {{{ ansible_audit_augenrules_add_syscall_rule(
+      action_arch_filters="-a always,exit -F arch=b64",
+      other_filters="",
+      auid_filters="",
+      syscalls=["create_module"],
+      key="module-change",
+      syscall_grouping=[],
+      )|indent(4) }}}
+    {{{ ansible_audit_auditctl_add_syscall_rule(
+      action_arch_filters="-a always,exit -F arch=b64",
+      other_filters="",
+      auid_filters="",
+      syscalls=["create_module"],
+      key="module-change",
+      syscall_grouping=[],
+      )|indent(4) }}}
+  when: audit_arch == "b64"
+
diff --git a/...rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/bash/shared.sh b/...rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/bash/shared.sh
@@ -0,0 +1,23 @@
+# platform = multi_platform_all
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
+#       it's required on a 64-bit system to check also for the presence
+#       of 32-bit's equivalent of the corresponding rule.
+#       (See `man 7 audit.rules` for details )
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+	OTHER_FILTERS=""
+	AUID_FILTERS=""
+	SYSCALL="create_module"
+	KEY="module-change"
+	SYSCALL_GROUPING=""
+
+	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+	{{{ bash_fix_audit_syscall_rule("augenrules", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}}
+	{{{ bash_fix_audit_syscall_rule("auditctl", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}}
+done
diff --git a/...udit_kernel_module_loading/audit_rules_kernel_module_loading_create/kubernetes/shared.yml b/...udit_kernel_module_loading/audit_rules_kernel_module_loading_create/kubernetes/shared.yml
@@ -0,0 +1,15 @@
+---
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20create_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20create_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-create.rules
+        overwrite: true
diff --git a/...ules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/oval/shared.xml b/...ules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/oval/shared.xml
@@ -0,0 +1,70 @@
+<def-group>
+  <definition class="compliance" id="audit_rules_kernel_module_loading_create" version="1">
+    {{{ oval_metadata("The audit rules should be configured to log information about kernel module loading and unloading.") }}}
+
+    <criteria operator="OR">
+
+      <!-- Test the augenrules case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+        <criterion comment="audit augenrules 32-bit create_module" test_ref="test_32bit_ardm_create_module_augenrules" />
+        <criteria operator="OR">
+          <!-- System either isn't 64-bit => we just check presence of 32-bit version of create_module audit DAC rule -->
+          <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
+          <!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit version of create_module audit DAC rule -->
+          <criterion comment="audit augenrules 64-bit create_module" test_ref="test_64bit_ardm_create_module_augenrules" />
+        </criteria>
+      </criteria>
+
+      <!-- OR test the auditctl case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+        <criterion comment="audit auditctl 32-bit create_module" test_ref="test_32bit_ardm_create_module_auditctl" />
+        <criteria operator="OR">
+          <!-- System either isn't 64-bit => we just check presence of 32-bit version of the create_module audit DAC rule -->
+          <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
+          <!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit version of create_module audit DAC rule -->
+          <criterion comment="audit auditctl 64-bit create_module" test_ref="test_64bit_ardm_create_module_auditctl" />
+        </criteria>
+      </criteria>
+
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit create_module" id="test_32bit_ardm_create_module_augenrules" version="1">
+    <ind:object object_ref="object_32bit_ardm_create_module_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_32bit_ardm_create_module_augenrules" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit create_module" id="test_64bit_ardm_create_module_augenrules" version="1">
+    <ind:object object_ref="object_64bit_ardm_create_module_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_64bit_ardm_create_module_augenrules" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit create_module" id="test_32bit_ardm_create_module_auditctl" version="1">
+    <ind:object object_ref="object_32bit_ardm_create_module_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_32bit_ardm_create_module_auditctl" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit create_module" id="test_64bit_ardm_create_module_auditctl" version="1">
+    <ind:object object_ref="object_64bit_ardm_create_module_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_64bit_ardm_create_module_auditctl" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/...igure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/rule.yml b/...igure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+prodtype: rhel7
+
+title: 'Ensure auditd Collects Information on Kernel Module Unloading - create_module'
+
+description: |-
+    To capture kernel module unloading events, use following line, setting ARCH to
+    either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+    <pre>-a always,exit -F arch=<i>ARCH</i> -S create_module -F key=module-change</pre>
+
+    Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
+    to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
+
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
+    add the line to file <tt>/etc/audit/audit.rules</tt>.
+
+rationale: |-
+    The removal of kernel modules can be used to alter the behavior of
+    the kernel and potentially introduce malicious code into kernel space. It is important
+    to have an audit trail of modules that have been introduced into the kernel.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-85911-6
+
+references:
+    disa: CCI-000172
+    srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
+    stigid@rhel7: RHEL-07-030819
+
+{{{ complete_ocil_entry_audit_syscall(syscall="create_module") }}}
@@ -0,0 +1,5 @@
+#!/bin/bash
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
@@ -0,0 +1,4 @@
+---
+default_result: FAIL
+result_after_remediation: PASS
+
diff --git a/...d_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/...d_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
@@ -1,5 +1,7 @@
 {{%- if product in ["rhel8"] %}}
     {{%- set kmod_audit="-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" %}}
+{{%- elif product in ["rhel7"] %}}
+    {{%- set kmod_audit="-w /usr/bin/kmod -p x -F auid!=unset -k module-change" %}}
 {{%- elif product in ["ubuntu2004"] %}}
     {{%- set kmod_audit="-w /bin/kmod -p x -k modules" %}}
 {{%- elif product in ["ol7"] %}}
@@ -10,7 +12,7 @@
 
 documentation_complete: true
 
-prodtype: ol7,ol8,rhel8,rhel9,sle12,sle15,ubuntu2004
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
 
 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - kmod'
 
@@ -38,6 +40,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel7: CCE-85895-1
     cce@rhel8: CCE-89455-0
     cce@rhel9: CCE-90262-7
     cce@sle12: CCE-83207-1
@@ -49,6 +52,7 @@ references:
     srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
     stigid@ol7: OL07-00-030840
     stigid@ol8: OL08-00-030580
+    stigid@rhel7: RHEL-07-030840
     stigid@rhel8: RHEL-08-030580
     stigid@sle12: SLES-12-020360
     stigid@sle15: SLES-15-030410
@@ -63,3 +67,6 @@ template:
     vars:
         path: /usr/bin/kmod
         path@ubuntu2004: /bin/kmod
+        min_auid@rhel7: 0
+        skip_action@rhel7: true
+        watch@rhel7: true
@@ -221,6 +221,7 @@ selections:
     - audit_rules_privileged_commands_userhelper
     - audit_rules_privileged_commands_su
     - audit_rules_privileged_commands_sudo
+    - audit_rules_privileged_commands_kmod
     - audit_rules_sysadmin_actions
     - audit_rules_privileged_commands_newgrp
     - audit_rules_privileged_commands_chsh
@@ -234,6 +235,7 @@ selections:
     - audit_rules_kernel_module_loading_init
     - audit_rules_kernel_module_loading_finit
     - audit_rules_kernel_module_loading_delete
+    - audit_rules_kernel_module_loading_create
     - audit_rules_usergroup_modification_passwd
     - audit_rules_file_deletion_events_rename
     - audit_rules_file_deletion_events_renameat

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -1,7 +1,6 @@
 CCE-85891-0
 CCE-85892-8
 CCE-85893-6
-CCE-85895-1
 CCE-85898-5
 CCE-85901-7
 CCE-85905-8

diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template
@@ -1,5 +1,22 @@
 {{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}}
   {{%- set perm_x=" -F perm=x" %}}
+{{%- elif product in ["rhel7"] %}}
+  {{%- set perm_x=" -p x" %}}
+{{%- endif %}}
+{{%- if WATCH %}}
+{{%- set path_term="-w "~PATH %}}
+{{% else %}}
+{{%- set path_term="-F path="~PATH %}}
+{{%- endif %}}
+{{%- if MIN_AUID > 0 %}}
+{{%- set auid_filter="-F auid>="~auid~" " %}}
+{{% else %}}
+{{%- set auid_filter="" %}}
+{{%- endif %}}
+{{%- if not SKIP_ACTION %}}
+{{%- set arch_filter="-a always,exit" %}}
+{{% else %}}
+{{%- set arch_filter="" %}}
 {{%- endif %}}
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
 # reboot = false
@@ -10,17 +27,17 @@
 - name: Perform remediation of Audit rules for {{{ PATH }}}
   block:
     {{{ ansible_audit_augenrules_add_syscall_rule(
-      action_arch_filters="-a always,exit",
-      other_filters="-F path="~PATH~perm_x,
-      auid_filters="-F auid>="~auid~" -F auid!=unset",
+      action_arch_filters=arch_filter,
+      other_filters=path_term~perm_x,
+      auid_filters=auid_filter~"-F auid!=unset",
       syscalls=SYSCALL,
       key="privileged",
       syscall_grouping=SYSCALL_GROUPING,
       )|indent(4) }}}
     {{{ ansible_audit_auditctl_add_syscall_rule(
-      action_arch_filters="-a always,exit",
-      other_filters="-F path="~PATH~perm_x,
-      auid_filters="-F auid>="~auid~" -F auid!=unset",
+      action_arch_filters=arch_filter,
+      other_filters=path_term~perm_x,
+      auid_filters=auid_filter~"-F auid!=unset",
       syscalls=SYSCALL,
       key="privileged",
       syscall_grouping=SYSCALL_GROUPING,