
Fix audit_rules_privileged_commands_kmod rule in RHEL7 #9477

Merged
merged 2 commits into from
Sep 7, 2022

Conversation

ggbecker
Member

@ggbecker ggbecker commented Sep 5, 2022

Description:

  • Fix audit_rules_privileged_commands_kmod rule in RHEL7.
    • Address minor issues in the rule and similar templates, for example the
      \w+ doesn't accept the hyphen character which could be a problem when
      the key is "module-change" for example, with the \S+ it should correctly
      match the whole line. A couple of test scenarios were added for this
      rule as well.

Rationale:

Address minor issues in the rule and similar templates, for example the
\w+ doesn't accept the hyphen character which could be a problem when
the key is "module-change" for example, with the \S+ it should correctly
match the whole line. A couple of test scenarios were added for this
rule as well.
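To illustrate the `\w+` versus `\S+` difference described in the PR, here is an added example that is not code from the PR or from the ComplianceAsCode project: the surrounding pattern is a hypothetical simplification of the privileged-command template, and the sample rule lines are constructed.

```python
import re

# Constructed sample audit rules for /usr/bin/kmod (not taken from the project).
# The second and third lines use the hyphenated key that \w+ cannot match.
SAMPLE_RULES = [
    "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules",
    "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k module-change",
    "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=module-change",
]

OLD_KEY_CLASS = r"\w+"  # letters, digits and underscore only: no hyphen
NEW_KEY_CLASS = r"\S+"  # any run of non-whitespace, so "module-change" is accepted


def rule_pattern(key_class: str) -> re.Pattern:
    """Whole-line pattern for the kmod privileged-command rule (hypothetical
    simplification of the template); key_class is the sub-pattern for the key."""
    return re.compile(
        r"^-a\s+always,exit\s+-F\s+path=/usr/bin/kmod\s+-F\s+perm=x"
        r"\s+-F\s+auid>=1000\s+-F\s+auid!=(?:unset|4294967295)"
        r"\s+(?:-k\s+|-F\s+key=)(" + key_class + r")\s*$"
    )


def matched_key(line: str, key_class: str):
    """Return the captured key when the whole line matches, else None."""
    m = rule_pattern(key_class).match(line)
    return m.group(1) if m else None


def lines_fixed_by_new_pattern(lines):
    """Lines that the old \\w+ pattern rejects but the new \\S+ pattern accepts."""
    return [
        line for line in lines
        if matched_key(line, OLD_KEY_CLASS) is None
        and matched_key(line, NEW_KEY_CLASS) is not None
    ]


if __name__ == "__main__":
    for line in SAMPLE_RULES:
        print(repr(matched_key(line, OLD_KEY_CLASS)), repr(matched_key(line, NEW_KEY_CLASS)))
```

With `\w+` the second and third lines fail the whole-line match at the hyphen, so a compliant system would be reported as failing; with `\S+` the full key is captured.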
@ggbecker ggbecker added bugfix Fixes to reported bugs. OVAL OVAL update. Related to the systems assessments. labels Sep 5, 2022
@ggbecker ggbecker added this to the 0.1.64 milestone Sep 5, 2022

@jan-cerny jan-cerny changed the title Fix audit_rules_privileged_commands_kmod rule in RHEL7. Fix audit_rules_privileged_commands_kmod rule in RHEL7 Sep 6, 2022
@jan-cerny jan-cerny self-assigned this Sep 6, 2022
@jan-cerny
Collaborator

@ggbecker The changes look good to me.

But, I have noticed some weird error during the Ansible remediation on RHEL7. This causes the AutoMatus tests to fail when the --remediate-using ansible option is used. But it doesn't happen on RHEL 9. Could you take a look at it when you are in it?

[jcerny@thinkpad scap-security-guide{pr/9477}]$ python3 tests/automatus.py rule --remediate-using ansible --libvirt qemu:///system ssgts_rhel7 audit_rules_privileged_commands_kmod
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2022-09-06-1028/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
ERROR - Ansible playbook remediation run has exited with return code 2 instead of expected 0
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod'.

the logs in audit_rules_privileged_commands_kmod-wrong_value.fail.sh-remediation.verbose.log contain this:

TASK [Restart auditd.service] ********************************************************************************************
fatal: [192.168.122.160]: FAILED! => {"changed": false, "msg": "Unable to restart service auditd.service: Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).\nSee system logs and 'systemctl status auditd.service' for details.\n"}

@vojtapolasek
Collaborator

Agree with @jan-cerny. I am actually looking into the same thing. The problem is the task which restarts Audit. It won't work:
https://access.redhat.com/solutions/2664811
I suggest removing this task - we do not restart Audit in any remediations.

@jan-cerny
Collaborator

> I suggest removing this task - we do not restart Audit in any remediations.

The restart is probably based on this text in fixtext:

> The audit daemon must be restarted for the changes to take effect.

@ggbecker
Member Author

ggbecker commented Sep 6, 2022

I've updated the PR with a different approach to reload the audit service which was being used in a different place as well.

35b70d1

@github-actions

github-actions bot commented Sep 6, 2022

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs:
--- old datastream
+++ new datastream
@@ -142,8 +142,8 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Reload Auditd
- command: /usr/sbin/service auditd reload
+- name: Restart Auditd
+ command: /usr/sbin/service auditd restart
 args:
 warn: false
 when:
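Review bot: the hunk swaps `/usr/sbin/service auditd reload` for `/usr/sbin/service auditd restart` in a task that the diff reports under audit_rules_suid_privilege_function, so the behaviour change reaches every rule sharing this task, not only audit_rules_privileged_commands_kmod; the PR description should say so. Keep `args: warn: false`: it silences Ansible's suggestion to use the `service` module, and going through the init script with `command` is the point here, since the earlier comment shows the systemd unit refusing a manual restart on RHEL 7. The condition after `when:` is outside the context window; confirm it was left unchanged.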

@codeclimate

codeclimate bot commented Sep 6, 2022

Code Climate has analyzed commit 35b70d1 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 40.4% (0.0% change).

View more on Code Climate.

@openshift-ci

openshift-ci bot commented Sep 6, 2022

@ggbecker: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ocp4-cis-node 35b70d1 link true /test e2e-aws-ocp4-cis-node
ci/prow/e2e-aws-ocp4-pci-dss 35b70d1 link true /test e2e-aws-ocp4-pci-dss
ci/prow/e2e-aws-ocp4-moderate 35b70d1 link true /test e2e-aws-ocp4-moderate
ci/prow/e2e-aws-ocp4-cis 35b70d1 link true /test e2e-aws-ocp4-cis
ci/prow/e2e-aws-rhcos4-high 35b70d1 link true /test e2e-aws-rhcos4-high
ci/prow/e2e-aws-rhcos4-moderate 35b70d1 link true /test e2e-aws-rhcos4-moderate



@jan-cerny jan-cerny left a comment


It has fixed the problems with running test scenarios on RHEL 7 now, and it also fixed RHEL 9.

@jan-cerny jan-cerny merged commit ccbf1bd into ComplianceAsCode:master Sep 7, 2022
Labels
bugfix Fixes to reported bugs. OVAL OVAL update. Related to the systems assessments.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Rule audit_rules_privileged_commands_kmod fails after remediation and reboot
3 participants