
Update rule in ubtu18cis_4_1_15_actions.rules.j2 #67

Merged: 2 commits, Jan 18, 2022

Conversation

@georgenalen (Contributor) commented Jan 18, 2022

Overall Review of Changes:
Original PR thanks to @hankszeto

Space needed between '-F' and auid.

This matches what UBUNTU18-CIS-Audit is expecting too.

`-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions`

vs

`-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions`

Issue Fixes:

N/A

Enhancements:

4.1.15 | L2 | Ensure system administrator command executions (sudo) are collected | Config will not be listed as unsuccessful in the Post Audit report.

How has this been tested?:

Post audit report:

```json
"successful": true,
"summary-line": "Command: auditd_sudolog_live: stdout: matches expectation: [-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F auid\u003e=1000 -F auid!=-1 -F key=actions -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F auid\u003e=1000 -F auid!=-1 -F key=actions]",
"test-type": 2,
"title": "4.1.15 | L2 | Ensure system administrator command executions (sudo) are collected | Live"
```

Signed-off-by: George Nalen georgen@mindpointgroup.com
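The defect above (a flag glued to its field, `-Fauid>=1000`) and the check that the post-audit report performs (template rule vs. what `auditctl` lists back) can both be reproduced offline. The script below is an added example, not code from this repository or from UBUNTU18-CIS-Audit. It lints each rule line for a missing space after a value-taking flag, then canonicalizes rules so the template wording can be compared with the live dump. The rewrites it applies (`-k NAME` listed as `-F key=NAME`, `auid!=4294967295` listed as `auid!=-1`, `-C euid!=uid` listed as `-C uid!=euid`, field order ignored) are assumptions taken from the live output quoted in this PR, and the report entry is constructed from the fragment above, completed into a JSON object.

```python
"""Lint auditd syscall rules for a glued flag and compare a rules template
with the rules a post-audit report says auditctl loaded.
Added example; not part of ansible-lockdown or UBUNTU18-CIS-Audit."""
import json
import re
import shlex

# Flags that take exactly one following argument in a syscall rule.
VALUE_FLAGS = {"-a", "-F", "-C", "-S", "-k"}
# field<op>value, as written after -F and -C.
FIELD_RE = re.compile(r"^([a-z0-9_]+)(!=|>=|<=|=|>|<)(.+)$")

# Rules as quoted in the PR description: the template before and after the fix.
TEMPLATE_BEFORE = [
    "-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions",
    "-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions",
]
TEMPLATE_AFTER = [
    "-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions",
    "-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions",
]
# Constructed post-audit report entry, built from the fragment in the PR
# description. The report JSON-escapes '>' as \u003e; json.loads undoes that.
REPORT = r'''{
  "successful": true,
  "summary-line": "Command: auditd_sudolog_live: stdout: matches expectation: [-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F auid\u003e=1000 -F auid!=-1 -F key=actions -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F auid\u003e=1000 -F auid!=-1 -F key=actions]",
  "test-type": 2,
  "title": "4.1.15 | L2 | Ensure system administrator command executions (sudo) are collected | Live"
}'''


def lint_rule(rule):
    """Return a list of problems in one rule line (empty when clean).

    The defect this PR fixes, '-Fauid>=1000', is a flag glued to its field;
    auditctl does not read it as '-F auid>=1000'.
    """
    problems = []
    tokens = shlex.split(rule)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUE_FLAGS:
            if i + 1 >= len(tokens) or tokens[i + 1].startswith("-"):
                problems.append(f"flag {tok} has no value")
                i += 1
            else:
                i += 2
            continue
        if tok[:2] in VALUE_FLAGS and len(tok) > 2:
            problems.append(f"missing space after {tok[:2]} in {tok!r}")
        else:
            problems.append(f"unexpected token {tok!r}")
        i += 1
    return problems


def canonicalize(rule):
    """Reduce a lint-clean rule to an order-independent set of (flag, value)
    pairs, applying the rewrites auditctl makes when listing rules back
    (assumed from the live output quoted in this PR):
      -k NAME           -> -F key=NAME
      auid!=4294967295  -> auid!=-1
      -C uid!=euid      -> -C euid!=uid   (operands of = and != sorted)
    """
    problems = lint_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    tokens = shlex.split(rule)
    parts = set()
    for flag, value in zip(tokens[0::2], tokens[1::2]):
        if flag == "-k":
            flag, value = "-F", f"key={value}"
        if flag in ("-F", "-C"):
            m = FIELD_RE.match(value)
            if m:
                name, op, rhs = m.groups()
                if rhs == "4294967295":
                    rhs = "-1"
                if flag == "-C" and op in ("=", "!=") and rhs < name:
                    name, rhs = rhs, name
                value = f"{name}{op}{rhs}"
        parts.add((flag, value))
    return frozenset(parts)


def live_rules_from_report(report_json):
    """Pull the rules auditctl listed out of a report entry's summary-line.
    Rules are concatenated inside [...]; each one starts with '-a '."""
    entry = json.loads(report_json)
    body = re.search(r"\[(.*)\]", entry["summary-line"]).group(1)
    return ["-a " + chunk.strip() for chunk in body.split("-a ") if chunk.strip()]


def template_matches_live(template_rules, report_json):
    """True when every template rule lints clean and the template and live
    rule sets are identical after canonicalization."""
    if any(lint_rule(r) for r in template_rules):
        return False
    wanted = {canonicalize(r) for r in template_rules}
    live = {canonicalize(r) for r in live_rules_from_report(report_json)}
    return wanted == live


if __name__ == "__main__":
    for rule in TEMPLATE_BEFORE:
        print(lint_rule(rule) or "clean", "<-", rule)
    print("before fix matches live:", template_matches_live(TEMPLATE_BEFORE, REPORT))
    print("after fix matches live: ", template_matches_live(TEMPLATE_AFTER, REPORT))
```

Running the script flags the b32 rule from before the fix and reports that only the corrected template matches the live rule set. Because the comparison is done on canonical sets rather than on strings, the differing field order and the `-1` / `4294967295` spelling in the live output do not produce false mismatches, which is the same reason the audit tool reported the corrected rule as successful.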

hankszeto and others added 2 commits January 16, 2022 21:59
Space needed between '-F' and `auid`.

This matches what UBUNTU18-CIS-Audit is expecting too.

`-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions`

vs

`-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions`

Signed-off-by: Hank Szeto <szeto@thinkingcap.com.au>
Update rule in ubtu18cis_4_1_15_actions.rules.j2
@georgenalen georgenalen merged commit 4126c16 into devel Jan 18, 2022
@georgenalen georgenalen deleted the staging_pr66 branch December 19, 2022 18:21

2 participants