Add modified audit suid privilege function rule for CIS

Add a new rule to accommodate the differences between STIG and CIS regarding execve audit in RHEL8 and RHEL9. When analyzing a RHEL8 or RHEL9 server with the CIS Workbench after remidiation it fails the settings of `audit execve` because of a difference between STIG and CIS in recommended settings.
ComplianceAsCode · Jun 21, 2023 · 2064493 · 2064493
1 parent 12be5d1
commit 2064493
Show file tree

Hide file tree

Showing 18 changed files with 277 additions and 6 deletions.
diff --git a/components/audit.yml b/components/audit.yml
@@ -198,6 +198,7 @@ rules:
 - audit_rules_sudoers
 - audit_rules_sudoers_d
 - audit_rules_suid_privilege_function
+- audit_rules_suid_privilege_function_cis
 - audit_rules_sysadmin_actions
 - audit_rules_system_shutdown
 - audit_rules_time_adjtimex

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
@@ -1506,7 +1506,7 @@ controls:
       - l2_workstation
     status: automated
     rules:
-      - audit_rules_suid_privilege_function
+      - audit_rules_suid_privilege_function_cis
 
   - id: 4.1.3.3
     title: Ensure events that modify the sudo log file are collected (Automated)

diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
@@ -1259,7 +1259,7 @@ controls:
       - l2_workstation
     status: automated
     rules:
-      - audit_rules_suid_privilege_function
+      - audit_rules_suid_privilege_function_cis
 
   - id: 4.1.3.3
     title: Ensure events that modify the sudo log file are collected (Automated)

diff --git a/...guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml b/...guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml
@@ -49,8 +49,6 @@ identifiers:
 
 references:
     cis@rhel7: 4.1.15
-    cis@rhel8: 4.1.3.2
-    cis@rhel9: 4.1.3.2
     cis@ubuntu2004: 4.1.15
     cis@ubuntu2204: 4.1.3.2
     disa: CCI-001814,CCI-001882,CCI-001889,CCI-001880,CCI-001881,CCI-001878,CCI-001879,CCI-001875,CCI-001877,CCI-001914,CCI-002233,CCI-002234

diff --git a/...uditing/auditd_configure_rules/audit_rules_suid_privilege_function_cis/ansible/shared.yml b/...uditing/auditd_configure_rules/audit_rules_suid_privilege_function_cis/ansible/shared.yml
@@ -0,0 +1,62 @@
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{% set rx_beg = "^[\s]*-a[\s]+always,exit[\s]+" %}}
+{{% set rx_b32 = "-F[\s]+arch=b32[\s]+" %}}
+{{% set rx_b64 = "-F[\s]+arch=b64[\s]+" %}}
+
+{{% set rx_uid = "-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+-S[\s]+execve[\s]+" %}}
+
+{{% set rx_end = "(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$" %}}
+
+- name: Service facts
+  ansible.builtin.service_facts:
+
+- name: Check the rules script being used
+  ansible.builtin.command:
+    grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service
+  register: check_rules_scripts_result
+  changed_when: false
+  failed_when: false
+
+- name: Set suid_audit_rules fact
+  ansible.builtin.set_fact:
+    suid_audit_rules:
+      - rule: '-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation'
+        regex: {{{ rx_beg + rx_b32 + rx_uid + rx_end }}}
+      - rule: '-a always,exit -F arch=b64 -S execve  -C euid!=uid -F auid!=unset-k user_emulation'
+        regex: {{{ rx_beg + rx_b64 + rx_uid + rx_end }}}
+
+- name: Update /etc/audit/rules.d/privileged.rules to audit privileged functions
+  ansible.builtin.lineinfile:
+    path: /etc/audit/rules.d/privileged.rules
+    line: "{{  item.rule  }}"
+    regexp: "{{ item.regex }}"
+    create: yes
+  when:
+    - '"auditd.service" in ansible_facts.services'
+    - '"augenrules" in check_rules_scripts_result.stdout'
+  register: augenrules_audit_rules_privilege_function_update_result
+  with_items: "{{ suid_audit_rules }}"
+
+- name: Update Update /etc/audit/audit.rules to audit privileged functions
+  ansible.builtin.lineinfile:
+    path: /etc/audit/audit.rules
+    line: "{{  item.rule  }}"
+    regexp: "{{ item.regex }}"
+    create: yes
+  when:
+    - '"auditd.service" in ansible_facts.services'
+    - '"auditctl" in check_rules_scripts_result.stdout'
+  register: auditctl_audit_rules_privilege_function_update_result
+  with_items: "{{ suid_audit_rules }}"
+# restarting auditd through systemd doesn't work, see: https://access.redhat.com/solutions/5515011
+- name: Restart Auditd
+  ansible.builtin.command: /usr/sbin/service auditd restart
+  when:
+    - (augenrules_audit_rules_privilege_function_update_result.changed or
+       auditctl_audit_rules_privilege_function_update_result.changed)
+    - ansible_facts.services["auditd.service"].state == "running"
diff --git a/...em/auditing/auditd_configure_rules/audit_rules_suid_privilege_function_cis/bash/shared.sh b/...em/auditing/auditd_configure_rules/audit_rules_suid_privilege_function_cis/bash/shared.sh
@@ -0,0 +1,18 @@
+# platform = multi_platform_rhel
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+	OTHER_FILTERS="-C euid!=uid"
+	AUID_FILTERS="-F auid!=unset"
+	SYSCALL="execve"
+	KEY="user_emulation"
+	SYSCALL_GROUPING=""
+	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+	{{{ bash_fix_audit_syscall_rule("augenrules", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}}
+	{{{ bash_fix_audit_syscall_rule("auditctl", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}}
+done
diff --git a/...m/auditing/auditd_configure_rules/audit_rules_suid_privilege_function_cis/oval/shared.xml b/...m/auditing/auditd_configure_rules/audit_rules_suid_privilege_function_cis/oval/shared.xml
@@ -0,0 +1,64 @@
+{{% set rx_beg = "^[\s]*-a[\s]+always,exit[\s]+" %}}
+{{% set rx_b32 = "-F[\s]+arch=b32[\s]+" %}}
+{{% set rx_b64 = "-F[\s]+arch=b64[\s]+" %}}
+{{% set rx_uid = "-S[\s]+execve[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+" %}}
+{{% set rx_end = "(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$" %}}
+<def-group>
+  <definition class="compliance" id="audit_rules_suid_privilege_function_cis" version="1">
+    {{{ oval_metadata("Ensure audit rule for all uses of privileged functions is enabled") }}}
+
+    <criteria operator="OR">
+
+      <!-- Test the augenrules case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+        <criterion comment="audit augenrules 32-bit uid privileged function " test_ref="test_32bit_uid_privileged_function_augenrules_cis" />
+        <criterion comment="audit augenrules 64-bit uid privileged function" test_ref="test_64bit_uid_privileged_function_augenrules_cis" />
+        </criteria>
+
+      <!-- OR test the auditctl case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+        <criterion comment="audit auditctl 32-bit uid privileged function" test_ref="test_32bit_uid_privileged_function_auditctl_cis" />
+        <criterion comment="audit auditctl 64-bit uid privileged function" test_ref="test_64bit_uid_privileged_function_auditctl_cis" />
+        </criteria>
+
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit uid privileged function" id="test_32bit_uid_privileged_function_augenrules_cis" version="1">
+    <ind:object object_ref="object_32bit_uid_privileged_function_augenrules_cis" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_32bit_uid_privileged_function_augenrules_cis" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">{{{ rx_beg + rx_b32 + rx_uid + rx_end }}}</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit uid privileged function" id="test_64bit_uid_privileged_function_augenrules_cis" version="1">
+    <ind:object object_ref="object_64bit_uid_privileged_function_augenrules_cis" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_64bit_uid_privileged_function_augenrules_cis" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">{{{ rx_beg + rx_b64 + rx_uid + rx_end }}}</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit uid privileged function" id="test_32bit_uid_privileged_function_auditctl_cis" version="1">
+    <ind:object object_ref="object_32bit_uid_privileged_function_auditctl_cis" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_32bit_uid_privileged_function_auditctl_cis" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">{{{ rx_beg + rx_b32 + rx_uid + rx_end }}}</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit uid privileged_function" id="test_64bit_uid_privileged_function_auditctl_cis" version="1">
+    <ind:object object_ref="object_64bit_uid_privileged_function_auditctl_cis" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_64bit_uid_privileged_function_auditctl_cis" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">{{{ rx_beg + rx_b64 + rx_uid + rx_end }}}</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
diff --git a/...e/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function_cis/rule.yml b/...e/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function_cis/rule.yml
@@ -0,0 +1,71 @@
+documentation_complete: true
+
+prodtype: rhel8,rhel9
+
+title: 'Record Events When Privileged Executables Are Run CIS'
+
+description: |-
+    Verify the system generates an audit record when privileged functions are executed.
+
+    If audit is using the "auditctl" tool to load the rules, run the following command:
+
+    <pre>$ sudo grep execve /etc/audit/audit.rules</pre>
+
+    If audit is using the "augenrules" tool to load the rules, run the following command:
+
+    <pre>$ sudo grep -r execve /etc/audit/rules.d</pre>
+    <pre>-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation</pre>
+    <pre>-a always,exit -F arch=b64  S execve -C euid!=uid -F auid!=unset -k user_emulation</pre>
+
+    If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.
+
+rationale: |-
+    Misuse of privileged functions, either intentionally or unintentionally by
+    authorized users, or by unauthorized external entities that have
+    compromised information system accounts, is a serious and ongoing concern
+    and can have significant adverse impacts on organizations. Auditing the use
+    of privileged functions is one way to detect such misuse and identify the
+    risk from insider threats and the advanced persistent threat.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-90209-8
+    cce@rhel9: CCE-86368-8
+
+references:
+    cis@rhel8: 4.1.3.2
+    cis@rhel9: 4.1.3.2
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect.
+
+ocil_clause: 'the command does not return all lines, or the lines are commented out'
+
+ocil: |-
+    Verify {{{ full_name }}} audits the execution of privileged functions.
+
+    Check if {{{ full_name }}} is configured to audit the execution of the "execve" system call using the following command:
+
+    <pre>$ sudo grep execve /etc/audit/audit.rules</pre>
+
+    The output should be the following:
+
+    <pre>-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation</pre>
+    <pre>-a always,exit -F arch=b64 -S execve  -C euid!=uid -F auid!=unset-k user_emulation</pre>
+
+fixtext: |-
+    Configure {{{ full_name }}} to audit the execution of the "execve" system call.
+
+    Add or update the following rules to "/etc/audit/rules.d/audit.rules":
+
+    <pre>-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation</pre>
+    <pre>-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation</pre>
+
+    The audit daemon must be restarted for the changes to take effect.
+
+platform: machine
+
+srg_requirement: '{{{ full_name }}} must audit the execution of privileged functions.'
diff --git a/...uditd_configure_rules/audit_rules_suid_privilege_function_cis/tests/correct_value.pass.sh b/...uditd_configure_rules/audit_rules_suid_privilege_function_cis/tests/correct_value.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = audit
+
+OTHER_FILTERS=" -C euid!=uid -F auid!=unset"
+
+echo "-a always,exit -F arch=b32${OTHER_FILTERS} -S execve -k user_emulation" >> /etc/audit/rules.d/privileged.rules
+echo "-a always,exit -F arch=b64${OTHER_FILTERS} -S execve -k user_emulation" >> /etc/audit/rules.d/privileged.rules
diff --git a/...ng/auditd_configure_rules/audit_rules_suid_privilege_function_cis/tests/miss_arch.fail.sh b/...ng/auditd_configure_rules/audit_rules_suid_privilege_function_cis/tests/miss_arch.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = audit
+
+OTHER_FILTERS_EUID=" -C euid!=uid -F auid!=unset"
+
+echo "-a always,exit -F arch=b64${OTHER_FILTERS_EUID} -S execve -k user_emulation" > /etc/audit/rules.d/privileged.rules
+echo "-a always,exit -F arch=b32${OTHER_FILTERS_EUID} -S execve -k user_emulation" >> /etc/audit/rules.d/privileged.rule
diff --git a/...iting/auditd_configure_rules/audit_rules_suid_privilege_function_cis/tests/miss_c.fail.sh b/...iting/auditd_configure_rules/audit_rules_suid_privilege_function_cis/tests/miss_c.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = audit
+
+OTHER_FILTERS=" -F auid!=unset"
+
+echo "-a always,exit -F arch=b32${OTHER_FILTERS} -S execve -k user_emulation" > /etc/audit/rules.d/privileged.rules
+echo "-a always,exit -F arch=b64 -C uid!=euid${OTHER_FILTERS} -S execve -k user_emulation" >> /etc/audit/rules.d/privileged.rules
diff --git a/...ing/auditd_configure_rules/audit_rules_suid_privilege_function_cis/tests/no_rules.fail.sh b/...ing/auditd_configure_rules/audit_rules_suid_privilege_function_cis/tests/no_rules.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# packages = audit
+
+rm -rf /etc/audit/rules.d/privileged.rules
diff --git a/...ng/auditd_configure_rules/audit_rules_suid_privilege_function_cis/tests/other_key.pass.sh b/...ng/auditd_configure_rules/audit_rules_suid_privilege_function_cis/tests/other_key.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# packages = audit
+
+# This tests situation where key value is not std. And also situation where there is extra spaces in rules.
+
+OTHER_FILTERS=" -C    euid!=uid    -F auid!=unset"
+
+echo "  -a   always,exit   -F   arch=b32   ${OTHER_FILTERS}   -S   execve   -F   key=my_setuid-audit-rule  " > /etc/audit/rules.d/privileged.rules
+echo "-a always,exit -F arch=b64 ${OTHER_FILTERS} -S execve -k my_setuid-audit-rule" >> /etc/audit/rules.d/privileged.rules
diff --git a/...ng/auditd_configure_rules/audit_rules_suid_privilege_function_cis/tests/use_f_key.pass.sh b/...ng/auditd_configure_rules/audit_rules_suid_privilege_function_cis/tests/use_f_key.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = audit
+
+OTHER_FILTERS=" -C euid!=uid -F auid!=unset"
+
+echo "-a always,exit -F arch=b32${OTHER_FILTERS_EUID} -S execve -F key=user_emulation" > /etc/audit/rules.d/privileged.rules
+echo "-a always,exit -F arch=b64${OTHER_FILTERS_EUID} -S execve -F key=user_emulation" >> /etc/audit/rules.d/privileged.rules
diff --git a/...ting/auditd_configure_rules/audit_rules_suid_privilege_function_cis/tests/wrong_a.fail.sh b/...ting/auditd_configure_rules/audit_rules_suid_privilege_function_cis/tests/wrong_a.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = audit
+
+OTHER_FILTERS=" -C euid!=uid -F auid!=unset"
+
+echo "-a never,exit -F arch=b32${OTHER_FILTERS} -S execve -k user_emulation" > /etc/audit/rules.d/privileged.rules
+echo "-a never,exit -F arch=b64${OTHER_FILTERS} -S execve -k user_emulation" >> /etc/audit/rules.d/privileged.rules
diff --git a/...auditd_configure_rules/audit_rules_suid_privilege_function_cis/tests/wrong_c_euid.fail.sh b/...auditd_configure_rules/audit_rules_suid_privilege_function_cis/tests/wrong_c_euid.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+OTHER_FILTERS_EGID=" -C euid!=gid -F auid!=unset"
+
+echo '-a always,exit -F arch=b32${OTHER_FILTERS_EGID} -S execve -k setuid' > /etc/audit/rules.d/privileged.rules
+echo '-a always,exit -F arch=b64${OTHER_FILTERS_EGID} -S execve -k setuid' >> /etc/audit/rules.d/privileged.rules
diff --git a/...auditd_configure_rules/audit_rules_suid_privilege_function_cis/tests/wrong_f_auid.fail.sh b/...auditd_configure_rules/audit_rules_suid_privilege_function_cis/tests/wrong_f_auid.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+echo '-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid=0 -k setuid' >> /etc/audit/rules.d/privileged.rules
+echo '-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid=0 -k setuid' >> /etc/audit/rules.d/privileged.rules
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -156,7 +156,6 @@ CCE-86364-7
 CCE-86365-4
 CCE-86366-2
 CCE-86367-0
-CCE-86368-8
 CCE-86369-6
 CCE-86370-4
 CCE-86371-2
@@ -3468,7 +3467,6 @@ CCE-90204-9
 CCE-90205-6
 CCE-90206-4
 CCE-90207-2
-CCE-90209-8
 CCE-90210-6
 CCE-90211-4
 CCE-90212-2