Merge pull request #10491 from marcusburghardt/cis_audit_kernel_modules

Update 4.1.3.19 CIS requirement for RHEL8 and RHEL9
ComplianceAsCode · Apr 27, 2023 · 6cb16a0 · 6cb16a0
2 parents 6c3e26b + 12305ec
commit 6cb16a0
Show file tree

Hide file tree

Showing 16 changed files with 226 additions and 22 deletions.
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
@@ -1660,19 +1660,19 @@ controls:
     rules:
       - audit_rules_privileged_commands_usermod
 
-  # NEEDS RULE
   - id: 4.1.3.19
     title: Ensure kernel module loading, unloading and modification is collected (Automated)
     levels:
       - l2_server
       - l2_workstation
-    status: partial
+    status: automated
     rules:
+      - audit_rules_kernel_module_loading_create
       - audit_rules_kernel_module_loading_delete
+      - audit_rules_kernel_module_loading_finit
       - audit_rules_kernel_module_loading_init
-      - audit_rules_privileged_commands_insmod
-      - audit_rules_privileged_commands_modprobe
-      - audit_rules_privileged_commands_rmmod
+      - audit_rules_kernel_module_loading_query
+      - audit_rules_privileged_commands_kmod
 
   - id: 4.1.3.20
     title: Ensure the audit configuration is immutable (Automated)

diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
@@ -1412,19 +1412,19 @@ controls:
     rules:
       - audit_rules_privileged_commands_usermod
 
-  # NEEDS RULE
   - id: 4.1.3.19
     title: Ensure kernel module loading, unloading and modification is collected (Automated)
     levels:
       - l2_server
       - l2_workstation
-    status: partial
+    status: automated
     rules:
+      - audit_rules_kernel_module_loading_create
       - audit_rules_kernel_module_loading_delete
+      - audit_rules_kernel_module_loading_finit
       - audit_rules_kernel_module_loading_init
-      - audit_rules_privileged_commands_insmod
-      - audit_rules_privileged_commands_modprobe
-      - audit_rules_privileged_commands_rmmod
+      - audit_rules_kernel_module_loading_query
+      - audit_rules_privileged_commands_kmod
 
   - id: 4.1.3.20
     title: Ensure the audit configuration is immutable (Automated)

diff --git a/...igure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/rule.yml b/...igure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux3,ol7,rhel7
+prodtype: alinux3,ol7,rhel7,rhel8,rhel9
 
 title: 'Ensure auditd Collects Information on Kernel Module Unloading - create_module'
 
@@ -25,9 +25,13 @@ severity: medium
 
 identifiers:
     cce@rhel7: CCE-86115-3
+    cce@rhel8: CCE-88435-3
+    cce@rhel9: CCE-88436-1
 
 references:
     cis@alinux3: 4.1.3.26
+    cis@rhel8: 4.1.3.19
+    cis@rhel9: 4.1.3.19
     disa: CCI-000172
     srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
     stigid@ol7: OL07-00-030819

diff --git a/...figure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/...figure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
@@ -43,7 +43,8 @@ references:
     cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9
     cis@alinux2: 4.1.17
     cis@rhel7: 4.1.17
-    cis@rhel8: 4.1.15
+    cis@rhel8: 4.1.3.19
+    cis@rhel9: 4.1.3.19
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
     disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884

diff --git a/...es/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/ansible/shared.yml b/...es/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/ansible/shared.yml
@@ -0,0 +1,58 @@
+# platform = multi_platform_all
+# reboot = false
+# complexity = low
+# disruption = low
+# strategy = configure
+
+{{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}}
+
+# What architecture are we on?
+
+- name: Set architecture for audit query_module tasks
+  set_fact:
+    audit_arch: "b64"
+  when:
+  - ansible_architecture == "aarch64" or
+    ansible_architecture == "ppc64" or
+    ansible_architecture == "ppc64le" or
+    ansible_architecture == "s390x" or
+    ansible_architecture == "x86_64"
+
+- name: Perform remediation of Audit rules for query_module for x86 platform
+  block:
+    {{{ ansible_audit_augenrules_add_syscall_rule(
+      action_arch_filters="-a always,exit -F arch=b32",
+      other_filters="",
+      auid_filters=auid_filters,
+      syscalls=["query_module"],
+      key="module-change",
+      syscall_grouping=["init_module","query_module"],
+      )|indent(4) }}}
+    {{{ ansible_audit_auditctl_add_syscall_rule(
+      action_arch_filters="-a always,exit -F arch=b32",
+      other_filters="",
+      auid_filters=auid_filters,
+      syscalls=["query_module"],
+      key="module-change",
+      syscall_grouping=["init_module","query_module"],
+      )|indent(4) }}}
+
+- name: Perform remediation of Audit rules for query_module for x86_64 platform
+  block:
+    {{{ ansible_audit_augenrules_add_syscall_rule(
+      action_arch_filters="-a always,exit -F arch=b64",
+      other_filters="",
+      auid_filters=auid_filters,
+      syscalls=["query_module"],
+      key="module-change",
+      syscall_grouping=["init_module","query_module"],
+      )|indent(4) }}}
+    {{{ ansible_audit_auditctl_add_syscall_rule(
+      action_arch_filters="-a always,exit -F arch=b64",
+      other_filters="",
+      auid_filters=auid_filters,
+      syscalls=["query_module"],
+      key="module-change",
+      syscall_grouping=["init_module","query_module"],
+      )|indent(4) }}}
+  when: audit_arch == "b64"
diff --git a/..._rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/bash/shared.sh b/..._rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/bash/shared.sh
@@ -0,0 +1,22 @@
+# platform = multi_platform_all
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
+#       it's required on a 64-bit system to check also for the presence
+#       of 32-bit's equivalent of the corresponding rule.
+#       (See `man 7 audit.rules` for details )
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+	OTHER_FILTERS=""
+	AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
+	SYSCALL="query_module"
+	KEY="modules"
+	SYSCALL_GROUPING="init_module query_module"
+	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+	{{{ bash_fix_audit_syscall_rule("augenrules", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}}
+	{{{ bash_fix_audit_syscall_rule("auditctl", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}}
+done
diff --git a/...rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/oval/shared.xml b/...rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/oval/shared.xml
@@ -0,0 +1,69 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("The audit rules should be configured to log information about kernel module loading and unloading.") }}}
+
+    <criteria operator="OR">
+
+      <!-- Test the augenrules case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+        <criterion comment="audit augenrules 32-bit query_module" test_ref="test_32bit_ardm_query_module_augenrules" />
+        <criteria operator="OR">
+          <!-- System either isn't 64-bit => we just check presence of 32-bit version of query_module audit DAC rule -->
+          <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
+          <!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit version of query_module audit DAC rule -->
+          <criterion comment="audit augenrules 64-bit query_module" test_ref="test_64bit_ardm_query_module_augenrules" />
+        </criteria>
+      </criteria>
+
+      <!-- OR test the auditctl case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+        <criterion comment="audit auditctl 32-bit query_module" test_ref="test_32bit_ardm_query_module_auditctl" />
+        <criteria operator="OR">
+          <!-- System either isn't 64-bit => we just check presence of 32-bit version of the query_module audit DAC rule -->
+          <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
+          <!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit version of query_module audit DAC rule -->
+          <criterion comment="audit auditctl 64-bit query_module" test_ref="test_64bit_ardm_query_module_auditctl" />
+        </criteria>
+      </criteria>
+
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit query_module" id="test_32bit_ardm_query_module_augenrules" version="1">
+    <ind:object object_ref="object_32bit_ardm_query_module_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_32bit_ardm_query_module_augenrules" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+query_module[\s]+|([\s]+|[,])query_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit query_module" id="test_64bit_ardm_query_module_augenrules" version="1">
+    <ind:object object_ref="object_64bit_ardm_query_module_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_64bit_ardm_query_module_augenrules" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+query_module[\s]+|([\s]+|[,])query_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit query_module" id="test_32bit_ardm_query_module_auditctl" version="1">
+    <ind:object object_ref="object_32bit_ardm_query_module_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_32bit_ardm_query_module_auditctl" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+query_module[\s]+|([\s]+|[,])query_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit query_module" id="test_64bit_ardm_query_module_auditctl" version="1">
+    <ind:object object_ref="object_64bit_ardm_query_module_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_64bit_ardm_query_module_auditctl" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+query_module[\s]+|([\s]+|[,])query_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
diff --git a/...figure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/rule.yml b/...figure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+prodtype: rhel8,rhel9
+
+title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module'
+
+description: |-
+    If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
+    to read audit rules during daemon startup (the default), add the following lines to a file
+    with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
+    loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
+    <pre>-a always,exit -F arch=<i>ARCH</i> -S query_module -F auid>=1000 -F auid!=unset -F key=modules</pre>
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
+    rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
+    in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
+    b64 as appropriate for your system:
+    <pre>-a always,exit -F arch=<i>ARCH</i> -S query_module -F auid>=1000 -F auid!=unset -F key=modules</pre>
+
+rationale: |-
+    The addition/removal of kernel modules can be used to alter the behavior of
+    the kernel and potentially introduce malicious code into kernel space. It is important
+    to have an audit trail of modules that have been introduced into the kernel.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-88748-9
+    cce@rhel9: CCE-88749-7
+
+references:
+    cis@rhel8: 4.1.3.19
+    cis@rhel9: 4.1.3.19
+
+{{{ complete_ocil_entry_audit_syscall(syscall="query_module") }}}
+
+fixtext: |-
+    {{{ fixtext_audit_rules("query_module", "module_chng") | indent(4) }}}
+
+srg_requirement: '{{{ srg_requirement_audit_command("query_module") }}}'
diff --git a/...kernel_module_loading/audit_rules_kernel_module_loading_query/tests/correct_rules.pass.sh b/...kernel_module_loading/audit_rules_kernel_module_loading_query/tests/correct_rules.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+echo "-a always,exit -F arch=b32 -S query_module -F auid>=1000 -F auid!=unset -k modules" >> /etc/audit/rules.d/modules.rules
+echo "-a always,exit -F arch=b64 -S query_module -F auid>=1000 -F auid!=unset -k modules" >> /etc/audit/rules.d/modules.rules
diff --git a/..._module_loading/audit_rules_kernel_module_loading_query/tests/missing_auid_filter.fail.sh b/..._module_loading/audit_rules_kernel_module_loading_query/tests/missing_auid_filter.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+# packages = audit
+
+rm -f /etc/audit/rules.d/*
+
+echo "-a always,exit -F arch=b32 -S query_module -k modules" >> /etc/audit/rules.d/modules.rules
+echo "-a always,exit -F arch=b64 -S query_module -k modules" >> /etc/audit/rules.d/modules.rules
diff --git a/...udit_kernel_module_loading/audit_rules_kernel_module_loading_query/tests/no_rules.fail.sh b/...udit_kernel_module_loading/audit_rules_kernel_module_loading_query/tests/no_rules.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# remediation = bash
+# packages = audit
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
diff --git a/...configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml b/...configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
@@ -36,8 +36,6 @@ references:
     anssi: BP28(R73)
     cis@alinux2: 4.1.17
     cis@rhel7: 4.1.16
-    cis@rhel8: 4.1.3.19
-    cis@rhel9: 4.1.3.19
     cis@sle12: 4.1.16
     cis@sle15: 4.1.16
     cis@ubuntu2004: 4.1.16

diff --git a/...d_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/...d_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
@@ -45,6 +45,8 @@ identifiers:
 references:
     anssi: BP28(R73)
     cis@alinux3: 4.1.3.20
+    cis@rhel8: 4.1.3.19
+    cis@rhel9: 4.1.3.19
     disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884
     nist: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv)AU-12(c),MA-4(1)(a)
     srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222

diff --git a/...nfigure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml b/...nfigure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
@@ -40,8 +40,6 @@ references:
     anssi: BP28(R73)
     cis@alinux2: 4.1.17
     cis@rhel7: 4.1.16
-    cis@rhel8: 4.1.3.19
-    cis@rhel9: 4.1.3.19
     cis@sle12: 4.1.16
     cis@sle15: 4.1.16
     cis@ubuntu2004: 4.1.16

diff --git a/..._configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml b/..._configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
@@ -36,8 +36,6 @@ references:
     anssi: BP28(R73)
     cis@alinux2: 4.1.17
     cis@rhel7: 4.1.16
-    cis@rhel8: 4.1.3.19
-    cis@rhel9: 4.1.3.19
     cis@sle12: 4.1.16
     cis@sle15: 4.1.16
     cis@ubuntu2004: 4.1.16

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -1901,8 +1901,6 @@ CCE-88431-2
 CCE-88432-0
 CCE-88433-8
 CCE-88434-6
-CCE-88435-3
-CCE-88436-1
 CCE-88438-7
 CCE-88442-9
 CCE-88443-7
@@ -2182,8 +2180,6 @@ CCE-88740-6
 CCE-88741-4
 CCE-88743-0
 CCE-88744-8
-CCE-88748-9
-CCE-88749-7
 CCE-88750-5
 CCE-88751-3
 CCE-88752-1