Merge pull request #10223 from rumch-se/rule_audit_rules_mac_modifica…

…tion_usr_share

New SLE 12/15 rule audit_rules_mac_modification_usr_share

controls/cis_sle12.yml

@@ -1166,9 +1166,10 @@ controls:
     levels:
     - l2_server
     - l2_workstation
-    automated: partially # rule for checking audit watch on /usr/share/selinux is missing
+    status: automated 
     rules:
     - audit_rules_mac_modification
+    - audit_rules_mac_modification_usr_share
 
   - id: 4.1.7
     title: Ensure login and logout events are collected (Automated)

controls/cis_sle15.yml

@@ -1338,9 +1338,10 @@ controls:
     levels:
       - l2_server
       - l2_workstation
-    automated: partially # rule for checking audit watch on /usr/share/selinux is missing
+    status: automated 
     rules:
       - audit_rules_mac_modification
+      - audit_rules_mac_modification_usr_share
 
   - id: 4.1.7
     title: Ensure login and logout events are collected (Automated)

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/ansible/shared.yml

@@ -0,0 +1,9 @@
+# platform = multi_platform_sle
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_audit_augenrules_add_watch_rule(path="/usr/share/selinux/", permissions="wa", key="MAC-policy") }}}
+
+{{{ ansible_audit_auditctl_add_watch_rule(path="/usr/share/selinux/", permissions="wa", key="MAC-policy") }}}

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/bash/shared.sh

@@ -0,0 +1,5 @@
+# platform = multi_platform_sle
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+{{{ bash_fix_audit_watch_rule("auditctl", "/usr/share/selinux/", "wa", "MAC-policy") }}}
+{{{ bash_fix_audit_watch_rule("augenrules", "/usr/share/selinux/", "wa", "MAC-policy") }}}

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/oval/shared.xml

@@ -0,0 +1,40 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Audit rules that detect changes to the system's mandatory access controls (SELinux) in usr/share/selinux are enabled.") }}}
+
+    <criteria operator="OR">
+
+      <!-- Test the augenrules_usr_share case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit augenrules in usr/share" definition_ref="audit_rules_augenrules" />
+        <criterion comment="audit selinux changes augenrules in /usr/share" test_ref="test_armm_selinux_watch_augenrules_usr_share" />
+      </criteria>
+
+      <!-- Test the auditctl_usr_share case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit auditctl in usr/share" definition_ref="audit_rules_auditctl" />
+        <criterion comment="audit selinux changes auditctl in usr/share" test_ref="test_armm_selinux_watch_auditctl_usr_share" />
+      </criteria>
+
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="audit selinux changes augenrules in usr/share" id="test_armm_selinux_watch_augenrules_usr_share" version="1">
+    <ind:object object_ref="object_armm_selinux_watch_augenrules_usr_share" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_armm_selinux_watch_augenrules_usr_share" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+/usr/share/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit selinux changes auditctl in usr/share" id="test_armm_selinux_watch_auditctl_usr_share" version="1">
+    <ind:object object_ref="object_armm_selinux_watch_auditctl_usr_share" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_armm_selinux_watch_auditctl_usr_share" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+/usr/share/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/rule.yml

@@ -0,0 +1,49 @@
+documentation_complete: true
+
+title: 'Record Events that Modify the System''s Mandatory Access Controls in usr/share'
+
+description: |-
+    If the <tt>auditd</tt> daemon is configured to use the
+    <tt>augenrules</tt> program to read audit rules during daemon startup (the
+    default), add the following line to a file with suffix <tt>.rules</tt> in the
+    directory <tt>/etc/audit/rules.d</tt>:
+    <pre>-w /usr/share/selinux/ -p wa -k MAC-policy</pre>
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following line to
+    <tt>/etc/audit/audit.rules</tt> file:
+    <pre>-w /usr/share/selinux/ -p wa -k MAC-policy</pre>
+
+rationale: |-
+    The system's mandatory access policy (SELinux) should not be
+    arbitrarily changed by anything other than administrator action. All changes to
+    MAC policy should be audited.
+
+severity: medium
+
+identifiers:
+    cce@sle12: CCE-92400-1
+    cce@sle15: CCE-92515-6
+
+references:
+    cis@sle12: 4.1.6
+    cis@sle15: 4.1.6
+    cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+    cui: 3.1.8
+    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+    isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+    isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+    iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2
+    nist: AU-2(d),AU-12(c),CM-6(a)
+    nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
+    ospp: FAU_GEN.1.1.c
+    pcidss: Req-10.5.5
+
+ocil_clause: 'the system is not configured to audit attempts to change the MAC policy'
+
+ocil: |-
+    To determine if the system is configured to audit changes to its SELinux
+    configuration files, run the following command:
+    <pre>$ sudo auditctl -l | grep "dir=/usr/share/selinux"</pre>
+    If the system is configured to watch for changes to its SELinux
+    configuration, a line should be returned (including
+    <tt>perm=wa</tt> indicating permissions that are watched).

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_correct.pass.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = audit
+
+# use auditctl
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+echo "-w /usr/share/selinux/ -p wa -k MAC-policy" > /etc/audit/audit.rules

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_correct_without_key.pass.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = audit
+
+# use auditctl
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+echo "-w /usr/share/selinux/ -p wa" > /etc/audit/audit.rules

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_missing.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = audit
+
+# use auditctl
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+echo "some value" > /etc/audit/audit.rules

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_wrong_value.fail.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+# packages = audit
+
+# use auditctl
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+echo "-w /etc/passwd -p w -k MAC-policy" > /etc/audit/audit.rules
+

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_correct.pass.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+# packages = audit
+
+echo "-w /usr/share/selinux/ -p wa -k MAC-policy" > /etc/audit/rules.d/MAC-policy.rules

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_correct_without_key.pass.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+# packages = audit
+
+echo "-w /usr/share/selinux/ -p wa" > /etc/audit/rules.d/MAC-policy.rules

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_missing.fail.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+# packages = audit
+
+rm -rf /etc/audit/rules.d/*

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/augen_wrong_value.fail.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+rm -rf /etc/audit/rules.d/*
+echo "-w /etc/group -p w -k MAC-policy" > /etc/audit/rules.d/MAC-policy.rules

shared/references/cce-sle12-avail.txt

@@ -67,7 +67,6 @@ CCE-92396-1
 CCE-92397-9
 CCE-92398-7
 CCE-92399-5
-CCE-92400-1
 CCE-92401-9
 CCE-92402-7
 CCE-92403-5

shared/references/cce-sle15-avail.txt

@@ -28,7 +28,6 @@ CCE-92511-5
 CCE-92512-3
 CCE-92513-1
 CCE-92514-9
-CCE-92515-6
 CCE-92516-4
 CCE-92517-2
 CCE-92519-8