Change rule to use variable when auditing faillock

Some benchmarks specify different paths when monitoring the faillock
file, depending on if a permanent faillock path has been configured.
This updates the audit_rules_login_event_faillock to use the variable
var_accounts_passwords_pam_faillock_dir instead of the profile
faillock_path

controls/cis_rhel8.yml

@@ -1622,6 +1622,7 @@ controls:
     rules:
       - audit_rules_login_events_faillock
       - audit_rules_login_events_lastlog
+      - var_accounts_passwords_pam_faillock_dir=run
 
   - id: 4.1.3.13
     title: Ensure file deletion events by users are collected (Automated)

controls/cis_rhel9.yml

@@ -1375,6 +1375,7 @@ controls:
     rules:
       - audit_rules_login_events_faillock
       - audit_rules_login_events_lastlog
+      - var_accounts_passwords_pam_faillock_dir=run
 
   - id: 4.1.3.13
     title: Ensure file deletion events by users are collected (Automated)

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_dir.var

@@ -13,3 +13,4 @@ interactive: false
 options:
     ol8: "/var/log/faillock"
     default: "/var/log/faillock"
+    run: "/var/run/faillock"

linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/ansible/shared.yml

@@ -0,0 +1,9 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+{{{ ansible_audit_augenrules_add_watch_rule(path="{{ var_accounts_passwords_pam_faillock_dir }}", permissions='wa', key='logins') }}}
+{{{ ansible_audit_auditctl_add_watch_rule(path="{{ var_accounts_passwords_pam_faillock_dir }}", permissions='wa', key='logins') }}}

linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/bash/shared.sh

@@ -0,0 +1,6 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+{{{ bash_fix_audit_watch_rule("auditctl", "$var_accounts_passwords_pam_faillock_dir", "wa", "logins") }}}
+{{{ bash_fix_audit_watch_rule("augenrules", "$var_accounts_passwords_pam_faillock_dir", "wa", "logins") }}}

linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/oval/shared.xml

@@ -0,0 +1,47 @@
+<def-group>
+  <definition class="compliance" id="audit_rules_login_events_faillock" version="2">
+    {{{ oval_metadata("Audit rules should be configured to log successful and unsuccessful login and logout events.") }}}
+
+    <criteria operator="OR">
+
+      <!-- Test the augenrules case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+        <criterion comment="audit augenrules faillock path" test_ref="test_arle_faillock_path_augenrules" />
+      </criteria>
+
+      <!-- Test the auditctl case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+        <criterion comment="audit auditctl faillock path" test_ref="test_arle_faillock_path_auditctl" />
+      </criteria>
+
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="audit augenrules faillock path" id="test_arle_faillock_path_augenrules" version="1">
+    <ind:object object_ref="object_arle_faillock_path_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arle_faillock_path_augenrules" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="object_var_accounts_passwords_pam_faillock_dir_pattern"/>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit auditctl faillock path" id="test_arle_faillock_path_auditctl" version="1">
+    <ind:object object_ref="object_arle_faillock_path_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arle_faillock_path_auditctl" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="object_var_accounts_passwords_pam_faillock_dir_pattern" />
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <local_variable id="object_var_accounts_passwords_pam_faillock_dir_pattern"  comment="The composite pattern used to detect if audit as been configured" datatype="string" version="1">
+    <concat>
+      <literal_component>^\-w[\s]+</literal_component>
+      <variable_component var_ref="var_accounts_passwords_pam_faillock_dir"/>
+      <literal_component>[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</literal_component>
+    </concat>
+  </local_variable>
+  <external_variable id="var_accounts_passwords_pam_faillock_dir" comment="Faillock directory" datatype="string" version="1"/>
+</def-group>

linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml

@@ -11,12 +11,12 @@ description: |-
     default), add the following lines to a file with suffix <tt>.rules</tt> in the
     directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
     edits of files involved in storing logon events:
-    <pre>-w {{{ faillock_path }}} -p wa -k logins</pre>
+    <pre>-w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
     edits of files involved in storing logon events:
-    <pre>-w {{{ faillock_path }}} -p wa -k logins</pre>
+    <pre>-w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins</pre>
 
 rationale: |-
     Manual editing of these files may indicate nefarious activity, such
@@ -66,16 +66,11 @@ ocil_clause: 'the command does not return a line, or the line is commented out'
 ocil: |-
     Verify {{{ full_name }}} generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command:
 
-    $ sudo auditctl -l | grep {{{ faillock_path }}}
+    $ sudo auditctl -l | grep {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}}
 
-    -w {{{ faillock_path }}} -p wa -k logins
-
-template:
-    name: audit_rules_login_events
-    vars:
-        path: {{{ faillock_path }}}
+    -w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins
 
 fixtext: |-
-    {{{ fixtext_audit_file_watch_rule(faillock_path, "logins", "/etc/audit/rules.d/audit.rules") | indent(4) }}}
+    {{{ fixtext_audit_file_watch_rule(xccdf_value("var_accounts_passwords_pam_faillock_dir"), "logins", "/etc/audit/rules.d/audit.rules") | indent(4) }}}
 
-srg_requirement: '{{{ srg_requirement_audit_file_watch_rule(faillock_path) }}}'
+srg_requirement: '{{{ srg_requirement_audit_file_watch_rule(xccdf_value("var_accounts_passwords_pam_faillock_dir")) }}}'

linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct.pass.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+echo "-w $var_accounts_passwords_pam_faillock_dir -p wa -k logins" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission.pass.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+echo "-w $var_accounts_passwords_pam_faillock_dir -p wra -k logins" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key.pass.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+echo "-w $var_accounts_passwords_pam_faillock_dir -p wa" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules.fail.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+rm -f /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule.fail.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+echo "-w $var_accounts_passwords_pam_faillock_dir -p w -k logins" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key.fail.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+echo "-w {{{ PATH }}} -p w" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct.pass.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+echo "-w $var_accounts_passwords_pam_faillock_dir -p wa -k login" >> /etc/audit/rules.d/login.rules

linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_extra_permission.pass.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+echo "-w $var_accounts_passwords_pam_faillock_dir -p wra -k login" >> /etc/audit/rules.d/login.rules

linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_without_key.pass.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+echo "-w $var_accounts_passwords_pam_faillock_dir -p wa" >> /etc/audit/rules.d/login.rules

linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_remove_all_rules.fail.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules

linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule.fail.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+echo "-w $var_accounts_passwords_pam_faillock_dir -p w -k login" >> /etc/audit/rules.d/login.rules

linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_without_key.fail.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+echo "-w $var_accounts_passwords_pam_faillock_dir -p w" >> /etc/audit/rules.d/login.rules

linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/group.yml

@@ -10,12 +10,12 @@ description: |-
     directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
     edits of files involved in storing logon events:
     <pre>-w /var/log/tallylog -p wa -k logins
-    -w {{{ faillock_path }}} -p wa -k logins
+    -w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins
     -w /var/log/lastlog -p wa -k logins</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
     edits of files involved in storing logon events:
     <pre>-w /var/log/tallylog -p wa -k logins
-    -w {{{ faillock_path }}} -p wa -k logins
+    -w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins
     -w /var/log/lastlog -p wa -k logins</pre>