Skip to content

Commit

Permalink
Change rule to use variable when auditing faillock
Browse files Browse the repository at this point in the history 
Some benchmarks specify different paths when monitoring the faillock
file, depending on if a permanent faillock path has been configured.
This updates the audit_rules_login_event_faillock to use the variable
var_accounts_passwords_pam_faillock_dir instead of the profile
faillock_path
  • Loading branch information
@Mackemania
Mackemania committed Aug 22, 2023
1 parent 4df8db3 commit ceb7ea6
Show file tree
Hide file tree
Showing 18 changed files with 93 additions and 22 deletions.
1 change: 1 addition & 0 deletions controls/cis_rhel8.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1622,6 +1622,7 @@ controls:
rules:
- audit_rules_login_events_faillock
- audit_rules_login_events_lastlog
- var_accounts_passwords_pam_faillock_dir=run

- id: 4.1.3.13
title: Ensure file deletion events by users are collected (Automated)
Expand Down
1 change: 1 addition & 0 deletions controls/cis_rhel9.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1375,6 +1375,7 @@ controls:
rules:
- audit_rules_login_events_faillock
- audit_rules_login_events_lastlog
- var_accounts_passwords_pam_faillock_dir=run

- id: 4.1.3.13
title: Ensure file deletion events by users are collected (Automated)
Expand Down
1 change: 1 addition & 0 deletions ...ts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_dir.var
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,3 +13,4 @@ interactive: false
options:
ol8: "/var/log/faillock"
default: "/var/log/faillock"
run: "/var/run/faillock"
16 changes: 9 additions & 7 deletions ...ting/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,12 +11,12 @@ description: |-
default), add the following lines to a file with suffix <tt>.rules</tt> in the
directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
edits of files involved in storing logon events:
<pre>-w {{{ faillock_path }}} -p wa -k logins</pre>
<pre>-w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following lines to
<tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
edits of files involved in storing logon events:
<pre>-w {{{ faillock_path }}} -p wa -k logins</pre>
<pre>-w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins</pre>
rationale: |-
Manual editing of these files may indicate nefarious activity, such
Expand Down Expand Up @@ -66,16 +66,18 @@ ocil_clause: 'the command does not return a line, or the line is commented out'
ocil: |-
Verify {{{ full_name }}} generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command:
$ sudo auditctl -l | grep {{{ faillock_path }}}
$ sudo auditctl -l | grep {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}}
-w {{{ faillock_path }}} -p wa -k logins
-w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins
template:
name: audit_rules_login_events
vars:
path: {{{ faillock_path }}}
path: var_accounts_passwords_pam_faillock_dir
path_is_variable: "true"


fixtext: |-
{{{ fixtext_audit_file_watch_rule(faillock_path, "logins", "/etc/audit/rules.d/audit.rules") | indent(4) }}}
{{{ fixtext_audit_file_watch_rule(xccdf_value("var_accounts_passwords_pam_faillock_dir"), "logins", "/etc/audit/rules.d/audit.rules") | indent(4) }}}
srg_requirement: '{{{ srg_requirement_audit_file_watch_rule(faillock_path) }}}'
srg_requirement: '{{{ srg_requirement_audit_file_watch_rule(xccdf_value("var_accounts_passwords_pam_faillock_dir")) }}}'
4 changes: 2 additions & 2 deletions linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/group.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,12 +10,12 @@ description: |-
directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
edits of files involved in storing logon events:
<pre>-w /var/log/tallylog -p wa -k logins
-w {{{ faillock_path }}} -p wa -k logins
-w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins
-w /var/log/lastlog -p wa -k logins</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following lines to
<tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
edits of files involved in storing logon events:
<pre>-w /var/log/tallylog -p wa -k logins
-w {{{ faillock_path }}} -p wa -k logins
-w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins
-w /var/log/lastlog -p wa -k logins</pre>
6 changes: 6 additions & 0 deletions shared/templates/audit_rules_login_events/ansible.template
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,5 +4,11 @@
# complexity = low
# disruption = low

{{% if PATH_IS_VARIABLE %}}
{{{ ansible_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
{{{ ansible_audit_augenrules_add_watch_rule(path="{{ var_accounts_passwords_pam_faillock_dir }}", permissions='wa', key='logins') }}}
{{{ ansible_audit_auditctl_add_watch_rule(path="{{ var_accounts_passwords_pam_faillock_dir }}", permissions='wa', key='logins') }}}
{{% else %}}
{{{ ansible_audit_augenrules_add_watch_rule(path=PATH, permissions='wa', key='logins') }}}
{{{ ansible_audit_auditctl_add_watch_rule(path=PATH, permissions='wa', key='logins') }}}
{{% endif %}}
6 changes: 6 additions & 0 deletions shared/templates/audit_rules_login_events/bash.template
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,11 @@

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

{{% if PATH_IS_VARIABLE %}}
{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
{{{ bash_fix_audit_watch_rule("auditctl", "$var_accounts_passwords_pam_faillock_dir", "wa", "logins") }}}
{{{ bash_fix_audit_watch_rule("augenrules", "$var_accounts_passwords_pam_faillock_dir", "wa", "logins") }}}
{{% else %}}
{{{ bash_fix_audit_watch_rule("auditctl", PATH, "wa", "logins") }}}
{{{ bash_fix_audit_watch_rule("augenrules", PATH, "wa", "logins") }}}
{{% endif %}}
19 changes: 16 additions & 3 deletions shared/templates/audit_rules_login_events/oval.template
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_arle_{{{ NAME }}}_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
<ind:pattern operation="pattern match">^\-w[\s]+{{{ PATH }}}[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</ind:pattern>
<ind:pattern operation="pattern match" var_ref="{{{ NAME }}}_path_pattern"/>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>

Expand All @@ -33,8 +33,21 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_arle_{{{ NAME }}}_auditctl" version="1">
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
<ind:pattern operation="pattern match">^\-w[\s]+{{{ PATH }}}[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</ind:pattern>
<ind:pattern operation="pattern match" var_ref="{{{ NAME }}}_path_pattern" />
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>

<local_variable id="{{{ NAME }}}_path_pattern" comment="The composite pattern used to detect if audit as been configured" datatype="string" version="1">
<concat>
<literal_component>^\-w[\s]+</literal_component>
{{% if PATH_IS_VARIABLE %}}
<variable_component var_ref="var_accounts_passwords_pam_faillock_dir"/>
{{% else %}}
<literal_component>{{{ PATH }}}</literal_component>
{{% endif %}}
<literal_component>[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</literal_component>
</concat>
</local_variable>
{{% if PATH_IS_VARIABLE %}}
<external_variable id="var_accounts_passwords_pam_faillock_dir" comment="Faillock directory" datatype="string" version="1"/>
{{% endif %}}
</def-group>
6 changes: 5 additions & 1 deletion shared/templates/audit_rules_login_events/tests/auditctl_correct.pass.sh
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
#!/bin/bash
# packages = audit

{{% if PATH_IS_VARIABLE %}}
{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
echo "-w $var_accounts_passwords_pam_faillock_dir -p wra -k logins" >> /etc/audit/audit.rules
{{% else %}}
echo "-w {{{ PATH }}} -p wa -k logins" >> /etc/audit/audit.rules
{{% endif %}}
sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
6 changes: 5 additions & 1 deletion shared/templates/audit_rules_login_events/tests/auditctl_correct_extra_permission.pass.sh
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
#!/bin/bash
# packages = audit

{{% if PATH_IS_VARIABLE %}}
{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
echo "-w $var_accounts_passwords_pam_faillock_dir -p wra -k logins" >> /etc/audit/audit.rules
{{% else %}}
echo "-w {{{ PATH }}} -p wra -k logins" >> /etc/audit/audit.rules
{{% endif %}}
sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
6 changes: 5 additions & 1 deletion shared/templates/audit_rules_login_events/tests/auditctl_correct_without_key.pass.sh
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
#!/bin/bash
# packages = audit

{{% if PATH_IS_VARIABLE %}}
{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
echo "-w $var_accounts_passwords_pam_faillock_dir -p wra -k logins" >> /etc/audit/audit.rules
{{% else %}}
echo "-w {{{ PATH }}} -p wa" >> /etc/audit/audit.rules
{{% endif %}}
sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
7 changes: 6 additions & 1 deletion shared/templates/audit_rules_login_events/tests/auditctl_wrong_rule.fail.sh
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
#!/bin/bash
# packages = audit

{{% if PATH_IS_VARIABLE %}}
{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
echo "-w $var_accounts_passwords_pam_faillock_dir -p wra -k logins" >> /etc/audit/audit.rules
{{% else %}}
echo "-w {{{ PATH }}} -p w -k logins" >> /etc/audit/audit.rules
{{% endif %}}

sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
6 changes: 5 additions & 1 deletion shared/templates/audit_rules_login_events/tests/auditctl_wrong_rule_without_key.fail.sh
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
#!/bin/bash
# packages = audit

{{% if PATH_IS_VARIABLE %}}
{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
echo "-w $var_accounts_passwords_pam_faillock_dir -p wra -k logins" >> /etc/audit/audit.rules
{{% else %}}
echo "-w {{{ PATH }}} -p w" >> /etc/audit/audit.rules
{{% endif %}}
sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
6 changes: 5 additions & 1 deletion shared/templates/audit_rules_login_events/tests/augenrules_correct.pass.sh
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
#!/bin/bash
# packages = audit


{{% if PATH_IS_VARIABLE %}}
{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
echo "-w $var_accounts_passwords_pam_faillock_dir -p wra -k logins" >> /etc/audit/audit.rules
{{% else %}}
echo "-w {{{ PATH }}} -p wa -k login" >> /etc/audit/rules.d/login.rules
{{% endif %}}
6 changes: 5 additions & 1 deletion shared/templates/audit_rules_login_events/tests/augenrules_correct_extra_permission.pass.sh
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
#!/bin/bash
# packages = audit


{{% if PATH_IS_VARIABLE %}}
{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
echo "-w $var_accounts_passwords_pam_faillock_dir -p wra -k logins" >> /etc/audit/audit.rules
{{% else %}}
echo "-w {{{ PATH }}} -p wra -k login" >> /etc/audit/rules.d/login.rules
{{% endif %}}
6 changes: 5 additions & 1 deletion shared/templates/audit_rules_login_events/tests/augenrules_correct_without_key.pass.sh
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
#!/bin/bash
# packages = audit


{{% if PATH_IS_VARIABLE %}}
{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
echo "-w $var_accounts_passwords_pam_faillock_dir -p wra -k logins" >> /etc/audit/audit.rules
{{% else %}}
echo "-w {{{ PATH }}} -p wa" >> /etc/audit/rules.d/login.rules
{{% endif %}}
6 changes: 5 additions & 1 deletion shared/templates/audit_rules_login_events/tests/augenrules_wrong_rule.fail.sh
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
#!/bin/bash
# packages = audit


{{% if PATH_IS_VARIABLE %}}
{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
echo "-w $var_accounts_passwords_pam_faillock_dir -p wra -k logins" >> /etc/audit/audit.rules
{{% else %}}
echo "-w {{{ PATH }}} -p w -k login" >> /etc/audit/rules.d/login.rules
{{% endif %}}
6 changes: 5 additions & 1 deletion shared/templates/audit_rules_login_events/tests/augenrules_wrong_rule_without_key.fail.sh
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
#!/bin/bash
# packages = audit


{{% if PATH_IS_VARIABLE %}}
{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
echo "-w $var_accounts_passwords_pam_faillock_dir -p wra -k logins" >> /etc/audit/audit.rules
{{% else %}}
echo "-w {{{ PATH }}} -p w" >> /etc/audit/rules.d/login.rules
{{% endif %}}

0 comments on commit ceb7ea6

Please sign in to comment.