From ceb7ea6459b7fe05e04b17e1d5192537a22fc8ea Mon Sep 17 00:00:00 2001 From: Mackemania <8738793+Mackemania@users.noreply.github.com> Date: Tue, 22 Aug 2023 10:12:42 +0200 Subject: [PATCH] Change rule to use variable when auditing faillock Some benchmarks specify different paths when monitoring the faillock file, depending on if a permanent faillock path has been configured. This updates the audit_rules_login_event_faillock to use the variable var_accounts_passwords_pam_faillock_dir instead of the profile faillock_path --- controls/cis_rhel8.yml | 1 + controls/cis_rhel9.yml | 1 + ...ar_accounts_passwords_pam_faillock_dir.var | 1 + .../rule.yml | 16 +++++++++------- .../audit_login_events/group.yml | 4 ++-- .../audit_rules_login_events/ansible.template | 6 ++++++ .../audit_rules_login_events/bash.template | 6 ++++++ .../audit_rules_login_events/oval.template | 19 ++++++++++++++++--- .../tests/auditctl_correct.pass.sh | 6 +++++- .../auditctl_correct_extra_permission.pass.sh | 6 +++++- .../auditctl_correct_without_key.pass.sh | 6 +++++- .../tests/auditctl_wrong_rule.fail.sh | 7 ++++++- .../auditctl_wrong_rule_without_key.fail.sh | 6 +++++- .../tests/augenrules_correct.pass.sh | 6 +++++- ...ugenrules_correct_extra_permission.pass.sh | 6 +++++- .../augenrules_correct_without_key.pass.sh | 6 +++++- .../tests/augenrules_wrong_rule.fail.sh | 6 +++++- .../augenrules_wrong_rule_without_key.fail.sh | 6 +++++- 18 files changed, 93 insertions(+), 22 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 09d049c9dee8..12b71cadd2d2 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1622,6 +1622,7 @@ controls: rules: - audit_rules_login_events_faillock - audit_rules_login_events_lastlog + - var_accounts_passwords_pam_faillock_dir=run - id: 4.1.3.13 title: Ensure file deletion events by users are collected (Automated) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 81cb3e31e8ef..954bd8b7f534 100644 
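Review bot: The `var_accounts_passwords_pam_faillock_dir=run` selection added to the CIS RHEL 8 control (and the identical line in the cis_rhel9.yml hunk) pins the audit watch to `/var/run/faillock`, but nothing in the control records why the runtime location is chosen over the variable's `/var/log/faillock` default. If the same profile also selects a faillock `dir=` setting through another rule, the two selections can drift and the watch would then cover a directory pam_faillock no longer writes to; I cannot see from this hunk whether such a rule is selected. A one-line comment above the selection would make the intent reviewable, e.g. `# audits the runtime faillock directory (/var/run/faillock); keep in sync with any faillock dir= setting selected by this profile`.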
--- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -1375,6 +1375,7 @@ controls: rules: - audit_rules_login_events_faillock - audit_rules_login_events_lastlog + - var_accounts_passwords_pam_faillock_dir=run - id: 4.1.3.13 title: Ensure file deletion events by users are collected (Automated) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_dir.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_dir.var index 6dfa79aa3088..1cd7df8c8906 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_dir.var +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_dir.var @@ -13,3 +13,4 @@ interactive: false options: ol8: "/var/log/faillock" default: "/var/log/faillock" + run: "/var/run/faillock" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml index 6a073f18309c..93a43951456b 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml @@ -11,12 +11,12 @@ description: |- default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -
-w {{{ faillock_path }}} -p wa -k logins+
-w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k loginsIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -
-w {{{ faillock_path }}} -p wa -k logins+
-w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k loginsrationale: |- Manual editing of these files may indicate nefarious activity, such @@ -66,16 +66,18 @@ ocil_clause: 'the command does not return a line, or the line is commented out' ocil: |- Verify {{{ full_name }}} generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: - $ sudo auditctl -l | grep {{{ faillock_path }}} + $ sudo auditctl -l | grep {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} - -w {{{ faillock_path }}} -p wa -k logins + -w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins template: name: audit_rules_login_events vars: - path: {{{ faillock_path }}} + path: var_accounts_passwords_pam_faillock_dir + path_is_variable: "true" + fixtext: |- - {{{ fixtext_audit_file_watch_rule(faillock_path, "logins", "/etc/audit/rules.d/audit.rules") | indent(4) }}} + {{{ fixtext_audit_file_watch_rule(xccdf_value("var_accounts_passwords_pam_faillock_dir"), "logins", "/etc/audit/rules.d/audit.rules") | indent(4) }}} -srg_requirement: '{{{ srg_requirement_audit_file_watch_rule(faillock_path) }}}' +srg_requirement: '{{{ srg_requirement_audit_file_watch_rule(xccdf_value("var_accounts_passwords_pam_faillock_dir")) }}}' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/group.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/group.yml index d54032a4d218..184bbc332919 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/group.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/group.yml @@ -10,12 +10,12 @@ description: |- directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
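Review bot: The OCIL paragraph kept as context in the second rule.yml hunk still says the check verifies "account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd"", while the command directly below it now greps for `{{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}}`; the wording should match the watched path, e.g. `Verify {{{ full_name }}} generates audit records for attempted manual edits of {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} with the following command:`. Separately, `path_is_variable: "true"` is a quoted YAML string, and the shared templates in this patch test it with `{{% if PATH_IS_VARIABLE %}}`; if the template engine passes the value through unchanged, that is a non-empty-string truthiness check and a future `"false"` would also take the variable branch. Either use a bare `true` or note next to the key that only presence matters, so the next rule author is not surprised.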
-w /var/log/tallylog -p wa -k logins - -w {{{ faillock_path }}} -p wa -k logins + -w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins -w /var/log/lastlog -p wa -k loginsIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins - -w {{{ faillock_path }}} -p wa -k logins + -w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins -w /var/log/lastlog -p wa -k loginsdiff --git a/shared/templates/audit_rules_login_events/ansible.template b/shared/templates/audit_rules_login_events/ansible.template index 2ccdb54835fb..6972e4450e76 100644 --- a/shared/templates/audit_rules_login_events/ansible.template +++ b/shared/templates/audit_rules_login_events/ansible.template @@ -4,5 +4,11 @@ # complexity = low # disruption = low +{{% if PATH_IS_VARIABLE %}} +{{{ ansible_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}} +{{{ ansible_audit_augenrules_add_watch_rule(path="{{ var_accounts_passwords_pam_faillock_dir }}", permissions='wa', key='logins') }}} +{{{ ansible_audit_auditctl_add_watch_rule(path="{{ var_accounts_passwords_pam_faillock_dir }}", permissions='wa', key='logins') }}} +{{% else %}} {{{ ansible_audit_augenrules_add_watch_rule(path=PATH, permissions='wa', key='logins') }}} {{{ ansible_audit_auditctl_add_watch_rule(path=PATH, permissions='wa', key='logins') }}} +{{% endif %}} \ No newline at end of file diff --git a/shared/templates/audit_rules_login_events/bash.template b/shared/templates/audit_rules_login_events/bash.template index c94b10739806..3c924ee40755 100644 --- a/shared/templates/audit_rules_login_events/bash.template +++ b/shared/templates/audit_rules_login_events/bash.template 
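Review bot: In the new `PATH_IS_VARIABLE` branch the template ignores `PATH` and hard-codes `var_accounts_passwords_pam_faillock_dir`, even though rule.yml now passes the variable name through `path:`; the bash.template hunk has the same issue. Any second rule that reuses this template with another variable would silently audit the faillock directory instead of its own path. Using the parameter keeps the template generic, e.g. `{{{ ansible_instantiate_variables(PATH) }}}` followed by `path="{{ " ~ PATH ~ " }}"` in both watch-rule calls, and `"$" ~ PATH` in the two bash calls. A short comment at the top of the branch stating that in this mode `PATH` names the XCCDF variable rather than a filesystem path would also help readers of both templates.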
@@ -2,5 +2,11 @@ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +{{% if PATH_IS_VARIABLE %}} +{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}} +{{{ bash_fix_audit_watch_rule("auditctl", "$var_accounts_passwords_pam_faillock_dir", "wa", "logins") }}} +{{{ bash_fix_audit_watch_rule("augenrules", "$var_accounts_passwords_pam_faillock_dir", "wa", "logins") }}} +{{% else %}} {{{ bash_fix_audit_watch_rule("auditctl", PATH, "wa", "logins") }}} {{{ bash_fix_audit_watch_rule("augenrules", PATH, "wa", "logins") }}} +{{% endif %}} \ No newline at end of file diff --git a/shared/templates/audit_rules_login_events/oval.template b/shared/templates/audit_rules_login_events/oval.template index f173fc8fa369..669211b24afa 100644 --- a/shared/templates/audit_rules_login_events/oval.template +++ b/shared/templates/audit_rules_login_events/oval.template @@ -24,7 +24,7 @@