Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Audit watch on /etc/sysconfig/network-scripts #11724

Merged
merged 2 commits into from
Mar 18, 2024
Merged

Audit watch on /etc/sysconfig/network-scripts #11724

merged 2 commits into from
Mar 18, 2024

Conversation

jan-cerny
Copy link
Collaborator

@jan-cerny jan-cerny commented Mar 18, 2024
edited
Loading

Description:

This PR introduces a new rule audit_rules_networkconfig_modification_network_scripts that checks if an audit watch is configured on /etc/sysconfig/network-scripts. Then, this rule is added to RHEL CIS profiles.

We could add this audit rule to existing rule audit_rules_networkconfig_modification. However, we decided to create a new rule. The rule audit_rules_networkconfig_modification is already overloaded by having many items in a single rule. The rule is also used in many different profiles in many products so the rule scope change could cause unpredicted effects in some of these profiles. Also, we expect /etc/sysconfig/network-scripts to be deprecated in future RHEL so creating a separate rule will help us to easily exclude this audit rule from other products.

The new rule uses a new template audit_rules_watch, which is also introduced in this PR. This template will allow to easily create rules that check audit file system rules, also called watches.

For more details, please read commit messages of each commit.

Rationale:

RHEL 9 CIS Benchmark Section 4.1.3.5 requires that /etc/sysconfig/network-scripts is audited. Other CIS benchmarks are similar.

Fixes: https://issues.redhat.com/browse/RHEL-29308

@jan-cerny
Add new template audit_rules_watch
d57f5e1 
This template will allow to easily create rules that check audit
file system rules, also called watches.
@jan-cerny
Add rule audit_rules_networkconfig_modification_network_scripts
bdb5ce7 
This commit adds a new rule that checks if an audit watch is configured
on /etc/sysconfig/network-scripts. Then, this rule is added to RHEL CIS
profiles. The CIS Benchmarks require changes on
/etc/sysconfig/network-scripts to be audited. We could add this audit
rule to  existing rule audit_rules_networkconfig_modification. However,
we decided to create a new rule. The rule
audit_rules_networkconfig_modification is already overloaded by having
many items in a single rule. The rule is also used in many different
profiles in many products so the rule scope change could cause
unpredicted effects in some of these profiles. Also, we expect
/etc/sysconfig/network-scripts to be deprecated in future RHEL so
creating a separate rule will help us to easily exclude this audit rule
from other products.

Resolves: RHEL-29308
@jan-cerny jan-cerny added bugfix Fixes to reported bugs. New Rule Issues or pull requests related to new Rules. CIS CIS Benchmark related. labels Mar 18, 2024
@jan-cerny jan-cerny added this to the 0.1.73 milestone Mar 18, 2024
@jan-cerny jan-cerny requested a review from a team as a code owner March 18, 2024 16:00
@github-actions GitHub Actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@github-actions GitHub Actions
Copy link

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11724
This image was built from commit: bdb5ce7

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11724

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11724 make deploy-local

@codeclimate CodeClimate
Copy link

codeclimate bot commented Mar 18, 2024

Code Climate has analyzed commit bdb5ce7 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.3% (0.0% change).

View more on Code Climate.

@Mab879 Mab879 self-assigned this Mar 18, 2024
Mab879
Mab879 approved these changes Mar 18, 2024
View reviewed changes
Copy link
Member

@Mab879 Mab879 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Thanks for your work.

Mab879
Mab879 approved these changes Mar 18, 2024
View reviewed changes
Copy link
Member

@Mab879 Mab879 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Thanks!

@Mab879 Mab879 merged commit 063d189 into ComplianceAsCode:master Mar 18, 2024
43 of 44 checks passed
@marcusburghardt marcusburghardt mentioned this pull request Apr 3, 2024
Merged
@mpurg mpurg mentioned this pull request Apr 23, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mab879 Mab879 Mab879 approved these changes

Assignees

@Mab879 Mab879

Labels
bugfix Fixes to reported bugs. CIS CIS Benchmark related. New Rule Issues or pull requests related to new Rules.
Projects
None yet
Milestone
0.1.73
Development

Successfully merging this pull request may close these issues.
2 participants
@jan-cerny @Mab879