Fix auditd rule to watch apparmor instead of selinux on Ubuntu #12790
Conversation
Hi @mpurg. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
This datastream diff is auto generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification'.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -7,10 +7,13 @@
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
+
-w /etc/selinux/ -p wa -k MAC-policy
+
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
+
-w /etc/selinux/ -p wa -k MAC-policy
[reference]:
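Review bot: The rule line in both the augenrules and auditctl variants of this description is still `-w /etc/selinux/ -p wa -k MAC-policy`; the three `+` lines in this hunk are blank, so the rendered guidance would still tell an Ubuntu administrator to watch /etc/selinux/ rather than the /etc/apparmor and /etc/apparmor.d directories named in the PR description. Suggest parameterising the watched directory per product so that the description, the check and the remediation all name the same path.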
@@ -371,7 +374,7 @@
10.3
[rationale]:
-The system's mandatory access policy (SELinux) should not be
+The system's mandatory access policy (SELinux or Apparmor) should not be
arbitrarily changed by anything other than administrator action. All changes to
MAC policy should be audited.
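Review bot: Style point on the new rationale text: the project spells its name "AppArmor" upstream, so `(SELinux or Apparmor)` should read `(SELinux or AppArmor)`. The broadened wording otherwise matches the intent of the change.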
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -2,6 +2,7 @@
if rpm --quiet -q audit && rpm --quiet -q kernel; then
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
# |
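Review bot: The only visible change in this remediation hunk is the blank line added after the `# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'` comment; this excerpt shows no change to the watched path, so the substantive part of the remediation is not reviewable from what is shown. One thing to confirm on the first context line: the guard `if rpm --quiet -q audit && rpm --quiet -q kernel; then` is RPM-specific, so if this is the remediation that ships in the Ubuntu datastream it would never enter its body on a dpkg-based system; the Ubuntu build should use the package presence check appropriate for that platform.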
Code Climate has analyzed commit 7e3e742 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.6% (0.0% change). View more on Code Climate.
/ok-to-test
@mpurg thank you for the PR. I reviewed it and I understand its purpose. However, I wonder if this is an optimal way.
@vojtapolasek thanks for reviewing. I agree that your solution is cleaner. To clarify, the reason I adapted the existing rule was to avoid introducing a breaking change downstream when using customized tailoring files. I.e. if a user disabled this rule using a tailoring file, and the rule was now renamed, the rule would no longer be disabled with the same tailoring file. Additionally, I assumed it was ok to modify the existing rule since the rule id contains
Description:
audit_rules_mac_modifications to watch apparmor dirs /etc/apparmor and /etc/apparmor.d instead of /etc/selinux on Ubuntu
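As an added example (not code from this PR or from the ComplianceAsCode project), the following POSIX shell functions check an audit rules file for the AppArmor watches the description asks for and append any that are missing. The watch form `-w DIR -p wa -k MAC-policy` is taken from the diff above; the rules file path and its contents are constructed here for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the PR: verify and remediate AppArmor MAC-policy
# watches in an auditd rules file. Sample file and its content are constructed.

# Constructed sample rules file: carries the old SELinux watch but neither
# AppArmor watch, which is the state the PR is fixing on Ubuntu.
DEMO_RULES="${TMPDIR:-/tmp}/demo-mac-policy.rules"
printf '%s\n' \
  '-w /etc/selinux/ -p wa -k MAC-policy' \
  '-w /etc/sudoers -p wa -k scope' > "$DEMO_RULES"

# mac_watch_present FILE DIR
# Exit 0 if FILE holds a watch on DIR (trailing slash optional) with -p wa and
# -k MAC-policy, exit 1 otherwise. Whitespace between fields is not significant.
mac_watch_present() {
  file=$1
  dir=$2
  grep -Eq "^[[:space:]]*-w[[:space:]]+${dir}/?[[:space:]]+-p[[:space:]]+wa[[:space:]]+-k[[:space:]]+MAC-policy[[:space:]]*$" "$file"
}

# missing_apparmor_watches FILE
# Print, one per line, each AppArmor directory that has no MAC-policy watch.
missing_apparmor_watches() {
  for d in /etc/apparmor /etc/apparmor.d; do
    mac_watch_present "$1" "$d" || printf '%s\n' "$d"
  done
}

# ensure_apparmor_watches FILE
# Append a watch for every missing directory; re-running adds nothing.
ensure_apparmor_watches() {
  for d in $(missing_apparmor_watches "$1"); do
    printf '%s\n' "-w $d/ -p wa -k MAC-policy" >> "$1"
  done
}

# Demonstration: report what is missing, remediate, and report again.
echo "missing before:"; missing_apparmor_watches "$DEMO_RULES"
ensure_apparmor_watches "$DEMO_RULES"
echo "missing after:";  missing_apparmor_watches "$DEMO_RULES"
```

The check deliberately matches the whole rule (path, `-p wa` and the `MAC-policy` key) rather than just the path, so a watch that exists but logs only reads, or under a different key, is reported as missing, which is the same strictness the project's own checks apply to audit rules.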