[Enhancement] [BugFix] Port selected audit DAC && time rules to RHEL-7 && Fedora systems

[iankko]

This patchset ports the following audit DAC and time modification rules:

• audit_rules_mac_modification,
• audit_rules_networkconfig_modification,
• audit_rules_time_watch_localtime,
• audit_rules_time_clock_settime,
• audit_rules_time_stime,
• audit_rules_time_settimeofday, and
• audit_rules_time_adjtimex

to RHEL-7 && Fedora operating systems.

Note: The audit_rules_usergroup_modification has been previously ported to RHEL-7 && Fedora by Shawn, so it was just enabled to be called by default in the common profile for both of the products.

Porting of each rule consists of two corresponding commits:

• the first commit of the pair ports the underlying OVAL check to RHEL-7 && Fedora systems,
• the second commit from the pair updates the XCCDF prose for that rule for both products to reflect the fact there are two locations (induced by use of augenrules vs auditctl tools to load audit rule entries into final /etc/audit/audit.rules file respectively).

Testing report:

Each of the committed changes (the OVAL check port, and also the XCCDF text / prose update) has been tested prior commit on Red Hat Enterprise Linux 7 and Fedora 20 x86_64 architecture based systems, and AFAICT both of the changes for each rule are fine (the OVAL check works for both auditctl && augenrules tools, subsequently the XCCDF prose update is shown in the guide built for that product).

Please review.

Thank you, Jan.

[landscape-bot]

Code quality remained the same when pulling ad97389 on iankko:even_more_rhel7_audit into eb7b3b8 on OpenSCAP:master.

[shawndwells]

link should be updated as

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages

[iankko]

@shawndwells
Updated:

• the "raw audit messages" URLs in both RHEL-7 & Fedora's auditing.xml (RHEL-7 one to point to URL you suggested, updated the Fedora one to point to Fedora 21's documentation),
• audit_rules_time_stime XCCDF prose to more explicitly mention there isn't 64-bit version of the stime system call in the audit lookup table (both in RHEL-7 && Fedora's auditing.xml),
• and replaced couple of lines occurrences with line (dropped the unnecessary comments part so people wouldn't by mistake include just the comment line and omit the actually required audit rule line, and kept only the true audit rule line part).

Feel free to re-review.

Thank you for catching those issues!

Jan

[landscape-bot]

Code quality remained the same when pulling ee269c1 on iankko:even_more_rhel7_audit into eb7b3b8 on OpenSCAP:master.

[iankko]

Kind bump for re-review -- anyone?

[redhatrises]

@iankko I will take it.

[redhatrises]

@iankko looks like testcheck.py errors out on duplicate key sequences when trying to run the rules with <extend_definition comment="64-bit system" definition_ref="system_info_architecture_x86_64" negate="true" /> as it is listed twice. This maybe a separate PR, but it would be nice to get testcheck fixed asap so as not to confuse users using testcheck.py.

[iankko]

@redhatrises

Thanks. I was able to reproduce the issue. The problem is the testcheck.py script when building the testing OVAL check doesn't perform the sanity check if the underlying OVAL entity with the same ID isn't included in the OVAL check already (like e.g. combinechecks.py script is doing), and instead of that blindly copies all OVAL entities from the extended_definition (even in case they have been included already). This obviously allows to create an invalid OVAL content.

I have fixed this issue by submitting a new PR:
    #547

Margin note: As mentioned e.g. in RHEL/7/input/checks/README sometimes it makes sense to duplicate OVAL object in OVAL definition. This PR is one of those cases -- the current layout of <criteria> across the commits in this PR is the straightforward approach:

• we first check if augenrules or auditctl tools are used to load audit rules,
• depending on that, then check if are on 32-bit system. If so, check just the 32-bit variants of the rules. If not (we are on 64-bit system), check also the 64-bit variants of the rules.

It's not possible to use just one occurrence of the system_info_architecture_x86_64 extend definition test, since it would require the logical operations between the different <criterion> elements to be yet more complex (not that straightforward) like they are now. Their reorganization might help testcheck.py not to require the fix in newly submitted PR, but on the other hand the OVAL checks would be less readable / understandable. So I preferred to fix testcheck.py (introduce the sanity check) rather than to modify the existing OVAL checks above.

The issue should be fixed now (under assumption change from #547 is applied together with the changes from this PR).

[redhatrises]

Ack. Will merge this one after #547 is merged.

[redhatrises]

#547 has been merged, so I am merging this one as well.

[iankko]

#547 has been merged, so I am merging this one as well.

Thank you.