ComplianceAsCode / community

This repository is for management of all ComplianceAsCode community related initiatives.
Apache License 2.0

RHEL 7 STIG Update - RHEL-07-030740 - Rule Update #29

Closed mrabe142 closed 4 years ago

mrabe142 commented 6 years ago

As part of the latest RHEL 7 STIG update referenced in https://github.com/ComplianceAsCode/content/issues/3370, a rule has been updated in the current version. Information about the rule change is outlined below:

Rule Metadata

Red Hat Enterprise Linux 7 Security Technical Implementation Guide
Release: 1
Benchmark Date: 27 Jul 2018
Vuln ID: V-72171
Rule ID: SV-86795r6_rule
STIG ID: RHEL-07-030740
Severity: CAT II
Check Reference: M
Classification: Unclass

New Rule Title

Rule Title: The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.

Previous Check + Fix Content

Check Text: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "mount" command occur.

Check for the following system calls being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules":

# grep -iw "mount" /etc/audit/audit.rules

-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount

-a always,exit -F arch=b32 -F path=/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount

-a always,exit -F arch=b32 -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount

-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount

-a always,exit -F arch=b64 -F path=/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount

-a always,exit -F arch=b64 -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount

If all uses of the mount command are not being audited, this is a finding.

Fix Text: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "mount" command occur.

Add or update the following rules in "/etc/audit/rules.d/audit.rules":

Note: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.

-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount

-a always,exit -F arch=b32 -F path=/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount

-a always,exit -F arch=b32 -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount

-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount

-a always,exit -F arch=b64 -F path=/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount

-a always,exit -F arch=b64 -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount

The audit daemon must be restarted for the changes to take effect.

New Check + Fix Content

Check Text: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur.

Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules":

# grep -iw "mount" /etc/audit/audit.rules

-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount

-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount

-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount

If all uses of the "mount" command and syscall are not being audited, this is a finding.

Fix Text: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur.

Add or update the following rules in "/etc/audit/rules.d/audit.rules":

Note: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.

-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount

-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount

-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount

The audit daemon must be restarted for the changes to take effect.

Noted Differences
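The STIG check above is a plain `grep -iw "mount"`, which also matches comments, `umount` rules and rules whose filters are wrong, so it cannot tell a compliant file from a partial one. The following is an added example, not part of this issue and not ComplianceAsCode's own check content: a small parser for `-a` syscall rules that verifies the three requirements of the updated rule (mount syscall on b32, mount syscall on b64, and a `/usr/bin/mount` path rule, each restricted to real users with `auid>=1000` and `auid!=` the unset sentinel). It also reports whether the path rule carries `-F perm=x`, which the STIG text does not require; without a perm filter a `-F path=` rule fires on any syscall that touches the file, not only on executing it. The three rule sets are constructed for the example; the acceptance of `unset` and `-1` as spellings of `4294967295`, and of `-F key=` beside `-k`, follows auditctl's syntax, and `-w` watches are deliberately not parsed.

```python
import re
import shlex
from dataclasses import dataclass, field

# Rule sets constructed for this example; none is copied from a real system.
# 1. The three rules from the updated STIG fix text, one per line.
STIG_RULES = """
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount
-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount
"""
# 2. The same coverage with the binary watch limited to execution (-F perm=x),
#    plus the alternate spellings auditctl accepts (auid!=unset, -F key=).
HARDENED_RULES = """
# privileged mount: the syscall on both arches, and the binary when executed
-a always,exit -F arch=b32 -S mount,umount2 -F auid>=1000 -F auid!=unset -F key=privileged-mount
-a always,exit -F arch=b64 -S mount,umount2 -F auid>=1000 -F auid!=unset -F key=privileged-mount
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-mount
"""
# 3. A partial set: 64-bit only, and a binary watch that dropped the auid filters.
INCOMPLETE_RULES = """
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount
-a always,exit -F path=/usr/bin/mount -k privileged-mount
"""

FIELD_RE = re.compile(r"^([A-Za-z0-9_]+)(!=|>=|<=|&=|=|>|<|&)(.*)$")
UNSET_AUID = {"4294967295", "-1", "unset"}   # spellings auditctl accepts for "no login uid"


@dataclass
class AuditRule:
    action: str                                  # "always,exit" (list parts sorted)
    syscalls: set = field(default_factory=set)   # names given to -S
    fields: list = field(default_factory=list)   # (name, op, value) triples from -F
    key: str = ""                                # from -k or -F key=

    def has(self, name, op=None, value=None):
        return any(n == name and op in (None, o) and value in (None, v)
                   for n, o, v in self.fields)

    def value(self, name):
        return next((v for n, o, v in self.fields if n == name and o == "="), None)


def parse_rules(text):
    """Parse '-a' syscall rules from audit.rules text. Watches (-w), control
    lines (-D, -b, ...) and comments are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-a":
            continue
        rule = AuditRule(action=",".join(sorted(toks[1].split(","))))
        for opt, arg in zip(toks[2::2], toks[3::2]):
            if opt == "-S":
                rule.syscalls.update(arg.split(","))
            elif opt == "-k":
                rule.key = arg
            elif opt == "-F":
                m = FIELD_RE.match(arg)
                if m and m.group(1) == "key":
                    rule.key = m.group(3)
                elif m:
                    rule.fields.append(m.groups())
        rules.append(rule)
    return rules


def _audits_real_users(rule):
    """auid>=1000 and auid != the unset sentinel, as the STIG text requires."""
    return rule.has("auid", ">=", "1000") and any(
        n == "auid" and o == "!=" and v in UNSET_AUID for n, o, v in rule.fields)


def check_mount_coverage(text):
    """Map each check to True/False. syscall_b32, syscall_b64 and path_rule
    are the STIG requirements; path_perm_x records whether the binary watch
    is limited to execution, which the STIG text does not ask for."""
    rules = [r for r in parse_rules(text) if r.action == "always,exit"]
    result = {}
    for arch in ("b32", "b64"):
        result["syscall_" + arch] = any(
            r.has("arch", "=", arch) and "mount" in r.syscalls and _audits_real_users(r)
            for r in rules)
    watches = [r for r in rules
               if r.value("path") == "/usr/bin/mount" and _audits_real_users(r)]
    result["path_rule"] = bool(watches)
    result["path_perm_x"] = any(r.has("perm", "=", "x") for r in watches)
    return result


def findings(text):
    """Names of the checks that failed, sorted, for reporting."""
    return sorted(name for name, ok in check_mount_coverage(text).items() if not ok)


if __name__ == "__main__":
    for label, rules in (("STIG fix text", STIG_RULES), ("hardened", HARDENED_RULES),
                         ("incomplete", INCOMPLETE_RULES)):
        print(f"{label}: {findings(rules) or 'no findings'}")
```

To run it against a host, read `/etc/audit/rules.d/*.rules` (the files augenrules merges, which is what the fix text edits) rather than the generated `/etc/audit/audit.rules`, and treat any entry in `findings()` other than `path_perm_x` as the STIG finding; `path_perm_x` is the hardening caveat, since the rule as written will also log reads and attribute lookups of the binary.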

redhatrises commented 5 years ago

-F perm=x is missing, meaning you will only be auditing if someone reads the file.