ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Audit rule contents are out of date compared to auditd examples #12321

Open comps opened 1 month ago

comps commented 1 month ago

Description of problem:

https://github.com/linux-audit/audit-userspace/commit/614f7d1f4755ec24927b2613c0919110fb7acc37 brought in new changes to the example watcher rules shipped in RHEL RPMs; we should probably update our contents in linux_os/guide/auditing/**/rule.yml to match the updated examples.

SCAP Security Guide Version:

a2d0b11e573598c39ab7ad19e89347ee9d9fc399

Operating System Version:

RHEL-9.5

Additional Information/Debugging Steps:

Discovered by /CoreOS/scap-security-guide/Sanity/audit-sample-rules

Mab879 commented 1 month ago

This also affects RHEL 8.8, this should also be checked.

comps commented 4 weeks ago

This also affects RHEL 8.8, this should also be checked.

While the same test fails on 8.8 as well, it is due to a different audit rules related issue.

The 9.5 issue is the addition of arch=, i.e.

--- remediated-datastream/30-ospp-v42.rules
+++ shipped-with-audit/30-ospp-v42.rules
@@ -35,4 +35,8 @@
--a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
--a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
--a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
--a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
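Review bot: the shipped file now carries every identity-file watch twice, once with `-F arch=b32` and once with `-F arch=b64`, while the remediated side emits a single arch-less line per path (e.g. `-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify`); the remaining filters (perm, auid, key) are identical, so the rule.yml content for /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow only needs to emit the two arch-qualified lines per path for this hunk to disappear, and the same per-arch duplication should be checked for the other path watches hidden behind the "etc." below.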
...
etc.
...

which happened quite recently. The 8.8 problem is likely not a recent regression and is of a different nature:

--- remediated-datastream/30-ospp-v42.rules
+++ shipped-with-audit/30-ospp-v42.rules
@@ -57 +56,0 @@
--a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
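Review bot: the grub2-set-bootflag watch appears only on the remediated side (the `-` line) and has no counterpart in the 8.8 shipped file, so this hunk shows the content emitting a rule that the older audit package's sample does not contain, not a wrong filter on an existing rule; the comparison should be tied to the sample rule set of the installed audit version before this is treated as a content defect.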
@@ -60,5 +58,0 @@
-## Special case for systemd-run. It is not audit aware, specifically watch it
--a always,exit -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
-## Special case for pkexec. It is not audit aware, specifically watch it
--a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
-
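Review bot: same situation as the previous hunk: the systemd-run and pkexec "special case" watches exist only in the content output and not in the 8.8 shipped file, so they need the same version gating; note also that the two removed rule lines differ in their filter sets (the systemd-run line carries `-F auid!=unset`, the pkexec line has no auid filter at all), so whichever shipped version the content is aligned to, the check should compare the full filter set per rule rather than only the watched path.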
comps commented 4 weeks ago

Note that the 8.8 problem also seems to occur on 9.0, 9.2 though weirdly not 9.4.

comps commented 4 weeks ago

Okay, so the issue with 8.8 / 9.0 / 9.2 is that they use older audit package versions, which have different sample rules compared to 9.4 and 8.10:

So the content needs to (upstream or downstream) contain 3 versions of the sample rules,
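One way to make a sanity check report these differences structurally rather than as raw text diffs, as an added example that is not code from ComplianceAsCode or the audit-userspace project: it parses `-a` rule lines into their filter sets, pulls the `arch=` filter out into a separate dimension, and classifies each shipped rule as missing from the content, present but with a different arch split, or content-only. The sample rule text is constructed here from the hunks quoted above.

```python
import shlex

# Constructed sample input, modelled on the hunks quoted in this issue:
# REMEDIATED is what the datastream remediation writes, SHIPPED is the
# 30-ospp-v42.rules file the audit package ships (identity watches split
# per arch; grub2-set-bootflag present only on the remediated side).
REMEDIATED = """\
-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
"""
SHIPPED = """\
## identity file watches, one line per arch
-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
"""

def parse_rules(text):
    """Map each '-a' rule, minus its arch filter, to the arches it is defined for.

    Key: (action_list, frozenset of the other -F filters), so filter order is
    irrelevant. Value: set of arch values, None meaning 'no arch filter'.
    Comments, blank lines and non '-a' lines (-w, -D, -b ...) are skipped;
    only -F filters are compared, other options on an -a line are ignored.
    """
    rules = {}
    for line in text.splitlines():
        toks = shlex.split(line.strip())
        if not toks or toks[0] != "-a":
            continue
        filters, arch = set(), None
        for opt, val in zip(toks[2::2], toks[3::2]):  # (option, value) pairs after '-a list'
            if opt != "-F":
                continue
            if val.startswith("arch="):
                arch = val.split("=", 1)[1]
            else:
                filters.add(val)
        rules.setdefault((toks[1], frozenset(filters)), set()).add(arch)
    return rules

def compare(remediated_text, shipped_text):
    """Classify differences between the content's output and the shipped sample."""
    ours, theirs = parse_rules(remediated_text), parse_rules(shipped_text)
    report = {"missing": [], "arch_mismatch": [], "extra": []}
    for key, arches in theirs.items():
        if key not in ours:
            report["missing"].append(key)  # rule the content does not emit at all
        elif ours[key] != arches:
            report["arch_mismatch"].append((key, ours[key], arches))
    report["extra"] = [k for k in ours if k not in theirs]  # content-only rules
    return report
```

Running `compare(REMEDIATED, SHIPPED)` on the constructed sample flags both identity watches as arch mismatches (content has no arch, shipped has b32 and b64) and the grub2-set-bootflag rule as content-only, which is exactly the two classes of difference the two diffs above show.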