ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Update audit_rules_suid_privilege_function to use ExecStart instead of ExecStartPost #12549

Closed ggbecker closed 2 weeks ago

ggbecker commented 3 weeks ago

Description:

Rationale:

github-actions[bot] commented 3 weeks ago

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

github-actions[bot] commented 3 weeks ago

Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.

codeclimate[bot] commented 3 weeks ago

Code Climate has analyzed commit d13c361d and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).

ggbecker commented 3 weeks ago

Looks like the problem has been fixed.

TASK [Check the rules script being used] ***************************************
ok: [192.168.122.237] => {"changed": false, "cmd": ["grep", "^ExecStart", "/usr/lib/systemd/system/audit-rules.service"], "delta": "0:00:00.001622", "end": "2024-10-28 18:55:49.652923", "failed_when_result": false, "msg": "", "rc": 0, "start": "2024-10-28 18:55:49.651301", "stderr": "", "stderr_lines": [], "stdout": "ExecStart=/sbin/augenrules --load", "stdout_lines": ["ExecStart=/sbin/augenrules --load"]}

TASK [Set suid_audit_rules fact] ***********************************************
ok: [192.168.122.237] => (Redacted by Contest)

TASK [Update /etc/audit/rules.d/user_emulation.rules to audit privileged functions] ***
changed: [192.168.122.237] => (item={'rule': '-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation', 'regex': '^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-C[\\s]+euid!=uid[\\s]+-F[\\s]+auid!=unset[\\s]+-S[\\s]+execve[\\s]+(?:-k[\\s]+|-F[\\s]+key=)[\\S]+[\\s]*$'}) => {"ansible_loop_var": "item", "backup": "", "changed": true, "item": {"regex": "^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-C[\\s]+euid!=uid[\\s]+-F[\\s]+auid!=unset[\\s]+-S[\\s]+execve[\\s]+(?:-k[\\s]+|-F[\\s]+key=)[\\S]+[\\s]*$", "rule": "-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation"}, "msg": "line added"}
changed: [192.168.122.237] => (item={'rule': '-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation', 'regex': '^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-C[\\s]+euid!=uid[\\s]+-F[\\s]+auid!=unset[\\s]+-S[\\s]+execve[\\s]+(?:-k[\\s]+|-F[\\s]+key=)[\\S]+[\\s]*$'}) => {"ansible_loop_var": "item", "backup": "", "changed": true, "item": {"regex": "^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-C[\\s]+euid!=uid[\\s]+-F[\\s]+auid!=unset[\\s]+-S[\\s]+execve[\\s]+(?:-k[\\s]+|-F[\\s]+key=)[\\S]+[\\s]*$", "rule": "-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation"}, "msg": "line added"}

TASK [Update Update /etc/audit/audit.rules to audit privileged functions] ******
skipping: [192.168.122.237] => (item={'rule': '-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation', 'regex': '^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-C[\\s]+euid!=uid[\\s]+-F[\\s]+auid!=unset[\\s]+-S[\\s]+execve[\\s]+(?:-k[\\s]+|-F[\\s]+key=)[\\S]+[\\s]*$'})  => {"ansible_loop_var": "item", "changed": false, "false_condition": "\"auditctl\" in check_rules_scripts_result.stdout", "item": {"regex": "^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b32[\\s]+-C[\\s]+euid!=uid[\\s]+-F[\\s]+auid!=unset[\\s]+-S[\\s]+execve[\\s]+(?:-k[\\s]+|-F[\\s]+key=)[\\S]+[\\s]*$", "rule": "-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation"}, "skip_reason": "Conditional result was False"}
skipping: [192.168.122.237] => (item={'rule': '-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation', 'regex': '^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-C[\\s]+euid!=uid[\\s]+-F[\\s]+auid!=unset[\\s]+-S[\\s]+execve[\\s]+(?:-k[\\s]+|-F[\\s]+key=)[\\S]+[\\s]*$'})  => {"ansible_loop_var": "item", "changed": false, "false_condition": "\"auditctl\" in check_rules_scripts_result.stdout", "item": {"regex": "^[\\s]*-a[\\s]+always,exit[\\s]+-F[\\s]+arch=b64[\\s]+-C[\\s]+euid!=uid[\\s]+-F[\\s]+auid!=unset[\\s]+-S[\\s]+execve[\\s]+(?:-k[\\s]+|-F[\\s]+key=)[\\S]+[\\s]*$", "rule": "-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation"}, "skip_reason": "Conditional result was False"}
skipping: [192.168.122.237] => {"changed": false, "msg": "All items skipped"}

TASK [Restart Auditd] **********************************************************
changed: [192.168.122.237] => {"changed": true, "cmd": ["/usr/sbin/service", "auditd", "restart"], "delta": "0:00:01.095532", "end": "2024-10-28 18:55:51.352516", "msg": "", "rc": 0, "start": "2024-10-28 18:55:50.256984", "stderr": "", "stderr_lines": [], "stdout": "Redirecting start to /bin/systemctl start auditd.service", "stdout_lines": ["Redirecting start to /bin/systemctl start auditd.service"]}
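
The run above shows the decision the remediation makes: it greps the ExecStart line of audit-rules.service, and because the loader is augenrules rather than auditctl, it writes the execve rules to /etc/audit/rules.d/user_emulation.rules and skips /etc/audit/audit.rules. The POSIX shell script below is an added example that reproduces that logic stand-alone; it is not the project's Ansible or Bash remediation. The unit path, rules directory and audit.rules path are read from environment variables (AUDIT_UNIT, RULES_D, AUDIT_RULES, all assumed names) so the script can be exercised against a constructed temporary tree instead of a live host.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode's own remediation. Picks the rules file
# from how the audit rules service loads rules, then adds the user_emulation
# execve rules idempotently. Variable names are assumptions for this example.

AUDIT_UNIT="${AUDIT_UNIT:-/usr/lib/systemd/system/audit-rules.service}"
RULES_D="${RULES_D:-/etc/audit/rules.d}"
AUDIT_RULES="${AUDIT_RULES:-/etc/audit/audit.rules}"

# Print the file the rules belong in: audit.rules when ExecStart runs
# auditctl directly, otherwise a drop-in under rules.d for augenrules
# (the case in the task output above).
select_rules_file() {
    if grep -q '^ExecStart.*auditctl' "$AUDIT_UNIT" 2>/dev/null; then
        printf '%s\n' "$AUDIT_RULES"
    else
        printf '%s\n' "$RULES_D/user_emulation.rules"
    fi
}

# Append the rule for one arch unless an equivalent line (same filters and
# syscall, any key) is already present. Prints "added" or "present".
add_rule() {
    file="$1"
    arch="$2"
    # The pattern must match the exact token order of the line written below,
    # otherwise every run appends a duplicate rule.
    pattern="^[[:space:]]*-a[[:space:]]+always,exit[[:space:]]+-F[[:space:]]+arch=${arch}[[:space:]]+-S[[:space:]]+execve[[:space:]]+-C[[:space:]]+euid!=uid[[:space:]]+-F[[:space:]]+auid!=unset[[:space:]]+(-k[[:space:]]+|-F[[:space:]]+key=)[^[:space:]]+[[:space:]]*$"
    mkdir -p "$(dirname "$file")"
    touch "$file"
    if grep -Eq "$pattern" "$file"; then
        echo present
    else
        printf '%s\n' "-a always,exit -F arch=$arch -S execve -C euid!=uid -F auid!=unset -k user_emulation" >> "$file"
        echo added
    fi
}

# Wire both steps together for a real run (root, on the target host):
#   target=$(select_rules_file)
#   add_rule "$target" b32; add_rule "$target" b64
#   augenrules --load   # or auditctl -R, depending on the loader selected
```

Two points a practitioner would check: the grep is only as good as the unit file it reads, so a host whose rules service is not at that path falls into the rules.d branch by default; and the "already present" regex must accept the line the script itself writes, or the remediation is never idempotent and the rules file grows on every run.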

vojtapolasek commented 3 weeks ago

Hello, this rule rings a bell for me. Please note this: https://github.com/ComplianceAsCode/content/pull/12359#issuecomment-2329320324 So the rule might not be working as expected.

ggbecker commented 3 weeks ago

> Hello, this rule rings a bell for me. Please note this: #12359 (comment) So the rule might not be working as expected.

I was able to fix the remediation issue with this pull request, but I haven't done any further testing to see if the rules are actually being loaded by the auditd service. But I'd assume the test would not work if the rules were not loaded correctly. This rule is part of RHEL9 CIS profile and there it is working as expected.

Mab879 commented 2 weeks ago

Waiving Automatus tests since these rules are not applicable in VMs.