GovReady / govready

Toolkit for getting open source apps ready for secure, approved government use
GNU General Public License v3.0

SSG Audit Rule tests may only be picking up 32 bit architecture tests #65

Closed gregelin closed 9 years ago

gregelin commented 9 years ago

The only difference between the two oscap evaluations below is the inclusion of the audit rule for the 32-bit architecture in the audit rules when the second evaluation is run.

[root@vagrant myfisma]# govready rule audit_rules_dac_modification_fchmod
[GovReady] Checking scan results for rule audit_rules_dac_modification_fchmod to scap/content
[GovReady] Running command: "xsltproc --stringparam ruleid audit_rules_dac_modification_fchmod .govready/xml/ruleinfo.xsl scans/results.xml"

Rule "audit_rules_dac_modification_fchmod" (AKA CCE-27174-2) had result "fail" in most recent scan.
The oval definition is "oval:ssg:def:567" in file "ssg-rhel6-oval.xml"

Evaluate rule's oval test: govready rule audit_rules_dac_modification_fchmod
OpenSCAP oval eval command: oscap oval eval --id oval:ssg:def:567 --variables scans/variables.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-oval.xml
[GovReady] Running command: "oscap oval eval --id oval:ssg:def:567 --variables scans/variables.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-oval.xml"
Definition oval:ssg:def:567: false
Evaluation done.
[root@vagrant myfisma]# vim /etc/audit/audit.rules
[root@vagrant myfisma]# govready rule audit_rules_dac_modification_fchmod
[GovReady] Checking scan results for rule audit_rules_dac_modification_fchmod to scap/content
[GovReady] Running command: "xsltproc --stringparam ruleid audit_rules_dac_modification_fchmod .govready/xml/ruleinfo.xsl scans/results.xml"

Rule "audit_rules_dac_modification_fchmod" (AKA CCE-27174-2) had result "fail" in most recent scan.
The oval definition is "oval:ssg:def:567" in file "ssg-rhel6-oval.xml"

Evaluate rule's oval test: govready rule audit_rules_dac_modification_fchmod
OpenSCAP oval eval command: oscap oval eval --id oval:ssg:def:567 --variables scans/variables.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-oval.xml
[GovReady] Running command: "oscap oval eval --id oval:ssg:def:567 --variables scans/variables.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-oval.xml"
Definition oval:ssg:def:567: true
Evaluation done.
gregelin commented 9 years ago

Further testing shows that the audit control lines for both 32-bit and 64-bit must be in place for the audit test to pass.

This will fail in /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
#-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod

This will fail in /etc/audit/audit.rules:

#-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod

This passes in /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
gregelin commented 9 years ago

Thanks to @djk29a for explaining that both arch 32 and 64 need to be included in the audit file, because it is not possible to know whether the computer will be booted in 64-bit or 32-bit mode or for which architecture a binary is compiled. Updated the template audit.rules-rhel6 file with controls for 32 and 64.

Closed 74944d530d26afb8a0d405246db92684aeb8c73f and commit e3f51f0a219695ae511f3ef2f258c60a563c4ed5
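The condition the thread arrives at (an active `-a always,exit` rule for the syscall on both `arch=b32` and `arch=b64`, or the SSG check fails) can be checked locally before re-running oscap. The script below is an added example, not GovReady's code and not the SSG OVAL definition itself: it is a simplified stand-in for that check, parsing audit.rules lines token by token rather than by the exact pattern OVAL uses. The three rule files it builds under a temporary directory are constructed copies of the three configurations posted above; the function names (`audit_arch_rule_present`, `both_arch_rules`, `report`) are this example's own.

```shell
#!/bin/sh
# Added example (not GovReady's or SSG's code): verify that an audit.rules file
# carries an active, uncommented "-a always,exit" rule for a syscall on BOTH
# arch=b32 and arch=b64, the condition the thread found the SSG test requires.

# audit_arch_rule_present FILE SYSCALL ARCH
# Exit 0 if FILE has an uncommented "-a always,exit" rule whose "-S" list
# contains SYSCALL exactly (so "fchmod" does not match "fchmodat") and which
# carries "-F arch=ARCH". Commented-out rules ("#-a ...") are ignored.
audit_arch_rule_present() {
    awk -v sc="$2" -v ar="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        $1 != "-a" { next }                             # only syscall rules
        {
            act = 0; has_arch = 0; has_sc = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "always,exit" || $i == "exit,always") act = 1
                if ($i == "-F" && $(i + 1) == ("arch=" ar)) has_arch = 1
                if ($i == "-S") {
                    n = split($(i + 1), list, ",")
                    for (j = 1; j <= n; j++) if (list[j] == sc) has_sc = 1
                }
            }
            if (act && has_arch && has_sc) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# both_arch_rules FILE SYSCALL: exit 0 only if b32 AND b64 rules are active.
both_arch_rules() {
    audit_arch_rule_present "$1" "$2" b32 && audit_arch_rule_present "$1" "$2" b64
}

# report FILE SYSCALL: print pass/fail in the spirit of the oscap result line.
report() {
    if both_arch_rules "$1" "$2"; then
        echo "$1: $2 audited on b32 and b64: pass"
    else
        echo "$1: $2 missing on b32 or b64: fail"
    fi
}

# Constructed inputs reproducing the three configurations from the thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/b32only.rules" <<'EOF'
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
#-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
EOF

cat > "$tmp/b64only.rules" <<'EOF'
#-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
EOF

cat > "$tmp/both.rules" <<'EOF'
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
EOF

for f in b32only b64only both; do
    report "$tmp/$f.rules" fchmodat
done
```

To check a live host, call `both_arch_rules /etc/audit/audit.rules fchmodat` (or any other syscall the SSG rule names) before re-running `oscap oval eval`; a non-zero exit means one of the two architecture lines is absent or commented out, which is exactly the state that produced `Definition oval:ssg:def:567: false` above.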