

From 09b4ceaba513e23ee933349f8a89b9c9b7dc1c26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 6 Dec 2023 10:02:00 +0100
Subject: [PATCH 14/14] Add variable support to `auditd_name_format` rule
Patch-name: scap-security-guide-0.1.70-name_format_variable-PR_11019.patch
Patch-status: Add variable support to `auditd_name_format` rule
---
controls/srg_gpos.yml | 1 +
.../auditd_name_format/ansible/shared.yml | 7 +-
.../auditd_name_format/bash/shared.sh | 7 +-
.../auditd_name_format/oval/shared.xml | 49 ++++-
.../auditd_name_format/rule.yml | 23 ++-
.../var_auditd_flush.var | 2 +-
.../var_auditd_name_format.var | 18 ++
products/rhel7/profiles/stig.profile | 1 +
products/rhel8/profiles/stig.profile | 1 +
.../data/profile_stability/rhel8/stig.profile | 1 +
.../profile_stability/rhel8/stig_gui.profile | 1 +
15 files changed, 289 insertions(+), 24 deletions(-)
create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var
diff --git a/controls/srg_gpos.yml b/controls/srg_gpos.yml
index 1be70cf332..45fe8635c0 100644
--- a/controls/srg_gpos.yml
+++ b/controls/srg_gpos.yml
@@ -29,3 +29,4 @@ controls:
- var_auditd_space_left_action=email
- login_banner_text=dod_banners
- var_authselect_profile=sssd
+ - var_auditd_name_format=stig
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
index c933228357..015e9d6eff 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
@@ -10,9 +10,14 @@
{{%- set auditd_conf_path=audisp_conf_path + "/auditd.conf" %}}
{{%- endif %}}
+{{{ ansible_instantiate_variables("var_auditd_name_format") }}}
+
+- name: "{{{ rule_title }}} - Define Value to Be Used in the Remediation"
+ ansible.builtin.set_fact: auditd_name_format_split="{{ var_auditd_name_format.split('|')[0] }}"
+
{{{ ansible_set_config_file(file=auditd_conf_path,
parameter="name_format",
- value="hostname",
+ value="{{ auditd_name_format_split }}",
create=true,
separator=" = ",
separator_regex="\s*=\s*",
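Review bot: The `set_fact` task is written in the inline `key=value` form, which is harder to read for an argument that is itself a Jinja expression; the block form is the usual YAML for module arguments, `ansible.builtin.set_fact:` followed by `auditd_name_format_split: "{{ var_auditd_name_format.split('|')[0] }}"`. The split only has an effect on multi-valued options such as `hostname|fqd|numeric`; a single-valued option passes through unchanged, which matches what the bash remediation in this patch does with `cut`. The `ansible_set_config_file` macro call continues past the end of the hunk.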
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
index 67a1203dd5..a08fddc901 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
@@ -10,9 +10,14 @@
{{%- set auditd_conf_path=audisp_conf_path + "/auditd.conf" %}}
{{%- endif %}}
+
+{{{ bash_instantiate_variables("var_auditd_name_format") }}}
+
+var_auditd_name_format="$(echo $var_auditd_name_format | cut -d \| -f 1)"
+
{{{set_config_file(path=auditd_conf_path,
parameter="name_format",
- value="hostname",
+ value="$var_auditd_name_format",
create=true,
insensitive=true,
separator=" = ",
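Review bot: On the `cut` line `$var_auditd_name_format` is expanded unquoted as an argument to `echo`, so it undergoes word splitting and pathname expansion before `cut` sees it; the values come from the variable's fixed option list so this is unlikely to misbehave, but the whole pipeline can be replaced by a parameter expansion that needs no subshell and no quoting care: `var_auditd_name_format="${var_auditd_name_format%%|*}"`. That keeps everything before the first `|`, exactly as `cut -d \| -f 1` does, and leaves a single-valued option unchanged. The `set_config_file` macro call continues past the end of the hunk.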
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml
index 1bb86958fa..a98a46773b 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml
@@ -3,10 +3,47 @@
{{% else %}}
{{% set audisp_conf_file = "/auditd.conf" %}}
{{% endif %}}
+<def-group>
+ <definition class="compliance" id="auditd_name_format" version="1">
+ <metadata>
+ <title>Set type of computer node name logging in audit logs</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Ensure 'name_format' is configured with value 'hostname|fdq|numeric' in {{{ audisp_conf_path + audisp_conf_file }}}</description>
+ </metadata>
+ <criteria comment="The respective application or service is configured correctly"
+ operator="OR"><criterion comment="Check the name_format in {{{ audisp_conf_path + audisp_conf_file }}}"
+ test_ref="test_auditd_name_format" />
+ </criteria>
+ </definition>
-{{{ oval_check_config_file(
- path=audisp_conf_path + audisp_conf_file,
- prefix_regex="^[ \\t]*(?i)",
- parameter="name_format",
- value="(?i)hostname(?-i)",
- separator_regex="(?-i)[ \\t]*=[ \\t]*") }}}
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="tests the value of name_format setting in the {{{ audisp_conf_path + audisp_conf_file }}} file"
+ id="test_auditd_name_format" version="1">
+ <ind:object object_ref="obj_auditd_name_format" />
+ <ind:state state_ref="state_auditd_name_format" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_auditd_name_format" version="1">
+ <ind:filepath>{{{ audisp_conf_path + audisp_conf_file }}}</ind:filepath>
+ <ind:pattern operation="pattern match">^[ \t]*(?i)name_format(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_auditd_name_format" version="1">
+ <ind:subexpression operation="pattern match" var_ref="var_auditd_name_format_regex" />
+ </ind:textfilecontent54_state>
+
+ <local_variable datatype="string" id="var_auditd_name_format_regex" version="1"
+ comment="Build regex to be case insensitive">
+ <concat>
+ <literal_component>(?i)</literal_component>
+ <variable_component var_ref="var_auditd_name_format"/>
+ </concat>
+ </local_variable>
+
+ <external_variable comment="audit name_format setting" datatype="string"
+ id="var_auditd_name_format" version="1" />
+
+</def-group>
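Review bot: The state `state_auditd_name_format` applies the variable's value as a `pattern match` on the captured subexpression without anchors, and since OVAL pattern matching is a search rather than a full-string match, a value that merely contains one of the alternatives passes — with the `stig` option (`hostname|fqd|numeric`) a misspelled `fqdn` or a value such as `nothostname` would be reported compliant. Anchoring the regex in the `local_variable` concat fixes this: `<literal_component>(?i)^(?:</literal_component>`, `<variable_component var_ref="var_auditd_name_format"/>`, `<literal_component>)$</literal_component>`. Separately, the definition's `<description>` spells the option `fdq` while the variable file in this patch and auditd use `fqd`.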
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
index 76a908f28f..4ee80e3d07 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
@@ -1,11 +1,11 @@
documentation_complete: true
-title: 'Set hostname as computer node name in audit logs'
+title: 'Set type of computer node name logging in audit logs'
description: |-
- To configure Audit daemon to use value returned by gethostname
- syscall as computer node name in the audit events,
- set <tt>name_format</tt> to <tt>hostname</tt>
+ To configure Audit daemon to use a unique identifier
+ as computer node name in the audit events,
+ set <tt>name_format</tt> to <tt>{{{ xccdf_value("var_auditd_name_format") }}}</tt>
in <tt>/etc/audit/auditd.conf</tt>.
rationale: |-
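Review bot: The description now instructs the reader to set `name_format` to `{{{ xccdf_value("var_auditd_name_format") }}}`, which for the `stig` selection renders literally as `hostname|fqd|numeric` — not itself a value auditd accepts; the same rendering reaches the `ocil_clause`, the ocil `<pre>` line and the fixtext in the next hunk of this file. The warnings entry added in that hunk explains that remediation applies the first value, but the description and OCIL should be phrased the same way, e.g. `set <tt>name_format</tt> to one of the values in <tt>{{{ xccdf_value("var_auditd_name_format") }}}</tt>` with a sentence noting that the first listed value is the one applied by remediation.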
@@ -32,17 +32,22 @@ references:
stigid@rhel8: RHEL-08-030062
stigid@rhel9: RHEL-09-653060
-ocil_clause: name_format isn't set to hostname
+ocil_clause: name_format isn't set to {{{ xccdf_value("var_auditd_name_format") }}}
ocil: |-
- To verify that Audit Daemon is configured to record the hostname
- in audit events, run the following command:
+ To verify that Audit Daemon is configured to record the computer node
+ name in the audit events, run the following command:
<pre>$ sudo grep name_format /etc/audit/auditd.conf</pre>
The output should return the following:
- <pre>name_format = hostname</pre>
+ <pre>name_format = {{{ xccdf_value("var_auditd_name_format") }}}</pre>
+
+warnings:
+ - general: |-
+ Whenever the variable <pre>var_auditd_name_format</pre> uses a multiple value option, for example
+ <pre>A|B|C</pre>, the first value will be used when remediating this rule.
fixtext: |-
- {{{ fixtext_audit_configuration(param="name_format", value="hostname") | indent(4) }}}
+ {{{ fixtext_audit_configuration(param="name_format", value=xccdf_value("var_auditd_name_format")) | indent(4) }}}
srg_requirement: |-
{{{ full_name }}} must label all off-loaded audit logs before sending them to the central log server.
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var
index 3ae67d484a..f7b0bc5b8f 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var
@@ -13,5 +13,5 @@ options:
default: data
incremental: incremental
incremental_async: incremental_async
- none: none
+ none: "none"
sync: sync
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var
new file mode 100644
index 0000000000..75cc597038
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: 'Type of hostname to record the audit event'
+
+description: 'Type of hostname to record the audit event'
+
+type: string
+
+interactive: false
+
+options:
+ default: hostname
+ hostname: hostname
+ fqd: fqd
+ numeric: numeric
+ user: user
+ none: "none"
+ stig: hostname|fqd|numeric
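Review bot: The `description` of the new variable repeats its title and does not say how the value is consumed, yet the rest of this patch gives it two distinct meanings: the remediations keep only the text before the first `|`, while the OVAL check uses the whole value as a regular-expression alternation, so every option must be regex-safe and a multi-valued option means "any listed value passes the check, the first is applied". A description such as `Value of the auditd name_format setting; a '|'-separated list accepts any listed value in the check and applies the first one in remediation` would make the shape of the `stig` option self-explanatory to profile authors.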
diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
index 6483dfe3da..1e1e50765a 100644
--- a/products/rhel7/profiles/stig.profile
+++ b/products/rhel7/profiles/stig.profile
@@ -335,6 +335,7 @@ selections:
- accounts_authorized_local_users
- auditd_overflow_action
- auditd_name_format
+ - var_auditd_name_format=stig
- sebool_ssh_sysadm_login
- sudoers_default_includedir
- package_aide_installed
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 0e136784a1..3914fae78f 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -707,6 +707,7 @@ selections:
# RHEL-08-030062
- auditd_name_format
+ - var_auditd_name_format=stig
# RHEL-08-030063
- auditd_log_format
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 7aabec8694..60dc9d3a50 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -473,6 +473,7 @@ selections:
- var_auditd_disk_error_action=rhel8
- var_auditd_max_log_file_action=syslog
- var_auditd_disk_full_action=rhel8
+- var_auditd_name_format=stig
- var_sssd_certificate_verification_digest_function=sha1
- login_banner_text=dod_banners
- var_authselect_profile=sssd
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index bef1437536..b77c8eab2f 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -481,6 +481,7 @@ selections:
- var_auditd_disk_error_action=rhel8
- var_auditd_max_log_file_action=syslog
- var_auditd_disk_full_action=rhel8
+- var_auditd_name_format=stig
- var_sssd_certificate_verification_digest_function=sha1
- login_banner_text=dod_banners
- var_authselect_profile=sssd
--
2.43.0