From 9921054f14a728bdd6fb8b29945620c4ff3c928a Mon Sep 17 00:00:00 2001 From: rchikov Date: Tue, 3 Oct 2023 09:45:24 +0200 Subject: [PATCH 1/7] A fix into ansible part of the rule audit_rules_suid_privilege_function --- .../ansible/shared.yml | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml index 252ed0ca688..88b06cff602 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml @@ -26,13 +26,6 @@ - name: Service facts ansible.builtin.service_facts: -- name: Check the rules script being used - ansible.builtin.command: - grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service - register: check_rules_scripts_result - changed_when: false - failed_when: false - - name: Set suid_audit_rules fact ansible.builtin.set_fact: suid_audit_rules: @@ -52,8 +45,8 @@ regexp: "{{ item.regex }}" create: yes when: - - '"auditd.service" in ansible_facts.services' - - '"augenrules" in check_rules_scripts_result.stdout' + - ('"auditd.service" in ansible_facts.services' or + '"augenrules.service" in ansible_facts.services') register: augenrules_audit_rules_privilege_function_update_result with_items: "{{ suid_audit_rules }}" 
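Review bot: The replacement `when:` entry in the second hunk, `('"auditd.service" in ansible_facts.services' or '"augenrules.service" in ansible_facts.services')`, is a parenthesised expression whose two operands are single-quoted string literals, so Jinja evaluates `'…' or '…'` as a non-empty string and the condition is always true; the original form only worked because each list item was, as a whole, a string that Ansible evaluated as an expression. The same construct is added to the auditctl task in the next hunk and survives unchanged into PATCH 3. Express the test as one expression inside one YAML string, `- '"auditd.service" in ansible_facts.services or "augenrules.service" in ansible_facts.services'`. I could not confirm from the series that `service_facts` reports an `augenrules.service` unit at all — augenrules is normally run from auditd's ExecStartPost rather than as its own service — so that second operand is worth verifying on a target host.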
@@ -64,10 +57,11 @@ regexp: "{{ item.regex }}" create: yes when: - - '"auditd.service" in ansible_facts.services' - - '"auditctl" in check_rules_scripts_result.stdout' + - ('"auditd.service" in ansible_facts.services' or + '"augenrules.service" in ansible_facts.services') register: auditctl_audit_rules_privilege_function_update_result with_items: "{{ suid_audit_rules }}" + {{%- if product in ['sle12', 'sle15'] %}} - name: Restart auditd.service ansible.builtin.systemd: From 89d2e8e26f9867e141e6430c918537179f39ec9b Mon Sep 17 00:00:00 2001 
From: rchikov Date: Wed, 4 Oct 2023 12:19:49 +0200 Subject: [PATCH 2/7] Created test cases covering /etc/audit/rules.d/privileged.rules and /etc/audit/audit.rules --- .../tests/correct_value.audit.pass.sh | 15 +++++++++++++++ ...pass.sh => correct_value.privileged.pass.sh} | 0 .../tests/miss_arch.audit.fail.sh | 13 +++++++++++++ ...rch.fail.sh => miss_arch.privileged.fail.sh} | 0 .../tests/miss_c.audit.fail.sh | 12 ++++++++++++ ...miss_c.fail.sh => miss_c.privileged.fail.sh} | 0 .../tests/no_rules.audit.fail.sh | 4 ++++ ...ules.fail.sh => no_rules.privileged.fail.sh} | 0 .../tests/other_key.audit.pass.sh | 17 +++++++++++++++++ ...key.pass.sh => other_key.privileged.pass.sh} | 0 .../tests/use_f_key.audit.pass.sh | 16 ++++++++++++++++ ...key.pass.sh => use_f_key.privileged.pass.sh} | 0 .../tests/wrong_a.audit.fail.sh | 15 +++++++++++++++ ...ong_a.fail.sh => wrong_a.privileged.fail.sh} | 0 .../tests/wrong_c_egid.audit.fail.sh | 15 +++++++++++++++ ....fail.sh => wrong_c_egid.privileged.fail.sh} | 0 .../tests/wrong_c_euid.audit.fail.sh | 15 +++++++++++++++ ....fail.sh => wrong_c_euid.privileged.fail.sh} | 0 .../tests/wrong_f_egid.audit.fail.sh | 10 ++++++++++ ....fail.sh => wrong_f_egid.privileged.fail.sh} | 0 .../tests/wrong_f_euid.audit.fail.sh | 10 ++++++++++ ....fail.sh => wrong_f_euid.privileged.fail.sh} | 0 22 files changed, 142 insertions(+) create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.audit.pass.sh rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{correct_value.pass.sh => correct_value.privileged.pass.sh} (100%) create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.audit.fail.sh rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{miss_arch.fail.sh => miss_arch.privileged.fail.sh} (100%) create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.audit.fail.sh rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{miss_c.fail.sh => miss_c.privileged.fail.sh} (100%) create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.audit.fail.sh rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{no_rules.fail.sh => no_rules.privileged.fail.sh} (100%) create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.audit.pass.sh rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{other_key.pass.sh => other_key.privileged.pass.sh} (100%) create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.audit.pass.sh rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{use_f_key.pass.sh => use_f_key.privileged.pass.sh} (100%) create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.audit.fail.sh rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_a.fail.sh => wrong_a.privileged.fail.sh} (100%) create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.audit.fail.sh rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_c_egid.fail.sh => wrong_c_egid.privileged.fail.sh} (100%) create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.audit.fail.sh rename 
linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_c_euid.fail.sh => wrong_c_euid.privileged.fail.sh} (100%)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.audit.fail.sh
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_f_egid.fail.sh => wrong_f_egid.privileged.fail.sh} (100%)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.audit.fail.sh
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_f_euid.fail.sh => wrong_f_euid.privileged.fail.sh} (100%)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.audit.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.audit.pass.sh
new file mode 100644
index 00000000000..70efa63844c
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.audit.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# packages = audit
+
+{{% if product == "ol8" %}}
+OTHER_FILTERS_EUID=" -C uid!=euid"
+OTHER_FILTERS_EGID=" -C gid!=egid"
+{{% else %}}
+OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
+OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
+{{% endif %}}
+
+echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.privileged.pass.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.privileged.pass.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.audit.fail.sh
new file mode 100644
index 00000000000..8bb1e7ee7ef
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.audit.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# packages = audit
+
+{{% if product == "ol8" %}}
+OTHER_FILTERS_EUID=" -C uid!=euid"
+OTHER_FILTERS_EGID=" -C gid!=egid"
+{{% else %}}
+OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
+OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
+{{% endif %}}
+
+echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/audit.rules
+echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.privileged.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.privileged.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.audit.fail.sh
new file mode 100644
index 00000000000..f094705c9ba
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.audit.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = audit
+
+{{% if product != "ol8" %}}
+OTHER_FILTERS_EUID=" -F euid=0"
+OTHER_FILTERS_EGID=" -F egid=0"
+{{% endif %}}
+
+echo "-a always,exit -F arch=b32 -S execve -C gid!=guid${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S execve -C uid!=euid${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
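Review bot: The first rule written by miss_c.audit.fail.sh carries `-C gid!=guid`, a misspelled comparison rather than an absent `-C` clause, so this "missing -C" scenario would fail the check for a reason unrelated to its name (and auditctl would reject the line outright when it loads the file). Drop the clause so the b32 setgid rule is simply missing `-C`, matching the b64 setgid and b32 setuid lines: `echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/audit.rules`. The privileged.rules variant this file was presumably copied from is not in the series, so it may carry the same typo; worth checking.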
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.privileged.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.privileged.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.audit.fail.sh
new file mode 100644
index 00000000000..2be3484b828
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.audit.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# packages = audit
+
+rm -rf /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.privileged.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.privileged.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.audit.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.audit.pass.sh
new file mode 100644
index 00000000000..68284ffc5c4
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.audit.pass.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# packages = audit
+
+# This tests situation where key value is not std. And also situation where there is extra spaces in rules.
+
+{{% if product == "ol8" %}}
+OTHER_FILTERS_EUID=" -C uid!=euid"
+OTHER_FILTERS_EGID=" -C gid!=egid"
+{{% else %}}
+OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
+OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
+{{% endif %}}
+
+echo " -a always,exit -F arch=b32 -S execve ${OTHER_FILTERS_EGID} -F key=my_setgid-audit-rule " > /etc/audit/audit.rules
+echo " -a always,exit -F arch=b64 -S execve ${OTHER_FILTERS_EGID} -k my_setgid-audit-rule " >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b32 -S execve ${OTHER_FILTERS_EUID} -k my_setuid-audit-rule" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S execve ${OTHER_FILTERS_EUID} -F key=my_setuid-audit-rule" >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.privileged.pass.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.privileged.pass.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.audit.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.audit.pass.sh
new file mode 100644
index 00000000000..3f35af2d8bf
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.audit.pass.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# packages = audit
+
+
+{{% if product == "ol8" %}}
+OTHER_FILTERS_EUID=" -C uid!=euid"
+OTHER_FILTERS_EGID=" -C gid!=egid"
+{{% else %}}
+OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
+OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
+{{% endif %}}
+
+echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -F key=setgid" > /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -F key=setgid" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -F key=setuid" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EUID} -F key=setuid" >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.privileged.pass.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.privileged.pass.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.audit.fail.sh
new file mode 100644
index 00000000000..b5e185e142b
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.audit.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# packages = audit
+
+{{% if product == "ol8" %}}
+OTHER_FILTERS_EUID=" -C uid!=euid"
+OTHER_FILTERS_EGID=" -C gid!=egid"
+{{% else %}}
+OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
+OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
+{{% endif %}}
+
+echo "-a never,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/audit.rules
+echo "-a never,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/audit.rules
+echo "-a never,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
+echo "-a never,exit -F arch=b64 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.privileged.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.privileged.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.audit.fail.sh
new file mode 100644
index 00000000000..695a4f524ef
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.audit.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# packages = audit
+
+{{% if product == "ol8" %}}
+OTHER_FILTERS_EUID=" -C uid!=egid"
+OTHER_FILTERS_EGID=" -C gid!=egid"
+{{% else %}}
+OTHER_FILTERS_EUID=" -C uid!=egid -F euid=0"
+OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
+{{% endif %}}
+
+echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid' > /etc/audit/audit.rules
+echo '-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid' >> /etc/audit/audit.rules
+echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setuid' >> /etc/audit/audit.rules
+echo '-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setuid' >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.privileged.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.privileged.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.audit.fail.sh
new file mode 100644
index 00000000000..5eda837ded5
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.audit.fail.sh
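Review bot: The four `echo` lines in wrong_c_egid.audit.fail.sh use single quotes, so `${OTHER_FILTERS_EGID}` is never expanded and the literal text `${OTHER_FILTERS_EGID}` is what lands in /etc/audit/audit.rules; the deliberately wrong `-C uid!=egid` set in `OTHER_FILTERS_EUID` is never written because all four lines reference the EGID variable. The file therefore fails the check for the wrong reason and does not exercise the scenario its name describes; wrong_c_euid.audit.fail.sh in the next hunk has the same quoting and the same use of `OTHER_FILTERS_EGID` on its setuid lines. Switching to double quotes and using the EUID variable on the two setuid rules makes the test depend on the intended defect:

```shell
# … unchanged: shebang, packages marker, OTHER_FILTERS_* template block …

echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/audit.rules
echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
```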
@@ -0,0 +1,15 @@
+#!/bin/bash
+# packages = audit
+
+{{% if product == "ol8" %}}
+OTHER_FILTERS_EUID=" -C uid!=euid"
+OTHER_FILTERS_EGID=" -C gid!=euid"
+{{% else %}}
+OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
+OTHER_FILTERS_EGID=" -C gid!=euid -F egid=0"
+{{% endif %}}
+
+echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid' > /etc/audit/audit.rules
+echo '-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid' >> /etc/audit/audit.rules
+echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setuid' >> /etc/audit/audit.rules
+echo '-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setuid' >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.privileged.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.privileged.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.audit.fail.sh
new file mode 100644
index 00000000000..f66fc14b101
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.audit.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# packages = audit
+{{% if product == "ol8" %}}
+# platform = Not Applicable
+{{% endif %}}
+
+echo '-a always,exit -F arch=b32 -S execve -C gid!=egid -F euid=0 -k setgid' > /etc/audit/audit.rules
+echo '-a always,exit -F arch=b64 -S execve -C gid!=egid -F euid=0 -k setgid' >> /etc/audit/audit.rules
+echo '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid' >> /etc/audit/audit.rules
+echo '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid' >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.privileged.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.privileged.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.audit.fail.sh
new file mode 100644
index 00000000000..e528b8b0bf2
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.audit.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# packages = audit
+{{% if product == "ol8" %}}
+# platform = Not Applicable
+{{% endif %}}
+
+echo '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid' > /etc/audit/audit.rules
+echo '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid' >> /etc/audit/audit.rules
+echo '-a always,exit -F arch=b32 -S execve -C uid!=euid -F egid=0 -k setuid' >> /etc/audit/audit.rules
+echo '-a always,exit -F arch=b64 -S execve -C uid!=euid -F egid=0 -k setuid' >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.privileged.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.privileged.fail.sh
From a519a5a6da0aae286ac6688922c30edcf290c941 Mon Sep 17 00:00:00 2001
From: rchikov
Date: Thu, 2 Nov 2023 09:17:03 +0100
Subject: [PATCH 3/7] Additional changes into ansible part
---
.../ansible/shared.yml | 47 +++++++++++++++++--
1 file changed, 42 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
index 88b06cff602..1e4544ce5e7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
@@ -26,7 +26,15 @@ - name: Service facts ansible.builtin.service_facts: -- name: Set suid_audit_rules fact +- name: {{{ rule_id }}} - Check the rules script being used + ansible.builtin.command: + grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service + register: check_rules_scripts_result + changed_when: false + failed_when: false + + +- name: {{{ rule_id }}} - Set suid_audit_rules fact ansible.builtin.set_fact: suid_audit_rules: - rule: '-a always,exit -F arch=b32 -S execve -C gid!=egid{{{ egid_arg }}} -k setgid' 
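Review bot: The re-added check task reads only the packaged unit, `grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service`, so an administrator override at /etc/systemd/system/auditd.service or a drop-in under auditd.service.d would change the effective ExecStartPost without this task noticing, and because `failed_when: false` also swallows a missing or unreadable unit, that case produces empty stdout and is indistinguishable from "no ExecStartPost line" in the tasks that branch on it further down. If the intent is to detect the loader actually in use, querying the unit through systemd (for example `systemctl show -p ExecStartPost auditd.service`) would reflect overrides and drop-ins; if inspecting the packaged file is deliberate, a comment on the task should say so, e.g. `# Only the vendor unit is inspected; overrides and drop-ins under /etc/systemd/system are not considered.` The fallback tasks that consume `check_rules_scripts_result` are outside this hunk.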
@@ -38,7 +46,34 @@ - rule: '-a always,exit -F arch=b64 -S execve -C uid!=euid{{{ euid_arg }}} -k setuid' regex: {{{ rx_beg + rx_b64 + rx_uid + rx_end }}} -- name: Update /etc/audit/rules.d/privileged.rules to audit privileged functions + +- name: {{{ rule_id }}} - Update /etc/audit/rules.d/privileged.rules to audit privileged functions when check_rules_scripts_result is not empty + ansible.builtin.lineinfile: + path: /etc/audit/rules.d/privileged.rules + line: "{{ item.rule }}" + regexp: "{{ item.regex }}" + create: yes + when: + - '"auditd.service" in ansible_facts.services' + - check_rules_scripts_result.stdout | length > 0 + - '"augenrules" in check_rules_scripts_result.stdout' + register: augenrules_audit_rules_privilege_function_update_result + with_items: "{{ suid_audit_rules }}" + +- name: {{{ rule_id }}} - Update Update /etc/audit/audit.rules to audit privileged functions when check_rules_scripts_result is not empty + ansible.builtin.lineinfile: + path: /etc/audit/audit.rules + line: "{{ item.rule }}" + regexp: "{{ item.regex }}" + create: yes + when: + - '"auditd.service" in ansible_facts.services' + - check_rules_scripts_result.stdout | length > 0 + - '"auditctl" in check_rules_scripts_result.stdout' + register: auditctl_audit_rules_privilege_function_update_result + with_items: "{{ suid_audit_rules }}" + +- name: {{{ rule_id }}} - Update /etc/audit/rules.d/privileged.rules to audit privileged functions when check_rules_scripts_result is empty ansible.builtin.lineinfile: path: /etc/audit/rules.d/privileged.rules line: "{{ item.rule }}" 
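Review bot: The two new lineinfile tasks register `augenrules_audit_rules_privilege_function_update_result` and `auditctl_audit_rules_privilege_function_update_result`, the same variable names the pre-existing privileged.rules and audit.rules tasks (further down the file) already register; in Ansible a task that is skipped by its `when:` still writes its registered variable, so whichever task runs last overwrites the result of the one that actually made a change. Any later consumer of these variables — presumably the auditd restart condition, which is outside this hunk — would then see the skipped result and miss the change, leaving the new rules unloaded. Give each task its own register name (for example `augenrules_audit_rules_privilege_function_update_result_execstartpost` for the tasks gated on a non-empty grep result) and adjust the consumer to test both, or collapse each pair into one task whose `when:` list covers both branches. The task name `Update Update /etc/audit/audit.rules …` in this hunk also doubles the verb, though PATCH 4 appears to correct it.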
@@ -47,10 +82,11 @@ when: - ('"auditd.service" in ansible_facts.services' or '"augenrules.service" in ansible_facts.services') + - check_rules_scripts_result.stdout | length == 0 register: augenrules_audit_rules_privilege_function_update_result with_items: "{{ suid_audit_rules }}" -- name: Update Update /etc/audit/audit.rules to audit privileged functions +- name: {{{ rule_id }}} - Update Update /etc/audit/audit.rules to audit privileged functions when check_rules_scripts_result is not empty ansible.builtin.lineinfile: path: /etc/audit/audit.rules line: "{{ item.rule }}" @@ -59,16 +95,17 @@ when: - ('"auditd.service" in ansible_facts.services' or '"augenrules.service" in ansible_facts.services') + - check_rules_scripts_result.stdout | length == 0 register: auditctl_audit_rules_privilege_function_update_result with_items: "{{ suid_audit_rules }}" {{%- if product in ['sle12', 'sle15'] %}} -- name: Restart auditd.service +- name: {{{ rule_id }}} - Restart auditd.service ansible.builtin.systemd: name: auditd.service state: restarted {{%- else %}} # restarting auditd through systemd doesn't work, see: https://access.redhat.com/solutions/5515011 -- name: Restart Auditd +- name: {{{ rule_id }}} - Restart Auditd ansible.builtin.command: /usr/sbin/service auditd restart {{%- endif %}} when: From f7def62c4a02a162608ac53548e031d2b398d68d Mon Sep 17 00:00:00 2001 
From: rchikov
Date: Tue, 7 Nov 2023 12:56:57 +0100
Subject: [PATCH 4/7] Modification of ansible part and test files, 2 additional tests added
---
 .../ansible/shared.yml | 8 +++---
 .../tests/commented_execstartpost.fail.sh | 9 +++++++
 .../tests/commented_execstartpost.pass.sh | 25 +++++++++++++++++++
 ...pass.sh => correct_value_auditctl.pass.sh} | 0
 ...ss.sh => correct_value_augenrules.pass.sh} | 4 +++
 ...dit.fail.sh => miss_arch_auditctl.fail.sh} | 0
 ...d.fail.sh => miss_arch_augenrules.fail.sh} | 4 +++
 ....audit.fail.sh => miss_c_auditctl.fail.sh} | 0
 ...eged.fail.sh => miss_c_augenrules.fail.sh} | 4 +++
 .../tests/no_rules.privileged.fail.sh | 4 ---
 ...udit.fail.sh => no_rules_auditctl.fail.sh} | 0
 .../tests/no_rules_augenrules.fail.sh | 8 ++++++
 ...dit.pass.sh => other_key_auditctl.pass.sh} | 0
 ...d.pass.sh => other_key_augenrules.pass.sh} | 4 +++
 ...dit.pass.sh => use_f_key_auditctl.pass.sh} | 0
 ...d.pass.sh => use_f_key_augenrules.pass.sh} | 4 +++
 ...audit.fail.sh => wrong_a_auditctl.fail.sh} | 0
 ...ged.fail.sh => wrong_a_augenrules.fail.sh} | 4 +++
 ....fail.sh => wrong_c_egid_auditctl.fail.sh} | 0
 ...ail.sh => wrong_c_egid_augenrules.fail.sh} | 4 +++
 ....fail.sh => wrong_c_euid_auditctl.fail.sh} | 0
 ...ail.sh => wrong_c_euid_augenrules.fail.sh} | 4 +++
 ....fail.sh => wrong_f_egid_auditctl.fail.sh} | 0
 ...ail.sh => wrong_f_egid_augenrules.fail.sh} | 4 +++
 ....fail.sh => wrong_f_euid_auditctl.fail.sh} | 0
 ...ail.sh => wrong_f_euid_augenrules.fail.sh} | 4 +++
 26 files changed, 86 insertions(+), 8 deletions(-)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/commented_execstartpost.fail.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/commented_execstartpost.pass.sh
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{correct_value.audit.pass.sh => correct_value_auditctl.pass.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{correct_value.privileged.pass.sh => correct_value_augenrules.pass.sh} (80%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{miss_arch.audit.fail.sh => miss_arch_auditctl.fail.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{miss_arch.privileged.fail.sh => miss_arch_augenrules.fail.sh} (73%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{miss_c.audit.fail.sh => miss_c_auditctl.fail.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{miss_c.privileged.fail.sh => miss_c_augenrules.fail.sh} (78%)
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.privileged.fail.sh
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{no_rules.audit.fail.sh => no_rules_auditctl.fail.sh} (100%)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules_augenrules.fail.sh
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{other_key.audit.pass.sh => other_key_auditctl.pass.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{other_key.privileged.pass.sh => other_key_augenrules.pass.sh} (84%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{use_f_key.audit.pass.sh => use_f_key_auditctl.pass.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{use_f_key.privileged.pass.sh => use_f_key_augenrules.pass.sh} (80%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_a.audit.fail.sh => wrong_a_auditctl.fail.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_a.privileged.fail.sh => wrong_a_augenrules.fail.sh} (80%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_c_egid.audit.fail.sh => wrong_c_egid_auditctl.fail.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_c_egid.privileged.fail.sh => wrong_c_egid_augenrules.fail.sh} (80%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_c_euid.audit.fail.sh => wrong_c_euid_auditctl.fail.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_c_euid.privileged.fail.sh => wrong_c_euid_augenrules.fail.sh} (80%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_f_egid.audit.fail.sh => wrong_f_egid_auditctl.fail.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_f_egid.privileged.fail.sh => wrong_f_egid_augenrules.fail.sh} (76%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_f_euid.audit.fail.sh => wrong_f_euid_auditctl.fail.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_f_euid.privileged.fail.sh => wrong_f_euid_augenrules.fail.sh} (76%)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
index 1e4544ce5e7..e9ac1d88131 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
@@ -47,7 +47,7 @@
 regex: {{{ rx_beg + rx_b64 + rx_uid + rx_end }}}
-- name: {{{ rule_id }}} - Update /etc/audit/rules.d/privileged.rules to audit privileged functions when check_rules_scripts_result is not empty
+- name: {{{ rule_id }}} - Update /etc/audit/rules.d/privileged.rules to audit privileged functions when there exists uncommented ExecStartPost line in auditd.service
 ansible.builtin.lineinfile:
 path: /etc/audit/rules.d/privileged.rules
 line: "{{ item.rule }}"
@@ -60,7 +60,7 @@
 register: augenrules_audit_rules_privilege_function_update_result
 with_items: "{{ suid_audit_rules }}"
-- name: {{{ rule_id }}} - Update Update /etc/audit/audit.rules to audit privileged functions when check_rules_scripts_result is not empty
+- name: {{{ rule_id }}} - Update /etc/audit/audit.rules to audit privileged functions when there exists uncommented ExecStartPost line in auditd.service
 ansible.builtin.lineinfile:
 path: /etc/audit/audit.rules
 line: "{{ item.rule }}"
@@ -73,7 +73,7 @@
 register: auditctl_audit_rules_privilege_function_update_result
 with_items: "{{ suid_audit_rules }}"
-- name: {{{ rule_id }}} - Update /etc/audit/rules.d/privileged.rules to audit privileged functions when check_rules_scripts_result is empty
+- name: {{{ rule_id }}} - Update /etc/audit/rules.d/privileged.rules to audit privileged functions when there exists commented ExecStartPost line in auditd.service
 ansible.builtin.lineinfile:
 path: /etc/audit/rules.d/privileged.rules
 line: "{{ item.rule }}"
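Review bot: The context line `register: augenrules_audit_rules_privilege_function_update_result` that closes the first task (hunk at -60) is the same variable the third task registers (context of the hunk at -86 on the next line), and in Ansible a task skipped by its `when:` still overwrites its registered variable with a skipped result. If the two privileged.rules tasks are meant to be mutually exclusive, whichever comes second clobbers the other's `changed` flag, so a later restart conditioned on that variable would not fire; the `when:` blocks and any consumer lie outside these hunks, so this needs confirming against the full file. Giving each task its own variable, e.g. `register: augenrules_commented_execstartpost_update_result` for the third task (name constructed here), and checking all of them in the consumer avoids it. The retitled tasks are otherwise fine, though at this length a shorter title plus a `# ExecStartPost present and active -> augenrules mode` comment above the task would read better than encoding the condition in the name.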
@@ -86,7 +86,7 @@
 register: augenrules_audit_rules_privilege_function_update_result
 with_items: "{{ suid_audit_rules }}"
-- name: {{{ rule_id }}} - Update Update /etc/audit/audit.rules to audit privileged functions when check_rules_scripts_result is not empty
+- name: {{{ rule_id }}} - Update /etc/audit/audit.rules to audit privileged functions when there exists commented ExecStartPost line in auditd.service
 ansible.builtin.lineinfile:
 path: /etc/audit/audit.rules
 line: "{{ item.rule }}"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/commented_execstartpost.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/commented_execstartpost.fail.sh
new file mode 100644
index 00000000000..78337fd9d73
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/commented_execstartpost.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# packages = audit
+
+if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then
+ sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service
+fi
+
+rm -rf /etc/audit/audit.rules
+rm -rf /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/commented_execstartpost.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/commented_execstartpost.pass.sh
new file mode 100644
index 00000000000..172a8ce80f3
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/commented_execstartpost.pass.sh
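Review bot: The `sed` in commented_execstartpost.fail.sh is unanchored, so although the `grep '^ExecStartPost'` guard only fires when an active line exists, the substitution also turns any already-commented `#ExecStartPost=` on the same run into `##ExecStartPost=`, and the guard tests the captured output rather than grep's exit status. `if grep -q '^ExecStartPost' /usr/lib/systemd/system/auditd.service; then` together with `sed -i 's/^ExecStartPost=/#&/' /usr/lib/systemd/system/auditd.service` states the intent directly. The identical block is added to miss_arch_augenrules.fail.sh, miss_c_augenrules.fail.sh, no_rules_augenrules.fail.sh and the wrong_a/wrong_c_*/wrong_f_* augenrules fail scenarios, so the same fix applies there. The scenario also rewrites the vendor unit under /usr/lib/systemd in place without a daemon-reload; if the check consults systemd's loaded unit rather than the file on disk the two will disagree, which I cannot tell from this hunk, so a one-line comment naming what the check is expected to read would help.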
@@ -0,0 +1,25 @@
+
+#!/bin/bash
+# packages = audit
+
+{{% if product == "ol8" %}}
+OTHER_FILTERS_EUID=" -C uid!=euid"
+OTHER_FILTERS_EGID=" -C gid!=egid"
+{{% else %}}
+OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
+OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
+{{% endif %}}
+
+if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then
+ sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service
+fi
+
+echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
+
+echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/rules.d/privileged.rules
+echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/rules.d/privileged.rules
+echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/rules.d/privileged.rules
+echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.audit.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value_auditctl.pass.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.audit.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value_auditctl.pass.sh
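Review bot: commented_execstartpost.pass.sh begins with an empty line, so `#!/bin/bash` sits on line 2 and is an ordinary comment: the kernel only honours a shebang at byte 0, and if the harness executes the file directly it will run under whatever shell the caller provides. The `# packages = audit` header the test suite reads is shifted down by one line as well; whether its parser is position-sensitive I cannot tell from here. Dropping the blank first line makes the file match commented_execstartpost.fail.sh in the previous hunk. The scenario also writes the same four rules to both /etc/audit/audit.rules and /etc/audit/rules.d/privileged.rules, which is reasonable for a pass case but deserves a one-line comment saying why both files are populated.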
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.privileged.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value_augenrules.pass.sh
similarity index 80%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.privileged.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value_augenrules.pass.sh
index e1649094c65..f49ab2c6ef9 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.privileged.pass.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value_augenrules.pass.sh
@@ -9,6 +9,10 @@ OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
 OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
 {{% endif %}}
+if [[ -z $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then
+ sed -i 's/#ExecStartPost=/ExecStartPost=/g' /usr/lib/systemd/system/auditd.service
+fi
+
 echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/rules.d/privileged.rules
 echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/rules.d/privileged.rules
 echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/rules.d/privileged.rules
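Review bot: The added block restores `ExecStartPost=` only by rewriting a commented `#ExecStartPost=` line, so if the unit file on the test image contains neither form the `sed` is a no-op and correct_value_augenrules.pass.sh silently exercises whichever mode the image happens to be in instead of the augenrules mode its name promises. Making that visible, for instance `grep -q '^ExecStartPost=' /usr/lib/systemd/system/auditd.service || echo "no ExecStartPost line to enable" >&2` after the `fi`, would keep a mis-provisioned image from producing a false pass. As with the fail scripts, `if ! grep -q '^ExecStartPost' /usr/lib/systemd/system/auditd.service; then` reads better than testing the substituted output for emptiness, and anchoring the pattern (`s/^#ExecStartPost=/ExecStartPost=/`) keeps it from touching other text. The same block is added to other_key_augenrules.pass.sh and use_f_key_augenrules.pass.sh, where the same applies.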
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch_auditctl.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.audit.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch_auditctl.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.privileged.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch_augenrules.fail.sh
similarity index 73%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.privileged.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch_augenrules.fail.sh
index 207adc58a14..0538132db6b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.privileged.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch_augenrules.fail.sh
@@ -9,5 +9,9 @@ OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
 OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
 {{% endif %}}
+if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then
+ sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service
+fi
+
 echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/rules.d/privileged.rules
 echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c_auditctl.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.audit.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c_auditctl.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.privileged.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c_augenrules.fail.sh
similarity index 78%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.privileged.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c_augenrules.fail.sh
index 5c8a4eca309..d9bc42404d3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.privileged.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c_augenrules.fail.sh
@@ -6,6 +6,10 @@ OTHER_FILTERS_EUID=" -F euid=0"
 OTHER_FILTERS_EGID=" -F egid=0"
 {{% endif %}}
+if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then
+ sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service
+fi
+
 echo "-a always,exit -F arch=b32 -S execve -C gid!=guid${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/rules.d/privileged.rules
 echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/rules.d/privileged.rules
 echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.privileged.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.privileged.fail.sh
deleted file mode 100644
index 921e091d145..00000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.privileged.fail.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-# packages = audit
-
-rm -rf /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules_auditctl.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.audit.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules_auditctl.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules_augenrules.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules_augenrules.fail.sh
new file mode 100644
index 00000000000..eedb8a964fb
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules_augenrules.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# packages = audit
+
+if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then
+ sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service
+fi
+
+rm -rf /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.audit.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key_auditctl.pass.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.audit.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key_auditctl.pass.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.privileged.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key_augenrules.pass.sh
similarity index 84%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.privileged.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key_augenrules.pass.sh
index 0521ea052e1..fa2121a009c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.privileged.pass.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key_augenrules.pass.sh
@@ -11,6 +11,10 @@ OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
 OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
 {{% endif %}}
+if [[ -z $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then
+ sed -i 's/#ExecStartPost=/ExecStartPost=/g' /usr/lib/systemd/system/auditd.service
+fi
+
 echo " -a always,exit -F arch=b32 -S execve ${OTHER_FILTERS_EGID} -F key=my_setgid-audit-rule " > /etc/audit/rules.d/privileged.rules
 echo " -a always,exit -F arch=b64 -S execve ${OTHER_FILTERS_EGID} -k my_setgid-audit-rule " >> /etc/audit/rules.d/privileged.rules
 echo "-a always,exit -F arch=b32 -S execve ${OTHER_FILTERS_EUID} -k my_setuid-audit-rule" >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.audit.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key_auditctl.pass.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.audit.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key_auditctl.pass.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.privileged.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key_augenrules.pass.sh
similarity index 80%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.privileged.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key_augenrules.pass.sh
index 7e7e76ef1bb..e45e502bcb2 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.privileged.pass.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key_augenrules.pass.sh
@@ -10,6 +10,10 @@ OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
 OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
 {{% endif %}}
+if [[ -z $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then
+ sed -i 's/#ExecStartPost=/ExecStartPost=/g' /usr/lib/systemd/system/auditd.service
+fi
+
 echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -F key=setgid" > /etc/audit/rules.d/privileged.rules
 echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -F key=setgid" >> /etc/audit/rules.d/privileged.rules
 echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -F key=setuid" >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a_auditctl.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.audit.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a_auditctl.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.privileged.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a_augenrules.fail.sh
similarity index 80%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.privileged.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a_augenrules.fail.sh
index 37793e3d92f..9d31262fa7e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.privileged.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a_augenrules.fail.sh
@@ -9,6 +9,10 @@ OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
 OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
 {{% endif %}}
+if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then
+ sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service
+fi
+
 echo "-a never,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/rules.d/privileged.rules
 echo "-a never,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/rules.d/privileged.rules
 echo "-a never,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid_auditctl.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.audit.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid_auditctl.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.privileged.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid_augenrules.fail.sh
similarity index 80%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.privileged.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid_augenrules.fail.sh
index 9b02b2322e1..20282e8406a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.privileged.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid_augenrules.fail.sh
@@ -9,6 +9,10 @@ OTHER_FILTERS_EUID=" -C uid!=egid -F euid=0"
 OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
 {{% endif %}}
+if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then
+ sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service
+fi
+
 echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid' > /etc/audit/rules.d/privileged.rules
 echo '-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid' >> /etc/audit/rules.d/privileged.rules
 echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setuid' >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid_auditctl.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.audit.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid_auditctl.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.privileged.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid_augenrules.fail.sh
similarity index 80%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.privileged.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid_augenrules.fail.sh
index 704a4ebecba..16818c22c76 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.privileged.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid_augenrules.fail.sh
@@ -9,6 +9,10 @@ OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
 OTHER_FILTERS_EGID=" -C gid!=euid -F egid=0"
 {{% endif %}}
+if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then
+ sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service
+fi
+
 echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid' > /etc/audit/rules.d/privileged.rules
 echo '-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid' >> /etc/audit/rules.d/privileged.rules
 echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setuid' >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid_auditctl.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.audit.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid_auditctl.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.privileged.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid_augenrules.fail.sh
similarity index 76%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.privileged.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid_augenrules.fail.sh
index 3672eb05375..79fa74364e7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.privileged.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid_augenrules.fail.sh
@@ -4,6 +4,10 @@
 # platform = Not Applicable
 {{% endif %}}
+if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then
+ sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service
+fi
+
 echo '-a always,exit -F arch=b32 -S execve -C gid!=egid -F euid=0 -k setgid' > /etc/audit/rules.d/privileged.rules
 echo '-a always,exit -F arch=b64 -S execve -C gid!=egid -F euid=0 -k setgid' >> /etc/audit/rules.d/privileged.rules
 echo '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid' >> /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid_auditctl.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.audit.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid_auditctl.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.privileged.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid_augenrules.fail.sh
similarity index 76%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.privileged.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid_augenrules.fail.sh
index b2279cca248..2c1be28f935 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.privileged.fail.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid_augenrules.fail.sh
@@ -4,6 +4,10 @@
 # platform = Not Applicable
 {{% endif %}}
+if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then
+ sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service
+fi
+
 echo '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid' > /etc/audit/rules.d/privileged.rules
 echo '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid' >> /etc/audit/rules.d/privileged.rules
 echo '-a always,exit -F arch=b32 -S execve -C uid!=euid -F egid=0 -k setuid' >> /etc/audit/rules.d/privileged.rules
From 0543ca526ef03721c80f671216cff11fadfd3937 Mon Sep 17 00:00:00 2001
From: rchikov
Date: Mon, 27 Nov 2023 08:48:56 +0100
Subject: [PATCH 5/7] Revert "Modification of ansible part and test files, 2 additional tests added"
This reverts commit f7def62c4a02a162608ac53548e031d2b398d68d.
---
 .../ansible/shared.yml | 8 +++---
 .../tests/commented_execstartpost.fail.sh | 9 -------
 .../tests/commented_execstartpost.pass.sh | 25 -------------------
 ...tl.pass.sh => correct_value.audit.pass.sh} | 0
 ...ss.sh => correct_value.privileged.pass.sh} | 4 ---
 ...ditctl.fail.sh => miss_arch.audit.fail.sh} | 0
 ...s.fail.sh => miss_arch.privileged.fail.sh} | 4 ---
 ..._auditctl.fail.sh => miss_c.audit.fail.sh} | 0
 ...ules.fail.sh => miss_c.privileged.fail.sh} | 4 ---
 ...uditctl.fail.sh => no_rules.audit.fail.sh} | 0
 .../tests/no_rules.privileged.fail.sh | 4 +++
 .../tests/no_rules_augenrules.fail.sh | 8 ------
 ...ditctl.pass.sh => other_key.audit.pass.sh} | 0
 ...s.pass.sh => other_key.privileged.pass.sh} | 4 ---
 ...ditctl.pass.sh => use_f_key.audit.pass.sh} | 0
 ...s.pass.sh => use_f_key.privileged.pass.sh} | 4 ---
 ...auditctl.fail.sh => wrong_a.audit.fail.sh} | 0
 ...les.fail.sh => wrong_a.privileged.fail.sh} | 4 ---
 ...ctl.fail.sh => wrong_c_egid.audit.fail.sh} | 0
 ...ail.sh => wrong_c_egid.privileged.fail.sh} | 4 ---
 ...ctl.fail.sh => wrong_c_euid.audit.fail.sh} | 0
 ...ail.sh => wrong_c_euid.privileged.fail.sh} | 4 ---
 ...ctl.fail.sh => wrong_f_egid.audit.fail.sh} | 0
 ...ail.sh => wrong_f_egid.privileged.fail.sh} | 4 ---
 ...ctl.fail.sh => wrong_f_euid.audit.fail.sh} | 0
 ...ail.sh => wrong_f_euid.privileged.fail.sh} | 4 ---
 26 files changed, 8 insertions(+), 86 deletions(-)
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/commented_execstartpost.fail.sh
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/commented_execstartpost.pass.sh
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{correct_value_auditctl.pass.sh => correct_value.audit.pass.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{correct_value_augenrules.pass.sh => correct_value.privileged.pass.sh} (80%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{miss_arch_auditctl.fail.sh => miss_arch.audit.fail.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{miss_arch_augenrules.fail.sh => miss_arch.privileged.fail.sh} (73%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{miss_c_auditctl.fail.sh => miss_c.audit.fail.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{miss_c_augenrules.fail.sh => miss_c.privileged.fail.sh} (78%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{no_rules_auditctl.fail.sh => no_rules.audit.fail.sh} (100%)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.privileged.fail.sh
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules_augenrules.fail.sh
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{other_key_auditctl.pass.sh => other_key.audit.pass.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{other_key_augenrules.pass.sh => other_key.privileged.pass.sh} (84%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{use_f_key_auditctl.pass.sh => use_f_key.audit.pass.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{use_f_key_augenrules.pass.sh => use_f_key.privileged.pass.sh} (80%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_a_auditctl.fail.sh => wrong_a.audit.fail.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_a_augenrules.fail.sh => wrong_a.privileged.fail.sh} (80%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_c_egid_auditctl.fail.sh => wrong_c_egid.audit.fail.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_c_egid_augenrules.fail.sh => wrong_c_egid.privileged.fail.sh} (80%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_c_euid_auditctl.fail.sh => wrong_c_euid.audit.fail.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_c_euid_augenrules.fail.sh => wrong_c_euid.privileged.fail.sh} (80%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_f_egid_auditctl.fail.sh => wrong_f_egid.audit.fail.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_f_egid_augenrules.fail.sh => wrong_f_egid.privileged.fail.sh} (76%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_f_euid_auditctl.fail.sh => wrong_f_euid.audit.fail.sh} (100%)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_f_euid_augenrules.fail.sh => wrong_f_euid.privileged.fail.sh} (76%)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml index e9ac1d88131..1e4544ce5e7 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml @@ -47,7 +47,7 @@ regex: {{{ rx_beg + rx_b64 + rx_uid + rx_end }}} -- name: {{{ rule_id }}} - Update /etc/audit/rules.d/privileged.rules to audit privileged functions when there exists uncommented ExecStartPost line in auditd.service +- name: {{{ rule_id }}} - Update /etc/audit/rules.d/privileged.rules to audit privileged functions when check_rules_scripts_result is not empty ansible.builtin.lineinfile: path: /etc/audit/rules.d/privileged.rules line: "{{ item.rule }}" @@ -60,7 +60,7 @@ register: augenrules_audit_rules_privilege_function_update_result with_items: "{{ suid_audit_rules }}" -- name: {{{ rule_id }}} - Update /etc/audit/audit.rules to audit privileged functions when there exists uncommented ExecStartPost line in auditd.service +- name: {{{ rule_id }}} - Update Update /etc/audit/audit.rules to audit privileged functions when check_rules_scripts_result is not empty ansible.builtin.lineinfile: path: /etc/audit/audit.rules line: "{{ item.rule }}" @@ -73,7 +73,7 @@ register: auditctl_audit_rules_privilege_function_update_result with_items: "{{ suid_audit_rules }}" -- name: {{{ rule_id }}} - Update /etc/audit/rules.d/privileged.rules to audit privileged functions when there exists commented ExecStartPost line in auditd.service +- name: {{{ rule_id }}} - Update /etc/audit/rules.d/privileged.rules to audit privileged functions when check_rules_scripts_result is empty ansible.builtin.lineinfile: path: /etc/audit/rules.d/privileged.rules line: "{{ item.rule }}" 
@@ -86,7 +86,7 @@ register: augenrules_audit_rules_privilege_function_update_result with_items: "{{ suid_audit_rules }}" -- name: {{{ rule_id }}} - Update /etc/audit/audit.rules to audit privileged functions when there exists commented ExecStartPost line in auditd.service +- name: {{{ rule_id }}} - Update Update /etc/audit/audit.rules to audit privileged functions when check_rules_scripts_result is not empty ansible.builtin.lineinfile: path: /etc/audit/audit.rules line: "{{ item.rule }}" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/commented_execstartpost.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/commented_execstartpost.fail.sh deleted file mode 100644 index 78337fd9d73..00000000000 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/commented_execstartpost.fail.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash -# packages = audit - -if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then - sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service -fi - -rm -rf /etc/audit/audit.rules -rm -rf /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/commented_execstartpost.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/commented_execstartpost.pass.sh deleted file mode 100644 index 172a8ce80f3..00000000000 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/commented_execstartpost.pass.sh +++ /dev/null 
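Review bot: The renamed task on the `+` line is labelled "when check_rules_scripts_result is not empty", yet it is the second task of the empty-result branch: its sibling at old line 73 is named "... is empty", and the `length == 0` condition that patch 6 later strips from this very task sits in its `when` just past the end of the hunk. Task names are what an operator sees in playbook output, so a mislabelled one points at the wrong task when working out why a rule file was or was not written. Suggest `- name: {{{ rule_id }}} - Update /etc/audit/audit.rules to audit privileged functions when check_rules_scripts_result is empty`, which also drops the doubled "Update Update". The task body continues outside the hunk.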
@@ -1,25 +0,0 @@ - -#!/bin/bash -# packages = audit - -{{% if product == "ol8" %}} -OTHER_FILTERS_EUID=" -C uid!=euid" -OTHER_FILTERS_EGID=" -C gid!=egid" -{{% else %}} -OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0" -OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0" -{{% endif %}} - -if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then - sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service -fi - -echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/audit.rules -echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/audit.rules -echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules -echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules - -echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/rules.d/privileged.rules -echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/rules.d/privileged.rules -echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/rules.d/privileged.rules -echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value_auditctl.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.audit.pass.sh similarity index 100% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value_auditctl.pass.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.audit.pass.sh 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value_augenrules.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.privileged.pass.sh similarity index 80% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value_augenrules.pass.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.privileged.pass.sh index f49ab2c6ef9..e1649094c65 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value_augenrules.pass.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.privileged.pass.sh @@ -9,10 +9,6 @@ OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0" OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0" {{% endif %}} -if [[ -z $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then - sed -i 's/#ExecStartPost=/ExecStartPost=/g' /usr/lib/systemd/system/auditd.service -fi - echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/rules.d/privileged.rules echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/rules.d/privileged.rules echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/rules.d/privileged.rules 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch_auditctl.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.audit.fail.sh similarity index 100% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch_auditctl.fail.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.audit.fail.sh diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch_augenrules.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.privileged.fail.sh similarity index 73% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch_augenrules.fail.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.privileged.fail.sh index 0538132db6b..207adc58a14 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch_augenrules.fail.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.privileged.fail.sh @@ -9,9 +9,5 @@ OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0" OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0" {{% endif %}} -if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then - sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service -fi - echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/rules.d/privileged.rules echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/rules.d/privileged.rules 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c_auditctl.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.audit.fail.sh similarity index 100% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c_auditctl.fail.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.audit.fail.sh diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c_augenrules.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.privileged.fail.sh similarity index 78% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c_augenrules.fail.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.privileged.fail.sh index d9bc42404d3..5c8a4eca309 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c_augenrules.fail.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.privileged.fail.sh @@ -6,10 +6,6 @@ OTHER_FILTERS_EUID=" -F euid=0" OTHER_FILTERS_EGID=" -F egid=0" {{% endif %}} -if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then - sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service -fi - echo "-a always,exit -F arch=b32 -S execve -C gid!=guid${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/rules.d/privileged.rules echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/rules.d/privileged.rules echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/rules.d/privileged.rules 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules_auditctl.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.audit.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules_auditctl.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.audit.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.privileged.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.privileged.fail.sh
new file mode 100644
index 00000000000..921e091d145
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.privileged.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# packages = audit
+
+rm -rf /etc/audit/rules.d/privileged.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules_augenrules.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules_augenrules.fail.sh
deleted file mode 100644
index eedb8a964fb..00000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules_augenrules.fail.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-# packages = audit
-
-if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then
- sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service
-fi
-
-rm -rf /etc/audit/rules.d/privileged.rules
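Review bot: The new `no_rules.privileged.fail.sh` clears only `/etc/audit/rules.d/privileged.rules`, so whether the scenario actually fails on a host whose auditd loads `/etc/audit/audit.rules` directly depends on what the test image already has in that file rather than on the fixture; the removed `commented_execstartpost.fail.sh` in this same patch cleared both files. If the check consults either location, `rm -f /etc/audit/rules.d/privileged.rules /etc/audit/audit.rules` makes the "no rules" precondition hold regardless of loader, and `-f` rather than `-rf` is the right flag for a file target. A one-line comment such as `# No SUID/SGID execve rules in either loader's file, so the check must fail` would make the fixture's intent explicit.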
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key_auditctl.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.audit.pass.sh similarity index 100% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key_auditctl.pass.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.audit.pass.sh diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key_augenrules.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.privileged.pass.sh similarity index 84% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key_augenrules.pass.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.privileged.pass.sh index fa2121a009c..0521ea052e1 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key_augenrules.pass.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.privileged.pass.sh 
@@ -11,10 +11,6 @@ OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0" OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0" {{% endif %}} -if [[ -z $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then - sed -i 's/#ExecStartPost=/ExecStartPost=/g' /usr/lib/systemd/system/auditd.service -fi - echo " -a always,exit -F arch=b32 -S execve ${OTHER_FILTERS_EGID} -F key=my_setgid-audit-rule " > /etc/audit/rules.d/privileged.rules echo " -a always,exit -F arch=b64 -S execve ${OTHER_FILTERS_EGID} -k my_setgid-audit-rule " >> /etc/audit/rules.d/privileged.rules echo "-a always,exit -F arch=b32 -S execve ${OTHER_FILTERS_EUID} -k my_setuid-audit-rule" >> /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key_auditctl.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.audit.pass.sh similarity index 100% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key_auditctl.pass.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.audit.pass.sh diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key_augenrules.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.privileged.pass.sh similarity index 80% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key_augenrules.pass.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.privileged.pass.sh index e45e502bcb2..7e7e76ef1bb 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key_augenrules.pass.sh 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.privileged.pass.sh @@ -10,10 +10,6 @@ OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0" OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0" {{% endif %}} -if [[ -z $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then - sed -i 's/#ExecStartPost=/ExecStartPost=/g' /usr/lib/systemd/system/auditd.service -fi - echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -F key=setgid" > /etc/audit/rules.d/privileged.rules echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -F key=setgid" >> /etc/audit/rules.d/privileged.rules echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -F key=setuid" >> /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a_auditctl.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.audit.fail.sh similarity index 100% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a_auditctl.fail.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.audit.fail.sh diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a_augenrules.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.privileged.fail.sh similarity index 80% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a_augenrules.fail.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.privileged.fail.sh index 9d31262fa7e..37793e3d92f 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a_augenrules.fail.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.privileged.fail.sh @@ -9,10 +9,6 @@ OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0" OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0" {{% endif %}} -if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then - sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service -fi - echo "-a never,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/rules.d/privileged.rules echo "-a never,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/rules.d/privileged.rules echo "-a never,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid_auditctl.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.audit.fail.sh similarity index 100% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid_auditctl.fail.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.audit.fail.sh 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid_augenrules.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.privileged.fail.sh similarity index 80% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid_augenrules.fail.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.privileged.fail.sh index 20282e8406a..9b02b2322e1 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid_augenrules.fail.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.privileged.fail.sh @@ -9,10 +9,6 @@ OTHER_FILTERS_EUID=" -C uid!=egid -F euid=0" OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0" {{% endif %}} -if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then - sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service -fi - echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid' > /etc/audit/rules.d/privileged.rules echo '-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid' >> /etc/audit/rules.d/privileged.rules echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setuid' >> /etc/audit/rules.d/privileged.rules 
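Review bot: The three `echo` lines kept as context in `wrong_c_egid.privileged.fail.sh` are single-quoted, so `${OTHER_FILTERS_EGID}` is written to privileged.rules literally instead of expanding to the ` -C gid!=egid -F egid=0` defined a few lines above; the scenario then fails because the rule text is malformed, not because of the wrong `uid!=egid` comparison the fixture is meant to plant, so it does not demonstrate that the check catches a bad `-C` field. Use double quotes as the `.pass.sh` fixtures in this series do, e.g. `echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/rules.d/privileged.rules`, on all of the rule lines. The rest of the file, including the setuid lines, lies past the end of the hunk.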
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid_auditctl.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.audit.fail.sh similarity index 100% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid_auditctl.fail.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.audit.fail.sh diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid_augenrules.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.privileged.fail.sh similarity index 80% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid_augenrules.fail.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.privileged.fail.sh index 16818c22c76..704a4ebecba 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid_augenrules.fail.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.privileged.fail.sh 
@@ -9,10 +9,6 @@ OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0" OTHER_FILTERS_EGID=" -C gid!=euid -F egid=0" {{% endif %}} -if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then - sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service -fi - echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid' > /etc/audit/rules.d/privileged.rules echo '-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid' >> /etc/audit/rules.d/privileged.rules echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setuid' >> /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid_auditctl.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.audit.fail.sh similarity index 100% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid_auditctl.fail.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.audit.fail.sh diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid_augenrules.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.privileged.fail.sh similarity index 76% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid_augenrules.fail.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.privileged.fail.sh index 79fa74364e7..3672eb05375 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid_augenrules.fail.sh 
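Review bot: Same defect as in `wrong_c_egid.privileged.fail.sh`: the `echo '...${OTHER_FILTERS_EGID}...'` context lines of `wrong_c_euid.privileged.fail.sh` are single-quoted, so the variable holding the deliberately wrong `gid!=euid` comparison is never expanded and the rule file contains the literal `${OTHER_FILTERS_EGID}`. The scenario therefore fails for an unrelated reason and does not exercise the wrong-`-C` detection it is named for. Switch these lines to double quotes, e.g. `echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/rules.d/privileged.rules`. The remaining rule lines are outside the hunk.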
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.privileged.fail.sh @@ -4,10 +4,6 @@ # platform = Not Applicable {{% endif %}} -if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then - sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service -fi - echo '-a always,exit -F arch=b32 -S execve -C gid!=egid -F euid=0 -k setgid' > /etc/audit/rules.d/privileged.rules echo '-a always,exit -F arch=b64 -S execve -C gid!=egid -F euid=0 -k setgid' >> /etc/audit/rules.d/privileged.rules echo '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid' >> /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid_auditctl.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.audit.fail.sh similarity index 100% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid_auditctl.fail.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.audit.fail.sh diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid_augenrules.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.privileged.fail.sh similarity index 76% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid_augenrules.fail.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.privileged.fail.sh index 2c1be28f935..b2279cca248 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid_augenrules.fail.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.privileged.fail.sh @@ -4,10 +4,6 @@ # platform = Not Applicable {{% endif %}} -if [[ $(grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service) ]]; then - sed -i 's/ExecStartPost=/#ExecStartPost=/g' /usr/lib/systemd/system/auditd.service -fi - echo '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid' > /etc/audit/rules.d/privileged.rules echo '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid' >> /etc/audit/rules.d/privileged.rules echo '-a always,exit -F arch=b32 -S execve -C uid!=euid -F egid=0 -k setuid' >> /etc/audit/rules.d/privileged.rules From b63904f9d0ecc2d2739466f13c269b479dfcc7a8 Mon Sep 17 00:00:00 2001 From: rchikov Date: Mon, 27 Nov 2023 08:49:19 +0100 Subject: [PATCH 6/7] Revert "Additional changes into ansible part" This reverts commit a519a5a6da0aae286ac6688922c30edcf290c941. --- .../ansible/shared.yml | 47 ++----------------- 1 file changed, 5 insertions(+), 42 deletions(-) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml index 1e4544ce5e7..88b06cff602 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml 
@@ -26,15 +26,7 @@ - name: Service facts ansible.builtin.service_facts: -- name: {{{ rule_id }}} - Check the rules script being used - ansible.builtin.command: - grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service - register: check_rules_scripts_result - changed_when: false - failed_when: false - - -- name: {{{ rule_id }}} - Set suid_audit_rules fact +- name: Set suid_audit_rules fact ansible.builtin.set_fact: suid_audit_rules: - rule: '-a always,exit -F arch=b32 -S execve -C gid!=egid{{{ egid_arg }}} -k setgid' 
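Review bot: The `+` line renames the task to a bare "Set suid_audit_rules fact", dropping the `{{{ rule_id }}} - ` prefix the removed line carried; the later hunks do the same for every other task in this file. Without the prefix the tasks cannot be attributed to this rule in playbook output or in `--list-tasks`, which matters when several audit-rule remediations run in one playbook and one of them is the reason auditd was restarted. If the prefix is the convention the rest of the repository follows, which the removed lines suggest, keep it: `- name: {{{ rule_id }}} - Set suid_audit_rules fact`. The `suid_audit_rules` list continues past the end of the hunk.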
@@ -46,34 +38,7 @@ - rule: '-a always,exit -F arch=b64 -S execve -C uid!=euid{{{ euid_arg }}} -k setuid' regex: {{{ rx_beg + rx_b64 + rx_uid + rx_end }}} - -- name: {{{ rule_id }}} - Update /etc/audit/rules.d/privileged.rules to audit privileged functions when check_rules_scripts_result is not empty - ansible.builtin.lineinfile: - path: /etc/audit/rules.d/privileged.rules - line: "{{ item.rule }}" - regexp: "{{ item.regex }}" - create: yes - when: - - '"auditd.service" in ansible_facts.services' - - check_rules_scripts_result.stdout | length > 0 - - '"augenrules" in check_rules_scripts_result.stdout' - register: augenrules_audit_rules_privilege_function_update_result - with_items: "{{ suid_audit_rules }}" - -- name: {{{ rule_id }}} - Update Update /etc/audit/audit.rules to audit privileged functions when check_rules_scripts_result is not empty - ansible.builtin.lineinfile: - path: /etc/audit/audit.rules - line: "{{ item.rule }}" - regexp: "{{ item.regex }}" - create: yes - when: - - '"auditd.service" in ansible_facts.services' - - check_rules_scripts_result.stdout | length > 0 - - '"auditctl" in check_rules_scripts_result.stdout' - register: auditctl_audit_rules_privilege_function_update_result - with_items: "{{ suid_audit_rules }}" - -- name: {{{ rule_id }}} - Update /etc/audit/rules.d/privileged.rules to audit privileged functions when check_rules_scripts_result is empty +- name: Update /etc/audit/rules.d/privileged.rules to audit privileged functions ansible.builtin.lineinfile: path: /etc/audit/rules.d/privileged.rules line: "{{ item.rule }}" 
@@ -82,11 +47,10 @@ when: - ('"auditd.service" in ansible_facts.services' or '"augenrules.service" in ansible_facts.services') - - check_rules_scripts_result.stdout | length == 0 register: augenrules_audit_rules_privilege_function_update_result with_items: "{{ suid_audit_rules }}" -- name: {{{ rule_id }}} - Update Update /etc/audit/audit.rules to audit privileged functions when check_rules_scripts_result is not empty +- name: Update Update /etc/audit/audit.rules to audit privileged functions ansible.builtin.lineinfile: path: /etc/audit/audit.rules line: "{{ item.rule }}" @@ -95,17 +59,16 @@ when: - ('"auditd.service" in ansible_facts.services' or '"augenrules.service" in ansible_facts.services') - - check_rules_scripts_result.stdout | length == 0 register: auditctl_audit_rules_privilege_function_update_result with_items: "{{ suid_audit_rules }}" {{%- if product in ['sle12', 'sle15'] %}} -- name: {{{ rule_id }}} - Restart auditd.service +- name: Restart auditd.service ansible.builtin.systemd: name: auditd.service state: restarted {{%- else %}} # restarting auditd through systemd doesn't work, see: https://access.redhat.com/solutions/5515011 -- name: {{{ rule_id }}} - Restart Auditd +- name: Restart Auditd ansible.builtin.command: /usr/sbin/service auditd restart {{%- endif %}} when: From c1b87fda1270f77ca2cc7d4581d53ec7e5212ab9 Mon Sep 17 00:00:00 2001 
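Review bot: With the `check_rules_scripts_result.stdout | length == 0` item removed, the only remaining `when:` item is `('"auditd.service" in ansible_facts.services' or '"augenrules.service" in ansible_facts.services')`, which Jinja reads as two single-quoted string literals joined by `or`; a non-empty string is truthy, so the condition is always true and both lineinfile tasks run on every host whether or not auditd is present. These lines arrive as context from the earlier patch, but this hunk and the `@@ -95,17 +59,16 @@` hunk make them the sole guard. The item should be one expression with the membership tests unquoted at the Jinja level, e.g. `- '"auditd.service" in ansible_facts.services or "augenrules.service" in ansible_facts.services'`. Separately, the added task name `Update Update /etc/audit/audit.rules to audit privileged functions` repeats the verb; `- name: Update /etc/audit/audit.rules to audit privileged functions` reads correctly.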
From: rchikov
Date: Mon, 27 Nov 2023 08:49:30 +0100
Subject: [PATCH 7/7] Revert "Created test cases covering /etc/audit/rules.d/privileged.rules and /etc/audit/audit.rules"
This reverts commit 89d2e8e26f9867e141e6430c918537179f39ec9b.
---
 .../tests/correct_value.audit.pass.sh | 15 ---------------
 ...privileged.pass.sh => correct_value.pass.sh} | 0
 .../tests/miss_arch.audit.fail.sh | 13 -------------
 ...rch.privileged.fail.sh => miss_arch.fail.sh} | 0
 .../tests/miss_c.audit.fail.sh | 12 ------------
 ...miss_c.privileged.fail.sh => miss_c.fail.sh} | 0
 .../tests/no_rules.audit.fail.sh | 4 ----
 ...ules.privileged.fail.sh => no_rules.fail.sh} | 0
 .../tests/other_key.audit.pass.sh | 17 -----------------
 ...key.privileged.pass.sh => other_key.pass.sh} | 0
 .../tests/use_f_key.audit.pass.sh | 16 ----------------
 ...key.privileged.pass.sh => use_f_key.pass.sh} | 0
 .../tests/wrong_a.audit.fail.sh | 15 ---------------
 ...ong_a.privileged.fail.sh => wrong_a.fail.sh} | 0
 .../tests/wrong_c_egid.audit.fail.sh | 15 ---------------
 ....privileged.fail.sh => wrong_c_egid.fail.sh} | 0
 .../tests/wrong_c_euid.audit.fail.sh | 15 ---------------
 ....privileged.fail.sh => wrong_c_euid.fail.sh} | 0
 .../tests/wrong_f_egid.audit.fail.sh | 10 ----------
 ....privileged.fail.sh => wrong_f_egid.fail.sh} | 0
 .../tests/wrong_f_euid.audit.fail.sh | 10 ----------
 ....privileged.fail.sh => wrong_f_euid.fail.sh} | 0
 22 files changed, 142 deletions(-)
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.audit.pass.sh
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{correct_value.privileged.pass.sh => correct_value.pass.sh} (100%)
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.audit.fail.sh
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{miss_arch.privileged.fail.sh => miss_arch.fail.sh} (100%)
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.audit.fail.sh
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{miss_c.privileged.fail.sh => miss_c.fail.sh} (100%)
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.audit.fail.sh
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{no_rules.privileged.fail.sh => no_rules.fail.sh} (100%)
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.audit.pass.sh
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{other_key.privileged.pass.sh => other_key.pass.sh} (100%)
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.audit.pass.sh
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{use_f_key.privileged.pass.sh => use_f_key.pass.sh} (100%)
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.audit.fail.sh
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_a.privileged.fail.sh => wrong_a.fail.sh} (100%)
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.audit.fail.sh
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_c_egid.privileged.fail.sh => wrong_c_egid.fail.sh} (100%)
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.audit.fail.sh
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_c_euid.privileged.fail.sh => wrong_c_euid.fail.sh} (100%)
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.audit.fail.sh
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_f_egid.privileged.fail.sh => wrong_f_egid.fail.sh} (100%)
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.audit.fail.sh
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/{wrong_f_euid.privileged.fail.sh => wrong_f_euid.fail.sh} (100%)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.audit.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.audit.pass.sh
deleted file mode 100644
index 70efa63844c..00000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.audit.pass.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash
-# packages = audit
-
-{{% if product == "ol8" %}}
-OTHER_FILTERS_EUID=" -C uid!=euid"
-OTHER_FILTERS_EGID=" -C gid!=egid"
-{{% else %}}
-OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
-OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
-{{% endif %}}
-
-echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/audit.rules
-echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/audit.rules
-echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
-echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.privileged.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.pass.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.privileged.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.pass.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.audit.fail.sh
deleted file mode 100644
index 8bb1e7ee7ef..00000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.audit.fail.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-# packages = audit
-
-{{% if product == "ol8" %}}
-OTHER_FILTERS_EUID=" -C uid!=euid"
-OTHER_FILTERS_EGID=" -C gid!=egid"
-{{% else %}}
-OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
-OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
-{{% endif %}}
-
-echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/audit.rules
-echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.privileged.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.privileged.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.audit.fail.sh
deleted file mode 100644
index f094705c9ba..00000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.audit.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# packages = audit
-
-{{% if product != "ol8" %}}
-OTHER_FILTERS_EUID=" -F euid=0"
-OTHER_FILTERS_EGID=" -F egid=0"
-{{% endif %}}
-
-echo "-a always,exit -F arch=b32 -S execve -C gid!=guid${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/audit.rules
-echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/audit.rules
-echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
-echo "-a always,exit -F arch=b64 -S execve -C uid!=euid${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.privileged.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.privileged.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.audit.fail.sh
deleted file mode 100644
index 2be3484b828..00000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.audit.fail.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-# packages = audit
-
-rm -rf /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.privileged.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.privileged.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.audit.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.audit.pass.sh
deleted file mode 100644
index 68284ffc5c4..00000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.audit.pass.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-# packages = audit
-
-# This tests situation where key value is not std. And also situation where there is extra spaces in rules.
-
-{{% if product == "ol8" %}}
-OTHER_FILTERS_EUID=" -C uid!=euid"
-OTHER_FILTERS_EGID=" -C gid!=egid"
-{{% else %}}
-OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
-OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
-{{% endif %}}
-
-echo " -a always,exit -F arch=b32 -S execve ${OTHER_FILTERS_EGID} -F key=my_setgid-audit-rule " > /etc/audit/audit.rules
-echo " -a always,exit -F arch=b64 -S execve ${OTHER_FILTERS_EGID} -k my_setgid-audit-rule " >> /etc/audit/audit.rules
-echo "-a always,exit -F arch=b32 -S execve ${OTHER_FILTERS_EUID} -k my_setuid-audit-rule" >> /etc/audit/audit.rules
-echo "-a always,exit -F arch=b64 -S execve ${OTHER_FILTERS_EUID} -F key=my_setuid-audit-rule" >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.privileged.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.pass.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.privileged.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.pass.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.audit.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.audit.pass.sh
deleted file mode 100644
index 3f35af2d8bf..00000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.audit.pass.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-# packages = audit
-
-
-{{% if product == "ol8" %}}
-OTHER_FILTERS_EUID=" -C uid!=euid"
-OTHER_FILTERS_EGID=" -C gid!=egid"
-{{% else %}}
-OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
-OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
-{{% endif %}}
-
-echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -F key=setgid" > /etc/audit/audit.rules
-echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -F key=setgid" >> /etc/audit/audit.rules
-echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -F key=setuid" >> /etc/audit/audit.rules
-echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EUID} -F key=setuid" >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.privileged.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.pass.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.privileged.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.pass.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.audit.fail.sh
deleted file mode 100644
index b5e185e142b..00000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.audit.fail.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash
-# packages = audit
-
-{{% if product == "ol8" %}}
-OTHER_FILTERS_EUID=" -C uid!=euid"
-OTHER_FILTERS_EGID=" -C gid!=egid"
-{{% else %}}
-OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
-OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
-{{% endif %}}
-
-echo "-a never,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/audit.rules
-echo "-a never,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/audit.rules
-echo "-a never,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
-echo "-a never,exit -F arch=b64 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.privileged.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.privileged.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.audit.fail.sh
deleted file mode 100644
index 695a4f524ef..00000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.audit.fail.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash
-# packages = audit
-
-{{% if product == "ol8" %}}
-OTHER_FILTERS_EUID=" -C uid!=egid"
-OTHER_FILTERS_EGID=" -C gid!=egid"
-{{% else %}}
-OTHER_FILTERS_EUID=" -C uid!=egid -F euid=0"
-OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
-{{% endif %}}
-
-echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid' > /etc/audit/audit.rules
-echo '-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid' >> /etc/audit/audit.rules
-echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setuid' >> /etc/audit/audit.rules
-echo '-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setuid' >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.privileged.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.privileged.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.audit.fail.sh
deleted file mode 100644
index 5eda837ded5..00000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.audit.fail.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash
-# packages = audit
-
-{{% if product == "ol8" %}}
-OTHER_FILTERS_EUID=" -C uid!=euid"
-OTHER_FILTERS_EGID=" -C gid!=euid"
-{{% else %}}
-OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
-OTHER_FILTERS_EGID=" -C gid!=euid -F egid=0"
-{{% endif %}}
-
-echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid' > /etc/audit/audit.rules
-echo '-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid' >> /etc/audit/audit.rules
-echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setuid' >> /etc/audit/audit.rules
-echo '-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setuid' >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.privileged.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.privileged.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.audit.fail.sh
deleted file mode 100644
index f66fc14b101..00000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.audit.fail.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# packages = audit
-{{% if product == "ol8" %}}
-# platform = Not Applicable
-{{% endif %}}
-
-echo '-a always,exit -F arch=b32 -S execve -C gid!=egid -F euid=0 -k setgid' > /etc/audit/audit.rules
-echo '-a always,exit -F arch=b64 -S execve -C gid!=egid -F euid=0 -k setgid' >> /etc/audit/audit.rules
-echo '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid' >> /etc/audit/audit.rules
-echo '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid' >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.privileged.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.privileged.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.audit.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.audit.fail.sh
deleted file mode 100644
index e528b8b0bf2..00000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.audit.fail.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# packages = audit
-{{% if product == "ol8" %}}
-# platform = Not Applicable
-{{% endif %}}
-
-echo '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid' > /etc/audit/audit.rules
-echo '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid' >> /etc/audit/audit.rules
-echo '-a always,exit -F arch=b32 -S execve -C uid!=euid -F egid=0 -k setuid' >> /etc/audit/audit.rules
-echo '-a always,exit -F arch=b64 -S execve -C uid!=euid -F egid=0 -k setuid' >> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.privileged.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.privileged.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.fail.sh