ComplianceAsCode · Mab879 · Mar 18, 2024 · Mar 18, 2024 · Mar 18, 2024
diff --git a/components/audit.yml b/components/audit.yml
@@ -127,6 +127,7 @@ rules:
 - audit_rules_mac_modification_usr_share
 - audit_rules_media_export
 - audit_rules_networkconfig_modification
+- audit_rules_networkconfig_modification_network_scripts
 - audit_rules_privileged_commands
 - audit_rules_privileged_commands_apparmor_parser
 - audit_rules_privileged_commands_at

diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml
@@ -2554,8 +2554,8 @@ controls:
     - l2_workstation
     status: partial
     rules:
-    # TODO: we need to create a rule that adds audit rule for /etc/sysconfig/network-scripts/ directory as well
     - audit_rules_networkconfig_modification
+    - audit_rules_networkconfig_modification_network_scripts
 
   - id: 5.2.3.6
     title: Ensure use of privileged commands are collected (Automated)

@@ -2454,8 +2454,8 @@ controls:
       - l2_workstation
     status: partial
     rules:
-    # TODO: we need to create a rule that adds audit rule for /etc/sysconfig/network-scripts/ directory as well
     - audit_rules_networkconfig_modification
+    - audit_rules_networkconfig_modification_network_scripts
 
   - id: 5.2.3.6
     title: Ensure use of privileged commands are collected (Automated)

@@ -1294,6 +1294,7 @@ controls:
     status: automated
     rules:
       - audit_rules_networkconfig_modification
+      - audit_rules_networkconfig_modification_network_scripts
 
   - id: 4.1.3.6
     title: Ensure use of privileged commands is collected (Automated)

diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
@@ -172,6 +172,17 @@
 
 -   Languages: Ansible, Bash, OVAL
 
+#### audit_rules_watch
+-   Check if there are file system watches configured in audit rules for the given path.
+
+-   Parameters:
+
+    -   **path** - path that should be part of the audit watch rule as a value
+        of `-w` argument, eg. `/etc/group`.
+
+-   Languages: Ansible, Bash, OVAL
+
+
 #### argument_value_in_line
 -   Checks that `argument=value` pair is present in (optionally) the
     line started with line_prefix (and, optionally, ending with

diff --git a/...ng/auditd_configure_rules/audit_rules_networkconfig_modification_network_scripts/rule.yml b/...ng/auditd_configure_rules/audit_rules_networkconfig_modification_network_scripts/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+title: 'Record Events that Modify the System''s Network Environment'
+
+description: |-
+    If the <tt>auditd</tt> daemon is configured to use the
+    <tt>augenrules</tt> program to read audit rules during daemon startup (the
+    default), add the following line to a file with suffix <tt>.rules</tt> in the
+    directory <tt>/etc/audit/rules.d</tt>:
+    <pre>-w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts</pre>
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following line to
+    <tt>/etc/audit/audit.rules</tt> file:
+    <pre>-w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts</pre>
+
+rationale: |-
+    The network environment should not be modified by anything other
+    than administrator action. Any change to network parameters should be
+    audited.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-86938-8
+    cce@rhel8: CCE-86939-6
+    cce@rhel9: CCE-86940-4
+
+ocil_clause: 'the system is not configured to audit changes of the network configuration'
+
+ocil: |-
+    To determine if the system is configured to audit changes to its network configuration,
+    run the following command:
+    <pre>auditctl -l | grep -E '/etc/sysconfig/network-scripts'</pre>
+    If the system is configured to watch for network configuration changes, a line should
+    be returned and <tt>perm=wa</tt> should be indicated.
+
+template:
+    name: audit_rules_watch
+    vars:
+        path: /etc/sysconfig/network-scripts
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -382,9 +382,6 @@ CCE-86934-7
 CCE-86935-4
 CCE-86936-2
 CCE-86937-0
-CCE-86938-8
-CCE-86939-6
-CCE-86940-4
 CCE-86941-2
 CCE-86942-0
 CCE-86952-9

diff --git a/shared/templates/audit_rules_watch/ansible.template b/shared/templates/audit_rules_watch/ansible.template
@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_audit_augenrules_add_watch_rule(path=PATH, permissions="wa", key=rule_id) }}}
+{{{ ansible_audit_auditctl_add_watch_rule(path=PATH, permissions="wa", key=rule_id) }}}
diff --git a/shared/templates/audit_rules_watch/bash.template b/shared/templates/audit_rules_watch/bash.template
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+{{{ bash_fix_audit_watch_rule("auditctl", PATH, "wa", rule_id) }}}
+{{{ bash_fix_audit_watch_rule("augenrules", PATH, "wa", rule_id) }}}
diff --git a/shared/templates/audit_rules_watch/oval.template b/shared/templates/audit_rules_watch/oval.template
@@ -0,0 +1,34 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Check if actions on '" ~ PATH ~ "' are configured to be audited") }}}
+
+    <criteria operator="OR">
+      <!-- Test the augenrules case -->
+      <criterion comment="audit {{{ PATH }}} augenrules" test_ref="test_{{{ rule_id }}}_augenrules" />
+      <!-- Test the auditctl case -->
+      <criterion comment="audit {{{ PATH }}} auditctl" test_ref="test_{{{ rule_id }}}_auditctl" />
+    </criteria>
+
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="audit {{{ PATH }}} augenrules" id="test_{{{ rule_id }}}_augenrules" version="1">
+    <ind:object object_ref="object_{{{ rule_id  }}}_augenrules" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_{{{ rule_id  }}}_augenrules" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+{{{ PATH }}}[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit {{{ PATH }}} auditctl" id="test_{{{ rule_id }}}_auditctl" version="1">
+    <ind:object object_ref="object_{{{ rule_id }}}_auditctl" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_auditctl" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+{{{ PATH }}}[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/shared/templates/audit_rules_watch/template.py b/shared/templates/audit_rules_watch/template.py
@@ -0,0 +1,2 @@
+def preprocess(data, lang):
+    return data
diff --git a/shared/templates/audit_rules_watch/template.yml b/shared/templates/audit_rules_watch/template.yml
@@ -0,0 +1,4 @@
+supported_languages:
+  - ansible
+  - bash
+  - oval
diff --git a/shared/templates/audit_rules_watch/tests/auditctl_correct_rules.pass.sh b/shared/templates/audit_rules_watch/tests/auditctl_correct_rules.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = audit
+
+# use auditctl
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+
+rm -rf /etc/audit/rules.d/*
+rm /etc/audit/audit.rules
+
+echo "-w {{{ PATH }}} -p wa -k {{{ rule_id }}}" >> /etc/audit/audit.rules
diff --git a/.../templates/audit_rules_watch/tests/auditctl_correct_rules_watch_rules_without_key.pass.sh b/.../templates/audit_rules_watch/tests/auditctl_correct_rules_watch_rules_without_key.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = audit
+
+
+# use auditctl
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+rm -rf /etc/audit/rules.d/*
+rm /etc/audit/audit.rules
+
+echo "-w {{{ PATH }}} -p wa" >> /etc/audit/audit.rules
diff --git a/shared/templates/audit_rules_watch/tests/augen_correct_rules.pass.sh b/shared/templates/audit_rules_watch/tests/augen_correct_rules.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# packages = audit
+
+echo "-w {{{ PATH }}} -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/rules.d/networkconfig.rules
diff --git a/shared/templates/audit_rules_watch/tests/augen_correct_rules_watch_rules_without_key.pass.sh b/shared/templates/audit_rules_watch/tests/augen_correct_rules_watch_rules_without_key.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+
+echo "-w {{{ PATH }}} -p wa" >> /etc/audit/rules.d/networkconfig.rules
diff --git a/shared/templates/audit_rules_watch/tests/rules_not_there.fail.sh b/shared/templates/audit_rules_watch/tests/rules_not_there.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = audit
+
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true
diff --git a/tests/data/profile_stability/rhel7/cis.profile b/tests/data/profile_stability/rhel7/cis.profile
@@ -239,6 +239,7 @@ selections:
 - ensure_gpgcheck_globally_activated
 - accounts_password_set_warn_age_existing
 - audit_rules_networkconfig_modification
+- audit_rules_networkconfig_modification_network_scripts
 - gid_passwd_group_same
 - file_groupownership_sshd_pub_key
 - audit_rules_unsuccessful_file_modification_open

diff --git a/tests/data/profile_stability/rhel7/cis_workstation_l2.profile b/tests/data/profile_stability/rhel7/cis_workstation_l2.profile
@@ -235,6 +235,7 @@ selections:
 - ensure_gpgcheck_globally_activated
 - accounts_password_set_warn_age_existing
 - audit_rules_networkconfig_modification
+- audit_rules_networkconfig_modification_network_scripts
 - gid_passwd_group_same
 - file_groupownership_sshd_pub_key
 - audit_rules_unsuccessful_file_modification_open

diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
@@ -387,6 +387,7 @@ selections:
 - file_groupowner_backup_etc_passwd
 - sysctl_net_ipv6_conf_default_accept_source_route
 - audit_rules_networkconfig_modification
+- audit_rules_networkconfig_modification_network_scripts
 - package_audit_installed
 - accounts_password_pam_difok
 - account_disable_post_pw_expiration

diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
@@ -381,6 +381,7 @@ selections:
 - file_groupowner_backup_etc_passwd
 - sysctl_net_ipv6_conf_default_accept_source_route
 - audit_rules_networkconfig_modification
+- audit_rules_networkconfig_modification_network_scripts
 - package_audit_installed
 - accounts_password_pam_difok
 - account_disable_post_pw_expiration

diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
@@ -23,6 +23,7 @@ selections:
 - package_setroubleshoot_removed
 - audit_rules_dac_modification_lsetxattr
 - audit_rules_networkconfig_modification
+- audit_rules_networkconfig_modification_network_scripts
 - sysctl_net_ipv4_conf_default_log_martians
 - audit_rules_unsuccessful_file_modification_truncate
 - auditd_data_retention_space_left_action

diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -22,6 +22,7 @@ selections:
 - file_owner_backup_etc_shadow
 - audit_rules_dac_modification_lsetxattr
 - audit_rules_networkconfig_modification
+- audit_rules_networkconfig_modification_network_scripts
 - sysctl_net_ipv4_conf_default_log_martians
 - audit_rules_unsuccessful_file_modification_truncate
 - auditd_data_retention_space_left_action