Fixed issues (#75)

* do not run action on push * fix issues 66, 70
tom-krieger · Dec 28, 2023 · ad93db5 · ad93db5
1 parent 4a04f3e
commit ad93db5
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,10 +4,10 @@ All notable changes to this project will be documented in this file.
 
 ## Release 0.9.1
 
+* Fix for issue #66
+* Fix for issue #70
 * Updated Github action
-
 * PR #71: Replace legacy facts with modern facts
-
 * PR #72: Allow for disabling of the sticky world writable and auditd cron jobs. If you have bigger systems where cronjobs collecting file information like for world writable files or auditd privileged commands might be too time consuming you can disable the cronjobs completely. The default value for both jobs in `present`.
 
   > Please note that not running the auditd privileged commands cronjob might result in not monitoring newly installed prvileged commands.

diff --git a/manifests/rules/auditd_kernel_modules.pp b/manifests/rules/auditd_kernel_modules.pp
@@ -43,6 +43,8 @@
     }
     if $facts['os']['name'].downcase() == 'redhat' and $facts['os']['release']['major'] == '7' {
       $rule1 = "-a always,exit -S all -F path=/usr/bin/kmod -p x -F auid>=${uid} -F auid!=${auid} -k module-change"
+    } elsif $facts['os']['name'].downcase() == 'redhat' and $facts['os']['release']['major'] >= '8' {
+      $rule1 = "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=${uid} -F auid!=${auid} -F key=kernel_modules"
     } elsif $facts['os']['name'].downcase() == 'debian' and $facts['os']['release']['major'] > '10' {
       $rule1 = "-a always,exit -S all -F path=/usr/bin/kmod -F perm=x -F auid>=${uid} -F auid!=${auid} -k kernel_modules"
     } else {

diff --git a/manifests/rules/auditd_user_emulation.pp b/manifests/rules/auditd_user_emulation.pp
@@ -24,14 +24,14 @@
     concat::fragment { 'watch user emulation rule 1':
       order   => '196',
       target  => $cis_security_hardening::rules::auditd_init::rules_file,
-      content => '-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation',
+      content => '-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation',
     }
 
     if  $facts['os']['architecture'] == 'x86_64' or $facts['os']['architecture'] == 'amd64' {
       concat::fragment { 'watch user emulation rule 2':
         order   => '197',
         target  => $cis_security_hardening::rules::auditd_init::rules_file,
-        content => '-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation',
+        content => '-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation',
       }
     }
   }

diff --git a/spec/classes/rules/auditd_kernel_modules_spec.rb b/spec/classes/rules/auditd_kernel_modules_spec.rb
@@ -54,6 +54,13 @@ class { 'cis_security_hardening::reboot':
                   'target' => '/etc/audit/rules.d/cis_security_hardening.rules',
                   'content' => "-a always,exit -S all -F path=/usr/bin/kmod -p x -F auid>=1000 -F auid!=#{auid} -k module-change",
                 )
+            elsif os_facts[:os]['name'].casecmp('redhat').zero? && os_facts[:os]['release']['major'] >= '8'
+              is_expected.to contain_concat__fragment('watch kernel modules rule 1')
+                .with(
+                  'order' => '204',
+                  'target' => '/etc/audit/rules.d/cis_security_hardening.rules',
+                  'content' => "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=#{auid} -F key=kernel_modules",
+                )
             elsif os_facts[:os]['name'].casecmp('debian').zero? && os_facts[:os]['release']['major'] > '10'
               is_expected.to contain_concat__fragment('watch kernel modules rule 1')
                 .with(

diff --git a/spec/classes/rules/auditd_user_emulation_spec.rb b/spec/classes/rules/auditd_user_emulation_spec.rb
@@ -49,15 +49,15 @@ class { 'cis_security_hardening::reboot':
               .with(
                 'order' => '196',
                 'target' => '/etc/audit/rules.d/cis_security_hardening.rules',
-                'content' => '-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation',
+                'content' => '-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation',
               )
 
             if ['x86_64', 'amd64'].include?(os_facts[:os]['architecture'])
               is_expected.to contain_concat__fragment('watch user emulation rule 2')
                 .with(
                   'order' => '197',
                   'target' => '/etc/audit/rules.d/cis_security_hardening.rules',
-                  'content' => '-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation',
+                  'content' => '-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation',
                 )
             end
           else