Merge pull request #14367 from Arden97/auditd_var_lib_selinux

Add audit monitoring for SELinux policy changes in /var/lib/selinux

Author: jan-cerny

components/audit.yml

@@ -131,6 +131,7 @@ rules:
 - audit_rules_mac_modification_etc_apparmor_d
 - audit_rules_mac_modification_etc_selinux
 - audit_rules_mac_modification_usr_share
+- audit_rules_mac_modification_var_lib_selinux
 - audit_rules_media_export
 - audit_rules_networkconfig_modification
 - audit_rules_networkconfig_modification_etc_hosts

controls/cis_fedora.yml

@@ -2957,6 +2957,7 @@ controls:
       rules:
           - audit_rules_mac_modification_etc_selinux
           - audit_rules_mac_modification_usr_share
+          - audit_rules_mac_modification_var_lib_selinux
 
     - id: 6.3.3.24
       title: Ensure successful and unsuccessful attempts to use the chcon command are collected (Automated)

linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml

@@ -0,0 +1,36 @@
+documentation_complete: true
+
+title: 'Record Events that Modify the System''s Mandatory Access Controls in /var/lib/selinux'
+
+description: |-
+    {{{ describe_audit_rules_watch("/var/lib/selinux/", "MAC-policy") }}}
+    Note that monitoring /var/lib/selinux/ will generate a significant burst of audit events
+    during both selinux-policy* package upgrade and policy rebuild.
+
+rationale: |-
+    The system's mandatory access policy (SELinux) should not be
+    arbitrarily changed by anything other than administrator action. All changes to
+    MAC policy should be audited.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86459-5
+    cce@rhel9: CCE-86461-1
+    cce@rhel10: CCE-86465-2
+
+ocil_clause: 'the system is not configured to audit attempts to change the MAC policy'
+
+ocil: |-
+    To determine if the system is configured to audit changes to its SELinux
+    configuration files, run the following command:
+    <pre>$ sudo auditctl -l | grep "dir=/var/lib/selinux"</pre>
+    If the system is configured to watch for changes to its SELinux
+    configuration, a line should be returned (including
+    <tt>perm=wa</tt> indicating permissions that are watched).
+
+template:
+    name: audit_rules_watch
+    vars:
+        path: "/var/lib/selinux/"
+        key: MAC-policy

shared/checks/oval/audit_rules_auditctl.xml

@@ -18,7 +18,7 @@
     <ind:object object_ref="object_audit_rules_auditctl" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_audit_rules_auditctl" version="1">
-{{% if product in ['rhel10', 'ol10'] %}}
+{{% if product in ['fedora', 'rhel10', 'ol10'] %}}
     <ind:filepath>/usr/lib/systemd/system/audit-rules.service</ind:filepath>
     <ind:pattern operation="pattern match">^ExecStart=\/sbin\/auditctl.*$</ind:pattern>
   {{% else %}}

shared/checks/oval/audit_rules_augenrules.xml

@@ -18,7 +18,7 @@
     <ind:object object_ref="object_audit_rules_augenrules" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_audit_rules_augenrules" version="1">
-  {{% if product in ['rhel10', 'ol10']  %}}
+  {{% if product in ['fedora', 'rhel10', 'ol10']  %}}
     <ind:filepath>/usr/lib/systemd/system/audit-rules.service</ind:filepath>
     <ind:pattern operation="pattern match">^ExecStart=(\/usr|)?\/sbin\/augenrules.*$</ind:pattern>
   {{% else %}}

shared/macros/20-test-scenarios.jinja

@@ -15,6 +15,23 @@ This macro changes the configuration of the audit service so that it looks like
 {{%- endmacro -%}}
 
 
+{{#
+This macro changes the configuration of the audit service so that it looks like augenrules is used to load rules.
+#}}
+
+{{%- macro setup_augenrules_environment () -%}}
+  {{% if product in ["fedora", "ol10", "rhel10"] %}}
+  sed -i "s%^ExecStart=.*%ExecStart=/sbin/augenrules%" /usr/lib/systemd/system/audit-rules.service
+  {{% else %}}
+  {{% if product == "sle15" %}}
+  sed -i "s%^#ExecStartPost=.*%ExecStartPost=-/sbin/augenrules%" /usr/lib/systemd/system/auditd.service
+  {{% else %}}
+  sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/augenrules%" /usr/lib/systemd/system/auditd.service
+  {{% endif %}}
+  {{% endif %}}
+{{%- endmacro -%}}
+
+
 {{#
 This macro is used by pam_account_password_faillock template to initialize
 the external variable and parameter value to a desired state.

shared/references/cce-redhat-avail.txt

@@ -1,6 +1,3 @@
-CCE-86459-5
-CCE-86461-1
-CCE-86465-2
 CCE-86466-0
 CCE-86468-6
 CCE-86469-4

shared/templates/audit_rules_watch/tests/augenrules_correct.pass.sh

@@ -1,6 +1,8 @@
 #!/bin/bash
 # packages = audit
 
+{{{ setup_augenrules_environment() }}}
+
 path={{{ PATH }}}
 style={{{ audit_watches_style }}}
 filter_type={{{ FILTER_TYPE }}}

shared/templates/audit_rules_watch/tests/augenrules_correct_extra_permission.pass.sh

@@ -1,6 +1,8 @@
 #!/bin/bash
 # packages = audit
 
+{{{ setup_augenrules_environment() }}}
+
 path={{{ PATH }}}
 style={{{ audit_watches_style }}}
 filter_type={{{ FILTER_TYPE }}}

shared/templates/audit_rules_watch/tests/augenrules_correct_without_key.pass.sh

@@ -1,6 +1,8 @@
 #!/bin/bash
 # packages = audit
 
+{{{ setup_augenrules_environment() }}}
+
 path={{{ PATH }}}
 style={{{ audit_watches_style }}}
 filter_type={{{ FILTER_TYPE }}}