
Update audit_file_deletion_events group for RHEL 10 #13179

Open
wants to merge 2 commits into
base: master

Conversation

jan-cerny
Collaborator

Description:

This PR will update the audit_file_deletion_events group and the rules in it for RHEL 10.

Update descriptions with 64bit architecture

If you have a 64-bit architecture you need to have 2 lines in the audit rules: one for b32 and a second for b64.
The checks and remediations already do that, so we need to align the rule description.

Add renameat2 syscall to audit rules

The audit_file_deletion_events rule checks for the renameat syscall. However, there is a similar syscall, renameat2, which
should be checked as well. We don't have a rule for it, so in this commit we will create a new rule and add the renameat2 syscall everywhere the renameat syscall is used.

Rationale:

Incorporate changes in RHEL 10 as identified by RHEL 10 component maintainers.

Review Hints:

If you have a 64-bit architecture you need to have 2 lines in the audit rules: one for b32 and a second for b64.
The checks and remediations already do that, so we need to align the rule description.
The audit_file_deletion_events rule checks for the `renameat` syscall. However, there is a similar syscall, `renameat2`, which should be checked as well. We don't have a rule for it, so in this commit we will create a new rule and add the `renameat2` syscall everywhere the `renameat` syscall is used.
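The two-line b32/b64 layout the description asks for, as an added example that is not part of this PR or of the ComplianceAsCode project's own checks: a constructed sample rule file for a 64-bit host, a constructed incomplete one, and a small shell check that verifies every syscall in the updated list (rmdir, unlink, unlinkat, rename, renameat, renameat2) is covered by an exit rule for both ABIs. The sample rule lines, the `REQUIRED_SYSCALLS` list and the three functions are assumptions of this example, not the project's OVAL or remediation logic.

```bash
#!/bin/bash
# Added example, not part of this PR or of the project's own checks.
# Shows the two-line b32/b64 layout for a 64-bit host and a small coverage
# check that mirrors what the updated rule description asks for.

# Constructed sample: what a 64-bit host's /etc/audit/rules.d/delete.rules
# should contain after this PR (one line per ABI, renameat2 included).
SAMPLE_RULES='-a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename,renameat,renameat2 -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename,renameat,renameat2 -F auid>=1000 -F auid!=unset -F key=delete'

# Constructed sample of an incomplete configuration: b64 only, and the syscall
# list predates renameat2 (a split "-S renameat" is still valid auditctl syntax).
INCOMPLETE_RULES='-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=unset -F key=delete'

# Syscall list after this PR (assumption of the example, taken from the diff).
REQUIRED_SYSCALLS="rmdir unlink unlinkat rename renameat renameat2"

# syscalls_for_arch RULES ARCH
# Prints, one per line, every syscall named by an "-a always,exit" rule for ARCH
# that carries the auid filters. Handles both "-S a,b,c" and repeated "-S x".
syscalls_for_arch() {
    printf '%s\n' "$1" \
        | grep -- '-a always,exit' \
        | grep -- "-F arch=$2" \
        | grep -- '-F auid>=1000' \
        | grep -- '-F auid!=unset' \
        | grep -oE -- '-S [^ ]+' \
        | sed 's/^-S //' \
        | tr ',' '\n'
}

# check_arch_coverage RULES ARCH
# Returns 0 when every required syscall is audited for ARCH; otherwise prints
# the missing names and returns 1.
check_arch_coverage() {
    found=$(syscalls_for_arch "$1" "$2" || true)
    missing=""
    for sc in $REQUIRED_SYSCALLS; do
        # Exact-line match, so "renameat" does not count as "renameat2".
        if ! printf '%s\n' "$found" | grep -qx "$sc"; then
            missing="$missing $sc"
        fi
    done
    if [ -n "$missing" ]; then
        printf 'arch=%s missing:%s\n' "$2" "$missing"
        return 1
    fi
    return 0
}

# check_rules RULES
# On a 64-bit host both ABIs must be covered, which is why the description now
# asks for two lines rather than a single ARCH placeholder.
check_rules() {
    check_arch_coverage "$1" b32 && check_arch_coverage "$1" b64
}

if check_rules "$SAMPLE_RULES"; then
    echo "sample rules: OK"
fi
if ! check_rules "$INCOMPLETE_RULES"; then
    echo "incomplete rules: FAIL (expected)"
fi
```

Running the script against a real host means replacing the constructed strings with `cat /etc/audit/rules.d/*.rules` or `/etc/audit/audit.rules`, depending on whether augenrules or auditctl loads the rules; the exact-match lookup is what distinguishes a rule that only names `renameat` from one that also names `renameat2`.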
@jan-cerny jan-cerny added New Rule Issues or pull requests related to new Rules. Update Rule Issues or pull requests related to Rules updates. Update Profile Issues or pull requests related to Profiles updates. RHEL10 Red Hat Enterprise Linux 10 product related. labels Mar 14, 2025
@jan-cerny jan-cerny added this to the 0.1.77 milestone Mar 14, 2025
@jan-cerny jan-cerny requested review from a team as code owners March 14, 2025 12:27
@Mab879 Mab879 self-assigned this Mar 14, 2025

This datastream diff is auto-generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events
@@ -7,20 +7,20 @@
 for all users and root. If the auditd daemon is configured to use the
 augenrules program to read audit rules during daemon startup (the
 default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete
+directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit
+system, or having two lines for both b32 and b64 in case your system is 64-bit:
+-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat,renameat2 -F auid>=1000 -F auid!=unset -F key=delete
 If the auditd daemon is configured to use the auditctl
 utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+/etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit
+system, or having two lines for both b32 and b64 in case your system is 64-bit:
+-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat2 -S renameat -F auid>=1000 -F auid!=unset -F key=delete
 
 [warning]:
 This rule checks for multiple syscalls related to file deletion;
 it was written with DISA STIG in mind. Other policies should use a
 separate rule for each syscall that needs to be checked. For example:
-audit_rules_file_deletion_events_rmdiraudit_rules_file_deletion_events_unlinkaudit_rules_file_deletion_events_unlinkat
+audit_rules_file_deletion_events_rmdiraudit_rules_file_deletion_events_unlinkaudit_rules_file_deletion_events_unlinkataudit_rules_file_deletion_events_renameaudit_rules_file_deletion_events_renameataudit_rules_file_deletion_events_renameat2
 
 [reference]:
 1
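Review bot: the auditctl snippet on the `+` line ending `-S rmdir,unlink,unlinkat,rename,renameat2 -S renameat` inserts renameat2 ahead of the separate `-S renameat`, while the augenrules snippet a few lines above lists `rename,renameat,renameat2` in one `-S`; auditctl accepts either form, but one consistent list (`-S rmdir,unlink,unlinkat,rename,renameat,renameat2`) would keep the two snippets identical and match the remediation's `SYSCALL="rmdir unlink unlinkat rename renameat renameat2"` order. The new wording "setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit" reads awkwardly; suggest "setting ARCH to b32 on a 32-bit system, or adding the line twice on a 64-bit system, once with ARCH=b32 and once with ARCH=b64". The same sentence is repeated in each per-syscall rule description below, so the fix belongs in the shared template.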

OVAL for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events' differs.
--- oval:ssg-audit_rules_file_deletion_events:def:1
+++ oval:ssg-audit_rules_file_deletion_events:def:1
@@ -4,3 +4,4 @@
 extend_definition oval:ssg-audit_rules_file_deletion_events_unlinkat:def:1
 extend_definition oval:ssg-audit_rules_file_deletion_events_rename:def:1
 extend_definition oval:ssg-audit_rules_file_deletion_events_renameat:def:1
+extend_definition oval:ssg-audit_rules_file_deletion_events_renameat2:def:1
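Review bot: this adds an `extend_definition` of `oval:ssg-audit_rules_file_deletion_events_renameat2:def:1`, but the new audit_rules_file_deletion_events_renameat2 rule that has to provide that definition (with its own description, OVAL, OCIL and remediations) does not appear anywhere in this generated diff, so its content cannot be reviewed here. Please confirm the new rule is built into the RHEL 10 datastream and selected in the same profiles as the existing renameat rule; otherwise the combined definition extends an OVAL definition that is not present.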

OCIL for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events' differs.
--- ocil:ssg-audit_rules_file_deletion_events_ocil:questionnaire:1
+++ ocil:ssg-audit_rules_file_deletion_events_ocil:questionnaire:1
@@ -18,5 +18,9 @@
 renameat system call, run the following command:
 $ sudo grep "renameat" /etc/audit/audit.*
 If the system is configured to audit this activity, it will return a line.
+To determine if the system is configured to audit calls to the
+renameat2 system call, run the following command:
+$ sudo grep "renameat2" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line.
       Is it the case that no line is returned?
       
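Review bot: the unchanged `$ sudo grep "renameat" /etc/audit/audit.*` above is a substring match, so once renameat2 rules exist a system that audits renameat2 but not renameat would still "return a line" for the renameat question; suggest anchoring the first pattern, e.g. `grep -w "renameat"` (the new `grep "renameat2"` is unambiguous). Both checks also look only in `/etc/audit/audit.*`, which misses rules placed in `/etc/audit/rules.d/*.rules` for augenrules, the default that the rule description refers to.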
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events
@@ -10,9 +10,9 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="rmdir unlink unlinkat rename renameat"
+	SYSCALL="rmdir unlink unlinkat rename renameat renameat2"
 	KEY="delete"
-	SYSCALL_GROUPING="rmdir unlink unlinkat rename renameat"
+	SYSCALL_GROUPING="rmdir unlink unlinkat rename renameat renameat2"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
 unset syscall_grouping
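Review bot: `SYSCALL_GROUPING` here is ordered `rmdir unlink unlinkat rename renameat renameat2`, while the per-syscall rules below use `unlink unlinkat rename renameat renameat2 rmdir`; worth confirming the grouping helper is order-insensitive, otherwise the combined rule and the per-syscall rules could emit differently ordered `-S` lists for the same syscalls and produce duplicate or non-matching rule lines when both are applied.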

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
@@ -7,13 +7,13 @@
 for all users and root. If the auditd daemon is configured to use the
 augenrules program to read audit rules during daemon startup (the
 default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
-appropriate for your system:
+directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit
+system, or having two lines for both b32 and b64 in case your system is 64-bit:
 -a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
 If the auditd daemon is configured to use the auditctl
 utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
-appropriate for your system:
+/etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit
+system, or having two lines for both b32 and b64 in case your system is 64-bit:
 -a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
 
 [reference]:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
@@ -12,7 +12,7 @@
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
 	SYSCALL="rename"
 	KEY="delete"
-	SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir"
+	SYSCALL_GROUPING="unlink unlinkat rename renameat renameat2 rmdir"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
 unset syscall_grouping

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
@@ -58,6 +58,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of rename in /etc/audit/rules.d/
@@ -136,6 +137,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of rename in /etc/audit/audit.rules
@@ -212,6 +214,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of rename in /etc/audit/rules.d/
@@ -290,6 +293,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of rename in /etc/audit/audit.rules

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
@@ -7,13 +7,13 @@
 for all users and root. If the auditd daemon is configured to use the
 augenrules program to read audit rules during daemon startup (the
 default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
-appropriate for your system:
+directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit
+system, or having two lines for both b32 and b64 in case your system is 64-bit:
 -a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
 If the auditd daemon is configured to use the auditctl
 utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
-appropriate for your system:
+/etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit
+system, or having two lines for both b32 and b64 in case your system is 64-bit:
 -a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
 
 [reference]:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
@@ -12,7 +12,7 @@
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
 	SYSCALL="renameat"
 	KEY="delete"
-	SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir"
+	SYSCALL_GROUPING="unlink unlinkat rename renameat renameat2 rmdir"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
 unset syscall_grouping

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
@@ -57,6 +57,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of renameat in /etc/audit/rules.d/
@@ -135,6 +136,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of renameat in /etc/audit/audit.rules
@@ -210,6 +212,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of renameat in /etc/audit/rules.d/
@@ -288,6 +291,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of renameat in /etc/audit/audit.rules

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
@@ -7,13 +7,13 @@
 for all users and root. If the auditd daemon is configured to use the
 augenrules program to read audit rules during daemon startup (the
 default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
-appropriate for your system:
+directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit
+system, or having two lines for both b32 and b64 in case your system is 64-bit:
 -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
 If the auditd daemon is configured to use the auditctl
 utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
-appropriate for your system:
+/etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit
+system, or having two lines for both b32 and b64 in case your system is 64-bit:
 -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
 
 [reference]:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
@@ -12,7 +12,7 @@
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
 	SYSCALL="rmdir"
 	KEY="delete"
-	SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir"
+	SYSCALL_GROUPING="unlink unlinkat rename renameat renameat2 rmdir"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
 unset syscall_grouping

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
@@ -58,6 +58,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of rmdir in /etc/audit/rules.d/
@@ -136,6 +137,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of rmdir in /etc/audit/audit.rules
@@ -212,6 +214,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of rmdir in /etc/audit/rules.d/
@@ -290,6 +293,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of rmdir in /etc/audit/audit.rules

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink
@@ -7,13 +7,13 @@
 for all users and root. If the auditd daemon is configured to use the
 augenrules program to read audit rules during daemon startup (the
 default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
-appropriate for your system:
+directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit
+system, or having two lines for both b32 and b64 in case your system is 64-bit:
 -a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
 If the auditd daemon is configured to use the auditctl
 utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
-appropriate for your system:
+/etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit
+system, or having two lines for both b32 and b64 in case your system is 64-bit:
 -a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
 
 [reference]:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink
@@ -12,7 +12,7 @@
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
 	SYSCALL="unlink"
 	KEY="delete"
-	SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir"
+	SYSCALL_GROUPING="unlink unlinkat rename renameat renameat2 rmdir"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
 unset syscall_grouping

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink
@@ -58,6 +58,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of unlink in /etc/audit/rules.d/
@@ -136,6 +137,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of unlink in /etc/audit/audit.rules
@@ -212,6 +214,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of unlink in /etc/audit/rules.d/
@@ -290,6 +293,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of unlink in /etc/audit/audit.rules

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
@@ -7,13 +7,13 @@
 for all users and root. If the auditd daemon is configured to use the
 augenrules program to read audit rules during daemon startup (the
 default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
-appropriate for your system:
+directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit
+system, or having two lines for both b32 and b64 in case your system is 64-bit:
 -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
 If the auditd daemon is configured to use the auditctl
 utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
-appropriate for your system:
+/etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit
+system, or having two lines for both b32 and b64 in case your system is 64-bit:
 -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
 
 [reference]:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
@@ -12,7 +12,7 @@
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
 	SYSCALL="unlinkat"
 	KEY="delete"
-	SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir"
+	SYSCALL_GROUPING="unlink unlinkat rename renameat renameat2 rmdir"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
 unset syscall_grouping

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
@@ -57,6 +57,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of unlinkat in /etc/audit/rules.d/
@@ -135,6 +136,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of unlinkat in /etc/audit/audit.rules
@@ -210,6 +212,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of unlinkat in /etc/audit/rules.d/
@@ -288,6 +291,7 @@
       - unlinkat
       - rename
       - renameat
+      - renameat2
       - rmdir
 
   - name: Check existence of unlinkat in /etc/audit/audit.rules


codeclimate bot commented Mar 14, 2025

Code Climate has analyzed commit 9c34ccc and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).


Member

@Mab879 Mab879 left a comment

I will wait a few days for other distros to approve as well.
