Hello folks,

  as noted in
https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L426
(the nv_split() procedure definition), auditd, when parsing / loading its
configuration file content:
  https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L279

uses the nv_split() routine to check that:
* the name-value pair contains only the space character as the one allowed delimiter
  (https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L442)
* there is at least one space before and after the equal sign / character.

Based on the above (only space as delimiter, at least one required before and
after the '=' character, no comments allowed), this patch changes the existing
auditd rules touching the /etc/audit/auditd.conf configuration file, so the
rules wouldn't return pass in case the configuration file would be invalid
(auditd would refuse to start). For example, in case the "num_logs" line would
look like:

  ^\tnum_logs\t=\t5\t$

The proposed patch has been tested (all of the rules the change touches) on
RHEL-6 and seems to be working properly.

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

P.S.: This is not an attempt for the underlying OVAL checks to replace
      auditd.conf configuration file sanity checking (since auditd will do that
      at service start / restart anyway). But on the other hand the check should
      not pass (even when having the expected config variable settings according
      to the currently selected profile) when the particular line in the auditd
      config does not meet the auditd configuration file format requirements
      (auditd would refuse to start in such a configuration). So pre-avoid the
      confusion that might arise (OVAL check returning pass, but auditd refusing
      to start) by requiring particular lines to be in the format accepted by
      auditd (space char the only delimiter, space required around '=' etc.).

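To see concretely what the tightened pattern changes, here is an added example (not part of the patch or of the SSG project) that runs the old and the new num_logs patterns over constructed auditd.conf lines and compares both with a space-only tokenizer that approximates the nv_split() rules described above (my approximation, not auditd's code):

```python
import re

# Constructed sample lines for /etc/audit/auditd.conf (not taken from a real host).
SAMPLE_LINES = [
    "num_logs = 5",          # valid: one space on each side of '='
    "num_logs   =  5   ",    # valid: several spaces, trailing spaces
    "num_logs=5",            # invalid: no space around '='
    "num_logs\t=\t5\t",      # invalid: tabs as delimiter (the cover letter's case)
    "num_logs = 5\t",        # invalid: trailing tab glued to the value
    "  num_logs = 5",        # leading spaces: accepted by the new pattern only
]

# Patterns exactly as they appear before and after the patch for num_logs.
OLD_PATTERN = re.compile(r"^num_logs\s*=\s*(\d+)\s*$")
NEW_PATTERN = re.compile(r"^[ ]*num_logs[ ]+=[ ]+(\d+)[ ]*$")


def oval_match(pattern, line):
    """Return the captured value, or None, for one line (no trailing newline)."""
    m = pattern.match(line)
    return m.group(1) if m else None


def auditd_accepts(line, name):
    """Approximation (assumption, not auditd's code) of the nv_split() rules the
    cover letter describes: fields are separated by the space character only,
    the second field must be exactly '=', and num_logs needs a plain integer."""
    fields = [f for f in line.split(" ") if f]   # split on ' ' exactly, drop empties
    return (len(fields) == 3 and fields[0] == name
            and fields[1] == "=" and fields[2].isdigit())


def disagreements(pattern, lines, name="num_logs"):
    """Lines where the OVAL pattern and the auditd-style parser disagree."""
    return [l for l in lines
            if (oval_match(pattern, l) is not None) != auditd_accepts(l, name)]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(repr(line), "old:", oval_match(OLD_PATTERN, line) is not None,
              "new:", oval_match(NEW_PATTERN, line) is not None,
              "auditd:", auditd_accepts(line, "num_logs"))
    print("old pattern disagrees on:", disagreements(OLD_PATTERN, SAMPLE_LINES))
    print("new pattern disagrees on:", disagreements(NEW_PATTERN, SAMPLE_LINES))
```

The old pattern disagrees with the space-only parser on four of the six lines (it passes the tab- and no-space variants and rejects the indented one), while the new pattern agrees on every line.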
From a785294ec6dfc4bc47a92aab734bfdc17cb9f19b Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Wed, 12 Mar 2014 18:53:00 +0100
Subject: [PATCH] [RHEL/6] Modify auditd.conf checking rules to: * allow only
 space (exactly) as delimiter (not whole \s set) * require at least one space
 before and after equal sign in the auditd.conf   (between name and value)

Signed-off-by: Jan Lieskovsky <[email protected]>
---
 .../checks/auditd_data_retention_action_mail_acct.xml      | 10 ++++++----
 .../auditd_data_retention_admin_space_left_action.xml      | 14 ++++++++------
 RHEL/6/input/checks/auditd_data_retention_max_log_file.xml | 12 +++++++-----
 .../checks/auditd_data_retention_max_log_file_action.xml   | 12 +++++++-----
 RHEL/6/input/checks/auditd_data_retention_num_logs.xml     | 12 +++++++-----
 .../checks/auditd_data_retention_space_left_action.xml     | 12 +++++++-----
 6 files changed, 42 insertions(+), 30 deletions(-)

diff --git a/RHEL/6/input/checks/auditd_data_retention_action_mail_acct.xml b/RHEL/6/input/checks/auditd_data_retention_action_mail_acct.xml
index 99ce48f..2669f4d 100644
--- a/RHEL/6/input/checks/auditd_data_retention_action_mail_acct.xml
+++ b/RHEL/6/input/checks/auditd_data_retention_action_mail_acct.xml
@@ -8,18 +8,20 @@
       <description>action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account</description>
     </metadata>
     <criteria>
-	<criterion comment="action_mail_acct setting in auditd.conf" test_ref="test_auditd_data_retention_action_mail_acct" />
+        <criterion comment="action_mail_acct setting in auditd.conf" test_ref="test_auditd_data_retention_action_mail_acct" />
     </criteria>
   </definition>
-  
+
   <ind:textfilecontent54_test check="all" comment="email account for actions" id="test_auditd_data_retention_action_mail_acct" version="1">
     <ind:object object_ref="object_auditd_data_retention_action_mail_acct" />
     <ind:state state_ref="state_auditd_data_retention_action_mail_acct" />
   </ind:textfilecontent54_test>
 
-  <ind:textfilecontent54_object id="object_auditd_data_retention_action_mail_acct" version="1">
+  <ind:textfilecontent54_object id="object_auditd_data_retention_action_mail_acct" version="2">
     <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-    <ind:pattern operation="pattern match">^action_mail_acct\s*=\s*(\S+)\s*$</ind:pattern>
+    <!-- Allow only space (exactly) as delimiter: https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L426 -->
+    <!-- Require at least one space before and after the equal sign -->
+    <ind:pattern operation="pattern match">^[ ]*action_mail_acct[ ]+=[ ]+(\S+)[ ]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
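Review bot: the new pattern's leading `[ ]*` accepts lines indented with spaces before `action_mail_acct`, a case the cover letter's rule list (space as the only delimiter, spaces around '=') does not mention; confirm that nv_split() tolerates leading spaces, or drop the `[ ]*` so the check and auditd agree on such lines. Unlike the admin_space_left_action file, this file's `<reference ... ref_url="test_attestation" />` is also left untouched although the cover letter says every touched rule was tested on RHEL-6.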
diff --git a/RHEL/6/input/checks/auditd_data_retention_admin_space_left_action.xml b/RHEL/6/input/checks/auditd_data_retention_admin_space_left_action.xml
index 2829104..50278fc 100644
--- a/RHEL/6/input/checks/auditd_data_retention_admin_space_left_action.xml
+++ b/RHEL/6/input/checks/auditd_data_retention_admin_space_left_action.xml
@@ -6,23 +6,25 @@
         <platform>Red Hat Enterprise Linux 6</platform>
       </affected>
       <description>admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action</description>
-      <reference source="swells" ref_id="20130915" ref_url="test_attestation" />
+      <reference source="JL" ref_id="20140312" ref_url="test_attestation" />
     </metadata>
-   
+
     <criteria>
-	<criterion comment="admin_space_left_action setting in auditd.conf" test_ref="test_auditd_data_retention_admin_space_left_action" />
+       <criterion comment="admin_space_left_action setting in auditd.conf" test_ref="test_auditd_data_retention_admin_space_left_action" />
     </criteria>
 
   </definition>
-  
+
   <ind:textfilecontent54_test check="all" comment="space left action" id="test_auditd_data_retention_admin_space_left_action" version="1">
     <ind:object object_ref="object_auditd_data_retention_admin_space_left_action" />
     <ind:state state_ref="state_auditd_data_retention_admin_space_left_action" />
   </ind:textfilecontent54_test>
 
-  <ind:textfilecontent54_object id="object_auditd_data_retention_admin_space_left_action" version="1">
+  <ind:textfilecontent54_object id="object_auditd_data_retention_admin_space_left_action" version="2">
     <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-    <ind:pattern operation="pattern match">^admin_space_left_action\s*=\s*(\S+)\s*$</ind:pattern>
+    <!-- Allow only space (exactly) as delimiter: https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L426 -->
+    <!-- Require at least one space before and after the equal sign -->
+    <ind:pattern operation="pattern match">^[ ]*admin_space_left_action[ ]+=[ ]+(\S+)[ ]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
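Review bot: the re-indented `<criterion>` line uses seven spaces here while the other five files in the series use eight; align it to eight for consistency. This is also the only file whose test_attestation reference is updated (`source="JL" ref_id="20140312"`); the same update belongs in the other five files if they were tested as the cover letter states.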
diff --git a/RHEL/6/input/checks/auditd_data_retention_max_log_file.xml b/RHEL/6/input/checks/auditd_data_retention_max_log_file.xml
index 7087e7a..66b6151 100644
--- a/RHEL/6/input/checks/auditd_data_retention_max_log_file.xml
+++ b/RHEL/6/input/checks/auditd_data_retention_max_log_file.xml
@@ -7,21 +7,23 @@
       </affected>
       <description>max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value</description>
     </metadata>
-   
+
     <criteria>
-	<criterion comment="max_log_file setting in auditd.conf" test_ref="test_auditd_data_retention_max_log_file" />
+        <criterion comment="max_log_file setting in auditd.conf" test_ref="test_auditd_data_retention_max_log_file" />
     </criteria>
 
   </definition>
-  
+
   <ind:textfilecontent54_test check="all" comment="max log file size" id="test_auditd_data_retention_max_log_file" version="1">
     <ind:object object_ref="object_auditd_data_retention_max_log_file" />
     <ind:state state_ref="state_auditd_data_retention_max_log_file" />
   </ind:textfilecontent54_test>
 
-  <ind:textfilecontent54_object id="object_auditd_data_retention_max_log_file" version="1">
+  <ind:textfilecontent54_object id="object_auditd_data_retention_max_log_file" version="2">
     <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-    <ind:pattern operation="pattern match">^max_log_file\s*=\s*(\d+)\s*$</ind:pattern>
+    <!-- Allow only space (exactly) as delimiter: https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L426 -->
+    <!-- Require at least one space before and after the equal sign -->
+    <ind:pattern operation="pattern match">^[ ]*max_log_file[ ]+=[ ]+(\d+)[ ]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
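Review bot: the object is bumped to version="2" but the test that references it stays at version="1" even though its outcome now differs for tab-delimited lines; consider bumping the test version as well, as the element whose evaluation changed. Since the tightened pattern collects no item for an invalid line, test_auditd_data_retention_max_log_file should evaluate to fail (not error) under the default check_existence, which is the behaviour the cover letter asks for; worth confirming in the RHEL-6 run.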
diff --git a/RHEL/6/input/checks/auditd_data_retention_max_log_file_action.xml b/RHEL/6/input/checks/auditd_data_retention_max_log_file_action.xml
index aace0c4..7c305b2 100644
--- a/RHEL/6/input/checks/auditd_data_retention_max_log_file_action.xml
+++ b/RHEL/6/input/checks/auditd_data_retention_max_log_file_action.xml
@@ -7,21 +7,23 @@
       </affected>
       <description>max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action</description>
     </metadata>
-   
+
     <criteria>
-	<criterion comment="max_log_file_action setting in auditd.conf" test_ref="test_auditd_data_retention_max_log_file_action" />
+        <criterion comment="max_log_file_action setting in auditd.conf" test_ref="test_auditd_data_retention_max_log_file_action" />
     </criteria>
 
   </definition>
-  
+
   <ind:textfilecontent54_test check="all" comment="admin space left action " id="test_auditd_data_retention_max_log_file_action" version="1">
     <ind:object object_ref="object_auditd_data_retention_max_log_file_action" />
     <ind:state state_ref="state_auditd_data_retention_max_log_file_action" />
   </ind:textfilecontent54_test>
 
-  <ind:textfilecontent54_object id="object_auditd_data_retention_max_log_file_action" version="1">
+  <ind:textfilecontent54_object id="object_auditd_data_retention_max_log_file_action" version="2">
     <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-    <ind:pattern operation="pattern match">^max_log_file_action\s*=\s*(\S+)\s*$</ind:pattern>
+    <!-- Allow only space (exactly) as delimiter: https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L426 -->
+    <!-- Require at least one space before and after the equal sign -->
+    <ind:pattern operation="pattern match">^[ ]*max_log_file_action[ ]+=[ ]+(\S+)[ ]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
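Review bot: the unchanged context line `<ind:textfilecontent54_test check="all" comment="admin space left action " id="test_auditd_data_retention_max_log_file_action"` carries a copy-pasted comment (with a trailing space) that describes a different setting; since this hunk already touches the surrounding lines, change it to something like `comment="max log file action"`.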
diff --git a/RHEL/6/input/checks/auditd_data_retention_num_logs.xml b/RHEL/6/input/checks/auditd_data_retention_num_logs.xml
index b46e734..3fd926d 100644
--- a/RHEL/6/input/checks/auditd_data_retention_num_logs.xml
+++ b/RHEL/6/input/checks/auditd_data_retention_num_logs.xml
@@ -7,21 +7,23 @@
       </affected>
       <description>num_logs setting in /etc/audit/auditd.conf is set to at least a certain value</description>
     </metadata>
-   
+
     <criteria>
-	<criterion comment="num_logs setting in auditd.conf" test_ref="test_auditd_data_retention_num_logs" />
+        <criterion comment="num_logs setting in auditd.conf" test_ref="test_auditd_data_retention_num_logs" />
     </criteria>
 
   </definition>
-  
+
   <ind:textfilecontent54_test check="all" comment="admin space left action " id="test_auditd_data_retention_num_logs" version="1">
     <ind:object object_ref="object_auditd_data_retention_num_logs" />
     <ind:state state_ref="state_auditd_data_retention_num_logs" />
   </ind:textfilecontent54_test>
 
-  <ind:textfilecontent54_object id="object_auditd_data_retention_num_logs" version="1">
+  <ind:textfilecontent54_object id="object_auditd_data_retention_num_logs" version="2">
     <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-    <ind:pattern operation="pattern match">^num_logs\s*=\s*(\d+)\s*$</ind:pattern>
+    <!-- Allow only space (exactly) as delimiter: https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L426 -->
+    <!-- Require at least one space before and after the equal sign -->
+    <ind:pattern operation="pattern match">^[ ]*num_logs[ ]+=[ ]+(\d+)[ ]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
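Review bot: same copy-paste residue as in the max_log_file_action file: `comment="admin space left action "` on the num_logs test should read e.g. `comment="number of log files"`; fix it while the hunk is touching the neighbouring whitespace lines.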
diff --git a/RHEL/6/input/checks/auditd_data_retention_space_left_action.xml b/RHEL/6/input/checks/auditd_data_retention_space_left_action.xml
index a83fe6b..4037c81 100644
--- a/RHEL/6/input/checks/auditd_data_retention_space_left_action.xml
+++ b/RHEL/6/input/checks/auditd_data_retention_space_left_action.xml
@@ -7,21 +7,23 @@
       </affected>
       <description>space_left_action setting in /etc/audit/auditd.conf is set to a certain action</description>
     </metadata>
-   
+
     <criteria>
-	<criterion comment="space_left_action setting in auditd.conf" test_ref="test_auditd_data_retention_space_left_action" />
+        <criterion comment="space_left_action setting in auditd.conf" test_ref="test_auditd_data_retention_space_left_action" />
     </criteria>
 
   </definition>
-  
+
   <ind:textfilecontent54_test check="all" comment="space left action" id="test_auditd_data_retention_space_left_action" version="1">
     <ind:object object_ref="object_auditd_data_retention_space_left_action" />
     <ind:state state_ref="state_auditd_data_retention_space_left_action" />
   </ind:textfilecontent54_test>
 
-  <ind:textfilecontent54_object id="object_auditd_data_retention_space_left_action" version="1">
+  <ind:textfilecontent54_object id="object_auditd_data_retention_space_left_action" version="2">
     <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-    <ind:pattern operation="pattern match">^space_left_action\s*=\s*(\S+)\s*$</ind:pattern>
+    <!-- Allow only space (exactly) as delimiter: https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L426 -->
+    <!-- Require at least one space before and after the equal sign -->
+    <ind:pattern operation="pattern match">^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
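Review bot: the two explanatory XML comments (the delimiter rule plus the auditd-config.c#L426 URL) are now duplicated verbatim in all six objects; if the repository has a shared place for such rationale, reference it once, and in any case note that the `#L426` line anchor will drift as auditd-config.c changes in trunk. The pattern itself matches the stated rules: `[ ]+=[ ]+` forces at least one space on each side of '=' and `[ ]*$` rejects a trailing tab.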
-- 
1.8.3.1

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
