Merge pull request #12359 from vojtapolasek/fix_audit_rhel10

Fix Audit related rules in RHEL 10

linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_multiple_per_arg.pass.sh → linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/auditctl_syscalls_multiple_per_arg.pass.sh

@@ -2,8 +2,7 @@
 # packages = audit
 # remediation = bash
 
-# Use auditctl, on RHEL7, default is to use augenrules
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 rm -f /etc/audit/rules.d/*
 

linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_one_per_arg.pass.sh → linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/auditctl_syscalls_one_per_arg.pass.sh

@@ -2,8 +2,7 @@
 # packages = audit
 # remediation = bash
 
-# Use auditctl, on RHEL7, default is to use augenrules
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 rm -f /etc/audit/rules.d/*
 

linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_one_per_line.pass.sh → linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/auditctl_syscalls_one_per_line.pass.sh

@@ -2,11 +2,9 @@
 # packages = audit
 # remediation = bash
 
-# Use auditctl, on RHEL7, default is to use augenrules
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 rm -f /etc/audit/rules.d/*
 
 # Delete everything that is not between "one per line" and "multiple per arg"
 sed '/# one per line/,/# multiple per arg/!d' test_audit.rules > /etc/audit/audit.rules
-

linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/augenrules_syscalls_multiple_per_arg.pass.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# packages = audit
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+
+# Deletes everything up do "one per line"
+# Then deletes everything from "one per arg" until end of file
+sed '/# one per line/,/# multiple per arg/d;/# one per arg/,$d' test_audit.rules > /etc/audit/rules.d/audit.rules

linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/augenrules_syscalls_one_per_arg.pass.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+# packages = audit
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+
+# Delete everything that is between "one per line" and "one per arg"
+sed '/# one per line/,/# one per arg/d' test_audit.rules > /etc/audit/rules.d/audit.rules

linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/augenrules_syscalls_one_per_line.pass.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+# packages = audit
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+
+# Delete everything that is not between "one per line" and "multiple per arg"
+sed '/# one per line/,/# multiple per arg/!d' test_audit.rules > /etc/audit/rules.d/audit.rules

linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_multiple_per_arg.pass.sh

@@ -1,9 +1,7 @@
 #!/bin/bash
 # packages = audit
 
-
-# Use auditctl, on RHEL7, default is to use augenrules
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 rm -f /etc/audit/rules.d/*
 

linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_arg.pass.sh

@@ -1,9 +1,7 @@
 #!/bin/bash
 # packages = audit
 
-
-# Use auditctl, on RHEL7, default is to use augenrules
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 rm -f /etc/audit/rules.d/*
 

linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line.pass.sh

@@ -1,9 +1,7 @@
 #!/bin/bash
 # packages = audit
 
-
-# Use auditctl, on RHEL7, default is to use augenrules
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 rm -f /etc/audit/rules.d/*
 

linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line_one_missing.fail.sh

@@ -1,9 +1,7 @@
 #!/bin/bash
 # packages = audit
 
-
-# Use auditctl, on RHEL7, default is to use augenrules
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 rm -f /etc/audit/rules.d/*
 

linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct.pass.sh

@@ -2,5 +2,7 @@
 # packages = audit
 # platform = multi_platform_all
 
+{{{ setup_auditctl_environment() }}}
+
 path="/var/log/faillock"
 . $SHARED/audit_rules_login_events/auditctl_correct.pass.sh

linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_cis.pass.sh

@@ -3,5 +3,7 @@
 # platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
 # profiles = xccdf_org.ssgproject.content_profile_cis
 
+{{{ setup_auditctl_environment() }}}
+
 path="/var/run/faillock"
 . $SHARED/audit_rules_login_events/auditctl_correct.pass.sh

linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission.pass.sh

@@ -2,5 +2,7 @@
 # packages = audit
 # platform = multi_platform_all
 
+{{{ setup_auditctl_environment() }}}
+
 path="/var/log/faillock"
 . $SHARED/audit_rules_login_events/auditctl_correct_extra_permission.pass.sh

linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission_cis.pass.sh

@@ -3,5 +3,7 @@
 # platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
 # profiles = xccdf_org.ssgproject.content_profile_cis
 
+{{{ setup_auditctl_environment() }}}
+
 path="/var/run/faillock"
 . $SHARED/audit_rules_login_events/auditctl_correct_extra_permission.pass.sh

linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key.pass.sh

@@ -2,5 +2,7 @@
 # packages = audit
 # platform = multi_platform_all
 
+{{{ setup_auditctl_environment() }}}
+
 path="/var/log/faillock"
 . $SHARED/audit_rules_login_events/auditctl_correct_without_key.pass.sh

linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key_cis.pass.sh

@@ -3,5 +3,7 @@
 # platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
 # profiles = xccdf_org.ssgproject.content_profile_cis
 
+{{{ setup_auditctl_environment() }}}
+
 path="/var/run/faillock"
 . $SHARED/audit_rules_login_events/auditctl_correct_without_key.pass.sh

linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules.fail.sh

@@ -2,4 +2,6 @@
 # packages = audit
 # platform = multi_platform_all
 
+{{{ setup_auditctl_environment() }}}
+
 . $SHARED/audit_rules_login_events/auditctl_remove_all_rules.fail.sh

linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules_cis.fail.sh

@@ -3,5 +3,7 @@
 # platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
 # profiles = xccdf_org.ssgproject.content_profile_cis
 
+{{{ setup_auditctl_environment() }}}
+
 path="/var/run/faillock"
 . $SHARED/audit_rules_login_events/auditctl_remove_all_rules.fail.sh

linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule.fail.sh

@@ -2,5 +2,7 @@
 # packages = audit
 # platform = multi_platform_all
 
+{{{ setup_auditctl_environment() }}}
+
 path="/var/log/faillock"
 . $SHARED/audit_rules_login_events/auditctl_wrong_rule.fail.sh

linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_cis.fail.sh

@@ -3,5 +3,7 @@
 # platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
 # profiles = xccdf_org.ssgproject.content_profile_cis
 
+{{{ setup_auditctl_environment() }}}
+
 path="/var/run/faillock"
 . $SHARED/audit_rules_login_events/auditctl_wrong_rule.fail.sh

linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key.fail.sh

@@ -2,5 +2,7 @@
 # packages = audit
 # platform = multi_platform_all
 
+{{{ setup_auditctl_environment() }}}
+
 path="/var/log/faillock"
 . $SHARED/audit_rules_login_events/auditctl_wrong_rule_without_key.fail.sh

linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key_cis.fail.sh

@@ -3,5 +3,7 @@
 # platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
 # profiles = xccdf_org.ssgproject.content_profile_cis
 
+{{{ setup_auditctl_environment() }}}
+
 path="/var/run/faillock"
 . $SHARED/audit_rules_login_events/auditctl_wrong_rule_without_key.fail.sh

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh

@@ -2,4 +2,4 @@
 # packages = audit
 # platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8
 
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh

@@ -2,6 +2,7 @@
 # packages = audit
 # platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8
 
+{{{ setup_auditctl_environment() }}}
+
 ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/audit.rules
 sed -i '/newgrp/d' /etc/audit/audit.rules
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh

@@ -2,5 +2,6 @@
 # packages = audit
 # platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8
 
+{{{ setup_auditctl_environment() }}}
+
 echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged" >> /etc/audit/audit.rules
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh

@@ -2,5 +2,6 @@
 # packages = audit
 # platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8
 
+{{{ setup_auditctl_environment() }}}
+
 ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/audit.rules
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_without_perm_x.pass.sh

@@ -2,6 +2,7 @@
 # packages = audit
 # platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8
 
+{{{ setup_auditctl_environment() }}}
+
 ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/audit.rules
 sed -i -E 's/^(.*path=[[:graph:]]+) -F perm=x(.*$)/\1\2/' /etc/audit/audit.rules
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/tests/auditclt_modprobe_correct.pass.sh → linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/tests/auditctl_modprobe_correct.pass.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 # packages = audit
 
+{{{ setup_auditctl_environment() }}}
+
 echo "-w /sbin/modprobe -p x -k modules" >> /etc/audit/audit.rules
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/tests/auditctl_modprobe_correct_without_key.pass.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+{{{ setup_auditctl_environment() }}}
+
+echo "-w /sbin/modprobe -p x" >> /etc/audit/audit.rules

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/tests/auditctl_modprobe_remove_all_rules.fail.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 # packages = audit
 
+{{{ setup_auditctl_environment() }}}
+
 rm -f /etc/audit/audit.rules
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/tests/auditclt_modprobe_wrong_rule.fail.sh → linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/tests/auditctl_modprobe_wrong_rule.fail.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 # packages = audit
 
+{{{ setup_auditctl_environment() }}}
+
 echo "-w /sbin/something -p x -k modules" >> /etc/audit/audit.rules
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_correct.pass.sh

@@ -2,6 +2,6 @@
 # packages = audit
 
 # use auditctl
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 echo "-e 2" > /etc/audit/audit.rules

linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_missing.fail.sh

@@ -2,6 +2,6 @@
 # packages = audit
 
 # use auditctl
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 echo "some value" > /etc/audit/audit.rules

linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_wrong_value.fail.sh

@@ -2,7 +2,7 @@
 # packages = audit
 
 # use auditctl
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 echo "-e 1" > /etc/audit/audit.rules
 

linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh

@@ -2,6 +2,6 @@
 # packages = audit
 
 # use auditctl
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 echo "-w /etc/selinux/ -p wa -k MAC-policy" > /etc/audit/audit.rules

linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct_without_key.pass.sh

@@ -2,6 +2,6 @@
 # packages = audit
 
 # use auditctl
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 echo "-w /etc/selinux/ -p wa" > /etc/audit/audit.rules

linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_missing.fail.sh

@@ -2,6 +2,6 @@
 # packages = audit
 
 # use auditctl
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 echo "some value" > /etc/audit/audit.rules

linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_wrong_value.fail.sh

@@ -2,7 +2,7 @@
 # packages = audit
 
 # use auditctl
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 echo "-w /etc/passwd -p w -k MAC-policy" > /etc/audit/audit.rules
 

linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_correct.pass.sh

@@ -2,6 +2,6 @@
 # packages = audit
 
 # use auditctl
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 echo "-w /usr/share/selinux/ -p wa -k MAC-policy" > /etc/audit/audit.rules

linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_correct_without_key.pass.sh

@@ -2,6 +2,6 @@
 # packages = audit
 
 # use auditctl
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 echo "-w /usr/share/selinux/ -p wa" > /etc/audit/audit.rules

linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_missing.fail.sh

@@ -2,6 +2,6 @@
 # packages = audit
 
 # use auditctl
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 echo "some value" > /etc/audit/audit.rules

linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/tests/auditctl_wrong_value.fail.sh

@@ -2,7 +2,7 @@
 # packages = audit
 
 # use auditctl
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 echo "-w /etc/passwd -p w -k MAC-policy" > /etc/audit/audit.rules
 

linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/auditctl_correct_rules.pass.sh

@@ -3,7 +3,7 @@
 
 
 # use auditctl
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 
 rm -rf /etc/audit/rules.d/*

linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/auditctl_correct_rules_watch_rules_without_key.pass.sh

@@ -3,7 +3,7 @@
 
 
 # use auditctl
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 
 rm -rf /etc/audit/rules.d/*

linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_correct.pass.sh

@@ -2,7 +2,7 @@
 # packages = audit
 
 # use auditctl
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+{{{ setup_auditctl_environment() }}}
 
 rm -rf /etc/audit/rules.d/*
 rm /etc/audit/audit.rules