Skip to content

OPENSCAP-4926 - Use template in audit_rules_mac_modification_usr_share#13273

Merged
vojtapolasek merged 1 commit into
ComplianceAsCode:masterfrom
jan-cerny:mac_modification_usr_share
Apr 2, 2025
Merged

OPENSCAP-4926 - Use template in audit_rules_mac_modification_usr_share#13273
vojtapolasek merged 1 commit into
ComplianceAsCode:masterfrom
jan-cerny:mac_modification_usr_share

Conversation

@jan-cerny
Copy link
Copy Markdown
Collaborator

@jan-cerny jan-cerny commented Apr 2, 2025
edited
Loading

This commit changes rule audit_rules_mac_modification_usr_share. It will use the audit_rules_watch template instead of static checks and remediations. The advantage is reducing code duplication. As a result, the rule will support modern style audit watches on RHEL 10.

The change in the templated OVAL prevents collisions with other rules that use the audit_rules_watch template and have "selinux" as a basename part of the path parameter.

Fixes OPENSCAP-4926

@jan-cerny jan-cerny added Update Rule Issues or pull requests related to Rules updates. RHEL10 Red Hat Enterprise Linux 10 product related. labels Apr 2, 2025
@jan-cerny jan-cerny added this to the 0.1.77 milestone Apr 2, 2025
@jan-cerny
Use template in audit_rules_mac_modification_usr_share
3327d85 
This commit changes rule audit_rules_mac_modification_usr_share.
It will use the audit_rules_watch template instead of static
checks and remediations. The advantage is reducing code duplication.
As a result, the rule will support modern style audit watches on
RHEL 10.
@jan-cerny jan-cerny force-pushed the mac_modification_usr_share branch from bdf0335 to 3327d85 Compare April 2, 2025 07:59
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 2, 2025

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff 
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share'.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
@@ -3,14 +3,17 @@
 Record Events that Modify the System's Mandatory Access Controls in usr/share
 
 [description]:
-If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix .rules in the
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+following lines to a file with suffix .rules in the
 directory /etc/audit/rules.d:
+
 -w /usr/share/selinux/ -p wa -k MAC-policy
+
 If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules:
+
 -w /usr/share/selinux/ -p wa -k MAC-policy
 
 [reference]:

OVAL for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share' differs.
--- oval:ssg-audit_rules_mac_modification_usr_share:def:1
+++ oval:ssg-audit_rules_mac_modification_usr_share:def:1
@@ -1,7 +1,7 @@
 criteria OR
 criteria AND
 extend_definition oval:ssg-audit_rules_augenrules:def:1
-criterion oval:ssg-test_armm_selinux_watch_augenrules_usr_share:tst:1
+criterion oval:ssg-test_audit_rules_mac_modification_usr_share_augenrules:tst:1
 criteria AND
 extend_definition oval:ssg-audit_rules_auditctl:def:1
-criterion oval:ssg-test_armm_selinux_watch_auditctl_usr_share:tst:1
+criterion oval:ssg-test_audit_rules_mac_modification_usr_share_auditctl:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
@@ -2,6 +2,12 @@
 if rpm --quiet -q audit && rpm --quiet -q kernel; then
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+
+
+
+
+
+
 # Create a list of audit *.rules files that should be inspected for presence and correctness
 # of a particular audit rule. The scheme is as follows:
 #

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
@@ -12,7 +12,7 @@
   - low_complexity
   - low_disruption
   - medium_severity
-  - reboot_required
+  - no_reboot_needed
   - restrict_strategy
 
 - name: Record Events that Modify the System's Mandatory Access Controls in usr/share
@@ -36,7 +36,7 @@
   - low_complexity
   - low_disruption
   - medium_severity
-  - reboot_required
+  - no_reboot_needed
   - restrict_strategy
 
 - name: Record Events that Modify the System's Mandatory Access Controls in usr/share
@@ -62,7 +62,7 @@
   - low_complexity
   - low_disruption
   - medium_severity
-  - reboot_required
+  - no_reboot_needed
   - restrict_strategy
 
 - name: Record Events that Modify the System's Mandatory Access Controls in usr/share
@@ -86,7 +86,7 @@
   - low_complexity
   - low_disruption
   - medium_severity
-  - reboot_required
+  - no_reboot_needed
   - restrict_strategy
 
 - name: Record Events that Modify the System's Mandatory Access Controls in usr/share
@@ -110,7 +110,7 @@
   - low_complexity
   - low_disruption
   - medium_severity
-  - reboot_required
+  - no_reboot_needed
   - restrict_strategy
 
 - name: Record Events that Modify the System's Mandatory Access Controls in usr/share
@@ -136,7 +136,7 @@
   - low_complexity
   - low_disruption
   - medium_severity
-  - reboot_required
+  - no_reboot_needed
   - restrict_strategy
 
 - name: Record Events that Modify the System's Mandatory Access Controls in usr/share
@@ -160,7 +160,7 @@
   - low_complexity
   - low_disruption
   - medium_severity
-  - reboot_required
+  - no_reboot_needed
   - restrict_strategy
 
 - name: Record Events that Modify the System's Mandatory Access Controls in usr/share
@@ -187,5 +187,5 @@
   - low_complexity
   - low_disruption
   - medium_severity
-  - reboot_required
+  - no_reboot_needed
   - restrict_strategy

@qlty-cloud-legacy
Copy link
Copy Markdown

qlty-cloud-legacy Bot commented Apr 2, 2025

Code Climate has analyzed commit 3327d85 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

View more on Code Climate.

@jan-cerny jan-cerny changed the title Use template in audit_rules_mac_modification_usr_share OPENSCAP-4926 - Use template in audit_rules_mac_modification_usr_share Apr 2, 2025
@vojtapolasek vojtapolasek self-assigned this Apr 2, 2025
vojtapolasek
vojtapolasek approved these changes Apr 2, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@vojtapolasek vojtapolasek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, thank you. I tested locally with automatus and tests pass.

@vojtapolasek vojtapolasek merged commit 78b94b8 into ComplianceAsCode:master Apr 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vojtapolasek vojtapolasek vojtapolasek approved these changes

Assignees

@vojtapolasek vojtapolasek

Labels

RHEL10 Red Hat Enterprise Linux 10 product related. Update Rule Issues or pull requests related to Rules updates.

Projects

None yet

Milestone

0.1.77

Development

Successfully merging this pull request may close these issues.

2 participants

@jan-cerny @vojtapolasek