Skip to content

Create auditd rules#158

Open
m41kc0d3 wants to merge 2 commits intodev-sec:masterfrom
m41kc0d3:Create-auditd-rules
Open

Create auditd rules#158
m41kc0d3 wants to merge 2 commits intodev-sec:masterfrom
m41kc0d3:Create-auditd-rules

Conversation

@m41kc0d3
Copy link

@m41kc0d3 m41kc0d3 commented Jul 23, 2021

see Telekom 2021.07-01 SoC 3.65 Req32-37
Public Telekom Security - Requirements

m41kc0d3 added 2 commits July 23, 2021 12:14
@m41kc0d3
Add Check for auditd rules
8cf95c2 
and add NOTICE file for code reuse

Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
@m41kc0d3
Fix syntax of auditd checks
92a6c85 
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
schurzi
schurzi requested changes Jul 26, 2021
View reviewed changes
Copy link
Contributor

@schurzi schurzi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be very beneficial to split this one control into multiple separate controlls.
A good approach for this may be CIS DIL Benchmark, this way we could get meaningful descriptions, explaining the wy and what, and also reference the IDs there for further reading.

controls/os_spec.rb
its(:stdout) { should match '-w /var/log/audit/audit.log' }
its(:stdout) { should match '-w /etc/hosts -p wa -k system-locale' }
its(:stdout) { should match '-w /etc/ssh/sshd_config' }
if os.redhat? || os.name == 'amazon' || os.name == 'fedora'
Copy link
Contributor

@schurzi schurzi Jul 26, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you please change this to use only_if, like

linux-baseline/controls/os_spec.rb

Lines 153 to 167 in 91a0aa9

control 'os-05b' do
impact 1.0
title 'Check login.defs - RedHat specific'
desc 'Check owner and permissions for login.defs. Also check the configured PATH variable and umask in login.defs'
describe file('/etc/login.defs') do
it { should_not be_writable }
end
describe login_defs do
its('SYS_UID_MIN') { should eq '201' }
its('SYS_UID_MAX') { should eq '999' }
its('SYS_GID_MIN') { should eq '201' }
its('SYS_GID_MAX') { should eq '999' }
end
only_if { os.redhat? }
end

controls/os_spec.rb
end
end

control 'os-15' do
Copy link
Contributor

@schurzi schurzi Jul 26, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think audit is large enough to start an extra file for all the checks and maybe split this up a bit to give it usefull names and descriptions.

@m41kc0d3
Copy link
Author

m41kc0d3 commented Jul 27, 2021

Hi schurzi,
I see there is already an Inspec definition in an other repo in this project. https://github.com/dev-sec/cis-dil-benchmark/blob/master/controls/4_1_configure_system_accounting_auditd.rb

Should I copy them to a new file in this repo an change the the tests to the things I configure in dev-sec/ansible-collection-hardening#468 ?
Or is this a little to much tests?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@schurzi schurzi schurzi requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@m41kc0d3 @schurzi