Merge pull request #13786 from teacup-on-rockingchair/audit_binaries_file_perm

Use platform specific audit binaries

Author: vojtapolasek

linux_os/guide/auditing/file_permissions_auditd/file_groupownership_audit_binaries/rule.yml

@@ -8,18 +8,10 @@ description: |-
     ownership configured to protected against unauthorized access.
 
     Verify it by running the following command:
-    <pre>$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
-
-    /sbin/auditctl root
-    /sbin/aureport root
-    /sbin/ausearch root
-    {{% if product not in ["rhel10"] %}}/sbin/autrace root{{% endif %}}
-    /sbin/auditd root
-    {{% if 'rhel' not in product %}}/sbin/audispd root{{% endif %}}
-    /sbin/augenrules root
-    {{%- if 'rhel' in product %}}
-    /sbin/audisp-syslog root
-    {{%- endif %}}
+    <pre>$ stat -c "%n %G" {{{ audit_binaries | join(" ")}}}
+    {{% for binary in audit_binaries %}}
+    {{{ binary }}} root
+    {{% endfor %}}
     </pre>
 
     Audit tools needed to successfully view and manipulate audit information
@@ -48,16 +40,10 @@ references:
 
 ocil: |-
     Verify it by running the following command:
-    <pre>$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules /sbin/audisp-syslog
-
-    /sbin/auditctl root
-    /sbin/aureport root
-    /sbin/ausearch root
-    {{% if product not in ["rhel10"] %}}/sbin/autrace root{{% endif %}}
-    /sbin/auditd root
-    {{% if 'rhel' not in product %}}/sbin/audispd root{{% endif %}}
-    /sbin/augenrules root
-    {{% if 'rhel' in product %}}/sbin/audisp-syslog root{{% endif %}}
+    <pre>$ stat -c "%n %G" {{{ audit_binaries | join(" ")}}}
+    {{% for binary in audit_binaries %}}
+    {{{ binary }}} root
+    {{% endfor %}}
     </pre>
 
     If the command does not return all the above lines, the missing ones
@@ -72,13 +58,5 @@ ocil: |-
 template:
     name: file_groupowner
     vars:
-        filepath:
-            - /sbin/auditctl
-            - /sbin/aureport
-            - /sbin/ausearch
-            {{% if product not in ["rhel10"] %}}- /sbin/autrace{{% endif %}}
-            - /sbin/auditd
-            {{% if 'rhel' not in product and 'ubuntu' not in product %}}- /sbin/audispd{{% endif %}}
-            - /sbin/augenrules
-            {{% if 'rhel' in product %}}- /sbin/audisp-syslog{{% endif %}}
+        filepath: {{{ audit_binaries }}}
         gid_or_name: '0'

linux_os/guide/auditing/file_permissions_auditd/file_ownership_audit_binaries/rule.yml

@@ -8,16 +8,10 @@ description: |-
     ownership configured to protected against unauthorized access.
 
     Verify it by running the following command:
-    <pre>$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules /sbin/audisp-syslog
-
-    /sbin/auditctl root
-    /sbin/aureport root
-    /sbin/ausearch root
-    {{% if product not in ["rhel10"] %}}/sbin/autrace root{{% endif %}}
-    /sbin/auditd root
-    {{% if 'rhel' not in product %}}/sbin/audispd root{{% endif %}}
-    /sbin/augenrules root
-    {{% if 'rhel' in product %}}/sbin/audisp-syslog root{{% endif %}}
+    <pre>$ stat -c "%n %U" {{{ audit_binaries | join(" ")}}}
+    {{% for binary in audit_binaries %}}
+    {{{ binary }}} root
+    {{% endfor %}}
     </pre>
 
     Audit tools needed to successfully view and manipulate audit information
@@ -46,17 +40,11 @@ references:
 
 ocil: |-
     Verify it by running the following command:
-    <pre>$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
-
-    /sbin/auditctl root
-    /sbin/aureport root
-    /sbin/ausearch root
-    {{% if product not in ["rhel10"] %}}/sbin/autrace root{{% endif %}}
-    /sbin/auditd root
-    {{% if 'rhel' not in product %}}/sbin/audispd root{{% endif %}}
-    /sbin/augenrules root
+    <pre>$ stat -c "%n %U" {{{ audit_binaries | join(" ")}}}
+    {{% for binary in audit_binaries %}}
+    {{{ binary }}} root
+    {{% endfor %}}
     </pre>
-
     If the command does not return all the above lines, the missing ones
     need to be added.
 
@@ -69,13 +57,5 @@ ocil: |-
 template:
     name: file_owner
     vars:
-        filepath:
-            - /sbin/auditctl
-            - /sbin/aureport
-            - /sbin/ausearch
-            {{% if product not in ["rhel10"] %}}- /sbin/autrace{{% endif %}}
-            - /sbin/auditd
-            {{% if 'rhel' not in product %}}- /sbin/audispd{{% endif %}}
-            - /sbin/augenrules
-            {{% if 'rhel' in product %}}- /sbin/audisp-syslog{{% endif %}}
+        filepath: {{{ audit_binaries }}}
         uid_or_name: '0'

linux_os/guide/auditing/file_permissions_auditd/file_permissions_audit_binaries/rule.yml

@@ -8,22 +8,10 @@ description: |-
     permissions configured to protected against unauthorized access.
 
     Verify it by running the following command:
-    <pre>$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
-
-    /sbin/auditctl 755
-    /sbin/aureport 755
-    /sbin/ausearch 755
-    {{%- if product not in ["rhel10"] %}}
-    /sbin/autrace 755
-    {{%- endif %}}
-    /sbin/auditd 755
-    {{%- if 'rhel' not in product %}}
-    /sbin/audispd 755
-    {{%- endif %}}
-    /sbin/augenrules 755
-    {{%- if 'rhel' in product %}}
-    /sbin/audisp-syslog 755
-    {{%- endif %}}
+    <pre>$ stat -c "%n %a" {{{ audit_binaries | join(" ")}}}
+    {{% for binary in audit_binaries %}}
+    {{{ binary }}} 755
+    {{% endfor %}}
     </pre>
 
     Audit tools needed to successfully view and manipulate audit information
@@ -52,17 +40,11 @@ references:
 
 ocil: |-
     Verify it by running the following command:
-    <pre>$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
-
-    /sbin/auditctl 755
-    /sbin/aureport 755
-    /sbin/ausearch 755
-    {{% if product not in ["rhel10"] %}}/sbin/autrace 755{{% endif %}}
-    /sbin/auditd 755
-    {{% if 'rhel' not in product %}}/sbin/audispd 755{{% endif %}}
-    /sbin/augenrules 755
+    <pre>$ stat -c "%n %a" {{{ audit_binaries | join(" ")}}}
+    {{% for binary in audit_binaries %}}
+    {{{ binary }}} 755
+    {{% endfor %}}
     </pre>
-
     If the command does not return all the above lines, the missing ones
     need to be added.
 
@@ -76,13 +58,5 @@ ocil: |-
 template:
     name: file_permissions
     vars:
-        filepath:
-            - /sbin/auditctl
-            - /sbin/aureport
-            - /sbin/ausearch
-            {{% if product not in ["rhel10"] %}}- /sbin/autrace{{% endif %}}
-            - /sbin/auditd
-            {{% if 'rhel' not in product %}}- /sbin/audispd{{% endif %}}
-            - /sbin/augenrules
-            {{% if 'rhel' in product %}}- /sbin/audisp-syslog{{% endif %}}
+        filepath: {{{ audit_binaries }}}
         filemode: '0755'

product_properties/10-audit-binaries.yml

@@ -0,0 +1,27 @@
+default:
+  audit_binaries:
+    - /sbin/auditctl
+    - /sbin/aureport
+    - /sbin/ausearch
+    {{% if product not in ["rhel10"] %}}
+    - /sbin/autrace
+    {{% endif %}}
+    - /sbin/auditd
+    {{% if 'rhel' not in product and 'ubuntu' not in product and 'ol' not in product %}}
+    - /sbin/audispd
+    {{% endif %}}
+    - /sbin/augenrules
+    {{% if 'rhel' in product %}}
+    - /sbin/audisp-syslog
+    {{% endif %}}
+overrides:
+{{% if product == 'sle15' %}}
+  audit_binaries:
+    - /usr/sbin/auditctl
+    - /usr/sbin/aureport
+    - /usr/sbin/ausearch
+    - /usr/sbin/autrace
+    - /usr/sbin/auditd
+    - /usr/sbin/augenrules
+    - /usr/sbin/audisp-syslog
+{{% endif %}}

tests/data/product_stability/alinux2.yml

@@ -3,6 +3,14 @@ aide_also_checks_rsyslog: 'no'
 aide_bin_path: /usr/sbin/aide
 aide_conf_path: /etc/aide.conf
 audisp_conf_path: /etc/audit
+audit_binaries:
+  - /sbin/auditctl
+  - /sbin/aureport
+  - /sbin/ausearch
+  - /sbin/autrace
+  - /sbin/auditd
+  - /sbin/audispd
+  - /sbin/augenrules
 audit_watches_style: legacy
 auid: 1000
 basic_properties_derived: true

tests/data/product_stability/alinux3.yml

@@ -3,6 +3,14 @@ aide_also_checks_rsyslog: 'no'
 aide_bin_path: /usr/sbin/aide
 aide_conf_path: /etc/aide.conf
 audisp_conf_path: /etc/audit
+audit_binaries:
+  - /sbin/auditctl
+  - /sbin/aureport
+  - /sbin/ausearch
+  - /sbin/autrace
+  - /sbin/auditd
+  - /sbin/audispd
+  - /sbin/augenrules
 audit_watches_style: legacy
 auid: 1000
 basic_properties_derived: true

tests/data/product_stability/anolis23.yml

@@ -3,6 +3,13 @@ aide_also_checks_rsyslog: 'no'
 aide_bin_path: /usr/sbin/aide
 aide_conf_path: /etc/aide.conf
 audisp_conf_path: /etc/audit
+audit_binaries:
+  - /sbin/auditctl
+  - /sbin/aureport
+  - /sbin/ausearch
+  - /sbin/autrace
+  - /sbin/auditd
+  - /sbin/augenrules
 audit_watches_style: legacy
 auid: 1000
 basic_properties_derived: true

tests/data/product_stability/anolis8.yml

@@ -3,6 +3,13 @@ aide_also_checks_rsyslog: 'no'
 aide_bin_path: /usr/sbin/aide
 aide_conf_path: /etc/aide.conf
 audisp_conf_path: /etc/audit
+audit_binaries:
+  - /sbin/auditctl
+  - /sbin/aureport
+  - /sbin/ausearch
+  - /sbin/autrace
+  - /sbin/auditd
+  - /sbin/augenrules
 audit_watches_style: legacy
 auid: 1000
 basic_properties_derived: true

tests/data/product_stability/chromium.yml

@@ -3,6 +3,14 @@ aide_also_checks_rsyslog: 'no'
 aide_bin_path: /usr/sbin/aide
 aide_conf_path: /etc/aide.conf
 audisp_conf_path: /etc/audit
+audit_binaries:
+  - /sbin/auditctl
+  - /sbin/aureport
+  - /sbin/ausearch
+  - /sbin/autrace
+  - /sbin/auditd
+  - /sbin/audispd
+  - /sbin/augenrules
 audit_watches_style: legacy
 auid: 1000
 basic_properties_derived: true

tests/data/product_stability/debian11.yml

@@ -3,6 +3,14 @@ aide_also_checks_rsyslog: 'no'
 aide_bin_path: /usr/sbin/aide
 aide_conf_path: /etc/aide.conf
 audisp_conf_path: /etc/audit
+audit_binaries:
+  - /sbin/auditctl
+  - /sbin/aureport
+  - /sbin/ausearch
+  - /sbin/autrace
+  - /sbin/auditd
+  - /sbin/audispd
+  - /sbin/augenrules
 audit_watches_style: legacy
 auid: 1000
 basic_properties_derived: true