
OPENSCAP-4948 - Use modern audit watches in audit_rules_session_events#13262

Merged
vojtapolasek merged 3 commits into ComplianceAsCode:master from jan-cerny:arse, Apr 9, 2025

Conversation

@jan-cerny
Collaborator

@jan-cerny jan-cerny commented Apr 1, 2025

This updates the rule audit_rules_session_events to check and remediate the modern style audit watches on RHEL 10. It also reduces code duplication in OVAL and updates test scenarios.
Fixes OPENSCAP-4948

@jan-cerny jan-cerny added the labels Update Rule (Issues or pull requests related to Rules updates) and RHEL10 (Red Hat Enterprise Linux 10 product related) Apr 1, 2025
@github-actions

github-actions Bot commented Apr 1, 2025

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events'.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -386,21 +386,6 @@
 [reference]:
 SRG-APP-000505-CTR-001285
 
-[reference]:
-R73
-
-[reference]:
-5.2.3.11
-
-[reference]:
-10.2.1.3
-
-[reference]:
-10.2.1
-
-[reference]:
-10.2
-
 [rationale]:
 Manual editing of these files may indicate nefarious activity, such
 as an attacker attempting to remove evidence of an intrusion.
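Review bot: this hunk drops five [reference] entries (R73, 5.2.3.11, 10.2.1.3, 10.2.1 and 10.2) from audit_rules_session_events, and the PR description ("check and remediate the modern style audit watches", "reduce code duplication in OVAL") does not mention any reference changes. Please confirm the removal is intentional and that these references are carried by whichever rules now cover utmp/btmp/wtmp; otherwise the control mapping for those frameworks is silently lost.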

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -9,9 +9,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
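Review bot: the three PCI-DSSv4 tags (10.2, 10.2.1, 10.2.1.3) are removed from the task tags in this hunk and in every following hunk of the Ansible remediation while PCI-DSS-Req-10.2.3 is kept. This mirrors the reference removals in the rule diff above, so the same check applies: make sure the PCI DSS v4 mapping is deliberately dropped or moved, since a tag-selected playbook run (for example --tags PCI-DSSv4-10.2.1.3) will no longer pick up these tasks.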
@@ -37,9 +34,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -67,9 +61,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -95,9 +86,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -123,9 +111,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -153,9 +138,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -181,9 +163,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -212,9 +191,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -240,9 +216,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -270,9 +243,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -298,9 +268,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -326,9 +293,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -356,9 +320,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -384,9 +345,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -415,9 +373,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -443,9 +398,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -473,9 +425,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -501,9 +450,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -529,9 +475,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -559,9 +502,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -587,9 +527,6 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
   - audit_rules_session_events
   - low_complexity
   - low_disruption
@@ -618,12 +555,9 @@
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.3
-  - PCI-DSSv4-10.2
-  - PCI-DSSv4-10.2.1
-  - PCI-DSSv4-10.2.1.3
-  - audit_rules_session_events
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-  - restrict_strategy
+  - audit_rules_session_events
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
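Review bot: in this last hunk the six tag lines from audit_rules_session_events through restrict_strategy are removed and re-added with identical visible text, which suggests a whitespace or line-ending difference rather than a content change. Worth confirming that the generated remediation does not now carry trailing whitespace, so the diff stays limited to the intended PCI-DSSv4 tag removal.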

@jan-cerny jan-cerny added this to the 0.1.77 milestone Apr 1, 2025
@jan-cerny
Collaborator Author

/packit build

@jan-cerny jan-cerny changed the title from "Use modern audit watches in audit_rules_session_events" to "OPENSCAP-4948 - Use modern audit watches in audit_rules_session_events" Apr 2, 2025
@vojtapolasek
Collaborator

@jan-cerny although the technical solution of the problem is nice, I am wondering... wouldn't it be actually better to create brand new rules in this case?
I think you could use the audit_rules_watch template. In general, I think the preferred approach is to decompose these rules into smaller discrete parts if possible, and I don't see anything preventing it.

@jan-cerny
Collaborator Author

@vojtapolasek Do you mean to create separate rules for each of the files (/var/run/utmp, /var/log/btmp, /var/log/wtmp)? They already exist. We have rules audit_rules_session_events_btmp, audit_rules_session_events_utmp, audit_rules_session_events_wtmp. They already use the audit_rules_watch template, which means they already support the modern style of watches.
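
As an added illustration of what a check for these watches has to recognise (example code written for this page, not code from this PR or from the ComplianceAsCode project): a small Python checker that parses an audit rules file and reports which of the three session files named above (/var/run/utmp, /var/log/btmp, /var/log/wtmp) lack a write/attribute watch. It accepts both the legacy `-w PATH -p wa` watch and the syscall-rule form `-a always,exit -F path=PATH -F perm=wa`; treating the latter as the "modern style" watch follows auditctl(8), and that mapping, the sample rules and all function names are assumptions of this example rather than something the PR states.

```python
"""Check that an audit rules file watches the session log files for
write and attribute-change events, accepting both watch syntaxes.

Sample rules below are constructed for this example. The two syntaxes
are taken from auditctl(8): the legacy '-w PATH -p PERMS' watch and the
syscall-rule form '-a always,exit -F path=PATH -F perm=PERMS'.
"""
import shlex

# The three files the discussed rules cover.
SESSION_FILES = ("/var/run/utmp", "/var/log/btmp", "/var/log/wtmp")
# A useful watch on these files must record writes and attribute changes.
REQUIRED_PERMS = {"w", "a"}


def parse_rule(line):
    """Return (path, perms) for a watch-style rule, or None for any other line."""
    line = line.split("#", 1)[0].strip()   # drop comments and blank lines
    if not line:
        return None
    tokens = shlex.split(line)
    if not tokens:
        return None

    if tokens[0] == "-w":
        # Legacy form: -w PATH [-p PERMS] [-k KEY]
        path = tokens[1] if len(tokens) > 1 else None
        perms = ""
        for i, tok in enumerate(tokens):
            if tok == "-p" and i + 1 < len(tokens):
                perms = tokens[i + 1]
        return (path, set(perms)) if path else None

    if tokens[0] == "-a" and len(tokens) > 1 and tokens[1] in ("always,exit", "exit,always"):
        # Syscall-rule ("modern") form: -a always,exit -F path=PATH -F perm=PERMS -F key=KEY
        path = None
        perms = ""
        for i, tok in enumerate(tokens):
            if tok == "-F" and i + 1 < len(tokens):
                key, _, value = tokens[i + 1].partition("=")
                if key == "path":
                    path = value
                elif key == "perm":
                    perms = value
        return (path, set(perms)) if path else None

    return None


def watched_paths(rules_text):
    """Map each watched path to the union of permission flags across all rules."""
    watched = {}
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed:
            path, perms = parsed
            watched.setdefault(path, set()).update(perms)
    return watched


def missing_session_watches(rules_text):
    """Return the session files not covered by a watch carrying both 'w' and 'a'."""
    watched = watched_paths(rules_text)
    return [p for p in SESSION_FILES if not REQUIRED_PERMS <= watched.get(p, set())]


# Constructed sample: one legacy watch, one modern watch, one watch with
# insufficient permissions (read only), so btmp is reported as missing.
SAMPLE_RULES = """
## constructed audit.rules fragment for the session-event files
-w /var/run/utmp -p wa -k session
-a always,exit -F path=/var/log/wtmp -F perm=wa -F key=session
-w /var/log/btmp -p r -k session
"""

if __name__ == "__main__":
    for path in missing_session_watches(SAMPLE_RULES):
        print(f"no write/attribute watch for {path}")
```

Running the block against a real system means feeding it the concatenated contents of /etc/audit/rules.d/*.rules instead of SAMPLE_RULES; the checker deliberately merges permission flags across rules, so two partial watches on the same file (one with -p w, one with -p a) together satisfy the requirement, which is the behaviour an auditor would expect.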

@vojtapolasek
Collaborator

I see. Then I suggest rather using these rules in the case of the rhel10 product than enhancing the monolithic rule. I believe this will ease maintenance in the future.

@jan-cerny jan-cerny requested a review from a team as a code owner April 3, 2025 14:41
@jan-cerny
Collaborator Author

I have changed to use more specific individual rules in RHEL profiles.

@Mab879 Mab879 assigned Mab879 and vojtapolasek and unassigned Mab879 Apr 3, 2025
@Mab879
Member

Mab879 commented Apr 3, 2025

@vojtapolasek Assigning this PR to you since you requested some changes.

@vojtapolasek
Collaborator

Hello @jan-cerny that's what I was suggesting. But I noticed that these specific rules do not have remediations available for RHEL.
I still think that it is better for our future selves to rather improve these smaller and more targeted rules than to modify remediations and checks of those big rules. What do you think?

@jan-cerny
Collaborator Author

@vojtapolasek Yes, I agree. I have removed them now.

@vojtapolasek
Collaborator

Looks good @jan-cerny. Do you intend to keep the commit 2250bd9? I would drop it in the context of the previous discussion.

The rule audit_rules_session_events combines checking for multiple
audit rules in a single XCCDF rule. The rule is too
complex and convoluted. Instead, we can use more granular rules
audit_rules_session_events_utmp, audit_rules_session_events_btmp
and audit_rules_session_events_wtmp. These rules are templated
and they support modern style watches.
The remediations and test are now covered by the templated code
in the audit_rules_watch template, therefore, we will remove
the static code from rules audit_rules_session_events_btmp,
audit_rules_session_events_utmp, audit_rules_session_events_wtmp.
@jan-cerny
Collaborator Author

I have removed that commit now. I have rebased this PR on top of the latest upstream master branch.

@jan-cerny
Collaborator Author

I have added the missing HIPAA reference.

@qlty-cloud-legacy

Code Climate has analyzed commit 1034610 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

View more on Code Climate.

Collaborator

@vojtapolasek vojtapolasek left a comment


Looks good now. I tested all rules through Automatus locally, as I believe gating tests will not test them properly because of the combination of Audit and containers.

@vojtapolasek vojtapolasek merged commit ba38666 into ComplianceAsCode:master Apr 9, 2025
107 of 114 checks passed