ComplianceAsCode · vojtapolasek · May 13, 2021 · Apr 30, 2021 · May 7, 2021
diff --git a/...les/audit_privileged_commands/audit_rules_privileged_commands_modprobe/ansible/shared.yml b/...les/audit_privileged_commands/audit_rules_privileged_commands_modprobe/ansible/shared.yml
@@ -0,0 +1,42 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Service facts
+  service_facts:
+
+- name: Check the rules script being used
+  command:
+    grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service
+  register: check_rules_scripts_result
+
+- name: Update modprobe in /etc/audit/rules.d/audit.rules
+  lineinfile:
+    path: /etc/audit/rules.d/audit.rules
+    line: '-w /sbin/modprobe -p x -k modules'
+    create: yes
+  when:
+    - '"auditd.service" in ansible_facts.services'
+    - '"augenrules" in check_rules_scripts_result.stdout'
+  register: augenrules_audit_rules_modprobe_update_result
+
+- name: Update modprobe in /etc/audit/audit.rules
+  lineinfile:
+    path: /etc/audit/audit.rules
+    line: '-w /sbin/modprobe -p x -k modules'
+    create: yes
+  when:
+    - '"auditd.service" in ansible_facts.services'
+    - '"auditctl" in check_rules_scripts_result.stdout'
+  register: auditctl_audit_rules_modprobe_update_result
+
+- name: Restart auditd.service
+  systemd:
+    name: auditd.service
+    state: restarted
+  when:
+    - (augenrules_audit_rules_modprobe_update_result.changed or
+       auditctl_audit_rules_modprobe_update_result.changed)
+    - ansible_facts.services["auditd.service"].state == "running"
diff --git a/..._rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/oval/shared.xml b/..._rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/oval/shared.xml
@@ -0,0 +1,39 @@
+<def-group>
+  <definition class="compliance" id="audit_rules_privileged_commands_modprobe" version="1">
+    {{{ oval_metadata("Ensure audit rule for all uses of the modeprobe command is enabled.") }}}
+
+    <criteria operator="OR">
+
+      <!-- Test the augenrules case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+        <criterion comment="audit augenrules modprobe" test_ref="test_modprobe_augenrules" />
+      </criteria>
+
+      <!-- Test the auditctl case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+        <criterion comment="audit auditctl modprobe" test_ref="test_modprobe_auditctl" />
+      </criteria>
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules modprobe" id="test_modprobe_augenrules" version="1">
+    <ind:object object_ref="object_modprobe_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_modprobe_augenrules" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*-w[\s]+/sbin/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl modprobe" id="test_modprobe_auditctl" version="1">
+    <ind:object object_ref="object_modprobe_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_modprobe_auditctl" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*-w[\s]+/sbin/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/...nfigure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml b/...nfigure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
@@ -0,0 +1,53 @@
+documentation_complete: true
+
+prodtype: sle15
+
+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - modprobe'
+
+description: |-
+    At a minimum, the audit system should collect the execution of
+    privileged commands for all users and root. If the <tt>auditd</tt> daemon is
+    configured to use the <tt>augenrules</tt> program to read audit rules during
+    daemon startup (the default), add a line of the following form to a file with
+    suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
+    <pre>-w /sbin/modprobe -p x -k modules</pre>
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add a line of the following
+    form to <tt>/etc/audit/audit.rules</tt>:
+    <pre>-w /sbin/modprobe -p x -k modules</pre>
+
+rationale: |-
+    Misuse of privileged functions, either intentionally or unintentionally by
+    authorized users, or by unauthorized external entities that have compromised system accounts,
+    is a serious and ongoing concern and can have significant adverse impacts on organizations.
+    Auditing the use of privileged functions is one way to detect such misuse and identify
+    the risk from insider and advanced persistent threats.
+    <br /><br />
+    Privileged programs are subject to escalation-of-privilege attacks,
+    which attempt to subvert their normal role of providing some necessary but
+    limited capability. As such, motivation exists to monitor these programs for
+    unusual activity.
+
+severity: medium
+
+identifiers:
+    cce@sle15: CCE-85731-8
+
+references:
+    disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
+    nist: AU-12(a),AU-12.1(ii),AU-3,AU-3.1,AU-12(c),AU-12.1(iv),MA-4(1)(a)
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    stigid@sle15: SLES-15-030400
+
+ocil_clause: 'it is not the case'
+
+ocil: |-
+    To verify that auditing of privileged command use is configured, run the
+    following command:
+    <pre>
+      sudo auditctl -l | grep -w '/sbin/modprobe'
+      -w /sbin/modprobe -p x -k modules
+    </pre>
+    It should return a relevant line in the audit rules.
+
+platform: machine
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "-w /sbin/modprobe -p x -k modules" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "-w /sbin/something -p x -k modules" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+rm -f /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mkdir -p /etc/audit/rules.d
+echo "-w /sbin/modprobe -p x -k modules" >> /etc/audit/rules.d/login.rules
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+mkdir -p /etc/audit/rules.d
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mkdir -p /etc/audit/rules.d
+echo "-w /sbin/something -p x -k modules" >> /etc/audit/rules.d/login.rules
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "-w /sbin/modprobe -p x -k modules" >> /etc/audit/rules.d/delete.rules
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+res=`cat /etc/audit/rules.d/audit.rules | grep -w "\-w /sbin/modprobe -p x -k modules" | wc -l`
+
+if [[ res -eq 0 ]]
+  then
+     echo "-w /sbin/modprobe -p x -k modules" >> /etc/audit/rules.d/audit.rules
+fi
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true
diff --git a/sle15/profiles/stig.profile b/sle15/profiles/stig.profile
@@ -107,6 +107,7 @@ selections:
     - audit_rules_privileged_commands_gpasswd
     - audit_rules_privileged_commands_kmod
     - audit_rules_privileged_commands_mount
+    - audit_rules_privileged_commands_modprobe
     - audit_rules_privileged_commands_newgrp
     - audit_rules_privileged_commands_pam_timestamp_check
     - audit_rules_privileged_commands_passmass
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		#!/bin/bash

		echo "-w /sbin/modprobe -p x -k modules" >> /etc/audit/rules.d/delete.rules