Enable Auditing to Start Prior to the Audit Daemon in zIPL

An XCCDF Rule

Description

To ensure all processes can be audited, even those which start prior to the audit daemon, check that all boot entries in /boot/loader/entries/*.conf have audit=1 included in its options.
To ensure that new kernels and boot entries continue to enable audit, add audit=1 to /etc/kernel/cmdline.

Rationale

Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

ID: xccdf_org.ssgproject.content_rule_zipl_audit_argument
Severity: Medium
References: FAU_GEN.1

CCE-83321-0
Updated: about 1 year ago

- name: Ensure BLS boot entries options contain audit=1
  block:

  - name: 'Check how many boot entries exist '
    find:
      paths: /boot/loader/entries/      patterns: '*.conf'
    register: n_entries

  - name: Check how many boot entries set audit=1
    find:
      paths: /boot/loader/entries/
      contains: ^options .*audit=1.*$
      patterns: '*.conf'
    register: n_entries_options

  - name: Update boot entries options
    command: grubby --update-kernel=ALL --args="audit=1"
    when: n_entries is defined and n_entries_options is defined and n_entries.matched
      != n_entries_options.matched

  - name: Check if /etc/kernel/cmdline exists
    stat:
      path: /etc/kernel/cmdline
    register: cmdline_stat

  - name: Check if /etc/kernel/cmdline contains audit=1
    find:
      paths: /etc/kernel/
      patterns: cmdline
      contains: ^.*audit=1.*$
    register: cmdline_find

  - name: Add /etc/kernel/cmdline contains audit=1
    lineinfile:
      create: true
      path: /etc/kernel/cmdline
      line: audit=1
    when: cmdline_stat is defined and not cmdline_stat.stat.exists

  - name: Append /etc/kernel/cmdline contains audit=1
    lineinfile:
      path: /etc/kernel/cmdline
      backrefs: true
      regexp: ^(.*)$
      line: \1 audit=1
    when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is
      defined and cmdline_find.matched == 0
  when:
  - ansible_architecture == "s390x"
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83321-0
  - configure_strategy
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - zipl_audit_argument

# Remediation is applicable only in certain platforms
if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Correct BLS option using grubby, which is a thin wrapper around BLS operations
grubby --update-kernel=ALL --args="audit=1"
# Ensure new kernels and boot entries retain the boot option
if [ ! -f /etc/kernel/cmdline ]; then
    echo "audit=1" > /etc/kernel/cmdline
elif ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline; then
    
    sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable Auditing to Start Prior to the Audit Daemon in zIPL

Description

Rationale

Remediation - Ansible

Remediation - Shell Script