Remove Default Configuration to Disable Syscall Auditing

An XCCDF Rule

Description

By default, SUSE Linux Enterprise 12 ships an audit rule to disable syscall auditing for performance reasons. To make sure that syscall auditing works, this line must be removed from /etc/audit/rules.d/audit.rules and /etc/audit/audit.rules:

-a task,never

Rationale

Audit rules for syscalls do not take effect unless this line is removed.

ID: xccdf_org.ssgproject.content_rule_audit_rules_enable_syscall_auditing
Severity: Medium
References: CCI-000366

SRG-OS-000480-GPOS-00227

SLES-12-020199

CCE-83119-8

SV-217204r991589_rule
Updated: about 1 month ago

Remediation Templates

# Remediation is applicable only in certain platforms
if rpm --quiet -q audit && rpm --quiet -q kernel-default; then
if [ -f "/usr/lib/systemd/system/auditd.service" ] ; then
    IS_AUGENRULES=$(grep -E "^(ExecStartPost=|Requires=augenrules\.service)" /usr/lib/systemd/system/auditd.service)

    if [[ "$IS_AUGENRULES" == *"augenrules"* ]] ; then        for f in /etc/audit/rules.d/*.rules ; do
            sed -E -i --follow-symlinks 's/^(\s*-a\s+task,never)/#\1/' "$f"
        done
    else
        # auditctl is used
        sed -E -i --follow-symlinks 's/^(\s*-a\s+task,never)/#\1/' /etc/audit/audit.rules
    fi

    systemctl is-active --quiet auditd.service
    if [ $? -ne 0 ] ; then
        systemctl restart auditd.service
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83119-8
  - DISA-STIG-SLES-12-020199  - audit_rules_enable_syscall_auditing
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: Service facts
  service_facts: null
  when:
  - '"audit" in ansible_facts.packages'
  - '"kernel-default" in ansible_facts.packages'
  tags:
  - CCE-83119-8
  - DISA-STIG-SLES-12-020199
  - audit_rules_enable_syscall_auditing
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if auditctl rules script being used
  ansible.builtin.find:
    paths: /usr/lib/systemd/system/
    patterns: auditd.service
    contains: ^\s*(ExecStartPost|Requires)\s*=[\s\-]*[\w\/]*auditctl
  register: auditd_svc_auditctl_used
  when:
  - '"audit" in ansible_facts.packages'
  - '"kernel-default" in ansible_facts.packages'
  tags:
  - CCE-83119-8
  - DISA-STIG-SLES-12-020199
  - audit_rules_enable_syscall_auditing
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check augenrules rules script being used
  ansible.builtin.find:
    paths: /usr/lib/systemd/system/
    patterns: auditd.service
    contains: ^\s*(ExecStartPost|Requires)\s*=[\s\-]*[\w\/]*augenrules
  register: auditd_svc_augen_used
  when:
  - '"audit" in ansible_facts.packages'
  - '"kernel-default" in ansible_facts.packages'
  tags:
  - CCE-83119-8
  - DISA-STIG-SLES-12-020199
  - audit_rules_enable_syscall_auditing
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Find audit rules in /etc/audit/rules.d
  find:
    paths: /etc/audit/rules.d
    file_type: file
    follow: true
  register: find_audit_rules_result
  when:
  - '"audit" in ansible_facts.packages'
  - '"kernel-default" in ansible_facts.packages'
  - '"auditd.service" in ansible_facts.services'
  - auditd_svc_augen_used is defined and auditd_svc_augen_used.matched >= 1
  tags:
  - CCE-83119-8
  - DISA-STIG-SLES-12-020199
  - audit_rules_enable_syscall_auditing
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Enable syscall auditing (augenrules)
  lineinfile:
    path: '{{ item.path }}'
    regex: ^(?i)(\s*-a\s+task,never)\s*$
    line: '#-a task,never'
  with_items: '{{ find_audit_rules_result.files }}'
  when:
  - '"audit" in ansible_facts.packages'
  - '"kernel-default" in ansible_facts.packages'
  - '"auditd.service" in ansible_facts.services'
  - auditd_svc_augen_used is defined and auditd_svc_augen_used.matched >= 1
  register: augenrules_syscall_auditing_rule_update_result
  tags:
  - CCE-83119-8
  - DISA-STIG-SLES-12-020199
  - audit_rules_enable_syscall_auditing
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Enable syscall auditing (auditctl)
  lineinfile:
    path: /etc/audit/audit.rules
    regex: ^(?i)(\s*-a\s+task,never)\s*$
    line: '#-a task,never'
  when:
  - '"audit" in ansible_facts.packages'
  - '"kernel-default" in ansible_facts.packages'
  - '"auditd.service" in ansible_facts.services'
  - auditd_svc_auditctl_used is defined and auditd_svc_auditctl_used.matched >= 1
  register: auditctl_syscall_auditing_rule_update_result
  tags:
  - CCE-83119-8
  - DISA-STIG-SLES-12-020199
  - audit_rules_enable_syscall_auditing
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Restart auditd.service
  systemd:
    name: auditd.service
    state: restarted
  when:
  - '"audit" in ansible_facts.packages'
  - '"kernel-default" in ansible_facts.packages'
  - ansible_facts.services["auditd.service"].state == "running"
  - (augenrules_syscall_auditing_rule_update_result.changed or auditctl_syscall_auditing_rule_update_result.changed)
  tags:
  - CCE-83119-8
  - DISA-STIG-SLES-12-020199
  - audit_rules_enable_syscall_auditing
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remove Default Configuration to Disable Syscall Auditing

Description

Rationale

Remediation Templates

A Shell Script

An Ansible Snippet