By default, SUSE Linux Enterprise 15 ships an audit rule to disable syscall
auditing for performance reasons.
To make sure that syscall auditing works, this line must be removed from
/etc/audit/rules.d/audit.rules and /etc/audit/audit.rules:
-a task,never
Rationale
Audit rules for syscalls do not take effect unless this line is removed.
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
if [ -f "/usr/lib/systemd/system/auditd.service" ] ; then
IS_AUGENRULES=$(grep -E "^(ExecStartPost=|Requires=augenrules\.service)" /usr/lib/systemd/system/auditd.service)
if [[ "$IS_AUGENRULES" == *"augenrules"* ]] ; then
for f in /etc/audit/rules.d/*.rules ; do
sed -E -i --follow-symlinks 's/^(\s*-a\s+task,never)/#\1/' "$f"
done
else
# auditctl is used
sed -E -i --follow-symlinks 's/^(\s*-a\s+task,never)/#\1/' /etc/audit/audit.rules
fi
systemctl is-active --quiet auditd.service
if [ $? -ne 0 ] ; then
systemctl restart auditd.service
fi
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85706-0
- DISA-STIG-SLES-15-030820
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- audit_rules_enable_syscall_auditing
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Service facts
service_facts: null
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-85706-0
- DISA-STIG-SLES-15-030820
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- audit_rules_enable_syscall_auditing
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if auditctl rules script being used
ansible.builtin.find:
paths: /usr/lib/systemd/system/
patterns: auditd.service
contains: ^\s*(ExecStartPost|Requires)\s*=[\s\-]*[\w\/]*auditctl
register: auditd_svc_auditctl_used
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-85706-0
- DISA-STIG-SLES-15-030820
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- audit_rules_enable_syscall_auditing
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check augenrules rules script being used
ansible.builtin.find:
paths: /usr/lib/systemd/system/
patterns: auditd.service
contains: ^\s*(ExecStartPost|Requires)\s*=[\s\-]*[\w\/]*augenrules
register: auditd_svc_augen_used
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-85706-0
- DISA-STIG-SLES-15-030820
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- audit_rules_enable_syscall_auditing
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Find audit rules in /etc/audit/rules.d
find:
paths: /etc/audit/rules.d
file_type: file
follow: true
register: find_audit_rules_result
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- '"auditd.service" in ansible_facts.services'
- auditd_svc_augen_used is defined and auditd_svc_augen_used.matched >= 1
tags:
- CCE-85706-0
- DISA-STIG-SLES-15-030820
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- audit_rules_enable_syscall_auditing
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Enable syscall auditing (augenrules)
lineinfile:
path: '{{ item.path }}'
regex: ^(?i)(\s*-a\s+task,never)\s*$
line: '#-a task,never'
with_items: '{{ find_audit_rules_result.files }}'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- '"auditd.service" in ansible_facts.services'
- auditd_svc_augen_used is defined and auditd_svc_augen_used.matched >= 1
register: augenrules_syscall_auditing_rule_update_result
tags:
- CCE-85706-0
- DISA-STIG-SLES-15-030820
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- audit_rules_enable_syscall_auditing
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Enable syscall auditing (auditctl)
lineinfile:
path: /etc/audit/audit.rules
regex: ^(?i)(\s*-a\s+task,never)\s*$
line: '#-a task,never'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- '"auditd.service" in ansible_facts.services'
- auditd_svc_auditctl_used is defined and auditd_svc_auditctl_used.matched >= 1
register: auditctl_syscall_auditing_rule_update_result
tags:
- CCE-85706-0
- DISA-STIG-SLES-15-030820
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- audit_rules_enable_syscall_auditing
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Restart auditd.service
systemd:
name: auditd.service
state: restarted
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_facts.services["auditd.service"].state == "running"
- (augenrules_syscall_auditing_rule_update_result.changed or auditctl_syscall_auditing_rule_update_result.changed)
tags:
- CCE-85706-0
- DISA-STIG-SLES-15-030820
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- audit_rules_enable_syscall_auditing
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy