OPENSCAP-4926 - Use template in audit_rules_mac_modification_usr_share #13273
This commit changes rule audit_rules_mac_modification_usr_share. It will use the audit_rules_watch template instead of static checks and remediations. The advantage is reducing code duplication. As a result, the rule will support modern style audit watches on RHEL 10.
Force-pushed the branch from bdf0335 to 3327d85.
This datastream diff is auto generated by the check. New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share'.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
@@ -3,14 +3,17 @@
Record Events that Modify the System's Mandatory Access Controls in usr/share
[description]:
-If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix .rules in the
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
+
-w /usr/share/selinux/ -p wa -k MAC-policy
+
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules:
+
-w /usr/share/selinux/ -p wa -k MAC-policy
[reference]:
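Review bot: The reworded description now says "add the following lines" in both the augenrules and the auditctl paragraph, yet each paragraph is followed by a single watch line (`-w /usr/share/selinux/ -p wa -k MAC-policy`). If the template emits one line per watched path and this rule has one path, keep the singular "line" (or make the wording depend on the number of paths) so the rendered text matches what is shown below it.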
OVAL for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share' differs.
--- oval:ssg-audit_rules_mac_modification_usr_share:def:1
+++ oval:ssg-audit_rules_mac_modification_usr_share:def:1
@@ -1,7 +1,7 @@
criteria OR
criteria AND
extend_definition oval:ssg-audit_rules_augenrules:def:1
-criterion oval:ssg-test_armm_selinux_watch_augenrules_usr_share:tst:1
+criterion oval:ssg-test_audit_rules_mac_modification_usr_share_augenrules:tst:1
criteria AND
extend_definition oval:ssg-audit_rules_auditctl:def:1
-criterion oval:ssg-test_armm_selinux_watch_auditctl_usr_share:tst:1
+criterion oval:ssg-test_audit_rules_mac_modification_usr_share_auditctl:tst:1
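Review bot: The criterion ids move from the hand-written oval:ssg-test_armm_selinux_watch_{augenrules,auditctl}_usr_share:tst:1 to the template-generated oval:ssg-test_audit_rules_mac_modification_usr_share_{augenrules,auditctl}:tst:1, so the test id is now derived from the rule id rather than from the watched path. That is what keeps this rule from colliding with another audit_rules_watch user whose path also ends in "selinux"; a short comment in the template's OVAL next to the id construction would keep the next contributor from switching it back to the path basename. Worth confirming that no other templated rule still builds its id from the basename and ends up with the same name.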
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
@@ -2,6 +2,12 @@
if rpm --quiet -q audit && rpm --quiet -q kernel; then
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+
+
+
+
+
+
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
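Review bot: The only change in this hunk is six consecutive empty lines inserted after the "Perform the remediation for both possible tools" comment, which looks like whitespace leaking from the template's conditional blocks rather than intended output. Trimming it with the template engine's whitespace control keeps the generated bash remediation readable and keeps future datastream diffs free of this noise.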
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
@@ -12,7 +12,7 @@
- low_complexity
- low_disruption
- medium_severity
- - reboot_required
+ - no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
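Review bot: Every task in this Ansible remediation flips its tag from reboot_required to no_reboot_needed (the same one-line change repeats in the seven hunks that follow), which is a behavioural change for anyone selecting tasks by tag and is not mentioned in the PR description. The new tag is right when the watch can be loaded into the running auditd (augenrules --load or auditctl -R); when the rule set is locked immutable with -e 2 the new watch only takes effect after a reboot, so please state in the description that the templated rule intentionally reports no_reboot_needed for the loadable case.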
@@ -36,7 +36,7 @@
- low_complexity
- low_disruption
- medium_severity
- - reboot_required
+ - no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
@@ -62,7 +62,7 @@
- low_complexity
- low_disruption
- medium_severity
- - reboot_required
+ - no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
@@ -86,7 +86,7 @@
- low_complexity
- low_disruption
- medium_severity
- - reboot_required
+ - no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
@@ -110,7 +110,7 @@
- low_complexity
- low_disruption
- medium_severity
- - reboot_required
+ - no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
@@ -136,7 +136,7 @@
- low_complexity
- low_disruption
- medium_severity
- - reboot_required
+ - no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
@@ -160,7 +160,7 @@
- low_complexity
- low_disruption
- medium_severity
- - reboot_required
+ - no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
@@ -187,5 +187,5 @@
- low_complexity
- low_disruption
- medium_severity
- - reboot_required
+ - no_reboot_needed
- restrict_strategy |
Code Climate has analyzed commit 3327d85 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.9% (0.0% change).
Looks good, thank you. I tested locally with automatus and tests pass.
Merged commit 78b94b8 into ComplianceAsCode:master.
This commit changes rule audit_rules_mac_modification_usr_share. It will use the audit_rules_watch template instead of static checks and remediations. The advantage is reducing code duplication. As a result, the rule will support modern style audit watches on RHEL 10.
The change in the templated OVAL prevents collisions with other rules that use the audit_rules_watch template and have "selinux" as a basename part of the path parameter.
Fixes OPENSCAP-4926
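The check the templated rule performs, as an added plain-shell illustration that is not the project's own OVAL or remediation code. It assumes the two auditctl(8) spellings of the same watch, the classic `-w /usr/share/selinux/ -p wa -k MAC-policy` and the `-a always,exit -F path=... -F perm=wa` form taken here to be the "modern style" the description refers to; the function name and the sample rules files are constructed for the example.

```shell
#!/bin/sh
# Added example (not ComplianceAsCode code): check one audit rules file for the
# /usr/share/selinux watch in either syntax auditctl(8) accepts. Assumptions:
#   classic form  -w /usr/share/selinux/ -p wa -k MAC-policy
#   modern form   -a always,exit -F path=/usr/share/selinux/ -F perm=wa -F key=MAC-policy
# A match needs the path, both the w and a permissions, and the MAC-policy key.

# audit_watch_present FILE -> exit 0 if FILE contains the watch, 1 otherwise.
audit_watch_present() {
    awk '
        /^[[:space:]]*#/ { next }                      # comment lines
        $1 == "-w" && $2 ~ /^\/usr\/share\/selinux\/?$/ {
            perm = ""; key = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") perm = $(i + 1)
                if ($i == "-k") key  = $(i + 1)
            }
            if (perm ~ /w/ && perm ~ /a/ && key == "MAC-policy") found = 1
        }
        $1 == "-a" && $2 == "always,exit" {
            path = ""; perm = ""; key = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-F") {                      # path=, perm=, key=
                    split($(i + 1), kv, "=")
                    if (kv[1] == "path") path = kv[2]
                    if (kv[1] == "perm") perm = kv[2]
                    if (kv[1] == "key")  key  = kv[2]
                }
                if ($i == "-k") key = $(i + 1)         # -k is accepted here as well
            }
            if (path ~ /^\/usr\/share\/selinux\/?$/ && perm ~ /w/ && perm ~ /a/ &&
                key == "MAC-policy") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1" 2>/dev/null
}

# Constructed sample files mirroring the two layouts the rule description covers.
demo_dir=$(mktemp -d)
printf '%s\n' '## SELinux policy store' '-w /usr/share/selinux/ -p wa -k MAC-policy' \
    > "$demo_dir/10-MAC-policy.rules"                   # augenrules: /etc/audit/rules.d/
printf '%s\n' '-a always,exit -F path=/usr/share/selinux/ -F perm=wa -F key=MAC-policy' \
    > "$demo_dir/audit.rules"                           # auditctl: /etc/audit/audit.rules
printf '%s\n' '-w /usr/share/selinux/ -p r -k MAC-policy' \
    > "$demo_dir/wrong-perms.rules"                     # read-only watch does not satisfy the rule
for f in "$demo_dir"/*; do
    if audit_watch_present "$f"; then echo "present: $f"; else echo "missing: $f"; fi
done
```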