Add rule audit_rules_networkconfig_modification_network_scripts

This commit adds a new rule that checks if an audit watch is configured on /etc/sysconfig/network-scripts. Then, this rule is added to RHEL CIS profiles. The CIS Benchmarks require changes on /etc/sysconfig/network-scripts to be audited. We could add this audit rule to existing rule audit_rules_networkconfig_modification. However, we decided to create a new rule. The rule audit_rules_networkconfig_modification is already overloaded by having many items in a single rule. The rule is also used in many different profiles in many products so the rule scope change could cause unpredicted effects in some of these profiles. Also, we expect /etc/sysconfig/network-scripts to be deprecated in future RHEL so creating a separate rule will help us to easily exclude this audit rule from other products. Resolves: RHEL-29308
jan-cerny · Mar 18, 2024 · bdb5ce7 · bdb5ce7
1 parent d57f5e1
commit bdb5ce7
Show file tree

Hide file tree

Showing 12 changed files with 50 additions and 5 deletions.
diff --git a/components/audit.yml b/components/audit.yml
@@ -127,6 +127,7 @@ rules:
 - audit_rules_mac_modification_usr_share
 - audit_rules_media_export
 - audit_rules_networkconfig_modification
+- audit_rules_networkconfig_modification_network_scripts
 - audit_rules_privileged_commands
 - audit_rules_privileged_commands_apparmor_parser
 - audit_rules_privileged_commands_at

diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml
@@ -2554,8 +2554,8 @@ controls:
     - l2_workstation
     status: partial
     rules:
-    # TODO: we need to create a rule that adds audit rule for /etc/sysconfig/network-scripts/ directory as well
     - audit_rules_networkconfig_modification
+    - audit_rules_networkconfig_modification_network_scripts
 
   - id: 5.2.3.6
     title: Ensure use of privileged commands are collected (Automated)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
@@ -2454,8 +2454,8 @@ controls:
       - l2_workstation
     status: partial
     rules:
-    # TODO: we need to create a rule that adds audit rule for /etc/sysconfig/network-scripts/ directory as well
     - audit_rules_networkconfig_modification
+    - audit_rules_networkconfig_modification_network_scripts
 
   - id: 5.2.3.6
     title: Ensure use of privileged commands are collected (Automated)

diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
@@ -1294,6 +1294,7 @@ controls:
     status: automated
     rules:
       - audit_rules_networkconfig_modification
+      - audit_rules_networkconfig_modification_network_scripts
 
   - id: 4.1.3.6
     title: Ensure use of privileged commands is collected (Automated)

diff --git a/...ng/auditd_configure_rules/audit_rules_networkconfig_modification_network_scripts/rule.yml b/...ng/auditd_configure_rules/audit_rules_networkconfig_modification_network_scripts/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+title: 'Record Events that Modify the System''s Network Environment'
+
+description: |-
+    If the <tt>auditd</tt> daemon is configured to use the
+    <tt>augenrules</tt> program to read audit rules during daemon startup (the
+    default), add the following line to a file with suffix <tt>.rules</tt> in the
+    directory <tt>/etc/audit/rules.d</tt>:
+    <pre>-w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts</pre>
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following line to
+    <tt>/etc/audit/audit.rules</tt> file:
+    <pre>-w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts</pre>
+
+rationale: |-
+    The network environment should not be modified by anything other
+    than administrator action. Any change to network parameters should be
+    audited.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-86938-8
+    cce@rhel8: CCE-86939-6
+    cce@rhel9: CCE-86940-4
+
+ocil_clause: 'the system is not configured to audit changes of the network configuration'
+
+ocil: |-
+    To determine if the system is configured to audit changes to its network configuration,
+    run the following command:
+    <pre>auditctl -l | grep -E '/etc/sysconfig/network-scripts'</pre>
+    If the system is configured to watch for network configuration changes, a line should
+    be returned and <tt>perm=wa</tt> should be indicated.
+
+template:
+    name: audit_rules_watch
+    vars:
+        path: /etc/sysconfig/network-scripts
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -382,9 +382,6 @@ CCE-86934-7
 CCE-86935-4
 CCE-86936-2
 CCE-86937-0
-CCE-86938-8
-CCE-86939-6
-CCE-86940-4
 CCE-86941-2
 CCE-86942-0
 CCE-86952-9

diff --git a/tests/data/profile_stability/rhel7/cis.profile b/tests/data/profile_stability/rhel7/cis.profile
@@ -239,6 +239,7 @@ selections:
 - ensure_gpgcheck_globally_activated
 - accounts_password_set_warn_age_existing
 - audit_rules_networkconfig_modification
+- audit_rules_networkconfig_modification_network_scripts
 - gid_passwd_group_same
 - file_groupownership_sshd_pub_key
 - audit_rules_unsuccessful_file_modification_open

diff --git a/tests/data/profile_stability/rhel7/cis_workstation_l2.profile b/tests/data/profile_stability/rhel7/cis_workstation_l2.profile
@@ -235,6 +235,7 @@ selections:
 - ensure_gpgcheck_globally_activated
 - accounts_password_set_warn_age_existing
 - audit_rules_networkconfig_modification
+- audit_rules_networkconfig_modification_network_scripts
 - gid_passwd_group_same
 - file_groupownership_sshd_pub_key
 - audit_rules_unsuccessful_file_modification_open

diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
@@ -387,6 +387,7 @@ selections:
 - file_groupowner_backup_etc_passwd
 - sysctl_net_ipv6_conf_default_accept_source_route
 - audit_rules_networkconfig_modification
+- audit_rules_networkconfig_modification_network_scripts
 - package_audit_installed
 - accounts_password_pam_difok
 - account_disable_post_pw_expiration

diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
@@ -381,6 +381,7 @@ selections:
 - file_groupowner_backup_etc_passwd
 - sysctl_net_ipv6_conf_default_accept_source_route
 - audit_rules_networkconfig_modification
+- audit_rules_networkconfig_modification_network_scripts
 - package_audit_installed
 - accounts_password_pam_difok
 - account_disable_post_pw_expiration

diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
@@ -23,6 +23,7 @@ selections:
 - package_setroubleshoot_removed
 - audit_rules_dac_modification_lsetxattr
 - audit_rules_networkconfig_modification
+- audit_rules_networkconfig_modification_network_scripts
 - sysctl_net_ipv4_conf_default_log_martians
 - audit_rules_unsuccessful_file_modification_truncate
 - auditd_data_retention_space_left_action

diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -22,6 +22,7 @@ selections:
 - file_owner_backup_etc_shadow
 - audit_rules_dac_modification_lsetxattr
 - audit_rules_networkconfig_modification
+- audit_rules_networkconfig_modification_network_scripts
 - sysctl_net_ipv4_conf_default_log_martians
 - audit_rules_unsuccessful_file_modification_truncate
 - auditd_data_retention_space_left_action