Add new template audit_rules_watch

This template will allow to easily create rules that check audit
file system rules, also called watches.

docs/templates/template_reference.md

@@ -172,6 +172,17 @@
 
 -   Languages: Ansible, Bash, OVAL
 
+#### audit_rules_watch
+-   Check if there are file system watches configured in audit rules for the given path.
+
+-   Parameters:
+
+    -   **path** - path that should be part of the audit watch rule as a value
+        of `-w` argument, eg. `/etc/group`.
+
+-   Languages: Ansible, Bash, OVAL
+
+
 #### argument_value_in_line
 -   Checks that `argument=value` pair is present in (optionally) the
     line started with line_prefix (and, optionally, ending with

shared/templates/audit_rules_watch/ansible.template

@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_audit_augenrules_add_watch_rule(path=PATH, permissions="wa", key=rule_id) }}}
+{{{ ansible_audit_auditctl_add_watch_rule(path=PATH, permissions="wa", key=rule_id) }}}

shared/templates/audit_rules_watch/bash.template

@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+{{{ bash_fix_audit_watch_rule("auditctl", PATH, "wa", rule_id) }}}
+{{{ bash_fix_audit_watch_rule("augenrules", PATH, "wa", rule_id) }}}

shared/templates/audit_rules_watch/oval.template

@@ -0,0 +1,34 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Check if actions on '" ~ PATH ~ "' are configured to be audited") }}}
+
+    <criteria operator="OR">
+      <!-- Test the augenrules case -->
+      <criterion comment="audit {{{ PATH }}} augenrules" test_ref="test_{{{ rule_id }}}_augenrules" />
+      <!-- Test the auditctl case -->
+      <criterion comment="audit {{{ PATH }}} auditctl" test_ref="test_{{{ rule_id }}}_auditctl" />
+    </criteria>
+
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="audit {{{ PATH }}} augenrules" id="test_{{{ rule_id }}}_augenrules" version="1">
+    <ind:object object_ref="object_{{{ rule_id  }}}_augenrules" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_{{{ rule_id  }}}_augenrules" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+{{{ PATH }}}[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit {{{ PATH }}} auditctl" id="test_{{{ rule_id }}}_auditctl" version="1">
+    <ind:object object_ref="object_{{{ rule_id }}}_auditctl" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_auditctl" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+{{{ PATH }}}[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>

shared/templates/audit_rules_watch/template.py

@@ -0,0 +1,2 @@
+def preprocess(data, lang):
+    return data

shared/templates/audit_rules_watch/template.yml

@@ -0,0 +1,4 @@
+supported_languages:
+  - ansible
+  - bash
+  - oval

shared/templates/audit_rules_watch/tests/auditctl_correct_rules.pass.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = audit
+
+# use auditctl
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+
+rm -rf /etc/audit/rules.d/*
+rm /etc/audit/audit.rules
+
+echo "-w {{{ PATH }}} -p wa -k {{{ rule_id }}}" >> /etc/audit/audit.rules

shared/templates/audit_rules_watch/tests/auditctl_correct_rules_watch_rules_without_key.pass.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = audit
+
+
+# use auditctl
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+rm -rf /etc/audit/rules.d/*
+rm /etc/audit/audit.rules
+
+echo "-w {{{ PATH }}} -p wa" >> /etc/audit/audit.rules

shared/templates/audit_rules_watch/tests/augen_correct_rules.pass.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+# packages = audit
+
+echo "-w {{{ PATH }}} -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/rules.d/networkconfig.rules

shared/templates/audit_rules_watch/tests/augen_correct_rules_watch_rules_without_key.pass.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+
+echo "-w {{{ PATH }}} -p wa" >> /etc/audit/rules.d/networkconfig.rules

shared/templates/audit_rules_watch/tests/rules_not_there.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = audit
+
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true