Add audit monitoring for SELinux policy changes in /var/lib/selinux#14367
jan-cerny merged 6 commits into ComplianceAsCode:master from
Conversation
Skipping CI for Draft Pull Request.

/packit retest-failed

/packit build
force-pushed: 88f190a to 313aae3
/packit retest-failed
| cis@sle12: 4.1.6 | ||
| cis@sle15: 4.1.6 | ||
| cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 | ||
| cui: 3.1.8 | ||
| hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) | ||
| isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 | ||
| isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' | ||
| iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2 | ||
| nist: AU-2(d),AU-12(c),CM-6(a) | ||
| nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4 | ||
| pcidss: Req-10.5.5 |
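Review bot: the cis@sle12 and cis@sle15 4.1.6 references assert that the SUSE CIS benchmarks require a watch on /var/lib/selinux; unless those benchmark items have been checked to cover this directory, drop them along with the other copied reference lists (cobit5, hipaa, isa-62443, iso27001, nist, nist-csf, pcidss), because each entry here becomes a claim that the corresponding profile satisfies that control through this rule.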
Are you sure about all these references? Have you verified they're correct? If not, you can remove them. They can be added later when a need arises.
controls/hipaa.yml (outdated)
| - audit_rules_immutable | ||
| - audit_rules_mac_modification | ||
| - audit_rules_mac_modification_usr_share | ||
| - audit_rules_mac_modification_var_lib_selinux |
Why do you add the new rule to HIPAA? Isn't it out of scope for now?
Adding the rule to HIPAA means that you add the rule to SUSE product profiles. It also caused the need for adding CCEs for SUSE products. Both actions need to be consulted with SUSE maintainers.
Please consider reducing the scope of the PR, I think you can add the rule only to RHEL CIS profiles.
Fixed in d51d00e. I've limited the new rule to the Fedora product only for now.
| # packages = audit | ||
|
|
||
| if [[ "$style" == "modern" ]] ; then | ||
| sed -i "/$filter_type=$(echo "$path" | sed 's/\//\\\//g')/d" /etc/audit/audit.rules |
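Review bot: the nested `sed` that escapes the slashes in `$path` is only needed because `/` is used as the address delimiter; picking a delimiter that cannot occur in a path removes it entirely, e.g. `sed -i "\|$filter_type=$path|d" /etc/audit/audit.rules` (the `\|...|` form is a valid custom-delimiter address). Note that `$filter_type` and `$path` are still interpolated unquoted into a regular expression, so a path containing `.` or other metacharacters matches more loosely than intended; if that matters for other template instances, escape the value once into a variable and reuse it.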
This "sed inside sed" might be confusing for some people, I believe it would be more readable if the "escaped path" is extracted to a separate variable.
| title: 'Record Events that Modify the System''s Mandatory Access Controls in /var/lib/selinux' | ||
|
|
||
| description: |- | ||
| {{{ describe_audit_rules_watch("/var/lib/selinux/", "MAC-policy") }}} |
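Review bot: the title names /var/lib/selinux while the describe_audit_rules_watch call passes /var/lib/selinux/ with a trailing slash; keep the two consistent so the generated description, the check and the remediation all refer to the same path. Since the description is produced entirely by the macro, the caveat about log volume that the review asks for (the policy store under this directory is rewritten whenever policy modules are installed or rebuilt) has to be added as text after the macro call rather than expected from the macro.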
I think the description should mention the large log volume that it might create.
force-pushed: 313aae3 to 65b278f
@Arden97: The following test failed, say
jan-cerny left a comment:

The test scenarios pass for me. I think that it's fine to include this in our Fedora CIS profile because it can be used as a test profile for assessing the option of adding this rule to future RHEL benchmarks.
Description:

- audit_rules_mac_modification_var_lib_selinux to monitor the /var/lib/selinux/ directory
- setup_augenrules_environment() macro to configure test environments for augenrules
- audit_rules_watch template tests to use the new environment setup macro

Rationale:

- /var/lib/selinux

Review Hints:

- automatus to verify that the new rule functions correctly on the mentioned systems
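The check the new rule performs, shown as an added example that is not code from this PR or from ComplianceAsCode: a POSIX shell function that scans audit rules files for a watch on /var/lib/selinux/ keyed MAC-policy, accepting both the legacy `-w ... -p wa -k KEY` form and the modern `-a always,exit ... -F dir=... -F perm=wa -F key=KEY` form, together with a "before" rules set that lacks the watch and the one-line remediation that adds it. The helper names (`has_selinux_watch`, `make_sample_rules`, `add_selinux_watch`) and the sample rules files are constructed for this example; it assumes rule tokens are separated by single spaces, as in augenrules-merged files, and it reads only files passed to it, so it needs no auditd.

```shell
#!/bin/sh
# Added example, not code from the PR: detect and remediate a missing audit
# watch on /var/lib/selinux/ in a set of audit rules files.

WATCH_DIR="/var/lib/selinux/"
WATCH_KEY="MAC-policy"

# Returns 0 when any of the given rules files carries a watch on WATCH_DIR
# with write and attribute-change permissions and the WATCH_KEY key.
# Handles both the legacy "-w" form and the modern "-a always,exit -F dir="
# form; comment lines are ignored. Assumes single spaces between tokens.
has_selinux_watch() {
  cat "$@" 2>/dev/null | grep -v '^[[:space:]]*#' | while read -r line; do
    perms=""
    case "$line" in
      # legacy watch:  -w /var/lib/selinux/ -p wa -k MAC-policy
      "-w ${WATCH_DIR} -p "*)
        perms=$(printf '%s\n' "$line" | sed -n "s|^-w ${WATCH_DIR} -p \([rwxa]*\) .*|\1|p")
        ;;
      # modern syscall rule with a directory filter:
      # -a always,exit -F arch=b64 -F dir=/var/lib/selinux/ -F perm=wa -F key=MAC-policy
      "-a always,exit "*"-F dir=${WATCH_DIR}"*)
        perms=$(printf '%s\n' "$line" | sed -n 's|.*-F perm=\([rwxa]*\).*|\1|p')
        ;;
    esac
    [ -n "$perms" ] || continue
    # the key may be written as "-k KEY" or "-F key=KEY"
    case "$line" in
      *"-k ${WATCH_KEY}"*|*"-F key=${WATCH_KEY}"*) ;;
      *) continue ;;
    esac
    # both "w" (write) and "a" (attribute change) must be watched, in any order
    case "$perms" in *w*) ;; *) continue ;; esac
    case "$perms" in *a*) ;; *) continue ;; esac
    echo found
  done | grep -q found
}

# Constructed sample rules directory (the "before" state): the usual
# MAC-policy watches on /etc/selinux and /usr/share/selinux are present,
# but nothing watches the policy store under /var/lib/selinux.
make_sample_rules() {
  dir=$(mktemp -d)
  cat > "$dir/10-base.rules" <<'EOF'
## First rule - delete all
-D
-b 8192
EOF
  cat > "$dir/30-mac-policy.rules" <<'EOF'
# watches on the loaded MAC policy
-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy
EOF
  echo "$dir"
}

# Remediation: append the missing watch to the MAC-policy rules file.
add_selinux_watch() {
  printf -- '-w %s -p wa -k %s\n' "$WATCH_DIR" "$WATCH_KEY" >> "$1/30-mac-policy.rules"
}

# Stand-alone demonstration: check, remediate, check again.
rules_dir=$(make_sample_rules)
if has_selinux_watch "$rules_dir"/*.rules; then
  echo "watch on $WATCH_DIR present"
else
  echo "watch on $WATCH_DIR missing; adding it"
  add_selinux_watch "$rules_dir"
  has_selinux_watch "$rules_dir"/*.rules && echo "watch on $WATCH_DIR present after remediation"
fi
rm -rf "$rules_dir"
```

Running the file prints the "missing" line followed by the "present after remediation" line. The function only inspects rules files; on a live system the loaded rule set should also be compared with `auditctl -l`, since `augenrules --load` must have run for a file change to take effect.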