Merge pull request #5985 from vojtapolasek/add_audit_mount_rules_stig

implement V-72095 for stig
ComplianceAsCode · Aug 13, 2020 · c2a49dd · c2a49dd
2 parents 461122a + 583adc4
commit c2a49dd
Show file tree

Hide file tree

Showing 9 changed files with 10 additions and 193 deletions.
diff --git a/..._configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml b/..._configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
@@ -37,10 +37,12 @@ identifiers:
     cce@rhcos4: CCE-82595-0
 
 references:
-    disa: CCI-000172
+    disa: CCI-000172,CCI-002884
     nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     ospp: FAU_GEN.1.1.c
     vmmsrg: SRG-OS-000471-VMM-001910
+    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172
+    stigid@rhel7: RHEL-07-030740
 
 ocil_clause: 'it is not the case'
 

diff --git a/.../guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml b/.../guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml
diff --git a/...x_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/bash/shared.sh b/...x_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/bash/shared.sh
diff --git a/..._os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/oval/shared.xml b/..._os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/oval/shared.xml
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
@@ -53,9 +53,13 @@ references:
     iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2
     cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9
 
-ocil_clause: 'there is not output'
+ocil_clause: 'there is no output'
 
 ocil: |-
     To verify that auditing is configured for all media exportation events, run the following command:
     <pre>$ sudo auditctl -l | grep syscall | grep mount</pre>
 
+template:
+    name: audit_rules_dac_modification
+    vars:
+        attr: mount
diff --git a/...stem/auditing/auditd_configure_rules/audit_rules_media_export/tests/correct_rules.pass.sh b/...stem/auditing/auditd_configure_rules/audit_rules_media_export/tests/correct_rules.pass.sh
@@ -1,6 +1,4 @@
 #!/bin/bash
 
-# profiles = xccdf_org.ssgproject.content_profile_pci-dss
-
 echo "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mount" >> /etc/audit/rules.d/mount.rules
 echo "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mount" >> /etc/audit/rules.d/mount.rules
diff --git a/...em/auditing/auditd_configure_rules/audit_rules_media_export/tests/rules_not_there.fail.sh b/...em/auditing/auditd_configure_rules/audit_rules_media_export/tests/rules_not_there.fail.sh
@@ -1,7 +1,5 @@
 #!/bin/bash
 
-# profiles = xccdf_org.ssgproject.content_profile_pci-dss
-
 rm -f /etc/audit/rules.d/*
 > /etc/audit/audit.rules
 true
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
@@ -297,3 +297,4 @@ selections:
     - mount_option_dev_shm_nodev
     - mount_option_dev_shm_noexec
     - mount_option_dev_shm_nosuid
+    - audit_rules_privileged_commands_mount
diff --git a/shared/templates/template_OVAL_audit_rules_dac_modification b/shared/templates/template_OVAL_audit_rules_dac_modification
@@ -1,5 +1,5 @@
 <def-group>
-  <definition class="compliance" id="audit_rules_dac_modification_{{{ ATTR }}}" version="1">
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
     <metadata>
       <title>Audit Discretionary Access Control Modification Events - {{{ ATTR }}}</title>
       {{{- oval_affected(products) }}}