Add audit monitoring for SELinux policy changes in /var/lib/selinux #14367
Conversation
|
Skipping CI for Draft Pull Request. |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
/packit retest-failed |
|
/packit build |
Arden97
force-pushed
the
auditd_var_lib_selinux
branch
from
88f190a to
313aae3
Compare
Arden97
added
New Rule
Arden97
requested review from
a team,
Mab879,
jan-cerny,
matusmarhefka and
vojtapolasek
as code owners
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
/packit retest-failed |
|
@Arden97: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| cis@sle12: 4.1.6 | ||
| cis@sle15: 4.1.6 | ||
| cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 | ||
| cui: 3.1.8 | ||
| hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) | ||
| isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 | ||
| isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' | ||
| iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2 | ||
| nist: AU-2(d),AU-12(c),CM-6(a) | ||
| nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4 | ||
| pcidss: Req-10.5.5 |
There was a problem hiding this comment.
Are you sure about all these references? Have you verified they're correct? If not, you can remove them. They can be added later when a need arise.
| - audit_rules_immutable | ||
| - audit_rules_mac_modification | ||
| - audit_rules_mac_modification_usr_share | ||
| - audit_rules_mac_modification_var_lib_selinux |
There was a problem hiding this comment.
Why do you add the new rule to HIPAA? Isn't it out of scope of for now?
Adding the rule to HIPAA means that you add the rule to SUSE product profiles. It also caused the need for adding CCEs for SUSE products. Both actions need to be consulted with SUSE maintainers.
Please consider reducing the scope of the PR, I think you can add the rule only to RHEL CIS profiles.
| # packages = audit | ||
|
|
||
| if [[ "$style" == "modern" ]] ; then | ||
| sed -i "/$filter_type=$(echo "$path" | sed 's/\//\\\//g')/d" /etc/audit/audit.rules |
There was a problem hiding this comment.
This "sed inside sed" might be confusing for some people, I believe it would be more readable if the "escaped path" is extracted to a separate variable.
| title: 'Record Events that Modify the System''s Mandatory Access Controls in /var/lib/selinux' | ||
|
|
||
| description: |- | ||
| {{{ describe_audit_rules_watch("/var/lib/selinux/", "MAC-policy") }}} |
There was a problem hiding this comment.
I think the description should mention the large log volume that it might create.
2 participants
Description:
audit_rules_mac_modification_var_lib_selinuxto monitor/var/lib/selinux/directorysetup_augenrules_environment()macro to configure test environments foraugenrulesaudit_rules_watchtemplate tests to use the new environment setup macroRationale:
/var/lib/selinuxReview Hints:
automatusto verify, that new rule functions correctly on mentioned systems