Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-1896

anssi_bp28_high profile's audit rules are invalid on aarch64 architecture

    • None
    • Moderate
    • rhel-sst-security-compliance
    • ssg_security
    • None
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • None
    • None
    • Known Issue
    • None

      +++ This bug was initially created as a clone of Bug #2232607 +++

      Description of problem:
      anssi_bp28_high profile's audit rules are invalid on aarch64 architecture.

      Version-Release number of selected component (if applicable):
      scap-security-guide-0.1.69-1.el8

      How reproducible:
      deterministic

      Steps to Reproduce:
      1. Remediate installed system using ANSSI High profile:
      oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_bp28_high --progress --remediate /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
      2. Examine auditd service status

      Actual results:

      1. systemctl status -l auditd
        ● auditd.service - Security Auditing Service
        Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
        Active: active (running) since Thu 2023-08-17 09:43:05 EDT; 8min ago
        Docs: man:auditd(8)
        https://github.com/linux-audit/audit-documentation
        Process: 769 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
        Process: 759 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
        Main PID: 766 (auditd)
        Tasks: 2 (limit: 8799)
        Memory: 7.6M
        CGroup: /system.slice/auditd.service
        └─766 /sbin/auditd

      Aug 17 09:43:04 hpe-apollo-cn99xx-14-vm-30.khw4.lab.eng.bos.redhat.com systemd[1]: Starting Security Auditing Service...
      Aug 17 09:43:04 hpe-apollo-cn99xx-14-vm-30.khw4.lab.eng.bos.redhat.com auditd[766]: No plugins found, not dispatching events
      Aug 17 09:43:04 hpe-apollo-cn99xx-14-vm-30.khw4.lab.eng.bos.redhat.com auditd[766]: Init complete, auditd 3.0.7 listening for events (startup state enable)
      Aug 17 09:43:05 hpe-apollo-cn99xx-14-vm-30.khw4.lab.eng.bos.redhat.com augenrules[801]: Syscall name unknown: creat
      Aug 17 09:43:05 hpe-apollo-cn99xx-14-vm-30.khw4.lab.eng.bos.redhat.com augenrules[801]: There was an error in line 7 of /etc/audit/audit.rules
      ====

      1. augenrules --load
        Syscall name unknown: creat
        There was an error in line 7 of /etc/audit/audit.rules
        ====
      1. head -n7 /etc/audit/audit.rules
        1. This file is automatically generated from /etc/audit/rules.d
          -D

      -w /etc/selinux/ -p wa -k MAC-policy
      -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
      -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
      ====

      Even after removing the offending line there are still other errors so audit rules on aarch64 architecture need to be revisited and fixed.

      Expected results:
      `augenrules --load` successfully loads all configured audit rules.

      Additional info:

      — Additional comment from Matus Marhefka on 2023-08-17 14:05:46 UTC —

      This issue was hidden as we are also missing service_auditd_enabled rule in the profile, the rule needs to be added into all ANSSI profiles which configure audit.

      — Additional comment from Vojtech Polasek on 2023-08-21 08:16:46 UTC —

      Analysis:

      • add service_auditd_enabled into the ANSSI profiles which use Audit rules
      • analyze rules used in ANSSI profiles and find out problematic rules which prevent Audit from starting on aarch64 platform. Then, create new / modify existing rules to make them working on aarch64.

              Unassigned Unassigned
              vpolasek@redhat.com Vojtech Polasek
              SSG Security QE SSG Security QE
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated: