audit: Filter-out unavailable AArch64 syscalls

[ta/infra-ansible.git] / roles / audit / templates / 30-stig.rules.j2

diff --git a/roles/audit/templates/30-stig.rules.j2 b/roles/audit/templates/30-stig.rules.j2
index 14cc06a..add45f9 100644 (file)
--- a/roles/audit/templates/30-stig.rules.j2
+++ b/roles/audit/templates/30-stig.rules.j2
@@ -12,14 +12,36 @@
 ## the syscall file rules with a directory, like -F dir=/etc
 ## 5) You can search for the results on the key fields in the rules
 ##
+
+## Filter syscalls not available on certain platforms
 ##
+{%- set S_chmod = '-S chmod' %}
+{%- set S_chown = '-S chown' %}
+{%- set S_lchown = '-S lchown' %}
+{%- set S_creat = '-S creat' %}
+{%- set S_open = '-S open' %}
+{%- set S_rmdir = '-S rmdir' %}
+{%- set S_unlink = '-S unlink' %}
+{%- set S_rename = '-S rename' %}
+
+{% if ansible_architecture in ['aarch64'] %}
+    {%- set S_chmod = '' %}
+    {%- set S_chown = '' %}
+    {%- set S_lchown = '' %}
+    {%- set S_creat = '' %}
+    {%- set S_open = '' %}
+    {%- set S_rmdir = '' %}
+    {%- set S_unlink = '' %}
+    {%- set S_rename = '' %}
+{% endif %}
+
 ## (GEN002880: CAT II) The IAO will ensure the auditing software can
-## record the following for each audit event: 
-##- Date and time of the event 
-##- Userid that initiated the event 
-##- Type of event 
-##- Success or failure of the event 
-##- For I&A events, the origin of the request (e.g., terminal ID) 
+## record the following for each audit event:
+##- Date and time of the event
+##- Userid that initiated the event
+##- Type of event
+##- Success or failure of the event
+##- For I&A events, the origin of the request (e.g., terminal ID)
 ##- For events that introduce an object into a user's address space, and
 ## for object deletion events, the name of the object, and in MLS
 ## systems, the object's security level.
@@ -67,7 +89,7 @@
 
 ## (GEN002920: CAT III) The IAO will ensure audit files are backed up
 ## no less than weekly onto a different system than the system being
-## audited or backup media. 
+## audited or backup media.
 ##
 ## Can be done with cron script
 
@@ -100,20 +122,20 @@
 
 ##- Discretionary access control permission modification (unsuccessful
 ## and successful use of chown/chmod)
--a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -S chown -S fchown -S fchownat -S lchown -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod
--a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -S chown -S fchown -S fchownat -S lchown -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod
+-a always,exit -F arch=b64 {{ S_chmod }} -S fchmod -S fchmodat {{ S_chown }} -S fchown -S fchownat {{ S_lchown }} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod
+-a always,exit -F arch=b32 {{ S_chmod }} -S fchmod -S fchmodat {{ S_chown }} -S fchown -S fchownat {{ S_lchown }} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod
 
-##- Unauthorized access attempts to files (unsuccessful) 
--a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F key=access 
--a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F key=access
--a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F key=access
--a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F key=access
+##- Unauthorized access attempts to files (unsuccessful)
+-a always,exit -F arch=b64 {{ S_creat }} {{ S_open }} -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F key=access
+-a always,exit -F arch=b32 {{ S_creat }} {{ S_open }} -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F key=access
+-a always,exit -F arch=b64 {{ S_creat }} {{ S_open }} -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F key=access
+-a always,exit -F arch=b32 {{ S_creat }} {{ S_open }} -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F key=access
 
 ##- Use of privileged commands (unsuccessful and successful)
 ## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this
 #-a always,exit -F path=/bin/ping -F perm=x -F key=privileged
 
-##- Use of print command (unsuccessful and successful) 
+##- Use of print command (unsuccessful and successful)
 
 ##- Export to media (successful)
 ## You have to mount media before using it. You must disable all automounting
@@ -125,12 +147,12 @@
 ##- System startup and shutdown (unsuccessful and successful)
 
 ##- Files and programs deleted by the user (successful and unsuccessful)
--a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -k delete
--a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -k delete
+-a always,exit -F arch=b64 {{ S_rmdir }} {{ S_unlink }} -S unlinkat {{ S_rename }} -S renameat -k delete
+-a always,exit -F arch=b32 {{ S_rmdir }} {{ S_unlink }} -S unlinkat {{ S_rename }} -S renameat -k delete
 
-##- All system administration actions 
+##- All system administration actions
 ##- All security personnel actions
-## 
+##
 ## Look for pam_tty_audit and add it to your login entry point's pam configs.
 ## If that is not found, use sudo which should be patched to record its
 ## commands to the audit system. Do not allow unrestricted root shells or