From 070e5c7e2d2ac18fc59f3fe83d364062f4883050 Mon Sep 17 00:00:00 2001 From: Alexandru Avadanii Date: Mon, 16 Dec 2019 07:20:11 +0100 Subject: [PATCH] audit: Filter-out unavailable AArch64 syscalls AArch64 does not support all syscalls referenced by our audit rules, so apply some filtering where appropriate. See [1] for more information. While at it, remove trailing white spaces where appropriate. NOTE: AArch32 (or any other 32-bit ARM platform) syscalls were not tested since we only target 64-bit ARM platforms. [1] https://github.com/linux-audit/audit-userspace/issues/91 Signed-off-by: Alexandru Avadanii Signed-off-by: Alexandru Antone Change-Id: I5c6b7e5ebe94c7bd1aadcb2106931f21d9acf847 --- infra-ansible.spec | 2 +- roles/audit/templates/30-stig.rules.j2 | 60 +++++++++++++++------- .../templates/36-resource-management.rules.j2 | 2 + roles/audit/templates/42-injection.rules.j2 | 2 + roles/audit/templates/43-module-load.rules.j2 | 11 +++- roles/audit/templates/50-file-changes.rules.j2 | 4 ++ .../audit/templates/53-kernel-parameters.rules.j2 | 2 + 7 files changed, 61 insertions(+), 22 deletions(-) diff --git a/infra-ansible.spec b/infra-ansible.spec index 26a0402..57905a0 100644 --- a/infra-ansible.spec +++ b/infra-ansible.spec @@ -15,7 +15,7 @@ Name: infra-ansible Version: %{_version} -Release: 5%{?dist} +Release: 6%{?dist} Summary: Contains ansible playbook and roles for Akraino rec blueprint License: %{_platform_licence} Source0: %{name}-%{version}.tar.gz diff --git a/roles/audit/templates/30-stig.rules.j2 b/roles/audit/templates/30-stig.rules.j2 index 14cc06a..add45f9 100644 --- a/roles/audit/templates/30-stig.rules.j2 +++ b/roles/audit/templates/30-stig.rules.j2
@@ -12,14 +12,36 @@ ## the syscall file rules with a directory, like -F dir=/etc ## 5) You can search for the results on the key fields in the rules ## + +## Filter syscalls not available on certain platforms ## +{%- set S_chmod = '-S chmod' %} +{%- set S_chown = '-S chown' %} +{%- set S_lchown = '-S lchown' %} +{%- set S_creat = '-S creat' %} +{%- set S_open = '-S open' %} +{%- set S_rmdir = '-S rmdir' %} +{%- set S_unlink = '-S unlink' %} +{%- set S_rename = '-S rename' %} + +{% if ansible_architecture in ['aarch64'] %} + {%- set S_chmod = '' %} + {%- set S_chown = '' %} + {%- set S_lchown = '' %} + {%- set S_creat = '' %} + {%- set S_open = '' %} + {%- set S_rmdir = '' %} + {%- set S_unlink = '' %} + {%- set S_rename = '' %} +{% endif %} + ## (GEN002880: CAT II) The IAO will ensure the auditing software can -## record the following for each audit event: -##- Date and time of the event -##- Userid that initiated the event -##- Type of event -##- Success or failure of the event -##- For I&A events, the origin of the request (e.g., terminal ID) +## record the following for each audit event: +##- Date and time of the event +##- Userid that initiated the event +##- Type of event +##- Success or failure of the event +##- For I&A events, the origin of the request (e.g., terminal ID) ##- For events that introduce an object into a user's address space, and ## for object deletion events, the name of the object, and in MLS ## systems, the object's security level. @@ -67,7 +89,7 @@ ## (GEN002920: CAT III) The IAO will ensure audit files are backed up ## no less than weekly onto a different system than the system being -## audited or backup media. +## audited or backup media. ## ## Can be done with cron script 
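Review bot: The `{%- set S_chmod = '' %}` overrides inside the `{% if ansible_architecture in ['aarch64'] %}` block only reach the rules further down because Jinja2 `if` is the one block tag that does not open a new scope; that is easy to lose if someone later wraps this in a `{% for %}` loop or a macro, after which the full syscall list renders again and the aarch64 rule load breaks in the way this commit is fixing. A comment such as `{# Jinja2 if-blocks do not scope: these overrides must stay at template top level, outside any for/macro #}` above the block would make the constraint explicit. The same construct appears in 43-module-load.rules.j2 and deserves the same note. It would also help to state that the non-empty defaults above encode the x86_64 syscall set, since nothing in the template says so.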
@@ -100,20 +122,20 @@ ##- Discretionary access control permission modification (unsuccessful ## and successful use of chown/chmod) --a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -S chown -S fchown -S fchownat -S lchown -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod --a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -S chown -S fchown -S fchownat -S lchown -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod +-a always,exit -F arch=b64 {{ S_chmod }} -S fchmod -S fchmodat {{ S_chown }} -S fchown -S fchownat {{ S_lchown }} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod +-a always,exit -F arch=b32 {{ S_chmod }} -S fchmod -S fchmodat {{ S_chown }} -S fchown -S fchownat {{ S_lchown }} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod -##- Unauthorized access attempts to files (unsuccessful) --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F key=access --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F key=access --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F key=access --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F key=access +##- Unauthorized access attempts to files (unsuccessful) +-a always,exit -F arch=b64 {{ S_creat }} {{ S_open }} -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F key=access +-a always,exit -F arch=b32 {{ S_creat }} {{ S_open }} -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F key=access +-a always,exit -F arch=b64 {{ S_creat }} {{ S_open }} -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F key=access +-a always,exit -F arch=b32 {{ S_creat }} {{ 
S_open }} -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F key=access ##- Use of privileged commands (unsuccessful and successful) ## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this #-a always,exit -F path=/bin/ping -F perm=x -F key=privileged -##- Use of print command (unsuccessful and successful) +##- Use of print command (unsuccessful and successful) ##- Export to media (successful) ## You have to mount media before using it. You must disable all automounting @@ -125,12 +147,12 @@ ##- System startup and shutdown (unsuccessful and successful) ##- Files and programs deleted by the user (successful and unsuccessful) --a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -k delete --a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -k delete +-a always,exit -F arch=b64 {{ S_rmdir }} {{ S_unlink }} -S unlinkat {{ S_rename }} -S renameat -k delete +-a always,exit -F arch=b32 {{ S_rmdir }} {{ S_unlink }} -S unlinkat {{ S_rename }} -S renameat -k delete -##- All system administration actions +##- All system administration actions ##- All security personnel actions -## +## ## Look for pam_tty_audit and add it to your login entry point's pam configs. ## If that is not found, use sudo which should be patched to record its ## commands to the audit system. Do not allow unrestricted root shells or diff --git a/roles/audit/templates/36-resource-management.rules.j2 b/roles/audit/templates/36-resource-management.rules.j2 index 787324c..a2def2d 100644 --- a/roles/audit/templates/36-resource-management.rules.j2 +++ b/roles/audit/templates/36-resource-management.rules.j2 
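Review bot: The blanked `S_*` variables are substituted into the `-F arch=b32` rules as well as the b64 ones, in the perm_mod and access rules of this hunk and in the delete rule of the next one, so on aarch64 hosts the 32-bit compat rules also lose `chmod`, `chown`, `lchown`, `creat`, `open`, `rmdir`, `unlink` and `rename`. As far as I recall the 32-bit ARM EABI table still provides those syscalls, in which case a compat binary on such a host would fall outside the open/unlink coverage the rule intends; `ausyscall arm open` against the target's audit package should settle it. If so, keep the original list on the b32 lines or derive the b32 substitutions from a separate set of variables. The commit message already flags AArch32 as untested, so at minimum a comment above the b32 rules, `## NOTE: the aarch64 filter above was verified for b64 only`, would record that the b32 lines are best-effort.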
@@ -1,6 +1,8 @@
 ## resource management
+{% if ansible_architecture not in ['aarch64'] %}
 -a always,exit -F arch=b32 -S modify_ldt -F key=32bit_modify_ldt
 -a always,exit -F arch=b64 -S modify_ldt -F key=64bit_modify_ldt
+{% endif %}
 -a always,exit -F arch=b32 -S move_pages -F key=32bit_move_pages
 -a always,exit -F arch=b64 -S move_pages -F key=64bit_move_pages
 -a always,exit -F arch=b32 -S set_mempolicy -F key=32bit_set_mempolicy
diff --git a/roles/audit/templates/42-injection.rules.j2 b/roles/audit/templates/42-injection.rules.j2
index ca2b423..5344d95 100644
--- a/roles/audit/templates/42-injection.rules.j2
+++ b/roles/audit/templates/42-injection.rules.j2
@@ -22,8 +22,10 @@
 -a always,exit -F arch=b64 -S prlimit64 -F key=64bit_prlimit64
 -a always,exit -F arch=b32 -S unshare -F key=32bit_unshare
 -a always,exit -F arch=b64 -S unshare -F key=64bit_unshare
+{% if ansible_architecture not in ['aarch64'] %}
 -a always,exit -F arch=b32 -S set_thread_area -F key=32bit_set_thread_area
 -a always,exit -F arch=b64 -S set_thread_area -F key=64bit_set_thread_area
+{% endif %}
 -a always,exit -F arch=b32 -S sched_setattr -F key=32bit_sched_setattr
 -a always,exit -F arch=b64 -S sched_setattr -F key=64bit_sched_setattr
 -a always,exit -F arch=b32 -S pivot_root -F key=32bit_pivot_root
diff --git a/roles/audit/templates/43-module-load.rules.j2 b/roles/audit/templates/43-module-load.rules.j2
index 8c266f5..e6f2ac4 100644
--- a/roles/audit/templates/43-module-load.rules.j2
+++ b/roles/audit/templates/43-module-load.rules.j2
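Review bot: `{% if ansible_architecture not in ['aarch64'] %}` guards `modify_ldt` here and `set_thread_area` in the 42-injection hunk on this line, yet `modify_ldt` is x86-only and `set_thread_area` is, as far as I know, x86 and MIPS only, so the guard encodes an x86 fact as an aarch64 exclusion and the next architecture added to the inventory reproduces the rule-load failure this commit is fixing. Writing the intent positively, `{% if ansible_architecture in ['x86_64'] %}`, keeps these rules on the platform where they are known to load and omits only these rules elsewhere. The `epoll_wait_old` guard in 50-file-changes.rules.j2 is the same case (that syscall is x86_64-specific); the `inotify_init` and `_sysctl` guards there and in 53-kernel-parameters.rules.j2 cover syscalls that several newer architectures also lack, so if the exclusion form is kept, a comment naming why each syscall is missing on aarch64 would help whoever extends the list.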
@@ -1,6 +1,13 @@
 ## These rules watch for kernel module insertion
+{%- set S_create_module = '-S create_module' %}
+{%- set S_kexec_file_load = '-S kexec_file_load' %}
+{# Filter syscalls not available on certain platforms #}
+{% if ansible_architecture in ['aarch64'] %}
+ {%- set S_create_module = '' %}
+ {%- set S_kexec_file_load = '' %}
+{% endif %}
 -w /usr/sbin/insmod -p x -k modules
 -w /usr/sbin/rmmod -p x -k modules
 -w /usr/sbin/modprobe -p x -k modules
--a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -S kexec_file_load -S kexec_load -k modules
--a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules
+-a always,exit -F arch=b64 -S init_module -S delete_module {{ S_create_module }} -S finit_module {{ S_kexec_file_load }} -S kexec_load -k modules
+-a always,exit -F arch=b32 -S init_module -S delete_module {{ S_create_module }} -S finit_module -k modules
diff --git a/roles/audit/templates/50-file-changes.rules.j2 b/roles/audit/templates/50-file-changes.rules.j2
index d7d7aa6..c81c6a5 100644
--- a/roles/audit/templates/50-file-changes.rules.j2
+++ b/roles/audit/templates/50-file-changes.rules.j2
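Review bot: Blanking `S_kexec_file_load` on aarch64 tracks the syscall table of the installed audit-userspace package rather than the kernel: the linked audit-userspace issue concerns the user-space name table, and arm64 kernels gained `kexec_file_load` around 5.0 if I recall correctly, so once the audit package on the target is upgraded this rule quietly stops auditing a syscall the kernel does provide and that replaces the running kernel. A comment recording what the filter was verified against, e.g. `{# kexec_file_load absent from the aarch64 table of audit-userspace <VERSION-TESTED>; re-check after package upgrades #}`, gives the next maintainer a reason to revisit it. Minor: this file documents the filter with a `{# … #}` Jinja comment while 30-stig.rules.j2 uses a `## … ##` rules comment for the same purpose; either is fine, but picking one keeps the templates consistent.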
@@ -13,11 +13,15 @@
 -w /usr/lib64 -p aw -k usr-lib64
 -w /var/log/audit/ -k audit-logs
 -w /var/log/sudo.log -p wa -k actions
+{% if ansible_architecture not in ['aarch64'] %}
 -a always,exit -F arch=b64 -S epoll_wait_old -F key=64bit_epoll_wait_old
+{% endif %}
 -a always,exit -F arch=b32 -S inotify_add_watch -F key=32bit_inotify_add_watch
 -a always,exit -F arch=b64 -S inotify_add_watch -F key=64bit_inotify_add_watch
+{% if ansible_architecture not in ['aarch64'] %}
 -a always,exit -F arch=b32 -S inotify_init -F key=32bit_inotify_init
 -a always,exit -F arch=b64 -S inotify_init -F key=64bit_inotify_init
+{% endif %}
 -a always,exit -F arch=b32 -S inotify_init1 -F key=32bit_inotify_init1
 -a always,exit -F arch=b64 -S inotify_init1 -F key=64bit_inotify_init1
 -a always,exit -F arch=b32 -S inotify_rm_watch -F key=32bit_inotify_rm_watch
diff --git a/roles/audit/templates/53-kernel-parameters.rules.j2 b/roles/audit/templates/53-kernel-parameters.rules.j2
index ee1c4fc..5c4ebe9 100644
--- a/roles/audit/templates/53-kernel-parameters.rules.j2
+++ b/roles/audit/templates/53-kernel-parameters.rules.j2
@@ -1,3 +1,5 @@
 ## reading kernel parameters
+{% if ansible_architecture not in ['aarch64'] %}
 -a always,exit -F arch=b32 -S _sysctl -F key=32bit__sysctl
 -a always,exit -F arch=b64 -S _sysctl -F key=64bit__sysctl
+{% endif %}
-- 
2.16.6