Expand Up @@ -7,13 +7,13 @@
<!-- Test the augenrules case -->
<criteria operator="AND">
<extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
<criterion comment="audit rule to record read access events to /var/log/kube-apiserver" test_ref="test_directory_acccess_var_log_kube_audit_augenrules" />
<criterion comment="audit rule to record read access events to /var/log/kube-apiserver" test_ref="test_directory_access_var_log_kube_audit_augenrules" />
</criteria>

<!-- OR test the auditctl case -->
<criteria operator="AND">
<extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
<criterion comment="audit rule to record read access events to /var/log/kube-apiserver" test_ref="test_directory_acccess_var_log_kube_audit_auditctl" />
<criterion comment="audit rule to record read access events to /var/log/kube-apiserver" test_ref="test_directory_access_var_log_kube_audit_auditctl" />
</criteria>

</criteria>
Expand All @@ -26,10 +26,10 @@

<!-- directory access /var/log/audit augenrule -->
<ind:textfilecontent54_test check="all" check_existence="only_one_exists"
comment="defined audit rule must exist" id="test_directory_acccess_var_log_kube_audit_augenrules" version="1">
<ind:object object_ref="object_directory_acccess_var_log_kube_audit_augenrules" />
comment="defined audit rule must exist" id="test_directory_access_var_log_kube_audit_augenrules" version="1">
<ind:object object_ref="object_directory_access_var_log_kube_audit_augenrules" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_directory_acccess_var_log_kube_audit_augenrules" version="1">
<ind:textfilecontent54_object id="object_directory_access_var_log_kube_audit_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
<ind:pattern operation="pattern match" var_ref="var_audit_rule_access_var_log_kube_audit_regex" />
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
Expand All @@ -38,10 +38,10 @@

<!-- directory access /var/log/audit auditctl -->
<ind:textfilecontent54_test check="all" check_existence="only_one_exists"
comment="defined audit rule must exist" id="test_directory_acccess_var_log_kube_audit_auditctl" version="1">
<ind:object object_ref="object_directory_acccess_var_log_kube_audit_auditctl" />
comment="defined audit rule must exist" id="test_directory_access_var_log_kube_audit_auditctl" version="1">
<ind:object object_ref="object_directory_access_var_log_kube_audit_auditctl" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_directory_acccess_var_log_kube_audit_auditctl" version="1">
<ind:textfilecontent54_object id="object_directory_access_var_log_kube_audit_auditctl" version="1">
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
<ind:pattern operation="pattern match" var_ref="var_audit_rule_access_var_log_kube_audit_regex" />
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
Expand Up @@ -7,13 +7,13 @@
<!-- Test the augenrules case -->
<criteria operator="AND">
<extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
<criterion comment="audit rule to record read access events to /var/log/oauth-apiserver" test_ref="test_directory_acccess_var_log_oauth_audit_augenrules" />
<criterion comment="audit rule to record read access events to /var/log/oauth-apiserver" test_ref="test_directory_access_var_log_oauth_audit_augenrules" />
</criteria>

<!-- OR test the auditctl case -->
<criteria operator="AND">
<extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
<criterion comment="audit rule to record read access events to /var/log/oauth-apiserver" test_ref="test_directory_acccess_var_log_oauth_audit_auditctl" />
<criterion comment="audit rule to record read access events to /var/log/oauth-apiserver" test_ref="test_directory_access_var_log_oauth_audit_auditctl" />
</criteria>

</criteria>
Expand All @@ -26,10 +26,10 @@

<!-- directory access /var/log/audit augenrule -->
<ind:textfilecontent54_test check="all" check_existence="only_one_exists"
comment="defined audit rule must exist" id="test_directory_acccess_var_log_oauth_audit_augenrules" version="1">
<ind:object object_ref="object_directory_acccess_var_log_oauth_audit_augenrules" />
comment="defined audit rule must exist" id="test_directory_access_var_log_oauth_audit_augenrules" version="1">
<ind:object object_ref="object_directory_access_var_log_oauth_audit_augenrules" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_directory_acccess_var_log_oauth_audit_augenrules" version="1">
<ind:textfilecontent54_object id="object_directory_access_var_log_oauth_audit_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
<ind:pattern operation="pattern match" var_ref="var_audit_rule_access_var_log_oauth_audit_regex" />
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
Expand All @@ -38,10 +38,10 @@

<!-- directory access /var/log/audit auditctl -->
<ind:textfilecontent54_test check="all" check_existence="only_one_exists"
comment="defined audit rule must exist" id="test_directory_acccess_var_log_oauth_audit_auditctl" version="1">
<ind:object object_ref="object_directory_acccess_var_log_oauth_audit_auditctl" />
comment="defined audit rule must exist" id="test_directory_access_var_log_oauth_audit_auditctl" version="1">
<ind:object object_ref="object_directory_access_var_log_oauth_audit_auditctl" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_directory_acccess_var_log_oauth_audit_auditctl" version="1">
<ind:textfilecontent54_object id="object_directory_access_var_log_oauth_audit_auditctl" version="1">
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
<ind:pattern operation="pattern match" var_ref="var_audit_rule_access_var_log_oauth_audit_regex" />
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
Expand Up @@ -7,13 +7,13 @@
<!-- Test the augenrules case -->
<criteria operator="AND">
<extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
<criterion comment="audit rule to record read access events to /var/log/openshift-apiserver" test_ref="test_directory_acccess_var_log_ocp_audit_augenrules" />
<criterion comment="audit rule to record read access events to /var/log/openshift-apiserver" test_ref="test_directory_access_var_log_ocp_audit_augenrules" />
</criteria>

<!-- OR test the auditctl case -->
<criteria operator="AND">
<extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
<criterion comment="audit rule to record read access events to /var/log/openshift-apiserver" test_ref="test_directory_acccess_var_log_ocp_audit_auditctl" />
<criterion comment="audit rule to record read access events to /var/log/openshift-apiserver" test_ref="test_directory_access_var_log_ocp_audit_auditctl" />
</criteria>

</criteria>
Expand All @@ -26,10 +26,10 @@

<!-- directory access /var/log/audit augenrule -->
<ind:textfilecontent54_test check="all" check_existence="only_one_exists"
comment="defined audit rule must exist" id="test_directory_acccess_var_log_ocp_audit_augenrules" version="1">
<ind:object object_ref="object_directory_acccess_var_log_ocp_audit_augenrules" />
comment="defined audit rule must exist" id="test_directory_access_var_log_ocp_audit_augenrules" version="1">
<ind:object object_ref="object_directory_access_var_log_ocp_audit_augenrules" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_directory_acccess_var_log_ocp_audit_augenrules" version="1">
<ind:textfilecontent54_object id="object_directory_access_var_log_ocp_audit_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
<ind:pattern operation="pattern match" var_ref="var_audit_rule_access_var_log_ocp_audit_regex" />
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
Expand All @@ -38,10 +38,10 @@

<!-- directory access /var/log/audit auditctl -->
<ind:textfilecontent54_test check="all" check_existence="only_one_exists"
comment="defined audit rule must exist" id="test_directory_acccess_var_log_ocp_audit_auditctl" version="1">
<ind:object object_ref="object_directory_acccess_var_log_ocp_audit_auditctl" />
comment="defined audit rule must exist" id="test_directory_access_var_log_ocp_audit_auditctl" version="1">
<ind:object object_ref="object_directory_access_var_log_ocp_audit_auditctl" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_directory_acccess_var_log_ocp_audit_auditctl" version="1">
<ind:textfilecontent54_object id="object_directory_access_var_log_ocp_audit_auditctl" version="1">
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
<ind:pattern operation="pattern match" var_ref="var_audit_rule_access_var_log_ocp_audit_regex" />
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
Expand Up @@ -30,7 +30,7 @@
</criteria>
</definition>

{{% macro test_directory_acccess_var_log_audit(audit_tool, filepath, bits) %}}
{{% macro test_directory_access_var_log_audit(audit_tool, filepath, bits) %}}
<ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit {{{ audit_tool }}} {{{ NAME }}}" id="test_{{{ rule_id }}}_{{{ audit_tool }}}_{{{ bits }}}bit" version="1">
<ind:object object_ref="object_{{{ rule_id }}}_{{{ audit_tool }}}_{{{ bits }}}bit" />
</ind:textfilecontent54_test>
Expand All @@ -41,9 +41,9 @@
</ind:textfilecontent54_object>
{{% endmacro %}}

{{{ test_directory_acccess_var_log_audit("augenrules", "^/etc/audit/rules\.d/.*\.rules$", "32") }}}
{{{ test_directory_acccess_var_log_audit("augenrules", "^/etc/audit/rules\.d/.*\.rules$", "64") }}}
{{{ test_directory_acccess_var_log_audit("auditctl", "/etc/audit/audit.rules", "32") }}}
{{{ test_directory_acccess_var_log_audit("auditctl", "/etc/audit/audit.rules", "64") }}}
{{{ test_directory_access_var_log_audit("augenrules", "^/etc/audit/rules\.d/.*\.rules$", "32") }}}
{{{ test_directory_access_var_log_audit("augenrules", "^/etc/audit/rules\.d/.*\.rules$", "64") }}}
{{{ test_directory_access_var_log_audit("auditctl", "/etc/audit/audit.rules", "32") }}}
{{{ test_directory_access_var_log_audit("auditctl", "/etc/audit/audit.rules", "64") }}}

</def-group>
19 changes: 19 additions & 0 deletions shared/checks/oval/audit_rules_auditctl.xml
Expand Up @@ -8,11 +8,30 @@
<description>Test if auditctl is in use for audit rules.</description>
</metadata>

{{% if product in ['rhcos4'] %}}
<criteria operator="OR">
<criterion comment="audit auditctl via audit-rules.service" test_ref="test_audit_rules_auditctl_service" />
<criterion comment="audit auditctl via auditd.service" test_ref="test_audit_rules_auditctl" />
</criteria>
{{% else %}}
<criteria>
<criterion comment="audit auditctl" test_ref="test_audit_rules_auditctl" />
</criteria>
{{% endif %}}
</definition>

{{% if product in ['rhcos4'] %}}
<!-- RHCOS on RHEL 10+: auditctl runs via a separate audit-rules.service -->
<ind:textfilecontent54_test check="all" comment="audit auditctl via audit-rules.service" id="test_audit_rules_auditctl_service" version="1">
<ind:object object_ref="object_audit_rules_auditctl_service" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_audit_rules_auditctl_service" version="1">
<ind:filepath>/usr/lib/systemd/system/audit-rules.service</ind:filepath>
<ind:pattern operation="pattern match">^ExecStart=\/sbin\/auditctl.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
{{% endif %}}

<!-- Test the auditctl case -->
<ind:textfilecontent54_test check="all" comment="audit auditctl" id="test_audit_rules_auditctl" version="1">
<ind:object object_ref="object_audit_rules_auditctl" />
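Review bot: The new audit-rules.service pattern under `object_audit_rules_auditctl_service` only matches `ExecStart=/sbin/auditctl`, while the parallel check added to audit_rules_augenrules.xml in this same PR accepts an optional `/usr` prefix; a unit file that spells the usrmerged path `/usr/sbin/auditctl` would fail this criterion and the definition would then rest solely on the auditd.service test. Suggest `<ind:pattern operation="pattern match">^ExecStart=(\/usr)?\/sbin\/auditctl.*$</ind:pattern>` so both files treat the path the same way. Note also that this test only establishes that the unit file names auditctl, not that audit-rules.service is enabled; if the existing auditd.service test (outside this hunk) is likewise content-only this is consistent, otherwise a service-state criterion may be wanted. The comment `RHCOS on RHEL 10+` describes a RHEL version while the guard is `product in ['rhcos4']`; if rhcos4 also covers an earlier base, the OR criteria still falls back to the auditd.service test, and the comment could say so.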
19 changes: 19 additions & 0 deletions shared/checks/oval/audit_rules_augenrules.xml
Expand Up @@ -8,11 +8,30 @@
<description>Test if augenrules is enabled for audit rules.</description>
</metadata>

{{% if product in ['rhcos4'] %}}
<criteria operator="OR">
<criterion comment="audit augenrules via audit-rules.service" test_ref="test_audit_rules_augenrules_service" />
<criterion comment="audit augenrules via auditd.service" test_ref="test_audit_rules_augenrules" />
</criteria>
{{% else %}}
<criteria>
<criterion comment="audit augenrules" test_ref="test_audit_rules_augenrules" />
</criteria>
{{% endif %}}
</definition>

{{% if product in ['rhcos4'] %}}
<!-- RHCOS on RHEL 10+: augenrules runs via a separate audit-rules.service -->
<ind:textfilecontent54_test check="all" comment="audit augenrules via audit-rules.service" id="test_audit_rules_augenrules_service" version="1">
<ind:object object_ref="object_audit_rules_augenrules_service" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_audit_rules_augenrules_service" version="1">
<ind:filepath>/usr/lib/systemd/system/audit-rules.service</ind:filepath>
<ind:pattern operation="pattern match">^ExecStart=(\/usr|)?\/sbin\/augenrules.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
{{% endif %}}

<!-- Test the augenrules case -->
<ind:textfilecontent54_test check="all" comment="audit augenrules" id="test_audit_rules_augenrules" version="1">
<ind:object object_ref="object_audit_rules_augenrules" />
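Review bot: The regex `^ExecStart=(\/usr|)?\/sbin\/augenrules.*$` in the `<ind:pattern>` for `object_audit_rules_augenrules_service` carries a redundant empty alternative: `(\/usr|)?` matches exactly what `(\/usr)?` matches, and the extra `|` reads as though a third case were intended. Suggest `<ind:pattern operation="pattern match">^ExecStart=(\/usr)?\/sbin\/augenrules.*$</ind:pattern>`. As with the auditctl counterpart, this only confirms that the unit file references augenrules, not that audit-rules.service is enabled, which is worth a short comment next to the `<!-- RHCOS on RHEL 10+ ... -->` line if that is the intended scope.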