From ec0e121ab30659346143f0d2b8eb9c96588885c9 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 19 Dec 2024 10:29:01 -0600
Subject: [PATCH] Ensure audit rules.d are set 0600

---
 .../audit_rules_immutable/ansible/shared.yml | 2 +-
 .../audit_rules_immutable/bash/shared.sh | 1 +
 .../audit_rules_immutable_login_uids/ansible/shared.yml | 2 ++
 .../ansible/shared.yml | 5 +++--
 .../audit_rules_system_shutdown/ansible/shared.yml | 1 +
 shared/macros/10-ansible.jinja | 8 ++++----
 shared/macros/10-bash.jinja | 4 ++--
 shared/templates/audit_file_contents/ansible.template | 6 +++---
 8 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
index 736d4c333e4..c47c0f21f3c 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
@@ -22,7 +22,7 @@
 path: "{{ item }}"
 create: True
 line: "-e 2"
- mode: o-rwx
+ mode: g-rwx,o-rwx
 loop:
 - "/etc/audit/audit.rules"
 - "/etc/audit/rules.d/immutable.rules"
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh
index b570780759a..436dfd26c15 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh
@@ -21,4 +21,5 @@ do
 echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE
 echo '-e 2' >> $AUDIT_FILE
 chmod o-rwx $AUDIT_FILE
+ chmod g-rwx $AUDIT_FILE
 done
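Review bot: `mode: g-rwx,o-rwx` on the lineinfile task only strips group and other bits, so a rules file whose owner bits are already wider than rw (say one left 0700 or 0755 by an earlier tool) keeps them and the task never converges on the 0600 the commit title promises, whereas the other tasks in this commit use the absolute `mode: '0600'`, which does. Suggest `mode: '0600'` here, and likewise in the two 10-ansible.jinja syscall macros (hunks at -577 and -654) and in shared/templates/audit_file_contents/ansible.template, which keep the same subtractive form. The quotes matter: an unquoted 0600 is read by YAML as an octal integer and Ansible then applies a different mode. `create: True` on the line above is a YAML 1.1 capitalised boolean; `create: true` is the portable spelling.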
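Review bot: The added `chmod g-rwx $AUDIT_FILE` is a second chmod on the same file immediately after `chmod o-rwx $AUDIT_FILE`; one call does the job, and as with the Ansible task for this rule a subtractive symbolic mode leaves over-permissive owner bits untouched instead of converging on 0600. Suggest replacing both lines with `chmod 0600 "$AUDIT_FILE"`, which also quotes the variable so a path with whitespace is handled. The enclosing `do … done` loop begins outside the hunk.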
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/ansible/shared.yml
index 94768073f31..288544044b1 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/ansible/shared.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/ansible/shared.yml
@@ -16,6 +16,7 @@
 path: '/etc/audit/audit.rules'
 line: '--loginuid-immutable'
 regexp: '^\s*--loginuid-immutable\s*$'
+ mode: '0600'
 create: true
 when: auditctl_used is defined and auditctl_used.matched >= 1

@@ -33,6 +34,7 @@
 path: '/etc/audit/rules.d/immutable.rules'
 line: '--loginuid-immutable'
 regexp: '^\s*--loginuid-immutable\s*$'
+ mode: '0600'
 create: true
 when: immutable_found_in_rules_d is defined and immutable_found_in_rules_d.matched == 0
 when: auditctl_used is defined and auditctl_used.matched == 0
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
index 340551b27df..8190f86e425 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
@@ -43,9 +43,10 @@
 path: /etc/audit/rules.d/privileged.rules
 line: "{{ item.rule }}"
 regexp: "{{ item.regex }}"
+ mode: "0600"
 create: yes
 when:
- - ('"auditd.service" in ansible_facts.services' or
+ - ('"auditd.service" in ansible_facts.services' or
 '"augenrules.service" in ansible_facts.services')
 register: augenrules_audit_rules_privilege_function_update_result
 with_items: "{{ suid_audit_rules }}"
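Review bot: `mode: "0600"` is added only to the augenrules task writing /etc/audit/rules.d/privileged.rules; the sibling auditctl task in the same file (hunk at -57, which also carries `create: yes`) receives nothing but a whitespace fix, so a file it creates keeps umask-default permissions. Its `path:` line is outside that hunk, but judging by the register name it writes /etc/audit/audit.rules, and the other audit.rules tasks in this commit do get a mode, so `mode: "0600"` belongs there too. `create: yes` is a YAML 1.1 truthy value that predates this change; `create: true` is the portable spelling.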
@@ -57,7 +58,7 @@
 regexp: "{{ item.regex }}"
 create: yes
 when:
- - ('"auditd.service" in ansible_facts.services' or
+ - ('"auditd.service" in ansible_facts.services' or
 '"augenrules.service" in ansible_facts.services')
 register: auditctl_audit_rules_privilege_function_update_result
 with_items: "{{ suid_audit_rules }}"
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
index b254116d3b1..c7c01a3e9da 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
@@ -23,6 +23,7 @@
 lineinfile:
 path: "{{ item }}"
 create: True
+ mode: "0600"
 line: "-f {{ var_audit_failure_mode }}"
 loop:
 - "/etc/audit/audit.rules"
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index d8726a40bba..ebb309a6e5b 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -454,7 +454,7 @@ The following macro remediates one audit watch rule in :code:`/etc/audit/rules.d
 path: "{{ all_files[0] }}"
 line: "-w {{{ path }}} -p {{{ permissions }}} -k {{{ key }}}"
 create: yes
- mode: '0640'
+ mode: '0600'
 when: find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
 {{%- endmacro %}}

@@ -484,7 +484,7 @@ The following macro remediates one audit watch rule in :code:`/etc/audit/audit.r
 state: present
 dest: /etc/audit/audit.rules
 create: yes
- mode: '0640'
+ mode: '0600'
 when: find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
 {{%- endmacro %}}

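Review bot: The tightened `mode: '0600'` only takes effect when the lineinfile task runs, and the task is gated by `when: find_existing_watch_rules_d.matched … == 0`, i.e. only when no matching watch rule exists yet; a rules.d file that already holds the rule and still carries the previous 0640 is never corrected. The same gating applies to the audit.rules macro at -484 and, via `when: syscalls_found | length == 0`, to the syscall macros at -577 and -654. If existing files are meant to be brought to 0600 as well, a separate `ansible.builtin.file` task with the same path and `mode: '0600'`, not conditioned on the rule being absent, would do it; whether the path variable is populated on that branch is not visible in the hunk and should be confirmed. The macro bodies begin and end outside these hunks.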
@@ -577,7 +577,7 @@ The macro requires following parameters:
 path: '{{ audit_file }}'
 line: "{{{ action_arch_filters }}}{{{ syscall_flag }}}{{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
 create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
 state: present
 when: syscalls_found | length == 0
 {{%- endmacro %}}
@@ -654,7 +654,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 path: '{{ audit_file }}'
 line: "{{{ action_arch_filters }}}{{{ syscall_flag }}}{{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
 create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
 state: present
 when: syscalls_found | length == 0
 {{%- endmacro %}}
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 928f3f24d95..5c83b26add8 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -390,7 +390,7 @@ then
 if [ ! -e "$key_rule_file" ]
 then
 touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
 fi
 files_to_inspect+=("$key_rule_file")
 fi
@@ -1748,7 +1748,7 @@ then
 if [ ! -e "$file_to_inspect" ]
 then
 touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
 fi
 fi
 {{%- endif %}}
diff --git a/shared/templates/audit_file_contents/ansible.template b/shared/templates/audit_file_contents/ansible.template
index a262386cfbf..07a0ae4558e 100644
--- a/shared/templates/audit_file_contents/ansible.template
+++ b/shared/templates/audit_file_contents/ansible.template
@@ -10,7 +10,7 @@
 ) }}}

-- name: Remove any permissions from other group
- file:
+- name: {{{ rule_title }}} - Remove any permissions from group and other
+ ansible.builtin.file:
 path: {{{ FILEPATH }}}
- mode: o-rwx
+ mode: g-rwx,o-rwx
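Review bot: `chmod 0600 "$key_rule_file"` sits inside the `if [ ! -e "$key_rule_file" ]` branch, so it only runs for a file this remediation creates; an existing rules.d file still at the old 0640 (or anything looser) is left as is, whereas the Ansible counterpart applies `mode` on every run. The same holds for the hunk at -1748 (`$file_to_inspect`). Keeping `touch "$key_rule_file"` in the branch and moving `chmod 0600 "$key_rule_file"` to just after the `fi`, so it runs unconditionally, would make the bash and Ansible remediations converge on the same permissions. The outer `if … then` block whose `then` appears in the hunk header opens outside the hunk.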