From a3a3a9466d38ad6ab7a6e4c32f3f60eb823e9ad1 Mon Sep 17 00:00:00 2001
From: Carlos Rodriguez-Fernandez
Date: Wed, 7 Aug 2024 13:52:38 -0700
Subject: [PATCH 1/2] include missing rpm pkg managers
Signed-off-by: Carlos Rodriguez-Fernandez
---
 nist/system/ksp-nist-cm-5-3-cm-14-signed-components.yaml | 3 +++
 nist/system/ksp-nist-cm-7-5-software-install.yaml | 6 ++++++
 ...i-4-execute-package-management-process-in-container.yaml | 3 +++
 3 files changed, 12 insertions(+)
diff --git a/nist/system/ksp-nist-cm-5-3-cm-14-signed-components.yaml b/nist/system/ksp-nist-cm-5-3-cm-14-signed-components.yaml
index 6eefca18..f95d2c11 100644
--- a/nist/system/ksp-nist-cm-5-3-cm-14-signed-components.yaml
+++ b/nist/system/ksp-nist-cm-5-3-cm-14-signed-components.yaml
@@ -20,6 +20,9 @@ spec:
 matchPaths:
 - path: /usr/sbin/alternatives
 - path: /usr/bin/dnf
+ - path: /usr/bin/dnf-3
+ - path: /usr/bin/dnf5
+ - path: /usr/bin/microdnf
 - path: /usr/bin/rpm
 - path: /usr/bin/yum
 - path: /usr/bin/rpmkeys
diff --git a/nist/system/ksp-nist-cm-7-5-software-install.yaml b/nist/system/ksp-nist-cm-7-5-software-install.yaml
index 730d74f7..b96fc798 100644
--- a/nist/system/ksp-nist-cm-7-5-software-install.yaml
+++ b/nist/system/ksp-nist-cm-7-5-software-install.yaml
@@ -42,6 +42,12 @@ spec:
 ownerOnly: true
 - path: /usr/bin/dnf
 ownerOnly: true
+ - path: /usr/bin/dnf-3
+ ownerOnly: true
+ - path: /usr/bin/dnf5
+ ownerOnly: true
+ - path: /usr/bin/microdnf
+ ownerOnly: true
 - path: /bin/dnf
 ownerOnly: true
 - path: /usr/bin/pacman
diff --git a/nist/system/ksp-nist-si-4-execute-package-management-process-in-container.yaml b/nist/system/ksp-nist-si-4-execute-package-management-process-in-container.yaml
index f8f7a632..fc221436 100644
--- a/nist/system/ksp-nist-si-4-execute-package-management-process-in-container.yaml
+++ b/nist/system/ksp-nist-si-4-execute-package-management-process-in-container.yaml
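Review bot: In the ksp-nist-cm-7-5-software-install.yaml hunk the three new entries (dnf-3, dnf5, microdnf) are listed only under /usr/bin/, while the neighbouring dnf entry is kept under both /usr/bin/dnf and /bin/dnf; the ksp-nist-si-4-execute-package-management-process-in-container.yaml hunk shows the same asymmetry. If the /bin/ duplicate exists for distributions without a merged /usr, the new binaries need the same pair; if it is only historical, a comment saying so would save the next reviewer the same question. A short comment above the new entries would also record why they were missing, e.g. `# dnf-3/dnf5/microdnf: on Fedora-family images dnf and yum are commonly symlinks to one of these, so the resolved binary must be listed (TODO confirm per target distro)`. Each matchPaths list continues outside the hunk.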
@@ -33,6 +33,9 @@ spec:
 - path: /bin/rpm
 - path: /usr/bin/dnf
 - path: /bin/dnf
+ - path: /usr/bin/dnf-3
+ - path: /usr/bin/dnf5
+ - path: /usr/bin/microdnf
 - path: /usr/bin/pacman
 - path: /usr/sbin/pacman
 - path: /bin/pacman
From a2a0229312b2a77ef9100e7e918637157fdd0215 Mon Sep 17 00:00:00 2001
From: Carlos Rodriguez-Fernandez
Date: Wed, 7 Aug 2024 14:39:58 -0700
Subject: [PATCH 2/2] fix process match for /sbin for redhat linux sys
In redhat and fedora systems, /sbin/ is a symlink to /usr/sbin, preventing the process match from catching the execs.
Signed-off-by: Carlos Rodriguez-Fernandez
---
 cis/system/ksp-audit-cis-mysql-1-5.yaml | 1 +
 cis/system/ksp-block-cis-centos-8-1-1-4-1.yaml | 1 +
 elastic/system/ksp-audit-elasticsearch-bash-spawn.yaml | 1 +
 golang/system/ksp-block-golang-generic-policy-1.yaml | 3 +++
 malware/system/ksp-block-sysrv-hello-malware.yaml | 1 +
 metadata.yaml | 2 ++
 nist/system/ksp-system-information-blockwithaudit.yaml | 1 +
 stigs/system/hsp-audit-stig-ubuntu-20-010173-unix-update.yaml | 1 +
 8 files changed, 11 insertions(+)
diff --git a/cis/system/ksp-audit-cis-mysql-1-5.yaml b/cis/system/ksp-audit-cis-mysql-1-5.yaml
index 1a37f9ac..795a0789 100644
--- a/cis/system/ksp-audit-cis-mysql-1-5.yaml
+++ b/cis/system/ksp-audit-cis-mysql-1-5.yaml
@@ -18,4 +18,5 @@ spec:
 matchPaths:
 - path: /bin/false
 - path: /sbin/nologin
+ - path: /usr/sbin/nologin
 action: Audit
diff --git a/cis/system/ksp-block-cis-centos-8-1-1-4-1.yaml b/cis/system/ksp-block-cis-centos-8-1-1-4-1.yaml
index bf3a6b98..2111da6f 100644
--- a/cis/system/ksp-block-cis-centos-8-1-1-4-1.yaml
+++ b/cis/system/ksp-block-cis-centos-8-1-1-4-1.yaml
@@ -21,4 +21,5 @@ spec:
 - path: /usr/bin/auditd
 - path: /bin/auditd
 - path: /sbin/auditd
+ - path: /usr/sbin/auditd
 action: Block
diff --git a/elastic/system/ksp-audit-elasticsearch-bash-spawn.yaml b/elastic/system/ksp-audit-elasticsearch-bash-spawn.yaml
index 9848346c..6570b343 100644
--- a/elastic/system/ksp-audit-elasticsearch-bash-spawn.yaml
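Review bot: The ksp-audit-cis-mysql-1-5.yaml hunk keeps `- path: /bin/false` with no /usr/bin/false counterpart, although the commit message gives exactly the reason that entry can miss: on the same Red Hat/Fedora systems, /bin is a symlink to /usr/bin just as /sbin is to /usr/sbin. The same gap is visible in the ksp-audit-elasticsearch-bash-spawn.yaml hunk (/bin/bash, /bin/sh, /bin/csh) and the ksp-system-information-blockwithaudit.yaml hunk (/bin/lsblk), unless the /usr/bin forms are already listed outside those hunks. Adding `- path: /usr/bin/false` here would apply the fix to the audit rule consistently, following the paired /bin and /usr/bin auditd entries in the neighbouring cis-centos hunk. Each matchPaths list starts before its hunk.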
+++ b/elastic/system/ksp-audit-elasticsearch-bash-spawn.yaml
@@ -19,5 +19,6 @@ spec:
 - path: /bin/bash
 - path: /bin/sh
 - path: /sbin/sh
+ - path: /usr/sbin/sh
 - path: /bin/csh
 action: Audit
diff --git a/golang/system/ksp-block-golang-generic-policy-1.yaml b/golang/system/ksp-block-golang-generic-policy-1.yaml
index cc1dd6db..be589926 100644
--- a/golang/system/ksp-block-golang-generic-policy-1.yaml
+++ b/golang/system/ksp-block-golang-generic-policy-1.yaml
@@ -19,6 +19,9 @@ spec:
 - path: /sbin/ldconfig
 fromSource:
 - path: /usr/bin/python2.7
+ - path: /usr/sbin/ldconfig
+ fromSource:
+ - path: /usr/bin/python2.7
 - path: /usr/bin/whoami
 fromSource:
 - path: /bin/dash
diff --git a/malware/system/ksp-block-sysrv-hello-malware.yaml b/malware/system/ksp-block-sysrv-hello-malware.yaml
index 90e704c5..cda6fa62 100644
--- a/malware/system/ksp-block-sysrv-hello-malware.yaml
+++ b/malware/system/ksp-block-sysrv-hello-malware.yaml
@@ -22,6 +22,7 @@ spec:
 process:
 matchPaths:
 - path: /sbin/iptables
+ - path: /usr/sbin/iptables
 - path: /etc/iptables
 - path: /usr/share/iptables
 - path: /usr/sbin/ufw
diff --git a/metadata.yaml b/metadata.yaml
index 9ee2ffac..8a7b871d 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -18,6 +18,8 @@ policyRules:
 matchDirectories:
 - dir: /sbin/
 recursive: true
+ - dir: /usr/sbin/
+ recursive: true
 message: restricted maintenance tool access attempted
 selector:
 matchLabels:
diff --git a/nist/system/ksp-system-information-blockwithaudit.yaml b/nist/system/ksp-system-information-blockwithaudit.yaml
index d719f0c3..6e2897ec 100644
--- a/nist/system/ksp-system-information-blockwithaudit.yaml
+++ b/nist/system/ksp-system-information-blockwithaudit.yaml
@@ -28,4 +28,5 @@ spec:
 - path: /bin/lsblk
 - path: /usr/bin/lspci
 - path: /sbin/fdisk
+ - path: /usr/sbin/fdisk
 action: Block
\ No newline at end of file
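Review bot: The ksp-system-information-blockwithaudit.yaml hunk still ends with `\ No newline at end of file` after `action: Block`; since the commit already edits the last lines of that file, this is the natural place to add the terminating newline so the next change does not carry a spurious last-line diff. No other change is needed in the hunk.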
diff --git a/stigs/system/hsp-audit-stig-ubuntu-20-010173-unix-update.yaml b/stigs/system/hsp-audit-stig-ubuntu-20-010173-unix-update.yaml
index 4e5edd73..0ed5a241 100644
--- a/stigs/system/hsp-audit-stig-ubuntu-20-010173-unix-update.yaml
+++ b/stigs/system/hsp-audit-stig-ubuntu-20-010173-unix-update.yaml
@@ -13,5 +13,6 @@ spec:
 process:
 matchPaths:
 - path: /sbin/unix_update
+ - path: /usr/sbin/unix_update
 action: Audit