Merge pull request #14132 from teacup-on-rockingchair/fixes_for_auditing_sle15_sle16

teacup-on-rockingchair · web-flow · commit 5a103d1f23d4 · 2025-11-27T10:15:07.000+02:00
Fixes for auditing rules in sle15 and sle16 previously disabled
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat2/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat2/rule.yml
@@ -25,6 +25,7 @@ severity: medium
 
 identifiers:
     cce@rhel10: CCE-86188-0
+    cce@sle15: CCE-92695-6
 
 references:
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_etc_selinux/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_etc_selinux/rule.yml
@@ -14,7 +14,7 @@ severity: medium
 
 identifiers:
     cce@rhel10: CCE-90737-8
-
+    cce@sle15: CCE-92694-9
 
 references:
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_almalinux
+# platform = multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_almalinux
+# platform = multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
 # reboot = true
 # strategy = restrict
 # complexity = low
@@ -23,5 +23,3 @@ var_auditd_name_format="$(echo $var_auditd_name_format | cut -d \| -f 1)"
                   separator=" = ",
                   separator_regex="\s*=\s*",
                   prefix_regex="^\s*", rule_id=rule_id)}}}
-
-
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel8: CCE-82897-0
     cce@rhel9: CCE-83686-6
     cce@rhel10: CCE-87429-7
+    cce@sle15: CCE-92696-4
 
 references:
     nist: CM-6,AU-3
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/correct_value.pass.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/correct_value.pass.sh
@@ -12,4 +12,8 @@ config_file="/etc/audit/auditd.conf"
 
 # remove any occurrence
 sed -i "s/^.*name_format.*$//" $config_file
+{{%- if product in ["sle15", "sle16"] %}}
+echo "name_format = fqd" >> $config_file
+{{%- else %}}
 echo "name_format = hostname" >> $config_file
+{{%- endif %}}
diff --git a/products/sle15/product.yml b/products/sle15/product.yml
@@ -23,6 +23,7 @@ release_key_fingerprint: "FEAB502539D846DB2C0961CA70AF9E8139DB7C82"
 oval_feed_url: "https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2"
 
 aide_bin_path: "/usr/bin/aide"
+audisp_conf_path: "/etc/audit"
 
 cpes_root: "../../shared/applicability"
 cpes:
diff --git a/products/sle15/profiles/pci-dss-4.profile b/products/sle15/profiles/pci-dss-4.profile
@@ -12,13 +12,14 @@ description: |-
     Ensures PCI-DSS v4 security configuration settings are applied.
 
 selections:
-    -  pcidss_4:all:base
-    -  ensure_pam_wheel_group_empty
-    -  sshd_strong_kex=pcidss
-    -  sshd_approved_macs=cis_sle15
-    -  sshd_approved_ciphers=cis_sle15
-    -  var_multiple_time_servers=suse
-    -  var_multiple_time_pools=suse
+    - pcidss_4:all:base
+    - ensure_pam_wheel_group_empty
+    - sshd_strong_kex=pcidss
+    - sshd_approved_macs=cis_sle15
+    - sshd_approved_ciphers=cis_sle15
+    - var_multiple_time_servers=suse
+    - var_multiple_time_pools=suse
+    - audit_rules_enable_syscall_auditing
 # Exclude from PCI DISS profile all rules related to ntp and timesyncd and keep only
 # rules related to chrony
     - '!ntpd_specify_multiple_servers'
@@ -28,9 +29,9 @@ selections:
     - '!service_timesyncd_enabled'
     - '!package_libreswan_installed'
     - '!use_pam_wheel_for_su'
-    -  use_pam_wheel_group_for_su
-    -  var_pam_wheel_group_for_su=cis
-    -  var_accounts_tmout=15_min
+    - use_pam_wheel_group_for_su
+    - var_pam_wheel_group_for_su=cis
+    - var_accounts_tmout=15_min
 # Following rules once had a prodtype incompatible with the sle15 product
     - '!aide_periodic_cron_checking'
     - '!accounts_password_pam_dcredit'
@@ -50,7 +51,6 @@ selections:
     - '!gnome_gdm_disable_guest_login'
     - '!accounts_password_pam_minlen'
     - '!no_password_auth_for_systemaccounts'
-    - '!auditd_name_format'
     - '!file_groupowner_user_cfg'
     - '!directory_access_var_log_audit'
     - '!ensure_root_password_configured'
@@ -64,7 +64,5 @@ selections:
     - '!dconf_gnome_disable_automount_open'
     - '!network_nmcli_permissions'
     - '!package_cryptsetup-luks_installed'
-    - '!audit_rules_file_deletion_events_renameat2'
-    - '!audit_rules_mac_modification_etc_selinux'
     - '!audit_rules_dac_modification_fchmodat2'
     - '!accounts_password_pam_unix_remember'
diff --git a/products/sle16/controls/base_sle16/0500_audit.yml b/products/sle16/controls/base_sle16/0500_audit.yml
@@ -33,3 +33,49 @@ controls:
       status: automated
       rules:
           - display_login_attempts
+
+    - id: SLES-16-16016520
+      levels:
+          - pcidss4
+      title: SLE16 system should audit syscalls
+      status: automated
+      rules:
+          - audit_rules_enable_syscall_auditing
+
+    - id: SLES-16-16016525
+      levels:
+          - pcidss4
+          - anssi_minimal
+          - hipaa
+      title: SLE16 system should audit renameat2 syscalls
+      status: automated
+      rules:
+          - audit_rules_file_deletion_events_renameat2
+
+    - id: SLES-16-16016530
+      levels:
+          - pcidss4
+          - anssi_minimal
+      title: SLE16 system should audit SELinux settings modifications
+      status: automated
+      rules:
+          - audit_rules_mac_modification_etc_selinux
+
+    - id: SLES-16-16016535
+      levels:
+          - pcidss4
+      title: SLE16 system should record the computer node name in the audit events
+      status: automated
+      rules:
+          - var_auditd_name_format=fqd
+          - auditd_name_format
+
+    - id: SLES-16-16016540
+      levels:
+          - pcidss4
+          - anssi_minimal
+          - hipaa
+      title: SLE16 system should audit fchmodat2 syscalls
+      status: automated
+      rules:
+          - audit_rules_dac_modification_fchmodat2
diff --git a/products/sle16/product.yml b/products/sle16/product.yml
@@ -18,6 +18,7 @@ pkg_manager: "zypper"
 pkg_manager_config_file: "/etc/zypp/zypp.conf"
 
 aide_bin_path: "/usr/bin/aide"
+audisp_conf_path: "/etc/audit"
 
 cpes_root: "../../shared/applicability"
 cpes:
diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt
@@ -75,6 +75,3 @@ CCE-92690-7
 CCE-92691-5
 CCE-92692-3
 CCE-92693-1
-CCE-92694-9
-CCE-92695-6
-CCE-92696-4

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_almalinux`
	`1`	`+# platform = multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle`
`2`	`2`	`# reboot = false`
`3`	`3`	`# strategy = restrict`
`4`	`4`	`# complexity = low`