From 8cf95c284e30262484c1e51477e6bcb84ea65a44 Mon Sep 17 00:00:00 2001
From: Maik Stuebner
Date: Fri, 23 Jul 2021 12:14:29 +0200
Subject: [PATCH 1/2] Add Check for auditd rules and add NOTICE file for code reuse

Signed-off-by: Maik Stuebner
---
NOTICE | 5 +++++
controls/os_spec.rb | 40 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 45 insertions(+)
create mode 100644 NOTICE

diff --git a/NOTICE b/NOTICE
new file mode 100644
index 0000000..c8b568e
--- /dev/null
+++ b/NOTICE
@@ -0,0 +1,5 @@
+DevSec Linux Baseline
+
+Huge parts of the audit rules in controls/os_spec.rb
+was created by Deutsche Telekom AG. (https://github.com/telekom/tel-it-security-automation/blob/21dacf83ab1245bf7c42c12d1d25292562599b79/hardening-linux-server/vars/main.yml & https://github.com/telekom/tel-it-security-automation)
+Copyright (c) 2020 Maximilian Hertstein [...] Deutsche Telekom AG
\ No newline at end of file
diff --git a/controls/os_spec.rb b/controls/os_spec.rb
index ec2bbf9..f65d936 100644
--- a/controls/os_spec.rb
+++ b/controls/os_spec.rb
@@ -282,3 +282,43 @@
end
end
end
+
+control 'os-15' do
+ impact 1.0
+ title 'Check auditd rules'
+ desc 'Check that the auditd rules are created and active'
+ output = command('auditctl -l')
+ describe output do
+ its(:stdout) { should match '-a always,exit -F arch=b64 -S execve' }
+ its(:stdout) { should match '-w /etc/localtime -p wa -k time-change' }
+ its(:stdout) { should match '-w /sbin/insmod -p x -k modules' }
+ its(:stdout) { should match '-w /etc/crontab' }
+ its(:stdout) { should match '-w /etc/sudoers -p wa -k scope' }
+ its(:stdout) { should match '-w /etc/passwd -p wa -k identity' }
+ its(:stdout) { should match '-w /var/log/audit/audit.log' }
+ its(:stdout) { should match '-w /etc/hosts -p wa -k system-locale' }
+ its(:stdout) { should match '-w /etc/ssh/sshd_config' }
+ if os.redhat? || os.name == 'amazon' || os.name == 'fedora'
+ its(:stdout) { should match '-w /usr/bin/yum -p x -k software_mgmt' }
+ its(:stdout) { should match '-w /etc/selinux/ -p wa -k MAC-policy' }
+ end
+ if os.suse?
+ its(:stdout) { should match '-w /usr/bin/zypper -p x -k software_mgmt' }
+ end
+ if os.debian?
+ its(:stdout) { should match '-w /usr/bin/apt-get -p x -k software_mgmt' }
+ its(:stdout) { should match '-w /var/log/system.log' }
+ its(:stdout) { should match '-w /etc/network/interfaces -p wa -k system-locale' }
+ end
+ if os.name == 'arch'
+ its(:stdout) { should match '-w /usr/bin/pacman -p x -k software_mgmt' }
+ end
+ if os.redhat? || os.name == 'amazon' || os.name == 'fedora' || os.suse?
+ its(:stdout) { should match '-w /var/log/messages' }
+ its(:stdout) { should match '-w /etc/sysconfig/network-scripts/ -p wa -k system-locale' }
+ end
+ if os.suse? || os.debian?
+ its(:stdout) { should match '-w /etc/apparmor/ -p wa -k MAC-policy' }
+ end
+ end
+end

From 92a6c851bb8f9de96e2cb6d1efb92c398f1bf0a2 Mon Sep 17 00:00:00 2001
From: Maik Stuebner
Date: Fri, 23 Jul 2021 15:00:32 +0200
Subject: [PATCH 2/2] Fix syntax of auditd checks
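Review bot: The new control never verifies that `auditctl -l` actually ran, so when the binary is absent or the scan is executed unprivileged the stdout is empty and every expectation in the describe block fails with the same uninformative "expected stdout to match" message instead of the real cause; add `its(:exit_status) { should eq 0 }` as the first expectation (or gate the control with `only_if` on auditd being installed). Several watches are matched without permission flags — `-w /etc/crontab`, `-w /var/log/audit/audit.log`, `-w /etc/ssh/sshd_config`, `-w /var/log/messages`, `-w /var/log/system.log` — so a rule that only audits reads of those files would satisfy the check; pin the flags the baseline expects, e.g. `'-w /etc/ssh/sshd_config -p wa'`. Note also that `match` with a String argument is evaluated as an unanchored regular expression, so the `.` in `audit.log` is a wildcard; `include` gives the literal substring match that is presumably intended. As a point of style, the `os.redhat? || os.name == 'amazon' || os.name == 'fedora'` condition is written out twice and could be hoisted into a local such as `rhel_like = os.redhat? || os.name == 'amazon' || os.name == 'fedora'` above the describe block.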
Signed-off-by: Maik Stuebner
---
controls/os_spec.rb | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/controls/os_spec.rb b/controls/os_spec.rb
index f65d936..b754279 100644
--- a/controls/os_spec.rb
+++ b/controls/os_spec.rb
@@ -300,7 +300,7 @@
its(:stdout) { should match '-w /etc/ssh/sshd_config' }
if os.redhat? || os.name == 'amazon' || os.name == 'fedora'
its(:stdout) { should match '-w /usr/bin/yum -p x -k software_mgmt' }
- its(:stdout) { should match '-w /etc/selinux/ -p wa -k MAC-policy' }
+ its(:stdout) { should match '-w /etc/selinux -p wa -k MAC-policy' }
end
if os.suse?
its(:stdout) { should match '-w /usr/bin/zypper -p x -k software_mgmt' }
@@ -315,10 +315,10 @@
end
if os.redhat? || os.name == 'amazon' || os.name == 'fedora' || os.suse?
its(:stdout) { should match '-w /var/log/messages' }
- its(:stdout) { should match '-w /etc/sysconfig/network-scripts/ -p wa -k system-locale' }
+ its(:stdout) { should match '-w /etc/sysconfig/network-scripts -p wa -k system-locale' }
end
if os.suse? || os.debian?
- its(:stdout) { should match '-w /etc/apparmor/ -p wa -k MAC-policy' }
+ its(:stdout) { should match '-w /etc/apparmor -p wa -k MAC-policy' }
end
end
end
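Review bot: The reason the trailing slash is dropped from `/etc/selinux` is recorded neither in the code nor in the commit title ("Fix syntax" is not what this is), so the next editor comparing against the upstream rule files may well put the slashes back; presumably `auditctl -l` reports watched directories in a normalised form without the trailing slash, and a comment above the first affected expectation such as `# auditctl -l prints watch paths without a trailing slash; match its normalised form` would prevent that regression. The same applies to the second hunk (`network-scripts` and `apparmor`). The control these hunks sit in starts before the first hunk, outside what is shown here.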