Merge pull request #14059 from jan-cerny/issue14055

Group system calls in audit_rules_kernel_module_loading template

Author: ggbecker

docs/templates/template_reference.md

@@ -57,6 +57,8 @@
 
     -   **key** - audit key. If this isn't specified then the default value `perm_mod` is used.
 
+    -   **syscall_grouping** - a list of syscalls that can be grouped together in a single audit rule
+
 -   Languages: Ansible, Bash, OVAL, Kubernetes
 
 #### audit_rules_file_deletion_events
@@ -66,6 +68,8 @@
 
     -   **name** - value of `-S` argument in Audit rule, eg. `unlink`
 
+    -   **syscall_grouping** - a list of syscalls that can be grouped together in a single audit rule
+
 -   Languages: Ansible, Bash, OVAL
 
 #### audit_rules_kernel_module_loading
@@ -75,6 +79,8 @@
 
     -   **name** - value of `-S` argument in Audit rule, eg. `create_module`
 
+    -   **syscall_grouping** - a list of syscalls that can be grouped together in a single audit rule
+
 -   Languages: Ansible, Bash, Kubernetes, OVAL
 
 #### audit_rules_path_syscall
@@ -134,6 +140,8 @@
 
     -   **name** - name of the unsuccessful system call, eg. `creat`
 
+    -   **syscall_grouping** - a list of syscalls that can be grouped together in a single audit rule
+
 -   Languages: Ansible, Bash, OVAL
 
 #### audit_rules_unsuccessful_file_modification_o_creat

linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/rule.yml

@@ -36,3 +36,9 @@ template:
     name: audit_rules_kernel_module_loading
     vars:
         name: create_module
+        syscall_grouping:
+          - create_module
+          - delete_module
+          - finit_module
+          - init_module
+          - query_module

linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml

@@ -54,3 +54,9 @@ template:
     name: audit_rules_kernel_module_loading
     vars:
         name: delete_module
+        syscall_grouping:
+          - create_module
+          - delete_module
+          - finit_module
+          - init_module
+          - query_module

linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml

@@ -52,3 +52,9 @@ template:
     name: audit_rules_kernel_module_loading
     vars:
         name: finit_module
+        syscall_grouping:
+          - create_module
+          - delete_module
+          - finit_module
+          - init_module
+          - query_module

linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml

@@ -53,3 +53,9 @@ template:
     name: audit_rules_kernel_module_loading
     vars:
         name: init_module
+        syscall_grouping:
+          - create_module
+          - delete_module
+          - finit_module
+          - init_module
+          - query_module

linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/rule.yml

@@ -32,3 +32,9 @@ template:
     name: audit_rules_kernel_module_loading
     vars:
         name: query_module
+        syscall_grouping:
+          - create_module
+          - delete_module
+          - finit_module
+          - init_module
+          - query_module

shared/templates/audit_rules_kernel_module_loading/ansible.template

@@ -28,17 +28,17 @@
       action_arch_filters="-a always,exit -F arch=b32",
       other_filters="",
       auid_filters=auid_filters,
-      syscalls=[NAME],
+      syscalls=NAME,
       key="modules",
-      syscall_grouping=[],
+      syscall_grouping=SYSCALL_GROUPING,
       )|indent(4) }}}
     {{{ ansible_audit_auditctl_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b32",
       other_filters="",
       auid_filters=auid_filters,
-      syscalls=[NAME],
+      syscalls=NAME,
       key="modules",
-      syscall_grouping=[],
+      syscall_grouping=SYSCALL_GROUPING,
       )|indent(4) }}}
 
 - name: {{{ rule_title }}} - Perform remediation of Audit rules for {{{ NAME }}} for 64bit platform
@@ -47,16 +47,16 @@
       action_arch_filters="-a always,exit -F arch=b64",
       other_filters="",
       auid_filters=auid_filters,
-      syscalls=[NAME],
+      syscalls=NAME,
       key="modules",
-      syscall_grouping=[],
+      syscall_grouping=SYSCALL_GROUPING,
       )|indent(4) }}}
     {{{ ansible_audit_auditctl_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b64",
       other_filters="",
       auid_filters=auid_filters,
-      syscalls=[NAME],
+      syscalls=NAME,
       key="modules",
-      syscall_grouping=[],
+      syscall_grouping=SYSCALL_GROUPING,
       )|indent(4) }}}
   when: audit_arch == "b64"

shared/templates/audit_rules_kernel_module_loading/bash.template

@@ -19,7 +19,7 @@ do
 	{{% endif %}}
 	SYSCALL="{{{ NAME }}}"
 	KEY="modules"
-	SYSCALL_GROUPING="{{{ NAME }}}"
+	SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	{{{ bash_fix_audit_syscall_rule("augenrules", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}}
 	{{{ bash_fix_audit_syscall_rule("auditctl", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}}

shared/templates/audit_rules_kernel_module_loading/template.py

@@ -0,0 +1,18 @@
+def _audit_rules_kernel_module_loading(data, lang):
+    if lang == "bash":
+        if "syscall_grouping" in data:
+            # Make it easier to transform the syscall_grouping into a Bash array
+            data["syscall_grouping"] = " ".join(data["syscall_grouping"])
+    elif lang == "ansible":
+        if "name" in data:
+            # Transform the syscall into a Ansible list
+            # The syscall is under 'name'
+            data["name"] = [data["name"]]
+        if "syscall_grouping" not in data:
+            # Ensure that syscall_grouping is a list
+            data["syscall_grouping"] = []
+    return data
+
+
+def preprocess(data, lang):
+    return _audit_rules_kernel_module_loading(data, lang)