Merge pull request #14008 from Arden97/monitor_networkmanager

jan-cerny · web-flow · commit 9be46032e088 · 2025-10-17T08:41:04.000+02:00
Adding rules for /etc/hostname and NetworkManager auditd monitoring
diff --git a/components/audit.yml b/components/audit.yml
@@ -132,7 +132,9 @@ rules:
 - audit_rules_mac_modification_usr_share
 - audit_rules_media_export
 - audit_rules_networkconfig_modification
+- audit_rules_networkconfig_modification_hostname_file
 - audit_rules_networkconfig_modification_network_scripts
+- audit_rules_networkconfig_modification_networkmanager
 - audit_rules_privileged_commands
 - audit_rules_privileged_commands_apparmor_parser
 - audit_rules_privileged_commands_at
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
@@ -2611,11 +2611,11 @@ controls:
           - l2_server
           - l2_workstation
       status: partial
-      notes: |-
-          These rules are not covering "/etc/hostname" and "/etc/NetworkManager/".
       rules:
           - audit_rules_networkconfig_modification
+          - audit_rules_networkconfig_modification_hostname_file
           - audit_rules_networkconfig_modification_network_scripts
+          - audit_rules_networkconfig_modification_networkmanager
 
     - id: 6.3.3.6
       title: Ensure use of privileged commands are collected (Automated)
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification_hostname_file/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification_hostname_file/rule.yml
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+title: 'Record Events that Modify the System''s Network Environment - /etc/hostname'
+
+description: |-
+    {{{ describe_audit_rules_watch("/etc/hostname", "audit_rules_networkconfig_modification_hostname_file") }}}
+
+rationale: |-
+    The network environment should not be modified by anything other
+    than administrator action. Any change to network parameters should be
+    audited.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86603-8
+
+ocil_clause: 'the system is not configured to audit changes of the network configuration'
+
+ocil: |-
+    To determine if the system is configured to audit changes to its network configuration,
+    run the following command:
+    <pre>auditctl -l | grep -E '/etc/hostname'</pre>
+    If the system is configured to watch for network configuration changes, a line should
+    be returned and <tt>perm=wa</tt> should be indicated.
+
+template:
+    name: audit_rules_watch
+    vars:
+        path: /etc/hostname
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification_network_scripts/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification_network_scripts/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-title: 'Record Events that Modify the System''s Network Environment'
+title: 'Record Events that Modify the System''s Network Environment - /etc/sysconfig/network-scripts'
 
 description: |-
     {{{ describe_audit_rules_watch("/etc/sysconfig/network-scripts", "audit_rules_networkconfig_modification_network_scripts") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification_networkmanager/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification_networkmanager/rule.yml
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+title: 'Record Events that Modify the System''s Network Environment - /etc/NetworkManager/'
+
+description: |-
+    {{{ describe_audit_rules_watch("/etc/NetworkManager", "audit_rules_networkconfig_modification_networkmanager") }}}
+
+rationale: |-
+    The network environment should not be modified by anything other
+    than administrator action. Any change to network parameters should be
+    audited.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86481-9
+
+ocil_clause: 'the system is not configured to audit changes of the network configuration'
+
+ocil: |-
+    To determine if the system is configured to audit changes to its network configuration,
+    run the following command:
+    <pre>auditctl -l | grep -E '/etc/NetworkManager'</pre>
+    If the system is configured to watch for network configuration changes, a line should
+    be returned and <tt>perm=wa</tt> should be indicated.
+
+template:
+    name: audit_rules_watch
+    vars:
+        path: /etc/NetworkManager
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -7,7 +7,6 @@ CCE-86465-2
 CCE-86466-0
 CCE-86468-6
 CCE-86469-4
-CCE-86481-9
 CCE-86482-7
 CCE-86483-5
 CCE-86484-3
@@ -37,7 +36,6 @@ CCE-86598-0
 CCE-86600-4
 CCE-86601-2
 CCE-86602-0
-CCE-86603-8
 CCE-86604-6
 CCE-86627-7
 CCE-86629-3
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
@@ -69,7 +69,9 @@ audit_rules_mac_modification
 audit_rules_mac_modification_usr_share
 audit_rules_media_export
 audit_rules_networkconfig_modification
+audit_rules_networkconfig_modification_hostname_file
 audit_rules_networkconfig_modification_network_scripts
+audit_rules_networkconfig_modification_networkmanager
 audit_rules_privileged_commands
 audit_rules_privileged_commands_kmod
 audit_rules_privileged_commands_usermod
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -69,7 +69,9 @@ audit_rules_mac_modification
 audit_rules_mac_modification_usr_share
 audit_rules_media_export
 audit_rules_networkconfig_modification
+audit_rules_networkconfig_modification_hostname_file
 audit_rules_networkconfig_modification_network_scripts
+audit_rules_networkconfig_modification_networkmanager
 audit_rules_privileged_commands
 audit_rules_privileged_commands_kmod
 audit_rules_privileged_commands_usermod
