Do not expect auditd rules for obsolete syscalls on arm64/aarch64 architecture #14372

@pfuntner

Description

Share the context

ComplianceAsCode v0.1.76 does not do a thorough test of auditd rules. By only looking at /etc/audit/* files, false positives are possible for an arm64 architecture system when there are audit rules for syscalls chmod(), chown(), creat(), lchown(), open(), rename(), unlink() and rmdir() which are obsolete.

Description of problem:

An Ubuntu 22 system running on arm64 architecture and hardened to pass the ComplianceAsCode v0.1.76 tests will have audit rules that can't be loaded:

root@ip-172-31-61-197:~# grep PRETTY_NAME /etc/os-release
PRETTY_NAME="Ubuntu 22.04.5 LTS"
root@ip-172-31-61-197:~# arch
aarch64
root@ip-172-31-61-197:~# grep -rw chmod /etc/audit
/etc/audit/rules.d/audit.rules:-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
/etc/audit/rules.d/audit.rules:-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
/etc/audit/audit.rules:-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
/etc/audit/audit.rules:-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
root@ip-172-31-61-197:~# auditctl -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid\>=1000 -F auid!=4294967295 -k perm_mod
Syscall name unknown: chmod
root@ip-172-31-61-197:~# auditctl -a always,exit -F arch=b64 -S fchmod -S fchmodat -F auid\>=1000 -F auid!=4294967295 -k perm_mod
root@ip-172-31-61-197:~#

auditd will stop loading rules by default in such a situation and fail to load subsequent rules in /etc/audit/audit.rules, leading to an incomplete set of rules.

If the obsolete syscalls are removed, auditd will load all of the rules but ComplianceAsCode tests for the obsolete syscalls fail:

  • xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
  • xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
  • xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat
  • xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
  • xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open
  • xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
  • xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
  • xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink

OpenSCAP reports

Proposed changes:

  1. Improve tests to also check that the rules are present in auditctl -l
  2. Do not expect arch=b64 rules for obsolete syscalls on arm64 architecture

References:

  1. Closely related to "audit-rules service fails due to unsupported rule group on aarch64" #14196
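A pre-check in the spirit of proposed change 1, as an added example that is not code from the issue or from the ComplianceAsCode project: it rewrites arch=b64 rules on an aarch64 host so that syscall names auditctl rejects are dropped (as done by hand in the auditctl session above) and the rest of the rule set still loads. The set of unsupported names is taken from this report, not derived, and b32 rules and other host architectures are assumed to pass through untouched.

```python
"""Repair audit rules naming syscalls that auditctl rejects on aarch64 (added example)."""
import shlex

# Syscalls this issue reports as "Syscall name unknown" for arch=b64 on aarch64.
# Taken from the report, not derived: confirm on the host with auditctl before use.
UNSUPPORTED_B64_AARCH64 = frozenset(
    {"chmod", "chown", "creat", "lchown", "open", "rename", "unlink", "rmdir"})

def rule_arch(tokens):
    """Return the arch= value of an auditctl rule's tokens, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-F" and tokens[i + 1].startswith("arch="):
            return tokens[i + 1].split("=", 1)[1]
    return None

def repair_rule(line, unsupported=UNSUPPORTED_B64_AARCH64, host_arch="aarch64"):
    """Return (fixed_line, dropped_syscalls) for one rules.d line.

    Only arch=b64 rules on an aarch64 host are rewritten; anything else passes
    through unchanged. fixed_line is None when no syscall survives: a -S rule
    with nothing left must be removed rather than emitted half-empty.
    """
    tokens = shlex.split(line)
    if host_arch != "aarch64" or rule_arch(tokens) != "b64":
        return line, []
    out, dropped, kept_any, i = [], [], False, 0
    while i < len(tokens):
        if tokens[i] == "-S" and i + 1 < len(tokens):
            names = tokens[i + 1].split(",")  # both "-S a,b" and repeated -S occur
            keep = [n for n in names if n not in unsupported]
            dropped += [n for n in names if n in unsupported]
            if keep:
                out += ["-S", ",".join(keep)]
                kept_any = True
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    if not dropped:
        return line, []
    return (" ".join(out) if kept_any else None), dropped

# Constructed sample: the two perm_mod rules shown in the issue's rules.d file.
SAMPLE_RULES = [
    "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod",
    "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod",
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        fixed, dropped = repair_rule(rule)
        print(f"dropped={dropped}\n  {fixed}")
```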

Metadata

Labels: enhancement (General enhancements to the project.)
