🧹 Rework of Linux related queries focusing on robustness and using native resources #88
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@mm-weber @atomic111 I'd love to get this one into tomorrow's release. It would really help with container and k8s node scanning. |
|
Changing remediations to fit the checks |
b3e58d1 to
b0cf97f
Compare
… is enabled Signed-off-by: Manuel Weber <manuel@mondoo.com> fixed,regex: Ensure auditing for processes that start prior to auditd is enabled++ Signed-off-by: Manuel Weber <manuel@mondoo.com> fixed,regex: Ensure changes to system administration scope (sudoers) is collected Signed-off-by: Manuel Weber <manuel@mondoo.com> fixed,replaced command: Ensure changes to system administration scope (sudoers) is collected Signed-off-by: Manuel Weber <manuel@mondoo.com> added,regex: Ensure login and logout events are collected Signed-off-by: Manuel Weber <manuel@mondoo.com> fixed,regex: Ensure session initiation information is collected Signed-off-by: Manuel Weber <manuel@mondoo.com> added: manuel/linux-policy-improvements Signed-off-by: Manuel Weber <manuel@mondoo.com> fixed,regex: Ensure events that modify date and time information are collected Signed-off-by: Manuel Weber <manuel@mondoo.com> fixed,regex: Ensure events that modify the systems Mandatory Access Controls are collected Signed-off-by: Manuel Weber <manuel@mondoo.com> fixed,regex: Ensure events that modify the systems network environment are collected Signed-off-by: Manuel Weber <manuel@mondoo.com> fixed,regex: Ensure unsuccessful unauthorized file access attempts are collected Signed-off-by: Manuel Weber <manuel@mondoo.com> fixed,regex:Ensure discretionary access control permission modification events are collected Signed-off-by: Manuel Weber <manuel@mondoo.com> fixed,regex: Ensure events that modify user/group information are collected Signed-off-by: Manuel Weber <manuel@mondoo.com> fixed,regex: Ensure file deletion events by users are collected Signed-off-by: Manuel Weber <manuel@mondoo.com> fixed,regex: Ensure kernel module loading and unloading is collected Signed-off-by: Manuel Weber <manuel@mondoo.com> added: Ensure system administrator actions (sudolog) are collected Signed-off-by: Manuel Weber <manuel@mondoo.com> added: Ensure the audit configuration is immutable Signed-off-by: Manuel Weber <manuel@mondoo.com> regex start changed to include potential whitespace Signed-off-by: Manuel Weber <manuel@mondoo.com> regex end changed to include potential whitespace Signed-off-by: Manuel Weber <manuel@mondoo.com> fixed,regex: Ensure sudo logging is enabled Signed-off-by: Manuel Weber <manuel@mondoo.com> fixed first remedeation Signed-off-by: Manuel Weber <manuel@mondoo.com> added remediation fixes Signed-off-by: Manuel Weber <manuel@mondoo.com> added remediation fixes++ Signed-off-by: Manuel Weber <manuel@mondoo.com> removed superflous description block Signed-off-by: Manuel Weber <manuel@mondoo.com> added remediation fixes+++ Signed-off-by: Manuel Weber <manuel@mondoo.com>
b0cf97f to
a2e34da
Compare
atomic111
approved these changes
Dec 6, 2022
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Improvement on many queries using native resources instead of the
commandresource.More robustness due to using regular expressions instead of plain text
.containsqueries.I intend to split
auditdrelated queries into a separate block ofscoring_queries:to avoid the repeated use of this construct:Would that be preferable?
** Overview of Commits **
Signed-off-by: Manuel Weber manuel@mondoo.com
fixed,regex: Ensure auditing for processes that start prior to auditd is enabled++
fixed,regex: Ensure changes to system administration scope (sudoers) is collected
fixed,replaced command: Ensure changes to system administration scope (sudoers) is collected
added,regex: Ensure login and logout events are collected
fixed,regex: Ensure session initiation information is collected
fixed,regex: Ensure events that modify date and time information are collected
fixed,regex: Ensure events that modify the systems Mandatory Access Controls are collected
fixed,regex: Ensure events that modify the systems network environment are collected
fixed,regex: Ensure unsuccessful unauthorized file access attempts are collected
fixed,regex:Ensure discretionary access control permission modification events are collected
fixed,regex: Ensure events that modify user/group information are collected
fixed,regex: Ensure file deletion events by users are collected
fixed,regex: Ensure kernel module loading and unloading is collected
added: Ensure system administrator actions (sudolog) are collected
added: Ensure the audit configuration is immutable
regex start changed to include potential whitespace
regex end changed to include potential whitespace
fixed,regex: Ensure sudo logging is enabled