From 1b713da97f12c4a328c118ba30c4c44300cc9465 Mon Sep 17 00:00:00 2001
From: Ivo van Doorn
Date: Thu, 16 Nov 2023 10:47:46 +0100
Subject: [PATCH 1/2] Ignore unknown syscalls on aarch64

The auditd rules as indicated in the CIS rules, don't work on AL2023 Gravitron (aarch64) instances. The unavailable syscalls:
- unlink
- rename
- creat
- open
- chown
- lchown
- chmod

For full consistency, I've updated the checks to support the previously used auditd rule, and also added a second rule with the unavailable syscall removed. The stime syscall is also not available, but in cis-dil-benchmark-4.1.5 this syscall is already excluded from the line.

Signed-off-by: Ivo van Doorn
---
.../4_1_configure_system_accounting_auditd.rb | 48 ++++++++++++++++---
1 file changed, 41 insertions(+), 7 deletions(-)

diff --git a/controls/4_1_configure_system_accounting_auditd.rb b/controls/4_1_configure_system_accounting_auditd.rb
index 90c72d2..9a58960 100644
--- a/controls/4_1_configure_system_accounting_auditd.rb
+++ b/controls/4_1_configure_system_accounting_auditd.rb
@@ -278,9 +278,25 @@
 uname = command('uname -m').stdout.strip
 if uname == 'x86_64' || uname == 'aarch64'
+ describe.one do
+ describe file('/etc/audit/audit.rules') do
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
+ end
+ describe file('/etc/audit/audit.rules') do
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S fchmod -S fchmodat -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
+ end
+ end
+
+ describe.one do
+ describe file('/etc/audit/audit.rules') do
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
+ end
+ describe file('/etc/audit/audit.rules') do
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S fchown -S fchownat -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
+ end
+ end
+
 describe file('/etc/audit/audit.rules') do
- its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
- its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
 its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
 end
 end
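Review bot: `describe.one` passes as soon as either nested `describe` matches, so on x86_64 a rule that omits `-S chmod`, or `-S chown -S lchown`, now satisfies this control; the intermediate state of this patch therefore relaxes the x86_64 check rather than only extending it to aarch64. The same applies to the `access` hunk (creat/open) and the `delete` hunk (unlink/rename) below. Patch 2/2 in this series replaces these `describe.one` blocks with per-architecture branches, so squashing the two would keep the weaker check out of history; if they stay separate, the relaxation could at least be documented with `# TODO(aarch64): describe.one also accepts the reduced rule on x86_64 until the arch branches are split`. The enclosing block starts outside the hunk.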
@@ -303,9 +319,22 @@
 uname = command('uname -m').stdout.strip
 if uname == 'x86_64' || uname == 'aarch64'
- describe file('/etc/audit/audit.rules') do
- its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 -k access$/) }
- its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 -k access$/) }
+ describe.one do
+ describe file('/etc/audit/audit.rules') do
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 -k access$/) }
+ end
+ describe file('/etc/audit/audit.rules') do
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 -k access$/) }
+ end
+ end
+
+ describe.one do
+ describe file('/etc/audit/audit.rules') do
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 -k access$/) }
+ end
+ describe file('/etc/audit/audit.rules') do
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 -k access$/) }
+ end
 end
 end
 end
@@ -365,8 +394,13 @@
 uname = command('uname -m').stdout.strip
 if uname == 'x86_64' || uname == 'aarch64'
- describe file('/etc/audit/audit.rules') do
- its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 -k delete$/) }
+ describe.one do
+ describe file('/etc/audit/audit.rules') do
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 -k delete$/) }
+ end
+ describe file('/etc/audit/audit.rules') do
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlinkat -S renameat -F auid>=#{uid_min} -F auid!=4294967295 -k delete$/) }
+ end
 end
 end
 end

From 9b28e6577df88aeda9a7326dd7d49c59a7a80108 Mon Sep 17 00:00:00 2001
From: Ivo van Doorn
Date: Thu, 16 Nov 2023 16:13:01 +0100
Subject: [PATCH 2/2] Split the x86_64 and aarch64 branches

Split the architecture branches, to force the the logging of the correct syscalls for the each architecture.

Signed-off-by: Ivo van Doorn
---
.../4_1_configure_system_accounting_auditd.rb | 70 ++++++++----------
1 file changed, 30 insertions(+), 40 deletions(-)

diff --git a/controls/4_1_configure_system_accounting_auditd.rb b/controls/4_1_configure_system_accounting_auditd.rb
index 9a58960..6f121a8 100644
--- a/controls/4_1_configure_system_accounting_auditd.rb
+++ b/controls/4_1_configure_system_accounting_auditd.rb
@@ -277,26 +277,19 @@
 end
 uname = command('uname -m').stdout.strip
- if uname == 'x86_64' || uname == 'aarch64'
- describe.one do
- describe file('/etc/audit/audit.rules') do
- its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
- end
- describe file('/etc/audit/audit.rules') do
- its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S fchmod -S fchmodat -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
- end
- end
-
- describe.one do
- describe file('/etc/audit/audit.rules') do
- its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
- end
- describe file('/etc/audit/audit.rules') do
- its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S fchown -S fchownat -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
- end
+ if uname == 'x86_64'
+ describe file('/etc/audit/audit.rules') do
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
 end
+ end
+
+ # For aarch64 the symbols chmod, chown and lchown are not available
+ if uname == 'aarch64'
 describe file('/etc/audit/audit.rules') do
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S fchmod -S fchmodat -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S fchown -S fchownat -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
 its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
 end
 end
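Review bot: The two back-to-back `if uname == 'x86_64'` / `if uname == 'aarch64'` blocks branch on the same value and would read as a single decision written as `case uname` / `when 'x86_64'` / `when 'aarch64'`; the same shape recurs in the `access` and `delete` hunks of this patch. A `case` also gives a natural place for an `else`, because as written any other 64-bit architecture matches neither branch and the control passes with no b64 rule asserted at all (that was already true before the split, so it may be intentional, but it is worth a comment). The new comment says "symbols", whereas `-S` takes syscall names; `# aarch64 has no chmod/chown/lchown syscalls, so its b64 rule lists only the f*/ *at variants` states the reason more precisely. The enclosing block starts outside the hunk.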
@@ -318,23 +311,18 @@
 end
 uname = command('uname -m').stdout.strip
- if uname == 'x86_64' || uname == 'aarch64'
- describe.one do
- describe file('/etc/audit/audit.rules') do
- its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 -k access$/) }
- end
- describe file('/etc/audit/audit.rules') do
- its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 -k access$/) }
- end
+ if uname == 'x86_64'
+ describe file('/etc/audit/audit.rules') do
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 -k access$/) }
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 -k access$/) }
 end
+ end
- describe.one do
- describe file('/etc/audit/audit.rules') do
- its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 -k access$/) }
- end
- describe file('/etc/audit/audit.rules') do
- its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 -k access$/) }
- end
+ # For aarch64 the symbols creat and open are not available
+ if uname == 'aarch64'
+ describe file('/etc/audit/audit.rules') do
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 -k access$/) }
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 -k access$/) }
 end
 end
 end
@@ -393,14 +381,16 @@
 end
 uname = command('uname -m').stdout.strip
- if uname == 'x86_64' || uname == 'aarch64'
- describe.one do
- describe file('/etc/audit/audit.rules') do
- its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 -k delete$/) }
- end
- describe file('/etc/audit/audit.rules') do
- its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlinkat -S renameat -F auid>=#{uid_min} -F auid!=4294967295 -k delete$/) }
- end
+ if uname == 'x86_64'
+ describe file('/etc/audit/audit.rules') do
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 -k delete$/) }
+ end
+ end
+
+ # For aarch64 the symbols unlink and rename are not available
+ if uname == 'aarch64'
+ describe file('/etc/audit/audit.rules') do
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlinkat -S renameat -F auid>=#{uid_min} -F auid!=4294967295 -k delete$/) }
 end
 end
 end
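Review bot: The aarch64 `access` rule is pinned to exactly `-S openat -S truncate -S ftruncate`, and because the regex is anchored at both ends and fixes the `-S` order, a rule that additionally names `openat2` (a distinct syscall on current kernels, which a filter on `openat` alone does not match) would fail this check; it is worth confirming against the benchmark text for AL2023 whether that syscall belongs in the expected line, and the same question applies to `renameat2` for the `delete` hunk below. If it does, the expected line here and in the x86_64 branch would need that name added in the benchmark's order, or the match loosened to tolerate it. The enclosing block starts outside the hunk.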