update controls and github action

pwong2021 · pwong2021 · commit 6e36d4ee3738 · 2026-05-19T14:29:03.000-07:00
diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml
@@ -15,7 +15,7 @@ jobs:
       CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}
       KITCHEN_LOCAL_YAML: kitchen.container.yml
       LC_ALL: "en_US.UTF-8"
-      PLATFORM: "ubuntu-20.04"
+      PLATFORM: "ubuntu-20"
       HARDENED_CONTAINER_IMAGE: "registry1.dso.mil/ironbank/canonical/ubuntu-pro-stig:20.04-fips_stable"
       VANILLA_CONTAINER_IMAGE: "ubuntu:20.04"
     strategy:
diff --git a/.github/workflows/verify-lxd-vm.yml b/.github/workflows/verify-lxd-vm.yml
@@ -14,8 +14,6 @@ jobs:
       CHEF_LICENSE: accept-silent
       CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}
       KITCHEN_LOCAL_YAML: kitchen.lxd.yml
-      SAF_PIPELINE_SUBNET: ${{ secrets.SAF_PIPELINE_SUBNET }}
-      SAF_PIPELINE_SG: ${{ secrets.SAF_PIPELINE_SG }}
       PLATFORM: "ubuntu-20"
       LC_ALL: "en_US.UTF-8"
       LXD_IMAGE: "ubuntu:20.04"
@@ -25,10 +23,8 @@ jobs:
         suite: ["vanilla", "hardened"]
       fail-fast: false
     steps:
-      - name: add needed packages
-        run: |
-          sudo apt-get update
-          sudo apt-get -y install jq
+      - name: Install host packages
+        run: sudo apt-get update && sudo apt-get -y install jq
 
       - name: Install LXD
         run: |
diff --git a/controls/SV-238285.rb b/controls/SV-238285.rb
@@ -39,34 +39,18 @@
   tag nist: ['AU-12 c']
   tag 'host'
 
-  if virtualization.system.eql?('docker')
-    impact 0.0
-    describe 'Control not applicable to a container' do
-      skip 'Control not applicable to a container'
-    end
-  else
-    @audit_file = '/var/log/tallylog'
-
-    audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?
-    if audit_lines_exist
-      describe auditd.file(@audit_file) do
-        its('permissions') { should_not cmp [] }
-        its('action') { should_not include 'never' }
-      end
-
-      @perms = auditd.file(@audit_file).permissions
-
-      @perms.each do |perm|
-        describe perm do
-          it { should include 'w' }
-          it { should include 'a' }
-        end
-      end
-    else
-      describe("Audit line(s) for #{@audit_file} exist") do
-        subject { audit_lines_exist }
-        it { should be true }
-      end
+  only_if('This control is Not Applicable to containers', impact: 0.0) {
+    !%w[docker podman kubepods lxc].include?(virtualization.system)
+  }
+
+  audit_command = '/var/log/tallylog'
+
+  describe 'Command' do
+    it "#{audit_command} is audited properly" do
+      audit_rule = auditd.file(audit_command)
+      expect(audit_rule).to exist
+      expect(audit_rule.permissions.flatten).to include('w', 'a')
+      expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])
     end
   end
 end
diff --git a/controls/SV-238315.rb b/controls/SV-238315.rb
@@ -36,34 +36,18 @@
   tag nist: ['AU-12 c']
   tag 'host'
 
-  if virtualization.system.eql?('docker')
-    impact 0.0
-    describe 'Control not applicable to a container' do
-      skip 'Control not applicable to a container'
-    end
-  else
-    @audit_file = '/var/log/wtmp'
-
-    audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?
-    if audit_lines_exist
-      describe auditd.file(@audit_file) do
-        its('permissions') { should_not cmp [] }
-        its('action') { should_not include 'never' }
-      end
-
-      @perms = auditd.file(@audit_file).permissions
-
-      @perms.each do |perm|
-        describe perm do
-          it { should include 'w' }
-          it { should include 'a' }
-        end
-      end
-    else
-      describe("Audit line(s) for #{@audit_file} exist") do
-        subject { audit_lines_exist }
-        it { should be true }
-      end
+  only_if('This control is Not Applicable to containers', impact: 0.0) {
+    !%w[docker podman kubepods lxc].include?(virtualization.system)
+  }
+
+  audit_command = '/var/log/wtmp'
+
+  describe 'Command' do
+    it "#{audit_command} is audited properly" do
+      audit_rule = auditd.file(audit_command)
+      expect(audit_rule).to exist
+      expect(audit_rule.permissions.flatten).to include('w', 'a')
+      expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])
     end
   end
 end
diff --git a/controls/SV-238316.rb b/controls/SV-238316.rb
@@ -36,34 +36,18 @@
   tag nist: ['AU-12 c']
   tag 'host'
 
-  if virtualization.system.eql?('docker')
-    impact 0.0
-    describe 'Control not applicable to a container' do
-      skip 'Control not applicable to a container'
-    end
-  else
-    @audit_file = '/var/run/wtmp'
-
-    audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?
-    if audit_lines_exist
-      describe auditd.file(@audit_file) do
-        its('permissions') { should_not cmp [] }
-        its('action') { should_not include 'never' }
-      end
-
-      @perms = auditd.file(@audit_file).permissions
-
-      @perms.each do |perm|
-        describe perm do
-          it { should include 'w' }
-          it { should include 'a' }
-        end
-      end
-    else
-      describe("Audit line(s) for #{@audit_file} exist") do
-        subject { audit_lines_exist }
-        it { should be true }
-      end
+  only_if('This control is Not Applicable to containers', impact: 0.0) {
+    !%w[docker podman kubepods lxc].include?(virtualization.system)
+  }
+
+  audit_command = '/var/run/utmp'
+
+  describe 'Command' do
+    it "#{audit_command} is audited properly" do
+      audit_rule = auditd.file(audit_command)
+      expect(audit_rule).to exist
+      expect(audit_rule.permissions.flatten).to include('w', 'a')
+      expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])
     end
   end
 end
diff --git a/controls/SV-238317.rb b/controls/SV-238317.rb
@@ -36,34 +36,18 @@
   tag nist: ['AU-12 c']
   tag 'host'
 
-  if virtualization.system.eql?('docker')
-    impact 0.0
-    describe 'Control not applicable to a container' do
-      skip 'Control not applicable to a container'
-    end
-  else
-    @audit_file = '/var/log/btmp'
-
-    audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?
-    if audit_lines_exist
-      describe auditd.file(@audit_file) do
-        its('permissions') { should_not cmp [] }
-        its('action') { should_not include 'never' }
-      end
-
-      @perms = auditd.file(@audit_file).permissions
-
-      @perms.each do |perm|
-        describe perm do
-          it { should include 'w' }
-          it { should include 'a' }
-        end
-      end
-    else
-      describe("Audit line(s) for #{@audit_file} exist") do
-        subject { audit_lines_exist }
-        it { should be true }
-      end
+  only_if('This control is Not Applicable to containers', impact: 0.0) {
+    !%w[docker podman kubepods lxc].include?(virtualization.system)
+  }
+
+  audit_command = '/var/log/btmp'
+
+  describe 'Command' do
+    it "#{audit_command} is audited properly" do
+      audit_rule = auditd.file(audit_command)
+      expect(audit_rule).to exist
+      expect(audit_rule.permissions.flatten).to include('w', 'a')
+      expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])
     end
   end
 end
diff --git a/inspec.yml b/inspec.yml
@@ -237,7 +237,8 @@ inputs:
       '/var/spool/cron'               : 'cronjobs',
       '/usr/bin/sudoedit'             : 'priv_cmd',
       '/var/log/faillog'              : 'logins',
-      '/usr/sbin/fdisk'               : 'fdisk'
+      '/usr/sbin/fdisk'               : 'fdisk',
+      '/var/log/tallylog'             : 'logins'
     }
 
   # Default values for expected keynames for all audit rules
@@ -379,93 +380,4 @@ inputs:
     description: Number of permitted concurrent sessions on this system
     type: Numeric
     value: 10
-
-  - name: audit_rule_keynames
-    description: The audit rules to be applied to the system
-    type: Hash
-    value: {
-      'execve'                        : 'execpriv',
-      '/etc/shadow'                   : 'usergroup_modification',
-      '/etc/security/opasswd'         : 'usergroup_modification',
-      '/etc/passwd'                   : 'usergroup_modification',
-      '/etc/gshadow'                  : 'usergroup_modification',
-      '/etc/group'                    : 'usergroup_modification',
-      '/etc/sudoers'                  : 'identity',
-      '/etc/sudoers.d'                : 'identity',
-      '/bin/su'                       : 'privileged-priv_change',
-      'setxattr'                      : 'perm_mod',
-      'fsetxattr'                     : 'perm_mod',
-      'lsetxattr'                     : 'perm_mod',
-      'removexattr'                   : 'perm_mod',
-      'fremovexattr'                  : 'perm_mod',
-      'lremovexattr'                  : 'perm_mod',
-      '/usr/bin/chage'                : 'privileged-chage',
-      '/usr/bin/chcon'                : 'perm_mod',
-      '/usr/bin/ssh-agent'            : 'privileged-ssh',
-      '/usr/bin/passwd'               : 'privileged-passwd',
-      '/usr/bin/mount'                : 'privileged-mount',
-      '/usr/bin/umount'               : 'privileged-umount',
-      '/sbin/unix_update'             : 'privileged-unix-update',
-      '/usr/lib/openssh/ssh-keysign'  : 'privileged-ssh',
-      '/usr/bin/setfacl'              : 'perm_mod',
-      '/usr/sbin/pam_timestamp_check' : 'privileged-pam_timestamp_check',
-      '/usr/bin/newgrp'               : 'priv_cmd',
-      'init_module'                   : 'module_chng',
-      'finit_module'                  : 'module_chng',
-      'rename'                        : 'delete',
-      'unlink'                        : 'delete',
-      'rmdir'                         : 'delete',
-      'renameat'                      : 'delete',
-      'unlinkat'                      : 'delete',
-      '/usr/bin/gpasswd'              : 'privileged-gpasswd',
-      'delete_module'                 : 'module_chng',
-      '/usr/bin/crontab'              : 'privileged-crontab',
-      '/usr/bin/chsh'                 : 'priv_cmd',
-      'truncate'                      : 'perm_access',
-      'ftruncate'                     : 'perm_access',
-      'creat'                         : 'perm_access',
-      'open'                          : 'perm_access',
-      'openat'                        : 'perm_access',
-      'open_by_handle_at'             : 'perm_access',
-      'chown'                         : 'perm_mod',
-      'chmod'                         : 'perm_chng',
-      'fchmod'                        : 'perm_chng',
-      'fchmodat'                      : 'perm_chng',
-      '/usr/bin/sudo'                 : 'priv_cmd',
-      '/usr/sbin/usermod'             : 'privileged-usermod',
-      '/usr/bin/chacl'                : 'perm_mod',
-      '/bin/kmod'                     : 'modules',
-      '/sbin/modprobe'                : 'modules',
-      '/sbin/apparmor_parser'         : 'perm_chng',
-      '/usr/bin/chfn'                 : 'privileged-chfn',
-      '/var/log/lastlog'              : 'logins',
-      '/var/log/btmp'                 : 'logins',
-      '/var/log/wtmp'                 : 'logins',
-      '/var/run/utmp'                 : 'logins',
-      '/var/log/sudo.log'             : 'maintenance',
-      '/etc/cron.d'                   : 'cronjobs',
-      '/var/spool/cron'               : 'cronjobs',
-      '/usr/bin/sudoedit'             : 'priv_cmd',
-      '/var/log/faillog'              : 'logins',
-      '/usr/sbin/fdisk'               : 'fdisk'
-    }
-
-  
-  # Default values for expected keynames for all audit rules
-  # NOTE: DO NOT override this hash
-  # If you need to override these values, do so via adding the desired key/value to
-  # the `audit_rule_keynames_overrides` input instead -- overriding `audit_rule_keynames`
-  # directly will lose the values for any key you do not explictly define.
-  # SV-270684, SV-270685, SV-270686, SV-270687, SV-270688, SV-270689, SV-270715, SV-270740, SV-270778, SV-270779, SV-270780, SV-270781, SV-270782, SV-270783, SV-270784, SV-270785, SV-270786, SV-270787, SV-270788, SV-270789, SV-270790, SV-270791, SV-270792, SV-270793, SV-270794, SV-270795, SV-270796, SV-270797, SV-270798, SV-270799, SV-270800, SV-270801, SV-270802, SV-270803, SV-270804, SV-270805, SV-270806, SV-270807, SV-270808, SV-270809, SV-270810, SV-270811, SV-270812, SV-270813, SV-270814, SV-270815, SV-274870
-  - name: audit_rule_keynames_overrides
-    description: The audit rules to be applied to the system
-    type: Hash
-    value: {
-      '/etc/sudoers.d'                : 'privilege_modification',
-      '/etc/sudoers'                  : 'privilege_modification',
-      '/var/log/journal'              : 'systemd_journal',
-      'chown'                         : 'perm_chng',
-      '/usr/bin/chacl'                : 'perm_chng',
-      '/usr/bin/chcon'                : 'perm_chng',
-      '/usr/bin/setfacl'              : 'perm_chng',
-    }
+  
