From 644c1c79b5a5badd9125b3de61e9920789a552da Mon Sep 17 00:00:00 2001
From: Yuqing Yang
Date: Wed, 15 Nov 2023 15:31:13 +0800
Subject: [PATCH] Fix the following two benchmark bug:
2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected
2.23-ensure-that-events-that-modify-user-group-information-are-collected
The previous descriptions in benchmark, remediation-kits, scanners do not correspond to the code.
Signed-off-by: Yuqing Yang
---
 ...-management-scope-sudoers-are-collected.md | 36 +++++++------------
 ...fy-user-group-information-are-collected.md | 34 ++++++++++++------
 ...-management-scope-sudoers-are-collected.sh | 14 +++-----
 ...fy-user-group-information-are-collected.sh | 14 +++++---
 ...-management-scope-sudoers-are-collected.sh | 14 +++-----
 ...fy-user-group-information-are-collected.sh | 14 +++++---
 6 files changed, 63 insertions(+), 63 deletions(-)
diff --git a/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md b/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md
index 10d12ea..219ec2e 100644
--- a/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md
+++ b/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md
@@ -15,8 +15,8 @@
 运行以下命令,配置审计服务,确保收集对系统管理范围(sudoers)的更改:
 ```bash
-# echo -e "-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/rules.d/audit.rules
-# echo -e "\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/audit.rules
+# echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/audit.rules
+# echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/audit.rules
 ```
 ## 扫描检测
@@ -26,28 +26,16 @@
 执行以下命令,检查对系统管理范围(sudoers)的审计收集是否正确配置:
 ```bash
-# grep -E "\-w\s/etc/group\s\-p\swa\s\-k\sidentity
-\-w\s/etc/passwd\s\-p\swa\s\-k\sidentity
-\-w\s/etc/gshadow\s\-p\swa\s\-k\sidentity
-\-w\s/etc/shadow\s\-p\swa\s\-k\sidentity
-\-w\s/etc/security/opasswd\s\-p\swa\s\-k\sidentity" /etc/audit/rules.d/audit.rules
--w /etc/group -p wa -k identity
--w /etc/passwd -p wa -k identity
--w /etc/gshadow -p wa -k identity
--w /etc/shadow -p wa -k identity
--w /etc/security/opasswd -p wa -k identity
-
-# grep -E "\-w\s/etc/group\s\-p\swa\s\-k\sidentity
-\-w\s/etc/passwd\s\-p\swa\s\-k\sidentity
-\-w\s/etc/gshadow\s\-p\swa\s\-k\sidentity
-\-w\s/etc/shadow\s\-p\swa\s\-k\sidentity
-\-w\s/etc/security/opasswd\s\-p\swa\s\-k\sidentity" /etc/audit/audit.rules
--w /etc/group -p wa -k identity
--w /etc/passwd -p wa -k identity
--w /etc/gshadow -p wa -k identity
--w /etc/shadow -p wa -k identity
--w /etc/security/opasswd -p wa -k identity
+# grep -E "\-w\s/etc/sudoers\s\-p\swa\s\-k\sscope
+\-w\s/etc/sudoers.d/\s\-p\swa\s\-k\sscope" /etc/audit/rules.d/audit.rules
+-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d/ -p wa -k scope
+
+# grep -E "\-w\s/etc/sudoers\s\-p\swa\s\-k\sscope
+\-w\s/etc/sudoers.d/\s\-p\swa\s\-k\sscope" /etc/audit/audit.rules
+-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d/ -p wa -k scope
 ```
 如输出结果符合预期,则视为通过此项检查。
-## 参考
+## 参考
\ No newline at end of file
diff --git a/benchmarks/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.md b/benchmarks/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.md
index 5940c3f..21dd00e 100644
--- a/benchmarks/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.md
+++ b/benchmarks/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.md
@@ -15,8 +15,8 @@
 运行以下命令,配置审计服务,确保收集对用户/组信息的修改事件:
 ```bash
-# echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/audit.rules
-# echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/audit.rules
+# echo -e "-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/rules.d/audit.rules
+# echo -e "\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/audit.rules
 ```
 ## 扫描检测
@@ -26,15 +26,27 @@
 执行以下命令,检查对用户/组信息的修改审计收集是否正确配置:
 ```bash
-# grep -E "\-w\s/etc/sudoers\s\-p\swa\s\-k\sscope
-\-w\s/etc/sudoers.d/\s\-p\swa\s\-k\sscope" /etc/audit/rules.d/audit.rules
--w /etc/sudoers -p wa -k scope
--w /etc/sudoers.d/ -p wa -k scope
-
-# grep -E "\-w\s/etc/sudoers\s\-p\swa\s\-k\sscope
-\-w\s/etc/sudoers.d/\s\-p\swa\s\-k\sscope" /etc/audit/audit.rules
--w /etc/sudoers -p wa -k scope
--w /etc/sudoers.d/ -p wa -k scope
+# grep -E "\-w\s/etc/group\s\-p\swa\s\-k\sidentity
+\-w\s/etc/passwd\s\-p\swa\s\-k\sidentity
+\-w\s/etc/gshadow\s\-p\swa\s\-k\sidentity
+\-w\s/etc/shadow\s\-p\swa\s\-k\sidentity
+\-w\s/etc/security/opasswd\s\-p\swa\s\-k\sidentity" /etc/audit/rules.d/audit.rules
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+
+# grep -E "\-w\s/etc/group\s\-p\swa\s\-k\sidentity
+\-w\s/etc/passwd\s\-p\swa\s\-k\sidentity
+\-w\s/etc/gshadow\s\-p\swa\s\-k\sidentity
+\-w\s/etc/shadow\s\-p\swa\s\-k\sidentity
+\-w\s/etc/security/opasswd\s\-p\swa\s\-k\sidentity" /etc/audit/audit.rules
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
 ```
 如输出结果符合预期,则视为通过此项检查。
diff --git a/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
index b331cca..d106118 100644
--- a/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
+++ b/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
@@ -1,10 +1,4 @@
-grep -q "\-w /etc/group -p wa -k identity
--w /etc/passwd -p wa -k identity
--w /etc/gshadow -p wa -k identity
--w /etc/shadow -p wa -k identity
--w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules || echo -e "-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/rules.d/audit.rules
-grep -q "\-w /etc/group -p wa -k identity
--w /etc/passwd -p wa -k identity
--w /etc/gshadow -p wa -k identity
--w /etc/shadow -p wa -k identity
--w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules || echo -e "\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/audit.rules
+grep -q "\-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d/ -p wa -k scope" /etc/audit/rules.d/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/audit.rules
+grep -q "\-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d/ -p wa -k scope" /etc/audit/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/audit.rules
diff --git a/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh b/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh
index d106118..fcf6eb1 100644
--- a/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh
+++ b/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh
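Review bot: The two-line pattern handed to `grep -q` on new lines 1–4 is read by grep as two separate patterns (one per line), so the guard succeeds when only one of the `-w /etc/sudoers` / `-w /etc/sudoers.d/` watches is present and the missing one is never appended; the same newline-as-alternation issue is in remediation-kits 2.23 and in scanners 2.22 and 2.23 in this commit, where a single present rule already yields `pass`. The unescaped `.` in `sudoers.d` is also a regex metacharacter here, and `echo -e` is not portable to every `/bin/sh`. Checking each rule on its own with a fixed-string match and appending with `printf` avoids all three; one loop per target file keeps it short.
```shell
rules_file=/etc/audit/rules.d/audit.rules
for rule in '-w /etc/sudoers -p wa -k scope' '-w /etc/sudoers.d/ -p wa -k scope'; do
  grep -qF -- "$rule" "$rules_file" || printf '%s\n' "$rule" >> "$rules_file"
done
# … same loop repeated with rules_file=/etc/audit/audit.rules …
```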
@@ -1,4 +1,10 @@
-grep -q "\-w /etc/sudoers -p wa -k scope
--w /etc/sudoers.d/ -p wa -k scope" /etc/audit/rules.d/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/audit.rules
-grep -q "\-w /etc/sudoers -p wa -k scope
--w /etc/sudoers.d/ -p wa -k scope" /etc/audit/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/audit.rules
+grep -q "\-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules || echo -e "-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/rules.d/audit.rules
+grep -q "\-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules || echo -e "\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/audit.rules
\ No newline at end of file
diff --git a/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
index 30de77b..61a6f43 100644
--- a/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
+++ b/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
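Review bot: The second command's guard greps `/etc/audit/rules.d/*.rules` but its append target is `/etc/audit/audit.rules`, so in the normal case — once the first command has written the identity watches into `/etc/audit/rules.d/audit.rules` — the second `grep -q` always succeeds and `/etc/audit/audit.rules` is never updated, on the first run or on any repeat. The guard should test the file it writes: change the second command's grep target from `/etc/audit/rules.d/*.rules` to `/etc/audit/audit.rules`, as the 2.22 remediation in this commit already does. The pattern-per-line alternation issue raised on the 2.22 remediation applies to both greps here as well.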
@@ -1,17 +1,11 @@
 result=false
-grep -q "\-w /etc/group -p wa -k identity
--w /etc/passwd -p wa -k identity
--w /etc/gshadow -p wa -k identity
--w /etc/shadow -p wa -k identity
--w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules && grep -q "\-w /etc/group -p wa -k identity
--w /etc/passwd -p wa -k identity
--w /etc/gshadow -p wa -k identity
--w /etc/shadow -p wa -k identity
--w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules && result=true
+grep -q "\-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d/ -p wa -k scope" /etc/audit/rules.d/audit.rules && grep -q "\-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d/ -p wa -k scope" /etc/audit/audit.rules && result=true
 if [ "$result" = true ]; then
 echo "pass"
 else
 echo "fail"
-fi
+fi
\ No newline at end of file
diff --git a/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh b/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh
index ec29b97..9851c6a 100644
--- a/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh
+++ b/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh
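Review bot: The first `grep -q` on the new lines inspects only `/etc/audit/rules.d/audit.rules`, whereas the 2.23 scanner in this same commit inspects `/etc/audit/rules.d/*.rules`, so the two scanners disagree on what counts as configured, and a sudoers watch kept in any other drop-in file under rules.d (all of which augenrules merges into the loaded rule set) is reported as `fail` here. If the single file is intentional to match the benchmark page, the 2.23 scanner should be narrowed to the same file; otherwise use the glob here, `grep -q "…" /etc/audit/rules.d/*.rules`. Independently, the `.` in `sudoers.d` is an unescaped regex metacharacter in both greps; `-F` makes the match literal.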
@@ -1,11 +1,17 @@
 result=false
-grep -q "\-w /etc/sudoers -p wa -k scope
--w /etc/sudoers.d/ -p wa -k scope" /etc/audit/rules.d/audit.rules && grep -q "\-w /etc/sudoers -p wa -k scope
--w /etc/sudoers.d/ -p wa -k scope" /etc/audit/audit.rules && result=true
+grep -q "\-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules && grep -q "\-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules && result=true
 if [ "$result" = true ]; then
 echo "pass"
 else
 echo "fail"
-fi
+fi
\ No newline at end of file
-- 
Gitee
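Review bot: Both `grep -q` calls on the new lines test `/etc/audit/rules.d/*.rules`; nothing in this scanner looks at `/etc/audit/audit.rules`, even though the 2.23 benchmark page changed in this same commit lists a second check against `/etc/audit/audit.rules` and the 2.22 scanner performs one. As written the second grep duplicates the first, so the `&&` chain cannot distinguish the two files. Pointing the second grep at `/etc/audit/audit.rules` makes the scanner agree with its own benchmark text and with its sibling.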