Extend syscall rules for security policies

Added audit rules for new mount and Landlock-related syscalls—mount_setattr,
landlock_create_ruleset, landlock_add_rule, landlock_restrict_self, and
lsm_set_self_attr—in the OSPP policy set with a special-config-changes
key to track sensitive configuration activity.

Mirrored these syscall audits in the PCI-DSS policy rules using the
10.2.7-system-object key to align with PCI-DSS requirements for
system-level object changes.

Updated the STIG rule set to log mount_setattr alongside mount, ensuring
mount attribute changes are captured for STIG compliance.

Author: stevegrubb

rules/30-ospp-v42.rules

@@ -74,6 +74,18 @@
 -a always,exit -F arch=b32 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 
+## Capture mount and LSM attribute changes
+-a always,exit -F arch=b32 -S mount_setattr -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -S mount_setattr -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -S landlock_create_ruleset -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -S landlock_create_ruleset -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -S landlock_add_rule -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -S landlock_add_rule -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -S landlock_restrict_self -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -S landlock_restrict_self -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -S lsm_set_self_attr -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -S lsm_set_self_attr -F auid>=1000 -F auid!=unset -F key=special-config-changes
+
 ## Privilege escalation via su or sudo. This is entirely handled by pam.
 ## Special case for systemd-run. It is not audit aware, specifically watch it
 -a always,exit -F arch=b32 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation

rules/30-pci-dss-v31.rules

@@ -1,6 +1,6 @@
 ## The purpose of these rules is to meet the pci-dss v3.1 auditing requirements
-## These rules depends on having 10-base-config.rules & 99-finalize.rules
-## installed.
+## These rules depends on having 10-base-config.rules, 43-module-load.rules,
+## and 99-finalize.rules installed.
 
 ## NOTE:
 ## 1) if this is being used on a 32 bit machine, comment out the b64 lines
@@ -87,7 +87,22 @@
 ## These are handled implicitly by auditd
 
 ## 10.2.7 Creation and deletion of system-level objects
-## This requirement seems to be database table related and not audit
+## This requirement would include the database table holding user information.
+## but we will also define this to mean Kernel modules, security controls,
+## and system software. Changes to system software is implicitly met by
+## librpm so that using either rpm or dnf to install something results in an
+## audit event. We will place rules to meet the other items.
+## For kernel modules, include 43-module-load.rules
+-a always,exit -F arch=b32 -S mount_setattr -F auid>=1000 -F auid!=unset -F key=10.2.7-system-objects
+-a always,exit -F arch=b64 -S mount_setattr -F auid>=1000 -F auid!=unset -F key=10.2.7-system-objects
+-a always,exit -F arch=b32 -S landlock_create_ruleset -F auid>=1000 -F auid!=unset -F key=10.2.7-system-objects
+-a always,exit -F arch=b64 -S landlock_create_ruleset -F auid>=1000 -F auid!=unset -F key=10.2.7-system-objects
+-a always,exit -F arch=b32 -S landlock_add_rule -F auid>=1000 -F auid!=unset -F key=10.2.7-system-objects
+-a always,exit -F arch=b64 -S landlock_add_rule -F auid>=1000 -F auid!=unset -F key=10.2.7-system-objects
+-a always,exit -F arch=b32 -S landlock_restrict_self -F auid>=1000 -F auid!=unset -F key=10.2.7-system-objects
+-a always,exit -F arch=b64 -S landlock_restrict_self -F auid>=1000 -F auid!=unset -F key=10.2.7-system-objects
+-a always,exit -F arch=b32 -S lsm_set_self_attr -F auid>=1000 -F auid!=unset -F key=10.2.7-system-objects
+-a always,exit -F arch=b64 -S lsm_set_self_attr -F auid>=1000 -F auid!=unset -F key=10.2.7-system-objects
 
 ## 10.3 Record at least the following audit trail entries
 ## 10.3.1 through 10.3.6 are implicitly met by the audit system.

rules/30-stig.rules

@@ -129,8 +129,8 @@
 ## You have to mount media before using it. You must disable all automounting
 ## so that its done manually in order to get the correct user requesting the
 ## export
--a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=export
--a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=export
+-a always,exit -F arch=b32 -S mount,mount_setattr -F auid>=1000 -F auid!=unset -F key=export
+-a always,exit -F arch=b64 -S mount,mount_setattr -F auid>=1000 -F auid!=unset -F key=export
 
 ##- System startup and shutdown (unsuccessful and successful)