| Summary: | rule file_ownership_var_log_audit has wrong description | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Marek Haicman <mhaicman> |
| Component: | scap-security-guide | Assignee: | Watson Yuuma Sato <wsato> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.3 | CC: | mhaicman, mpreisle, openscap-maint, rsprudencio |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-12-12 16:13:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description of problem:
The first issue is that the description of the rule hints at fixing the /var/log directory, but the rule explicitly checks /var/log/audit and /var/log/audit/audit.cfg. The second problem is that the location of the audit log file is defined in the conf file, thus this rule should at least tell the admin she is supposed to check it herself.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.30-3.el7.noarch

How reproducible: reliably

Steps to Reproduce:
1. change log_file in /etc/audit/auditd.conf to /var/log/audit2.cfg
2. chown root:root /var/log/audit{,/audit.cfg}
3. touch /var/log/audit2.cfg
4. chown test:test /var/log/audit2.cfg
5. run pci-dss scan
6. open report and the rule itself

Actual results:
1. description is about /var/log
2. file tested for ownership is still the default one, /var/log/audit/audit.cfg, thus the rule passes

Expected results:
1. description is more relevant to the rule itself
2. when the log_file parameter is changed, either check the new location, or raise "informational" with a note that the user needs to check it manually

The description of the rule already scopes other files: "<description>Checks that all /var/log/audit files and directories are owned by the root user and group.</description>" Is this BZ outdated, or do you think this description is not enough? It mentions audit files and directories.

About the second issue, there is a specific list of possible results: pass, fail, error, unknown, notapplicable, notchecked, notselected, informational, fixed. As the config itself can be sitting in any place, it's hard to scope those scenarios with custom configurations. It's possible to try to find such a file and then work on it afterwards, but there would be no guarantee that it's the right file, so it's a tricky problem with no obvious solution IMHO. I think this would need a Tailoring file or something like that, what do you think?

Proposed fix at https://github.com/OpenSCAP/scap-security-guide/pull/1746

The proposed fix above scopes only the second problem. We are not currently supporting customized paths for log files for this rule, as customized paths for log files are something we don't generally support.

I am accepting the description update as the fix of this bugzilla.

It has been fixed in RHEL7.4
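The reporter's scenario, as an added example that is not code from the bug report or from scap-security-guide: a POSIX shell checker that reads log_file from an auditd.conf, verifies root:root ownership of the audit log directory tree the way the rule does, and, when log_file points outside that tree, also checks the configured file and reports "informational" instead of silently passing. The config and directory paths are taken as arguments (an assumption made so it can run against constructed fixtures), and the default log name falls back to auditd's /var/log/audit/audit.log.

```shell
# Added example, not code from the bug report or from scap-security-guide.
# Assumes a find(1) with -uid/-gid; paths are passed as arguments so the
# checker can be run against constructed fixtures instead of /etc/audit.

# Print the effective log_file value from an auditd.conf (last match wins),
# skipping commented lines and surrounding whitespace; prints nothing if unset.
auditd_log_file() {
    sed -n 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed only if $1 exists and everything in it (itself included) is uid 0 / gid 0.
owned_by_root() {
    [ -e "$1" ] || return 1
    [ -z "$(find "$1" \( ! -uid 0 -o ! -gid 0 \) 2>/dev/null | head -n 1)" ]
}

# Evaluate the rule the way the report asks for. Prints one XCCDF-style result:
#   pass           the audit dir tree (and the configured log) are root:root
#   fail           something in scope is not root:root
#   informational  log_file points outside the dir: it was checked, but the
#                  admin is told to verify the custom location manually
# $1 = auditd.conf path, $2 = audit log directory (normally /var/log/audit)
check_audit_log_ownership() {
    conf=$1; dir=$2
    logf=$(auditd_log_file "$conf")
    [ -n "$logf" ] || logf="$dir/audit.log"   # auditd's default when unset
    result=pass
    owned_by_root "$dir" || result=fail
    case "$logf" in
        "$dir"/*) ;;                           # inside the tree: already covered
        *)
            # custom location (the reporter's /var/log/audit2.cfg case)
            if [ -e "$logf" ]; then
                owned_by_root "$logf" || result=fail
            fi
            [ "$result" = fail ] || result=informational
            ;;
    esac
    echo "$result"
}
```

Run it as `check_audit_log_ownership /etc/audit/auditd.conf /var/log/audit` on a real host; with log_file redirected as in the reproduction steps it returns fail for a test:test-owned file and informational once the custom file is root:root.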