Bug 1574586
| Summary: | OSCAP rule xccdf_org.ssgproject.content_rule_audit_rules_login_event remediation is not detected | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Zdenek Pytela <zpytela> |
| Component: | scap-security-guide | Assignee: | Vojtech Polasek <vpolasek> |
| Status: | CLOSED ERRATA | QA Contact: | Gabriel Gaspar Becker <ggasparb> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.5 | CC: | cww, jomurphy, matyc, mhaicman, openscap-maint, rmetrich, wdh, wsato, yhuang |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | Flags: | lcervako: mirror+ |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | scap-security-guide-0.1.49-1.el7 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-09-29 19:52:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | 2020-07-07 |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1594286 | | |
Description
Zdenek Pytela
2018-05-03 15:29:06 UTC
This might have been fixed, there are some patches upstream, we should check it:
- https://github.com/ComplianceAsCode/content/pull/2628
- https://github.com/ComplianceAsCode/content/pull/3118
- https://github.com/ComplianceAsCode/content/pull/3232

The fix indeed consists of removing the trailing / in "/var/run/faillock/".
This has already been integrated into scap-security-guide-0.1.40-12.el7.noarch, but the description of the rule has not been updated:
linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule:
description: |-
The audit system already collects login information for all users
and root. If the <tt>auditd</tt> daemon is configured to use the
<tt>augenrules</tt> program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix <tt>.rules</tt> in the
directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
edits of files involved in storing logon events:
<pre>-w /var/run/faillock/ -p wa -k logins</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following lines to
<tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
edits of files involved in storing logon events:
<pre>-w /var/run/faillock/ -p wa -k logins</pre>
--> see the trailing / above (2 occurrences)
Same for linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule
This confuses the user.
Description of rule audit_rules_login_events is fixed in https://github.com/ComplianceAsCode/content/pull/3232, shipped in 0.1.41
Description of rule audit_rules_login_events_faillock is fixed in https://github.com/ComplianceAsCode/content/commit/a46f13be3cc68f50f509f476a82972a8261a6886, shipped in 0.1.42

The remediations seem to have been fixed by the patches above, but the rule still errors in 7.7.

Note from Basil, on https://bugzilla.redhat.com/show_bug.cgi?id=1723994, that can help fix this issue.
"CCE-27129-6 appears to be a problem with the fix_audit_syscall_rule function. The function will return a 0 or 1 which determines the pass/fail of the CCE, and this function does not enter a case to change $retval to 1 if the rule exists."

The remediation is fixed in upstream: https://github.com/ComplianceAsCode/content/pull/4886

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2020:3909
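The two failure modes discussed in this bug, a watch path written with a trailing slash so that the remediated rule does not match what the check looks for, and a remediation function that does not report success when the rule already exists, are shown in the following POSIX shell snippet. It is an added example written for this page, not the scap-security-guide project's own remediation or check code; the function names `normalize_watch_path`, `watch_rule_present` and `ensure_watch_rule`, and the sample rules file, are hypothetical and constructed here. It normalizes the path before comparing, and returns 0 both when the rule was already present and when it has just been appended, which is the behaviour an idempotent remediation needs.

```shell
#!/bin/sh
# Added example, not SSG's remediation code. Shows why "-w /var/run/faillock/"
# and "-w /var/run/faillock" must be treated as the same watch, and why an
# "ensure rule" step must succeed when the rule is already there.

# normalize_watch_path PATH: strip trailing slashes, but keep "/" itself.
normalize_watch_path() {
    p=$1
    while [ "${p%/}" != "$p" ] && [ "$p" != "/" ]; do
        p=${p%/}
    done
    printf '%s\n' "$p"
}

# watch_rule_present FILE PATH PERMS KEY
# Returns 0 if FILE holds a "-w PATH -p PERMS -k KEY" line whose path matches
# after normalization, 1 otherwise. Comments and blank lines are skipped.
watch_rule_present() {
    file=$1; want=$(normalize_watch_path "$2"); perms=$3; key=$4
    [ -r "$file" ] || return 1
    while IFS= read -r line; do
        case $line in
            \#*|'') continue ;;
        esac
        set -- $line   # split the rule into its tokens (hypothetical parser)
        [ "$1" = "-w" ] || continue
        have=$(normalize_watch_path "$2")
        [ "$have" = "$want" ] || continue
        [ "$3" = "-p" ] && [ "$4" = "$perms" ] || continue
        [ "$5" = "-k" ] && [ "$6" = "$key" ] || continue
        return 0
    done < "$file"
    return 1
}

# ensure_watch_rule FILE PATH PERMS KEY
# Appends the normalized rule only if it is missing. Returns 0 when the rule
# is already present OR has just been written; this is the case the bug
# notes fix_audit_syscall_rule did not report correctly.
ensure_watch_rule() {
    if watch_rule_present "$1" "$2" "$3" "$4"; then
        return 0
    fi
    printf -- '-w %s -p %s -k %s\n' "$(normalize_watch_path "$2")" "$3" "$4" >> "$1"
    watch_rule_present "$1" "$2" "$3" "$4"
}

# demo: constructed sample rules.d file reproducing the trailing-slash variant
# that the old rule description told users to write.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
## constructed sample, not a real host's rules.d file
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
EOF
    # An exact-string check misses the rule because of the slash...
    if grep -q -- '-w /var/run/faillock -p wa -k logins' "$f"; then naive=match; else naive=miss; fi
    # ...while the normalized check finds it and ensure_watch_rule does not
    # append a duplicate.
    if watch_rule_present "$f" /var/run/faillock wa logins; then norm=match; else norm=miss; fi
    ensure_watch_rule "$f" /var/run/faillock wa logins
    n=$(grep -c -- '-w /var/run/faillock' "$f")
    rm -f "$f"
    printf '%s %s %s\n' "$naive" "$norm" "$n"
}

demo   # prints: miss match 1
```

The naive `grep` is the shape of check that a trailing slash defeats; the normalized comparison is what lets a check and its remediation agree regardless of which spelling ended up in `/etc/audit/rules.d`.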