Bug 1658136
| Summary: | Rule audit_rules_kernel_module_loading checks for syscalls finit and create, but does not mention or remediate accordingly | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Watson Yuuma Sato <wsato> |
| Component: | scap-security-guide | Assignee: | Watson Yuuma Sato <wsato> |
| Status: | CLOSED ERRATA | QA Contact: | Matus Marhefka <mmarhefk> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.6 | CC: | jcerny, mhaicman, openscap-maint, rmetrich, rmullett |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | scap-security-guide-0.1.43-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-08-06 13:04:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Watson Yuuma Sato
2018-12-11 10:39:05 UTC
A workaround for this is to manually add the audit rules as follows:

-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -S create_module -F key=modules
-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -S create_module -F key=modules

Fix for rule description: https://github.com/ComplianceAsCode/content/pull/3213
Fix for rhel7 remediation: https://github.com/ComplianceAsCode/content/pull/3553
Fix for rhel6 remediation: https://github.com/ComplianceAsCode/content/pull/3624

Granting devel ack because it's fixed by rebase to 0.1.43.

*** Bug 1691912 has been marked as a duplicate of this bug. ***

Verified for scap-security-guide-0.1.43-5.el7 by running upstream test scenarios:

INFO - xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe
INFO - Script default.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod
INFO - Script default.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete
INFO - Script default.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
INFO - Script default.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading
INFO - Script syscalls_multiple_per_arg.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - Script syscalls_one_per_line.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - Script syscalls_one_per_arg.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - Script default.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod
INFO - Script default.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp OK

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2198
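
An added example, not part of the bug report or the scap-security-guide code: a small checker that reads audit rule text and reports which of the four module syscalls from the workaround are still unaudited per architecture. It accepts the three layouts named by the test scenarios (several `-S` options, comma-separated syscalls, one syscall per line). It assumes auditctl's `b32`/`b64` arch values and does not count rules that lack an arch filter or carry extra `-F` filters; all sample rule sets are constructed.

```python
import shlex
# Syscalls named in the workaround; arch values are auditctl's b32/b64.
REQUIRED = {"init_module", "delete_module", "finit_module", "create_module"}
ARCHES = ("b32", "b64")

def covered_syscalls(rules_text):
    """Return {arch: required syscalls audited unconditionally on exit}."""
    covered = {arch: set() for arch in ARCHES}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        action, arch, syscalls, narrowed = set(), None, set(), False
        # Each option takes its value as the following token.
        for opt, val in zip(tokens, tokens[1:]):
            if opt == "-a":
                action = set(val.split(","))
            elif opt == "-S":  # accepts "-S a -S b" and "-S a,b"
                syscalls.update(val.split(","))
            elif opt == "-F" and val.startswith("arch="):
                arch = val[len("arch="):]
            elif opt == "-F" and not val.startswith("key="):
                narrowed = True  # extra field filter: not every call is logged
        if action == {"always", "exit"} and arch in covered and not narrowed:
            covered[arch] |= syscalls & REQUIRED
    return covered

def missing_syscalls(rules_text):
    """Return {arch: sorted missing syscalls}; an empty dict means compliant."""
    found = covered_syscalls(rules_text)
    return {a: sorted(REQUIRED - found[a]) for a in ARCHES if REQUIRED - found[a]}

# Constructed sample inputs (not taken from a real system).
WORKAROUND = """\
-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -S create_module -F key=modules
-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -S create_module -F key=modules
"""
ONE_PER_LINE = "\n".join(
    f"-a always,exit -F arch={a} -S {s} -k modules"
    for a in ARCHES for s in sorted(REQUIRED))
# Constructed: only two of the four syscalls are audited.
INCOMPLETE = """\
-a always,exit -F arch=b32 -S init_module,delete_module -k modules
-a always,exit -F arch=b64 -S init_module,delete_module -k modules
"""
if __name__ == "__main__":
    for name in ("WORKAROUND", "ONE_PER_LINE", "INCOMPLETE"):
        print(name, missing_syscalls(globals()[name]) or "all covered")
```
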