Bug 1667108

Summary: DISA profile doubles audit rules (with auid unset and 4294967295) and prevents augenrules from running
Product: Red Hat Enterprise Linux 7 Reporter: Welterlen Benoit <bwelterl>
Component: scap-security-guide    Assignee: Watson Yuuma Sato <wsato>
Status: CLOSED ERRATA QA Contact: Jan Černý <jcerny>
Severity: high Docs Contact:
Priority: high    
Version: 7.6    CC: jcerny, mhaicman, openscap-maint, rmetrich
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.43-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 13:04:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Welterlen Benoit 2019-01-17 13:14:27 UTC
Description of problem:
In RHEL 7.6, the DISA part of the scap-security-guide has been modified, and now the audit rules for privileged binaries are broken/doubled with auid!=unset and auid!=4294967295.
This prevents augenrules from running and also prevents the profile from being correctly verified.

Version-Release number of selected component (if applicable):
RHEL 7.6 (not in 7.5)

How reproducible:
Always

Steps to Reproduce:
1. install RHEL 7.6 with DISA STIG profile

Actual results:
- augenrules fails to load rules:
8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[user1@localhost ~]$ systemctl status auditd
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-01-17 11:57:52 CET; 2h 7min ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 4538 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
  Process: 4522 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 4532 (auditd)
   CGroup: /system.slice/auditd.service
           ├─4532 /sbin/auditd
           ├─4534 /sbin/audispd
           └─4536 /usr/sbin/sedispatch

Jan 17 11:57:52 localhost.localdomain augenrules[4538]: lost 0
Jan 17 11:57:52 localhost.localdomain augenrules[4538]: backlog 0
Jan 17 11:57:52 localhost.localdomain augenrules[4538]: enabled 1
Jan 17 11:57:52 localhost.localdomain augenrules[4538]: failure 2
8< ---------------- 8< ---------------- 8< ---------------- 8< --------

- because a lot of rules are doubled:
8< ---------------- 8< ---------------- 8< ---------------- 8< --------
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
8< ---------------- 8< ---------------- 8< ---------------- 8< --------

- the STIG validation fails on this rule:
8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
Result: fail
Time: 2019-01-16T23:33:33
Severity: medium
Identifiers: CCE-80395-7
References: FAU_GEN.1.1.c, RHEL-07-030630, SV-86773r3_rule, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-3(1), AU-12(c), SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215
Description:

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Expected results:
- System installed and configured with the correct audit rules to meet the DISA STIG requirements, and audit rules correctly loaded

Additional info:
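Added pre-flight check (not part of this bug report, of scap-security-guide or of the audit package): the failure above is the kernel rejecting the second of two rules it considers identical, because auditctl resolves `auid!=unset` (and `auid!=-1`) to `auid!=4294967295` and `-k X` to `-F key=X` before sending the rule. The script below applies the same rewrites to the files that augenrules would merge and reports the collisions before `augenrules --load` trips over them. The sample rule files are constructed inline (the two passwd lines are the pair quoted above; the chage lines and the identity watch are added controls); the file names, the `UID_FIELD` pattern and the sorted-name merge order are assumptions of this example.

```python
"""Flag audit rules that will collide when augenrules --load feeds them to the kernel.

augenrules merges /etc/audit/rules.d/*.rules into /etc/audit/audit.rules and hands
the result to auditctl -R.  The kernel refuses a rule identical to one already
loaded ("Error sending add rule data request (Rule exists)"), and that failure
is what makes the ExecStartPost step exit with status=1.  Two lines can differ
textually and still be the same rule, because auditctl rewrites these aliases:

    -F auid!=unset  /  -F auid!=-1   ->  -F auid!=4294967295   ((uid_t)-1)
    -k privileged                    ->  -F key=privileged
    -a exit,always                   ->  -a always,exit

This script applies the same rewrites and reports the collisions.
"""
import re
from collections import defaultdict

UNSET = "4294967295"  # (uid_t)-1: what auditctl sends for "unset" and "-1"

# Constructed sample (assumption: file names and layout).  The two passwd lines
# are the pair quoted in the bug; the chage lines and the watch are added controls.
SAMPLE_RULES_D = {
    "30-stig.rules": (
        "## privileged commands (RHEL-07-030630)\n"
        "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n"
        "-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n"
        "-w /etc/passwd -p wa -k identity\n"
    ),
    "31-privileged.rules": (
        "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged\n"
        "-a exit,always -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged\n"
        "-w /etc/passwd -p wa -k identity\n"
    ),
}

# uid/gid-valued fields whose "unset"/"-1" spelling auditctl resolves to UNSET
UID_FIELD = re.compile(r"^(auid|uid|euid|suid|fsuid|gid|egid|sgid|fsgid)([!=<>]+)(.+)$")


def canonical(line):
    """Return a normalised form of the rule (aliases resolved), or None for non-rule lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    toks = line.split()
    out, i = [], 0
    while i < len(toks):
        t = toks[i]
        if t == "-k":                      # -k KEY is shorthand for -F key=KEY
            out += ["-F", "key=" + toks[i + 1]]
            i += 2
        elif t == "-a":                    # auditctl accepts list,action or action,list
            out += ["-a", ",".join(sorted(toks[i + 1].split(",")))]
            i += 2
        elif t == "-F":
            field = toks[i + 1]
            m = UID_FIELD.match(field)
            if m and m.group(3) in ("unset", "-1"):
                field = m.group(1) + m.group(2) + UNSET
            out += ["-F", field]
            i += 2
        else:
            out.append(t)
            i += 1
    return " ".join(out)


def find_duplicates(rules_d):
    """Map normalised rule -> [(file, lineno, text), ...] for every rule seen more than once.

    rules_d maps file name -> file contents.  Files are visited in sorted name
    order, approximating the order in which augenrules concatenates them.
    """
    seen = defaultdict(list)
    for fname in sorted(rules_d):
        for lineno, line in enumerate(rules_d[fname].splitlines(), 1):
            key = canonical(line)
            if key is not None:
                seen[key].append((fname, lineno, line.strip()))
    return {k: v for k, v in seen.items() if len(v) > 1}


def report(rules_d):
    """Print each collision with the lines that cause it; return the number of collisions."""
    dups = find_duplicates(rules_d)
    for key, where in dups.items():
        print("duplicate rule (normalised): " + key)
        for fname, lineno, text in where:
            print("  %s:%d: %s" % (fname, lineno, text))
    return len(dups)


if __name__ == "__main__":
    import glob
    import os
    import sys
    if len(sys.argv) > 1:  # e.g. python3 audit_dupcheck.py /etc/audit/rules.d
        rules_d = {os.path.basename(p): open(p).read()
                   for p in glob.glob(os.path.join(sys.argv[1], "*.rules"))}
    else:
        rules_d = SAMPLE_RULES_D
    sys.exit(1 if report(rules_d) else 0)
```

Run it against /etc/audit/rules.d before restarting auditd; a non-zero exit means at least one pair of rules that will not both load. It resolves only the aliases listed in the docstring and keeps -F fields in their written order, so two rules that list the same fields in a different order are still reported as distinct.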

Comment 2 Watson Yuuma Sato 2019-01-21 09:20:25 UTC
The following patch should fix problems with addition of duplicated rules: https://github.com/ComplianceAsCode/content/pull/3692

Comment 3 Jan Černý 2019-03-07 08:37:30 UTC
Granting devel ack because it's fixed by rebase to 0.1.43.

Comment 8 errata-xmlrpc 2019-08-06 13:04:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2198