Bug 2119356

Summary: audit_rules_usergroup_modification_shadow don't remediate existing audit rule
Product: Red Hat Enterprise Linux 8 Reporter: Milan Lysonek <mlysonek>
Component: scap-security-guideAssignee: Vojtech Polasek <vpolasek>
Status: CLOSED ERRATA QA Contact: Jiri Jaburek <jjaburek>
Severity: unspecified Docs Contact: Jan Fiala <jafiala>
Priority: unspecified    
Version: 8.7CC: ggasparb, jafiala, jjaburek, lmanasko, mhaicman, mjahoda, mlysonek, vpolasek, wsato
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.66-1.el8 Doc Type: Bug Fix
Doc Text:
.Scans and remediations correctly ignore SCAP Audit rules Audit key Previously, Audit watch rules that were defined without an Audit key (`-k` or `-F` key) encountered the following problems: * The rules were marked as non-compliant even if other parts of the rule were correct. * Bash remediation fixed the path and permissions of the watch rule, but it did not add the Audit key correctly. * Remediation sometimes did not fix the missing key, returning an `error` instead of a `fixed` value. This affected the following rules: * `audit_rules_login_events` * `audit_rules_login_events_faillock` * `audit_rules_login_events_lastlog` * `audit_rules_login_events_tallylog` * `audit_rules_usergroup_modification` * `audit_rules_usergroup_modification_group` * `audit_rules_usergroup_modification_gshadow` * `audit_rules_usergroup_modification_opasswd` * `audit_rules_usergroup_modification_passwd` * `audit_rules_usergroup_modification_shadow` * `audit_rules_time_watch_localtime` * `audit_rules_mac_modification` * `audit_rules_networkconfig_modification` * `audit_rules_sysadmin_actions` * `audit_rules_session_events` * `audit_rules_sudoers` * `audit_rules_sudoers_d` With this update, the Audit key has been removed from checks and from Bash and Ansible remediations. As a result, inconsistencies caused by the key field during checking and remediating no longer occur, and auditors can choose these keys arbitrarily to make searching Audit logs easier.
Story Points: ---
Clone Of:
: 2120978 2123367 2168060 2168061 2168062 (view as bug list) Environment:
Last Closed: 2023-05-16 08:39:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2120978, 2123367, 2168060, 2168061, 2168062    

Comment 3 Watson Yuuma Sato 2022-09-16 09:29:05 UTC
https://github.com/ComplianceAsCode/content/pull/9463

Comment 29 errata-xmlrpc 2023-05-16 08:39:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2869