Bug 2119356
Summary: | audit_rules_usergroup_modification_shadow don't remediate existing audit rule | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Milan Lysonek <mlysonek> | |
Component: | scap-security-guide | Assignee: | Vojtech Polasek <vpolasek> | |
Status: | CLOSED ERRATA | QA Contact: | Jiri Jaburek <jjaburek> | |
Severity: | unspecified | Docs Contact: | Jan Fiala <jafiala> | |
Priority: | unspecified | |||
Version: | 8.7 | CC: | ggasparb, jafiala, jjaburek, lmanasko, mhaicman, mjahoda, mlysonek, vpolasek, wsato | |
Target Milestone: | rc | Keywords: | Triaged, ZStream | |
Target Release: | --- | Flags: | pm-rhel: mirror+ |
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | scap-security-guide-0.1.66-1.el8 | Doc Type: | Bug Fix | |
Doc Text: |
.Scans and remediations correctly ignore SCAP Audit rules Audit key
Previously, Audit watch rules that were defined without an Audit key (`-k` or `-F` key) encountered the following problems:
* The rules were marked as non-compliant even if other parts of the rule were correct.
* Bash remediation fixed the path and permissions of the watch rule, but it did not add the Audit key correctly.
* Remediation sometimes did not fix the missing key, returning an `error` instead of a `fixed` value.
This affected the following rules:
* `audit_rules_login_events`
* `audit_rules_login_events_faillock`
* `audit_rules_login_events_lastlog`
* `audit_rules_login_events_tallylog`
* `audit_rules_usergroup_modification`
* `audit_rules_usergroup_modification_group`
* `audit_rules_usergroup_modification_gshadow`
* `audit_rules_usergroup_modification_opasswd`
* `audit_rules_usergroup_modification_passwd`
* `audit_rules_usergroup_modification_shadow`
* `audit_rules_time_watch_localtime`
* `audit_rules_mac_modification`
* `audit_rules_networkconfig_modification`
* `audit_rules_sysadmin_actions`
* `audit_rules_session_events`
* `audit_rules_sudoers`
* `audit_rules_sudoers_d`
With this update, the Audit key has been removed from checks and from Bash and Ansible remediations. As a result, inconsistencies caused by the key field during checking and remediating no longer occur, and auditors can choose these keys arbitrarily to make searching Audit logs easier.
|
Story Points: | --- | |
Clone Of: | ||||
: | 2120978 2123367 2168060 2168061 2168062 | Environment: | |
Last Closed: | 2023-05-16 08:39:27 UTC | Type: | Bug | |
Bug Blocks: | 2120978, 2123367, 2168060, 2168061, 2168062 |
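The key-independent check described in the Doc Text above can be sketched as follows. This is an added example, not code from scap-security-guide or from the bug report; the function names, the sample rules and the requirement of an explicit `-p` containing `w` and `a` are assumptions made for illustration.

```python
import shlex

# Constructed sample of an audit rules file; not taken from the bug report.
SAMPLE_RULES = """\
# watch with an auditor-chosen key
-w /etc/passwd -p wa -k identity-changes
# watch with no key at all, the case the Doc Text describes
-w /etc/shadow -p wa
# key in -F form, permission letters in a different order
-w /etc/group -p aw -F key=usergroup
# attribute changes are not watched, so this one must fail
-w /etc/gshadow -p w -k audit_rules_usergroup_modification
-a always,exit -F arch=b64 -S adjtimex -k time-change
"""

def parse_watch(line):
    """Return (path, perms, key) for a -w watch rule, or None for any other line."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:          # unbalanced quotes: not a rule we can judge
        return None
    path, perms, key = None, "", None
    args = iter(tokens)
    for opt in args:
        val = next(args, None)
        if val is None:
            return None         # option without its argument
        if opt == "-w":
            path = val
        elif opt == "-p":
            perms = val
        elif opt == "-k":
            key = val
        elif opt == "-F" and val.startswith("key="):
            key = val[len("key="):]
        else:
            return None         # syscall rule or unknown option
    return (path, perms, key) if path else None

def watch_is_compliant(rules_text, path, required="wa"):
    """True if a watch on `path` covers every letter in `required`.
    The key is parsed but deliberately not compared (assumption of this
    example: an explicit -p is required)."""
    for line in rules_text.splitlines():
        rule = parse_watch(line)
        if rule and rule[0] == path and set(required) <= set(rule[1]):
            return True
    return False
```
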
Comment 3
Watson Yuuma Sato
2022-09-16 09:29:05 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:2869