Bug 2123367

Summary: audit_rules_usergroup_modification_shadow don't remediate existing audit rule [rhel-7.9.z]
Product: Red Hat Enterprise Linux 7 Reporter: Matus Marhefka <mmarhefk>
Component: scap-security-guideAssignee: Vojtech Polasek <vpolasek>
Status: CLOSED ERRATA QA Contact: Matus Marhefka <mmarhefk>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.9CC: ggasparb, kpfleming, mhaicman, mlysonek, qe-baseos-security, vpolasek, wsato
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: scap-security-guide-0.1.66-1.el7_9 Doc Type: Bug Fix
Doc Text:
Cause: If an Audit watch rule was defined without an Audit key (-k or -F key), it would be marked as non-compliant even if other parts of the rule were correct. Moreover, Bash remediation would fix the path and permissions of the watch rule, but it would not add the key correctly. Consequence: Following rules could be marked as non-compliant eventhough they would be techincally correct (except for the key parameter which is not important for auditing). * `audit_rules_login_events` * `audit_rules_login_events_faillock` * `audit_rules_login_events_lastlog` * `audit_rules_login_events_tallylog` * `audit_rules_usergroup_modification` * `audit_rules_usergroup_modification_group` * `audit_rules_usergroup_modification_gshadow` * `audit_rules_usergroup_modification_opasswd` * `audit_rules_usergroup_modification_passwd` * `audit_rules_usergroup_modification_shadow` * `audit_rules_time_watch_localtime` * `audit_rules_mac_modification` * `audit_rules_networkconfig_modification` * `audit_rules_sysadmin_actions` * `audit_rules_session_events` * `audit_rules_sudoers` * `audit_rules_sudoers_d` Moreover, in some cases remediation would not fix the missing key, resultin gin an "error" instead of "fixed" return value. Fix: The key (represented by -k or -F key in the rule definition) is not taken into account anymore neither when checking nor when applying Bash or Ansible remediation. As mentioned above, the key is here mainly for human auditors to ease searching in Audit logs and therefore they should be able to choose it arbitrarily. Result: Inconsistencies caused by the key field during checking and remediating are no longer present.
Story Points: ---
Clone Of: 2119356 Environment:
Last Closed: 2023-03-07 09:54:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 2119356    
Bug Blocks: 2120978    

Comment 2 Watson Yuuma Sato 2022-10-04 15:42:30 UTC

Comment 17 errata-xmlrpc 2023-03-07 09:54:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.