Bug 2151553

Summary: Rules concerning audit check for the content of specific files, and not /etc/audit/audit.rules (e.g. xccdf_org.ssgproject.content_rule_audit_immutable_login_uids)

Product: Red Hat Enterprise Linux 8
Component: scap-security-guide
Version: 8.6
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Target Milestone: rc
Target Release: ---
Keywords: Triaged, ZStream
Flags: pm-rhel: mirror+
Type: Bug
Reporter: Welterlen Benoit <bwelterl>
Assignee: Vojtech Polasek <vpolasek>
QA Contact: Jiri Jaburek <jjaburek>
Docs Contact: Jan Fiala <jafiala>
CC: ggasparb, jafiala, jjaburek, mhaicman, mlysonek, vpolasek, wsato
Fixed In Version: scap-security-guide-0.1.66-1.el8
Last Closed: 2023-05-16 08:39:27 UTC
Bug Blocks: 2168063, 2168064, 2168065
Clones: 2168063, 2168064, 2168065
Doc Type: Bug Fix
Doc Text:
`scap-security-guide` STIG profiles no longer require specific text in `/etc/audit/rules.d/11-loginuid.rules`

Previously, the SCAP rule `audit_immutable_login_uids` used in RHEL 8 profiles `stig` and `stig_gui` passed only if the file `/etc/audit/rules.d/11-loginuid.rules` contained exact text. This is, however, not necessary to fulfill the STIG requirement (RHEL-08-030122). With this update, the new rule `audit_rules_immutable_login_uids` replaces `audit_immutable_login_uids` in the RHEL 8 `stig` and `stig_gui` profiles. As a result, you can now specify the `--loginuid-immutable` parameter that fulfills the rule in any file with the `.rules` extension within the `/etc/audit/rules.d` directory or in the `/etc/audit/audit.rules` file, depending on whether `auditctl` or `augenrules` is used.

Description Welterlen Benoit 2022-12-07 13:51:16 UTC
Description of problem:
For rules that expect a specific audit configuration, the scan is done on specific files, and not on all audit config files or on /etc/audit/audit.rules, which is what auditctl will really use.

Ex:

xccdf_org.ssgproject.content_rule_audit_immutable_login_uids

The rule requires --loginuid-immutable to be present in audit rule config.

It checks /etc/audit/rules.d/11-loginuid.rules and fails if --loginuid-immutable is somewhere else.

Version-Release number of selected component (if applicable):
RHEL8
scap-security-guide-0.1.60-7.el8.noarch

How reproducible:
always

Steps to Reproduce:
1. put --loginuid-immutable in /etc/audit/rules.d/test_loginuid.rules
2. run oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --rule xccdf_org.ssgproject.content_rule_audit_immutable_login_uids

Actual results:
Test rule fails even if --loginuid-immutable is set

Expected results:
Test passes if --loginuid-immutable is set somewhere

Additional info:
Why is the file really used by auditctl, /etc/audit/audit.rules, not used to check whether the option is set?

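As an added illustration (not code from scap-security-guide or from the reporter), the POSIX shell helper below checks for the option the way the replacement rule is described in the Doc Text: any uncommented --loginuid-immutable line in any /etc/audit/rules.d/*.rules file when auditd loads rules through augenrules, or in /etc/audit/audit.rules when it loads through auditctl. The function names, the loader detection from the ExecStartPost line of auditd.service, and the constructed sample files are assumptions of this example.

```shell
# Hypothetical check (not the SSG OVAL): pass when --loginuid-immutable is on
# an uncommented line of any rules fragment auditd would actually load.
#   $1 loader mode ("augenrules" or "auditctl")
#   $2 rules.d directory        $3 monolithic audit.rules file
# Exit status 0 = option present, 1 = absent, 2 = bad mode.
check_loginuid_immutable() {
    mode=$1; rules_d=$2; audit_rules=$3
    # Whole-line match with optional whitespace, so the commented-out
    # "# --loginuid-immutable" from the sample file does not count.
    pattern='^[[:space:]]*--loginuid-immutable[[:space:]]*$'
    case $mode in
        augenrules)
            # Every *.rules file is a candidate; the file name is irrelevant.
            for f in "$rules_d"/*.rules; do
                [ -f "$f" ] && grep -Eq "$pattern" "$f" && return 0
            done
            return 1 ;;
        auditctl)
            [ -f "$audit_rules" ] && grep -Eq "$pattern" "$audit_rules" ;;
        *)  echo "unknown loader mode: $mode" >&2; return 2 ;;
    esac
}

# Assumption: the loader is the ExecStartPost command of auditd.service;
# RHEL 8 ships augenrules there, so that is the fallback when unsure.
detect_loader_mode() {
    unit=${1:-/usr/lib/systemd/system/auditd.service}
    if grep -Eq '^ExecStartPost=.*auditctl' "$unit" 2>/dev/null; then
        echo auditctl
    else
        echo augenrules
    fi
}

# Stand-alone demo on constructed files mirroring the report: the option
# lives in test_loginuid.rules, while 11-loginuid.rules has it commented.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/rules.d"
    printf '## Make loginuid immutable\n# --loginuid-immutable\n' \
        > "$tmp/rules.d/11-loginuid.rules"
    printf '%s\n' '--loginuid-immutable' > "$tmp/rules.d/test_loginuid.rules"
    if check_loginuid_immutable augenrules "$tmp/rules.d" "$tmp/audit.rules"
    then echo "PASS: option found under rules.d"; else echo "FAIL"; fi
    rm -rf "$tmp"
}
demo
```

On a real host, call check_loginuid_immutable "$(detect_loader_mode)" /etc/audit/rules.d /etc/audit/audit.rules.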
Comment 1 Welterlen Benoit 2022-12-07 14:28:54 UTC
I also have to add that if the exact content of the sample file /usr/share/audit/sample-rules/11-loginuid.rules is not in the tested file, it fails as well (comments included ...).
I think only the required option should be tested.

Thanks !

Comment 3 Vojtech Polasek 2023-01-18 09:37:13 UTC
Fixed upstream: https://github.com/ComplianceAsCode/content/pull/10070

Comment 25 errata-xmlrpc 2023-05-16 08:39:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2869