Bug 2167999

Summary: content_rule_audit_rules_login_events_faillock not selected on DISA STIG Profile
Product: Red Hat Enterprise Linux 8 Reporter: ckrell
Component: scap-security-guideAssignee: Jan Černý <jcerny>
Status: CLOSED ERRATA QA Contact: Milan Lysonek <mlysonek>
Severity: medium Docs Contact: Petr Hybl <phybl>
Priority: medium    
Version: 8.7CC: ggasparb, jcerny, jjaburek, maburgha, matyc, mhaicman, mjahoda, mlysonek, vpolasek, wsato
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.69-1.el8 Doc Type: Enhancement
Doc Text:
.The DISA STIG profile now supports `audit_rules_login_events_faillock` With this enhancement, the SCAP Security Guide `audit_rules_login_events_faillock` rule, which references STIG ID RHEL-08-030590, has been added to the DISA STIG profile for RHEL 8. This rule checks if the Audit daemon is configured to record any attempts to modify login event logs stored in the `/var/log/faillock` directory.
 Story Points: ---
Clone Of:
: 2228455 2228456 (view as bug list) Environment:
Last Closed: 2023-11-14 15:36:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2228455, 2228456    

Description ckrell 2023-02-08 01:41:48 UTC 
Description of problem:

From the stig-results.xml found that this benchmark (RHEL-08-030590 |  CCE-80718-0  | V-230466 | xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock) wasn't selected:

    <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" role="full" time="2022-12-19T11:20:10-08:00" severity="medium" weight="1.000000">
      <result>notselected</result>
      <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-80718-0</ident>
    </rule-result>

and isn't selected as a part of the DISA STIG profile in the datastream file - /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 

Is there an ETA on when this benchmark will be included or a status update for this?

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.63-4.el8.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install scap-security-guide-0.1.63-4.el8.noarch
2. Review benchmarks for "DISA STIG for Red Hat Enterprise Linux 8" profile in /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 

Actual results:
xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock isn't selected in the profile

Expected results:
xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock is selected within the DISA STIG profile

Additional info:

https://github.com/ComplianceAsCode/content/blob/d906795a38fd069e8aa4e1fe8851f19a5038f98f/products/rhel8/profiles/stig.profile
~~~
    # RHEL-08-030590
    # This one needs to be updated to use /var/log/faillock, but first RHEL-08-020017 should be
    # implemented as it is the one that configures a different path for the events of failing locks
    # - audit_rules_login_events_faillock
~~~

Status shows as pending here (also checked the referenced RHEL-08-020017 looks like this is in place "automated"):
https://github.com/ComplianceAsCode/content/blob/74ca327dc3ea0b7c813263d13e230cd62ac70b5a/controls/stig_rhel8.yml
~~~
    -   id: RHEL-08-030590
        levels:
            - medium
        title: Successful/unsuccessful modifications to the faillock log file in RHEL 8
            must generate an audit record.
        status: pending
~~~
Found the audit_rules_login_events_faillock here:

https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
~~~
{{% if product in ["ol8","ol9","rhel8", "rhel9"] %}}
{{% set faillock_path = "/var/log/faillock" %}}
{{% else %}}
{{% set faillock_path = "/var/run/faillock" %}}
{{% endif %}}
documentation_complete: true
...
ocil_clause: 'the command does not return a line, or the line is commented out'

ocil: |-
    Verify {{{ full_name }}} generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command:
    $ sudo auditctl -l | grep /var/run/faillock
    -w /var/run/faillock -p wa -k logins
template:
    name: audit_rules_login_events
    vars:
        path: {{{ faillock_path }}}

fixtext: |-
    {{{ fixtext_audit_file_watch_rule(faillock_path, "logins", "/etc/audit/rules.d/audit.rules") | indent(4) }}}
srg_requirement: '{{{ srg_requirement_audit_file_watch_rule(faillock_path) }}}'
~~~

This still has /var/run instead of /var/log in the ocil section, but the other sections look like they've been updated to use a dynamic faillock path.  (I'm not really sure if the ocil section is necessary or if it should statically reference /var/run)
Comment 2 Jan Černý 2023-07-10 14:43:35 UTC 
A fix has been submitted to review in https://github.com/ComplianceAsCode/content/pull/10816.
Comment 3 Marcus Burghardt 2023-07-11 08:30:48 UTC 
PR is merged in Upstream:
https://github.com/ComplianceAsCode/content/pull/10816
Comment 18 errata-xmlrpc 2023-11-14 15:36:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7056