The DISA STIG profile for Red Hat Enterprise Linux 8 contains a new rule, audit_rules_login_events_faillock, which references STIG ID RHEL-08-030590. The rule checks whether the audit daemon is configured to record any attempt to modify the logon event logs stored in /var/log/faillock.
Description of problem:
From the stig-results.xml I found that this benchmark (RHEL-08-030590 | CCE-80718-0 | V-230466 | xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock) wasn't selected:
~~~
<rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" role="full" time="2022-12-19T11:20:10-08:00" severity="medium" weight="1.000000">
  <result>notselected</result>
  <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-80718-0</ident>
</rule-result>
~~~
and isn't selected as a part of the DISA STIG profile in the datastream file - /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Is there an ETA on when this benchmark will be included or a status update for this?
Version-Release number of selected component (if applicable):
scap-security-guide-0.1.63-4.el8.noarch
How reproducible:
Always
Steps to Reproduce:
1. Install scap-security-guide-0.1.63-4.el8.noarch
2. Review benchmarks for "DISA STIG for Red Hat Enterprise Linux 8" profile in /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Actual results:
xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock isn't selected in the profile
Expected results:
xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock is selected within the DISA STIG profile
Additional info:
https://github.com/ComplianceAsCode/content/blob/d906795a38fd069e8aa4e1fe8851f19a5038f98f/products/rhel8/profiles/stig.profile
~~~
# RHEL-08-030590
# This one needs to be updated to use /var/log/faillock, but first RHEL-08-020017 should be
# implemented as it is the one that configures a different path for the events of failing locks
# - audit_rules_login_events_faillock
~~~
Status shows as pending here (I also checked the referenced RHEL-08-020017; it looks like that one is in place, with status "automated"):
https://github.com/ComplianceAsCode/content/blob/74ca327dc3ea0b7c813263d13e230cd62ac70b5a/controls/stig_rhel8.yml
~~~
- id: RHEL-08-030590
  levels:
  - medium
  title: Successful/unsuccessful modifications to the faillock log file in RHEL 8
    must generate an audit record.
  status: pending
~~~
Found the audit_rules_login_events_faillock here:
https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
~~~
{{% if product in ["ol8","ol9","rhel8", "rhel9"] %}}
{{% set faillock_path = "/var/log/faillock" %}}
{{% else %}}
{{% set faillock_path = "/var/run/faillock" %}}
{{% endif %}}

documentation_complete: true
...
ocil_clause: 'the command does not return a line, or the line is commented out'

ocil: |-
    Verify {{{ full_name }}} generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command:

    $ sudo auditctl -l | grep /var/run/faillock
    -w /var/run/faillock -p wa -k logins

template:
    name: audit_rules_login_events
    vars:
        path: {{{ faillock_path }}}

fixtext: |-
    {{{ fixtext_audit_file_watch_rule(faillock_path, "logins", "/etc/audit/rules.d/audit.rules") | indent(4) }}}

srg_requirement: '{{{ srg_requirement_audit_file_watch_rule(faillock_path) }}}'
~~~
This still has /var/run instead of /var/log in the ocil section, but the other sections look like they've been updated to use a dynamic faillock path. (I'm not really sure if the ocil section is necessary or if it should statically reference /var/run)
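As an added illustration (not part of the bug report or of the ComplianceAsCode project), a small Python check that reads a rule's result from an XCCDF results file, tests whether a profile explicitly selects that rule, and verifies the expected watch on /var/log/faillock in `auditctl -l` output. The XML snippets are constructed stand-ins, the profile id is assumed, and the profile check only looks at explicit `<select>` entries (it ignores Rule-level `selected` defaults and group selects).

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"
RULE = "xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock"
PROFILE = "xccdf_org.ssgproject.content_profile_stig"  # assumed profile id

# Constructed stand-in for the relevant part of an XCCDF results file.
SAMPLE_RESULTS = f"""<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2">
  <rule-result idref="{RULE}" role="full" severity="medium" weight="1.000000">
    <result>notselected</result>
  </rule-result>
</TestResult>"""

# Constructed stand-in for the profile section of a benchmark/datastream.
SAMPLE_BENCHMARK = f"""<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <Profile id="{PROFILE}">
    <select idref="{RULE}" selected="false"/>
  </Profile>
</Benchmark>"""

def rule_result(results_xml, rule_id):
    """Return the <result> text for rule_id from an XCCDF TestResult, or None."""
    root = ET.fromstring(results_xml)
    for rr in root.iter(f"{XCCDF_NS}rule-result"):
        if rr.get("idref") == rule_id:
            res = rr.find(f"{XCCDF_NS}result")
            return res.text if res is not None else None
    return None

def rule_selected(benchmark_xml, profile_id, rule_id):
    """True only if profile_id carries an explicit <select> for rule_id with selected="true"."""
    root = ET.fromstring(benchmark_xml)
    for prof in root.iter(f"{XCCDF_NS}Profile"):
        if prof.get("id") != profile_id:
            continue
        for sel in prof.iter(f"{XCCDF_NS}select"):
            if sel.get("idref") == rule_id:
                return sel.get("selected", "false").lower() == "true"
    return False

def faillock_watch_present(auditctl_lines, path="/var/log/faillock"):
    """True if a loaded watch rule covers path with at least write+attribute perms."""
    for line in auditctl_lines:
        tok = line.split()
        if "-w" in tok[:-1] and tok[tok.index("-w") + 1] == path and "-p" in tok[:-1]:
            perms = tok[tok.index("-p") + 1]
            if "w" in perms and "a" in perms:
                return True
    return False
```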