.The DISA STIG profile now supports `audit_rules_login_events_faillock`
With this enhancement, the SCAP Security Guide `audit_rules_login_events_faillock` rule, which references STIG ID RHEL-08-030590, has been added to the DISA STIG profile for RHEL 8. This rule checks if the Audit daemon is configured to record any attempts to modify login event logs stored in the `/var/log/faillock` directory.
Description of problem:
From the stig-results.xml found that this benchmark (RHEL-08-030590 | CCE-80718-0 | V-230466 | xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock) wasn't selected:
<rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" role="full" time="2022-12-19T11:20:10-08:00" severity="medium" weight="1.000000">
<result>notselected</result>
<ident system="https://nvd.nist.gov/cce/index.cfm">CCE-80718-0</ident>
</rule-result>
and isn't selected as a part of the DISA STIG profile in the datastream file - /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Is there an ETA on when this benchmark will be included or a status update for this?
Version-Release number of selected component (if applicable):
scap-security-guide-0.1.63-4.el8.noarch
How reproducible:
Always
Steps to Reproduce:
1. Install scap-security-guide-0.1.63-4.el8.noarch
2. Review benchmarks for "DISA STIG for Red Hat Enterprise Linux 8" profile in /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Actual results:
xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock isn't selected in the profile
Expected results:
xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock is selected within the DISA STIG profile
Additional info:
https://github.com/ComplianceAsCode/content/blob/d906795a38fd069e8aa4e1fe8851f19a5038f98f/products/rhel8/profiles/stig.profile
~~~
# RHEL-08-030590
# This one needs to be updated to use /var/log/faillock, but first RHEL-08-020017 should be
# implemented as it is the one that configures a different path for the events of failing locks
# - audit_rules_login_events_faillock
~~~
Status shows as pending here (also checked the referenced RHEL-08-020017 looks like this is in place "automated"):
https://github.com/ComplianceAsCode/content/blob/74ca327dc3ea0b7c813263d13e230cd62ac70b5a/controls/stig_rhel8.yml
~~~
- id: RHEL-08-030590
levels:
- medium
title: Successful/unsuccessful modifications to the faillock log file in RHEL 8
must generate an audit record.
status: pending
~~~
Found the audit_rules_login_events_faillock here:
https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
~~~
{{% if product in ["ol8","ol9","rhel8", "rhel9"] %}}
{{% set faillock_path = "/var/log/faillock" %}}
{{% else %}}
{{% set faillock_path = "/var/run/faillock" %}}
{{% endif %}}
documentation_complete: true
...
ocil_clause: 'the command does not return a line, or the line is commented out'
ocil: |-
Verify {{{ full_name }}} generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command:
$ sudo auditctl -l | grep /var/run/faillock
-w /var/run/faillock -p wa -k logins
template:
name: audit_rules_login_events
vars:
path: {{{ faillock_path }}}
fixtext: |-
{{{ fixtext_audit_file_watch_rule(faillock_path, "logins", "/etc/audit/rules.d/audit.rules") | indent(4) }}}
srg_requirement: '{{{ srg_requirement_audit_file_watch_rule(faillock_path) }}}'
~~~
This still has /var/run instead of /var/log in the ocil section, but the other sections look like they've been updated to use a dynamic faillock path. (I'm not really sure if the ocil section is necessary or if it should statically reference /var/run)
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (scap-security-guide bug fix update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:7056
Description of problem: From the stig-results.xml found that this benchmark (RHEL-08-030590 | CCE-80718-0 | V-230466 | xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock) wasn't selected: <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" role="full" time="2022-12-19T11:20:10-08:00" severity="medium" weight="1.000000"> <result>notselected</result> <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-80718-0</ident> </rule-result> and isn't selected as a part of the DISA STIG profile in the datastream file - /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml Is there an ETA on when this benchmark will be included or a status update for this? Version-Release number of selected component (if applicable): scap-security-guide-0.1.63-4.el8.noarch How reproducible: Always Steps to Reproduce: 1. Install scap-security-guide-0.1.63-4.el8.noarch 2. Review benchmarks for "DISA STIG for Red Hat Enterprise Linux 8" profile in /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml Actual results: xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock isn't selected in the profile Expected results: xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock is selected within the DISA STIG profile Additional info: https://github.com/ComplianceAsCode/content/blob/d906795a38fd069e8aa4e1fe8851f19a5038f98f/products/rhel8/profiles/stig.profile ~~~ # RHEL-08-030590 # This one needs to be updated to use /var/log/faillock, but first RHEL-08-020017 should be # implemented as it is the one that configures a different path for the events of failing locks # - audit_rules_login_events_faillock ~~~ Status shows as pending here (also checked the referenced RHEL-08-020017 looks like this is in place "automated"): https://github.com/ComplianceAsCode/content/blob/74ca327dc3ea0b7c813263d13e230cd62ac70b5a/controls/stig_rhel8.yml ~~~ - id: RHEL-08-030590 levels: - medium title: Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record. status: pending ~~~ Found the audit_rules_login_events_faillock here: https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml ~~~ {{% if product in ["ol8","ol9","rhel8", "rhel9"] %}} {{% set faillock_path = "/var/log/faillock" %}} {{% else %}} {{% set faillock_path = "/var/run/faillock" %}} {{% endif %}} documentation_complete: true ... ocil_clause: 'the command does not return a line, or the line is commented out' ocil: |- Verify {{{ full_name }}} generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: $ sudo auditctl -l | grep /var/run/faillock -w /var/run/faillock -p wa -k logins template: name: audit_rules_login_events vars: path: {{{ faillock_path }}} fixtext: |- {{{ fixtext_audit_file_watch_rule(faillock_path, "logins", "/etc/audit/rules.d/audit.rules") | indent(4) }}} srg_requirement: '{{{ srg_requirement_audit_file_watch_rule(faillock_path) }}}' ~~~ This still has /var/run instead of /var/log in the ocil section, but the other sections look like they've been updated to use a dynamic faillock path. (I'm not really sure if the ocil section is necessary or if it should statically reference /var/run)