Bug 2168061
Summary: | audit_rules_usergroup_modification_shadow don't remediate existing audit rule [rhel-8.6.0.z] | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | RHEL Program Management Team <pgm-rhel-tools> |
Component: | scap-security-guide | Assignee: | Vojtech Polasek <vpolasek> |
Status: | CLOSED ERRATA | QA Contact: | Jiri Jaburek <jjaburek> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 8.7 | CC: | ggasparb, jafiala, jjaburek, lmanasko, mhaicman, mjahoda, mlysonek, vpolasek, wsato |
Target Milestone: | rc | Keywords: | Triaged, ZStream |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | scap-security-guide-0.1.66-1.el8_6 | Doc Type: | Bug Fix |
Doc Text: |
Cause:
If an Audit watch rule was defined without an Audit key (-k or -F key), it would be marked as non-compliant even if other parts of the rule were correct. Moreover, Bash remediation would fix the path and permissions of the watch rule, but it would not add the key correctly.
Consequence:
Following rules could be marked as non-compliant eventhough they would be techincally correct (except for the key parameter which is not important for auditing).
* `audit_rules_login_events`
* `audit_rules_login_events_faillock`
* `audit_rules_login_events_lastlog`
* `audit_rules_login_events_tallylog`
* `audit_rules_usergroup_modification`
* `audit_rules_usergroup_modification_group`
* `audit_rules_usergroup_modification_gshadow`
* `audit_rules_usergroup_modification_opasswd`
* `audit_rules_usergroup_modification_passwd`
* `audit_rules_usergroup_modification_shadow`
* `audit_rules_time_watch_localtime`
* `audit_rules_mac_modification`
* `audit_rules_networkconfig_modification`
* `audit_rules_sysadmin_actions`
* `audit_rules_session_events`
* `audit_rules_sudoers`
* `audit_rules_sudoers_d`
Moreover, in some cases remediation would not fix the missing key, resultin gin an "error" instead of "fixed" return value.
Fix:
The key (represented by -k or -F key in the rule definition) is not taken into account anymore neither when checking nor when applying Bash or Ansible remediation. As mentioned above, the key is here mainly for human auditors to ease searching in Audit logs and therefore they should be able to choose it arbitrarily.
Result:
Inconsistencies caused by the key field during checking and remediating are no longer present.
|
Story Points: | --- |
Clone Of: | 2119356 | Environment: | |
Last Closed: | 2023-03-07 13:55:14 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2119356 | ||
Bug Blocks: |
Comment 12
errata-xmlrpc
2023-03-07 13:55:14 UTC
|