Bug 2168063

Summary: Rules concerning audit check for content of specific files, and not /etc/audit/audit.rules ( ex xccdf_org.ssgproject.content_rule_audit_immutable_login_uids) [rhel-8.7.0.z]
Product: Red Hat Enterprise Linux 8 Reporter: RHEL Program Management Team <pgm-rhel-tools>
Component: scap-security-guideAssignee: Vojtech Polasek <vpolasek>
Status: CLOSED ERRATA QA Contact: Milan Lysonek <mlysonek>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 8.6CC: ggasparb, mhaicman, mlysonek, wsato
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.66-1.el8_7 Doc Type: Bug Fix
Doc Text:
Cause: The SCAP rule audit_immutable_login_uids used in RHEL 8 profiles stig and stig_gui is very strict and it passes only in case that the specific file contains exact text. This is, however, not strictly needed to fulfill the STIG requirement (RHEL-08-030122) Consequence: User is forced to use the file /etc/audit/rules.d/11-loginuid.rules with specific file content to make this rule passing. Note that the file content contains comments which should not be forced upon user. Fix: The new rule audit_rules_immutable_login_uids has been created and it replaced the rule audit_immutable_login_uids in RHEL8 stig and stig_gui profiles. Result: User can now specify the "--loginuid-immutable" parameter which fulfills the rule in arbitrary file with .rules extension within /etc/audit/rules.d directory or in file /etc/audit/audit.rules; depending on usage of auditctl or augen-rules.
 Story Points: ---
Clone Of: 2151553 Environment:
Last Closed: 2023-02-21 07:15:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2151553    
Bug Blocks:    

Comment 14 errata-xmlrpc 2023-02-21 07:15:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:0829