Bug 2168689

Summary: [RFE] Provide pci-dss required audit rules in the audit packages just like ospp audit rules
Product: Red Hat Enterprise Linux 8 Reporter: cweather
Component: auditAssignee: Sergio Correia <scorreia>
Status: CLOSED MIGRATED QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.5CC: alakatos, ekolesni, ggasparb, mhaicman, mlysonek, mmarhefk, nbubakov, scorreia, sgrubb, wsato
Target Milestone: rcKeywords: FutureFeature, MigratedToJIRA, Triaged
Target Release: ---Flags: vpolasek: needinfo? (scorreia)
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-08 11:12:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description cweather 2023-02-09 18:29:09 UTC 
Description of problem:

I have copied the the 30-pci-dss-v31.rules in the /etc/audit/rules.d/ and rebuild the audit rules.

The SCAP report for pci-dss fails on missing many audit rules.
For example the 2 rules below:
- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir

For the OSPP the provided rules in /usr/share/audit/sample-rules where enough to Pass all the Audit check of the OSPP SCAP run.
I expected the same for PCI-DSS SCAP report, just copy the 30-pci-dss-v31.rules to the /etc/audit/rules.d/ and all Audit rules tests are getting Passed.

Version-Release number of selected component (if applicable):


How reproducible: 

Always

Steps to Reproduce:

- Copy usr/share/audit/sample-rules/30-pci-dss-v31.rules and the surround boiler plate 10-base-config and 99-finalize to /etc/audit/rules.d

- Run augenrules

- Run scap for pcidss
/usr/bin/oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss -

-results-arf /var/tmp/compliance-report-pci-dss.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
usr/bin/oscap xccdf generate report /var/tmp/compliance-report-pci-dss.xml

Results:
- Many failing SCAP tests on Audit

Expectation
- Audit tests in SCAP report are Passed

Additional info:
More info in case.
Comment 8 Steve Grubb 2023-05-22 16:53:20 UTC 
The way the audit rules are intended to be used is to switch out the 30-xx rule to be compliant with the given security standard. Note that PCI-DSS changes every couple of years. I don't think the audit PCI rules have been looked at in 5 or 6 years.
Comment 9 Steve Grubb 2023-05-22 18:18:20 UTC 
I just looked at PCI-DSS v4. The language is different in some spots which in turn changes some of what the audit system should be gathering. I think a new 30-pci-dss-v4.rules should be created which would be intended to meet v4. I think v31 should be left alone since it is still correct to the 3.1->3.2.1 era of audit requirements.
Comment 10 Attila Lakatos 2023-05-26 08:41:37 UTC 
Summary:
When creating OSPP security profile (common criteria) e.g. for RHEL 8, currently there are two working ways on how to configure audit in accordance with this profile:
 1. Use the SCAP content provided by scap-security-guide, which creates files in the rules.d directory with predefined content
 2. Use the files from /usr/share/audit/sample-rules

The reason why this approach is not feasible in the first place is that any change introduced to one of the mentioned components needs to be propagated to the other one. Otherwise, we are not in sync. But there are other reasons as well described in https://docs.google.com/document/d/13IGJHLT3gPPfbPro5KGGXfCyLCvHyh9JUGpMbXPbf94/edit?usp=sharing

This request(bz) is mostly to provide users only one single source of truth for Audit rules for all SCAP profiles. With this in mind, we would like to mention this in the documentation:
 * /usr/share/audit/example-rules files
 * RHEL system administator guide and maybe some more

What do you think?