Bug 972523

Summary: The system must forward audit records to the syslog service
Product: Red Hat Enterprise Linux 6 Reporter: Jason Pyeron <jpyeron>
Component: auditAssignee: Steve Grubb <sgrubb>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.6CC: jason.j.pyeron.ctr, jrieden
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-06-10 00:57:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 972463    
Bug Blocks:    
Attachments:
Description Flags
RHEL6 STIG patch
none
specfile patch none

Description Jason Pyeron 2013-06-09 20:45:16 UTC 
Created attachment 758941 [details]
RHEL6 STIG patch

Description of problem:

The default configuration is not conforming to best practices. The Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) v1.2 published by the Defense Information Systems Agency recommends the changes in the attached patch.

Version-Release number of selected component (if applicable):

http://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/audit-2.2-2.el6.src.rpm

How reproducible:

Always

Steps to Reproduce:

perform a yum install

Actual results:

root@test /tmp/setup
# grep active /etc/audisp/plugins.d/syslog.conf

active = no

Expected results:

# grep active /etc/audisp/plugins.d/syslog.conf

If the "active" setting is missing or set to "no", this is a finding.

Additional info:

see: http://iase.disa.mil/stigs/os/unix/red_hat.html
Comment 1 Jason Pyeron 2013-06-09 20:47:09 UTC 
Created attachment 758942 [details]
specfile patch
Comment 3 Steve Grubb 2013-06-10 00:57:09 UTC 
Thanks for this suggestion. However, its wasteful to double log events to both audit and syslog. Its configurable so that if you want to do that you can. But its not recommended except when you need it. I can't see this as being a good default for everyone.