Description of problem:
The first issue is that the description of the rule hints at fixing the /var/log directory, but the rule explicitly checks /var/log/audit and /var/log/audit/audit.cfg.
The second problem is that the location of the audit log file is defined in the conf file, thus this rule should at least tell the admin she is supposed to check it herself.
Version-Release number of selected component (if applicable):
scap-security-guide-0.1.30-3.el7.noarch
How reproducible:
reliably
Steps to Reproduce:
1. change log_file in /etc/audit/auditd.conf to /var/log/audit2.cfg
2. chown root:root /var/log/audit{,/audit.cfg}
3. touch /var/log/audit2.cfg
4. chown test:test /var/log/audit2.cfg
5. run pci-dss scan
6. open report and the rule itself
Actual results:
1. the description is about /var/log
2. the file tested for ownership is still the default one, /var/log/audit/audit.cfg, thus the rule passes
Expected results:
1. the description is more relevant to the rule itself
2. when the log_file parameter is changed, either check the new location, or raise "informational" with a note that the user needs to check it manually
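The mismatch the steps above reproduce, as an added example that is not part of this bug or of scap-security-guide: a small Python check that reads log_file from auditd.conf and tests ownership of the path it actually points at, beside the fixed-path check, run over a constructed in-memory filesystem (the /var/log/audit/audit.log default and uid/gid 1000 for the test user are assumptions).

```python
import os
import re
from collections import namedtuple

DEFAULT_LOG_FILE = "/var/log/audit/audit.log"  # assumed default if log_file is unset

def parse_log_file(conf_text):
    """Return the log_file value from auditd.conf text, or the default."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        match = re.match(r"log_file\s*=\s*(\S+)$", line)
        if match:
            return match.group(1)
    return DEFAULT_LOG_FILE

def check_ownership(path, stat_fn=os.stat):
    """'pass' if root:root owns path, 'fail' if not, 'unknown' if it is missing."""
    try:
        st = stat_fn(path)
    except FileNotFoundError:
        return "unknown"
    return "pass" if (st.st_uid, st.st_gid) == (0, 0) else "fail"

def check_audit_log(conf_text, stat_fn=os.stat):
    """Check the directory and file that auditd.conf actually points at."""
    log_file = parse_log_file(conf_text)
    return {path: check_ownership(path, stat_fn)
            for path in (os.path.dirname(log_file), log_file)}

# Constructed sample reproducing the report: log_file moved to /var/log/audit2.cfg
# and chowned to the 'test' user (uid/gid 1000 assumed); default paths stay root.
Stat = namedtuple("Stat", "st_uid st_gid")
SAMPLE_CONF = "log_file = /var/log/audit2.cfg\nlog_format = RAW\n"
SAMPLE_FS = {
    "/var/log": Stat(0, 0),
    "/var/log/audit/audit.cfg": Stat(0, 0),  # fixed path the rule inspects
    "/var/log/audit2.cfg": Stat(1000, 1000),
}

def fake_stat(path):
    """os.stat stand-in over the constructed sample filesystem."""
    if path in SAMPLE_FS:
        return SAMPLE_FS[path]
    raise FileNotFoundError(path)

def demo():
    """Fixed-path check (what the rule does) beside the config-aware check."""
    fixed = check_ownership("/var/log/audit/audit.cfg", fake_stat)
    return fixed, check_audit_log(SAMPLE_CONF, fake_stat)
```

On the sample data the fixed-path check reports pass while the config-aware check flags /var/log/audit2.cfg as fail; pass `os.stat` (the default) to run it against a real host.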
Comment 1 Raphael Sanchez Prudencio
2017-03-07 10:45:26 UTC
The description of the rule already scopes other files:
"<description>Checks that all /var/log/audit files and directories are owned by the root user and group.</description>"
Is this BZ outdated, or do you think this description is not enough? It mentions audit files and directories.
Comment 2 Raphael Sanchez Prudencio
2017-03-07 12:48:09 UTC
About the second issue, there is a specific list of possible results: pass, fail, error, unknown, notapplicable, notchecked, notselected, informational, fixed.
As the config itself can be sitting in any place, it's hard to scope those scenarios with custom configurations. It's possible to try to find such a file and then work on it afterwards, but there would be no guarantee that it's the right file, so it's a tricky problem with no obvious solution IMHO.
I think this would need a Tailoring file or something like that, what do you think?
Comment 3 Raphael Sanchez Prudencio
2017-03-08 09:56:50 UTC
As customized paths for log files are something we don't generally support, I am accepting the description update as the fix of this bugzilla. It has been fixed in RHEL7.4.