Bug 1371313 - rule file_ownership_var_log_audit has wrong description
Summary: rule file_ownership_var_log_audit has wrong description
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Watson Yuuma Sato
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-08-29 21:49 UTC by Marek Haicman
Modified: 2017-12-12 16:13 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-12 16:13:30 UTC
Target Upstream Version:



Description Marek Haicman 2016-08-29 21:49:06 UTC
Description of problem:
The first issue is that the description of the rule hints at fixing the /var/log directory, but the rule explicitly checks /var/log/audit and /var/log/audit/audit.cfg.

The second problem is that the location of the audit log file is defined in the conf file, so this rule should at least tell the admin she is supposed to check it herself.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.30-3.el7.noarch

How reproducible:
reliably

Steps to Reproduce:
1. change log_file in /etc/audit/auditd.conf to /var/log/audit2.cfg
2. chown root:root /var/log/audit{,/audit.cfg}
3. touch /var/log/audit2.cfg
4. chown test:test /var/log/audit2.cfg
5. run pci-dss scan
6. open report and the rule itself


Actual results:
1. description is about /var/log

2. the file tested for ownership is still the default one, /var/log/audit/audit.cfg, thus the rule passes

Expected results:
1. description is more relevant to the rule itself

2. when the log_file parameter is changed, either check the new location or raise "informational" with a note that the user needs to check it manually
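The check the reporter asks for, reading log_file from auditd.conf and testing ownership of the configured file as well as the default /var/log/audit tree, can be sketched as follows. This is an added example, not the reporter's code and not part of scap-security-guide; the auditd.conf fragment, the fake filesystem ownership table and the function names (parse_log_file, audit_log_paths, run_check) are constructed for the demonstration, and the assumed default log path /var/log/audit/audit.log is what stock auditd uses when log_file is unset.

```python
import os
from typing import Callable, Dict, List, NamedTuple, Tuple

# Assumption: auditd's default log location when log_file is not set in auditd.conf.
DEFAULT_LOG_FILE = "/var/log/audit/audit.log"
# Directory the SSG rule checks by default.
AUDIT_DIR = "/var/log/audit"


def parse_log_file(conf_text: str) -> str:
    """Return the log_file value from auditd.conf text, or the default if unset."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "log_file":
            return value.strip()
    return DEFAULT_LOG_FILE


def audit_log_paths(conf_text: str) -> List[str]:
    """Paths whose ownership must be root:root: the default audit dir, the
    configured log file and the directory that contains it (deduplicated)."""
    log_file = parse_log_file(conf_text)
    ordered: List[str] = []
    for path in (AUDIT_DIR, log_file, os.path.dirname(log_file)):
        if path not in ordered:
            ordered.append(path)
    return ordered


class Finding(NamedTuple):
    path: str
    status: str   # "pass", "fail" or "informational"
    detail: str


class Owner(NamedTuple):
    st_uid: int
    st_gid: int


def run_check(conf_text: str, stat_fn: Callable[[str], Owner] = os.stat) -> Dict:
    """Evaluate ownership of every relevant path. A missing path yields
    'informational' (the admin must verify log_file manually) instead of a
    silent pass on the default location."""
    findings: List[Finding] = []
    for path in audit_log_paths(conf_text):
        try:
            st = stat_fn(path)
        except FileNotFoundError:
            findings.append(Finding(path, "informational",
                                    "path does not exist; verify log_file manually"))
            continue
        if st.st_uid == 0 and st.st_gid == 0:
            findings.append(Finding(path, "pass", "owned by root:root"))
        else:
            findings.append(Finding(path, "fail",
                                    f"owned by uid={st.st_uid} gid={st.st_gid}, expected root:root"))
    rank = {"pass": 0, "informational": 1, "fail": 2}
    overall = max((f.status for f in findings), key=rank.__getitem__)
    return {"log_file": parse_log_file(conf_text), "findings": findings, "overall": overall}


# Constructed auditd.conf fragment mirroring step 1 of the reproducer (not the stock file).
SAMPLE_CONF = """\
# constructed sample
local_events = yes
log_file = /var/log/audit2.cfg
log_format = ENRICHED
"""

# Constructed ownership table standing in for os.stat: path -> (uid, gid).
FAKE_FS: Dict[str, Tuple[int, int]] = {
    "/var/log": (0, 0),
    "/var/log/audit": (0, 0),
    "/var/log/audit/audit.cfg": (0, 0),
    "/var/log/audit2.cfg": (1000, 1000),   # chown test:test from step 4
}


def fake_stat(path: str) -> Owner:
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return Owner(*FAKE_FS[path])


if __name__ == "__main__":
    # Offline run against the constructed table; replace stat_fn and read
    # /etc/audit/auditd.conf to run it against a real host.
    report = run_check(SAMPLE_CONF, stat_fn=fake_stat)
    for f in report["findings"]:
        print(f"{f.status:<13} {f.path}: {f.detail}")
    print("overall:", report["overall"])
```

With the reporter's scenario the configured file /var/log/audit2.cfg is flagged as a fail even though the default /var/log/audit tree passes, which is the behaviour the report asks for; a configured path that does not exist is reported as informational rather than passing on the default file.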

Comment 1 Raphael Sanchez Prudencio 2017-03-07 10:45:26 UTC
The description of the rule already scopes other files: 

"<description>Checks that all /var/log/audit files and directories are owned by the root user and group.</description>"

Is this BZ outdated or you think this description is not enough? It mentions audit files and directories.

Comment 2 Raphael Sanchez Prudencio 2017-03-07 12:48:09 UTC
About the second issue, there is a specific list of possible results: pass, fail, error, unknown, notapplicable, notchecked, notselected, informational, fixed.

As the config itself can be sitting in any place, it's hard to scope those scenarios with custom configurations. It's possible to try to find such a file and then work on it afterwards, but there would be no guarantee that it's the right file, so it's a tricky problem with no obvious solution IMHO.

I think this would need a Tailoring file or something like that, what do you think?

Comment 3 Raphael Sanchez Prudencio 2017-03-08 09:56:50 UTC
Proposed fix at https://github.com/OpenSCAP/scap-security-guide/pull/1746

Comment 4 Raphael Sanchez Prudencio 2017-03-10 15:09:04 UTC
The proposed fix above scopes only the second problem. We are not currently supporting customized paths for log files for this rule.

Comment 5 Marek Haicman 2017-12-12 16:13:30 UTC
As the customized paths for log files are something we don't generally support, I am accepting the description update as the fix of this bugzilla. It has been fixed in RHEL 7.4.

