1404093 – STIG rules not functional

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1404093 - STIG rules not functional

Summary: STIG rules not functional

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	audit
Sub Component:
Version:	6.8
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Steve Grubb
QA Contact:	Ondrej Moriš
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-12-13 03:14 UTC by SHAURYA
Modified:	2020-05-14 15:28 UTC (History)
CC List:	1 user (show)
Fixed In Version:	audit-2.4.5-6.el6
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-03-21 09:22:47 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2017:0593	0	normal	SHIPPED_LIVE	audit bug fix and enhancement update	2017-03-21 12:25:31 UTC

Description SHAURYA 2016-12-13 03:14:19 UTC

Description of problem:

Freshly built system:
# auditctl -R /usr/share/doc/audit-2.4.5/stig.rules
No rules
enabled 1
failure 2
pid 1518
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
enabled 1
failure 2
pid 1518
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
usage: auditctl [options]
    -a <l,a>            Append rule to end of <l>ist with <a>ction
    -A <l,a>            Add rule at beginning of <l>ist with <a>ction
    -b <backlog>        Set max number of outstanding audit buffers
                        allowed Default=64
    -c                  Continue through errors in rules
    -C f=f              Compare collected fields if available:
                        Field name, operator(=,!=), field name
    -d <l,a>            Delete rule from <l>ist with <a>ction
                        l=task,exit,user,exclude
                        a=never,always
    -D                  Delete all rules and watches
    -e [0..2]           Set enabled flag
    -f [0..2]           Set failure flag
                        0=silent 1=printk 2=panic
    -F f=v              Build rule: field name, operator(=,!=,<,>,<=,
                        >=,&,&=) value
    -h                  Help
    -i                  Ignore errors when reading rules from file
    -k <key>            Set filter key on audit rule
    -l                  List rules
    -m text             Send a user-space message
    -p [r|w|x|a]        Set permissions filter on watch
                        r=read, w=write, x=execute, a=attribute
    -q <mount,subtree>  make subtree part of mount point's dir watches
    -r <rate>           Set limit in messages/sec (0=none)
    -R <file>           read rules from file
    -s                  Report status
    -S syscall          Build rule: syscall name or number
    -t                  Trim directory watches
    -v                  Version
    -w <path>           Insert watch at <path>
    -W <path>           Remove watch at <path>

Straight away in the messages file I see:
Dec  9 17:54:10 localhost auditctl: There was an error in line 17 of /usr/share/doc/audit-2.4.5/stig.rules

Version-Release number of selected component (if applicable):

[root@localhost sosreport-tollops-20161209175432] # cat installed-rpms | grep -i audit
audit-2.4.5-3.el6.x86_64                                    Fri Dec  9 17:41:14 2016
audit-libs-2.4.5-3.el6.x86_64                               Fri Dec  9 17:38:00 2016


How reproducible:

freshly installed system

Actual results:

Error messages in /var/log/messages -
Dec  9 17:48:30 localhost auditctl: There was an error in line 17 of /usr/share/doc/audit-2.4.5/stig.rules
Dec  9 17:48:53 localhost auditctl: There was an error in line 17 of /usr/share/doc/audit-2.4.5/stig.rules
Dec  9 17:49:03 localhost auditctl: There was an error in line 17 of /usr/share/doc/audit-2.4.5/stig.rules
Dec  9 17:52:15 localhost auditctl: There was an error in line 17 of /usr/share/doc/audit-2.4.5/stig.rules
Dec  9 17:53:35 localhost auditctl: There was an error in line 17 of /usr/share/doc/audit-2.4.5/stig.rules
Dec  9 17:54:10 localhost auditctl: There was an error in line 17 of /usr/share/doc/audit-2.4.5/stig.rules



Expected results:

No error messages

Additional info:

Comment 1 Steve Grubb 2016-12-13 03:22:23 UTC

You are right. This is not functional. The --loginuid-immutable is only a RHEL7 feature. So, comment out/delete that line. I'll see about getting a 6.9 fix in place.

Comment 4 Steve Grubb 2016-12-22 17:45:35 UTC

audit-2.4.5-6.el6 was built to address this issue.

Comment 6 Ondrej Moriš 2016-12-23 14:19:23 UTC

Successfully verified. All provided rules files can be loaded correctly on all supported 64-bit architectures. All rules are loaded correctly.


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Checking /usr/share/doc/audit-2.4.5/capp.rules
:: [   PASS   ] :: Loading /usr/share/doc/audit-2.4.5/capp.rules (Expected 0, got 0)
:: [   PASS   ] :: Checking number of rules loaded (Assert: '63' should equal '63')
:: [   PASS   ] :: Removing all rules (Expected 0, got 0)

:: [   LOG    ] :: Checking /usr/share/doc/audit-2.4.5/lspp.rules
:: [   INFO   ] :: using '/var/tmp/beakerlib-49465331/backup' as backup destination
:: [   PASS   ] :: Loading /usr/share/doc/audit-2.4.5/lspp.rules (Expected 0, got 0)
:: [   PASS   ] :: Checking number of rules loaded (Assert: '81' should equal '81')
:: [   PASS   ] :: Removing all rules (Expected 0, got 0)

:: [   LOG    ] :: Checking /usr/share/doc/audit-2.4.5/nispom.rules
:: [   INFO   ] :: using '/var/tmp/beakerlib-49465331/backup' as backup destination
:: [   PASS   ] :: Loading /usr/share/doc/audit-2.4.5/nispom.rules (Expected 0, got 0)
:: [   PASS   ] :: Checking number of rules loaded (Assert: '36' should equal '36')
:: [   LOG    ] :: Rule "-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale" is not loaded - an exception
:: [   PASS   ] :: Removing all rules (Expected 0, got 0)

:: [   LOG    ] :: Checking /usr/share/doc/audit-2.4.5/stig.rules
:: [   INFO   ] :: using '/var/tmp/beakerlib-49465331/backup' as backup destination
:: [   PASS   ] :: Loading /usr/share/doc/audit-2.4.5/stig.rules (Expected 0, got 0)
:: [   PASS   ] :: Checking number of rules loaded (Assert: '35' should equal '35')
:: [   LOG    ] :: Rule "-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale" is not loaded - an exception
:: [   LOG    ] :: Rule "-a always,exit -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy" is not loaded - an exception
:: [   PASS   ] :: Removing all rules (Expected 0, got 0)

:: [   LOG    ] :: Duration: 4m 53s
:: [   LOG    ] :: Assertions: 12 good, 0 bad
:: [   PASS   ] :: RESULT: Test

See TJ#1645624 for more details. Also, please notice that none of the rules files cannot be loaded on i386 but that is expected because rules are intended for 64-bit architectures.

Comment 8 errata-xmlrpc 2017-03-21 09:22:47 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2017-0593.html

Note You need to log in before you can comment on or make changes to this bug.