Description
Welterlen Benoit
2019-01-17 13:14:27 UTC
Description of problem:
In RHEL 7.6, the DISA part of the scap-security-guide has been modified, and the audit rules for privileged binaries are now broken/doubled with auid!=unset and auid!=4294967295.
This prevents augenrules from running and also prevents the profile from being correctly verified.
Version-Release number of selected component (if applicable):
RHEL 7.6 (not in 7.5)
How reproducible:
Always
Steps to Reproduce:
1. install RHEL 7.6 with DISA STIG profile
2.
3.
Actual results:
- augenrules fails to load rules:
8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[user1@localhost ~]$ systemctl status auditd
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-01-17 11:57:52 CET; 2h 7min ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 4538 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
Process: 4522 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
Main PID: 4532 (auditd)
CGroup: /system.slice/auditd.service
├─4532 /sbin/auditd
├─4534 /sbin/audispd
└─4536 /usr/sbin/sedispatch
Jan 17 11:57:52 localhost.localdomain augenrules[4538]: lost 0
Jan 17 11:57:52 localhost.localdomain augenrules[4538]: backlog 0
Jan 17 11:57:52 localhost.localdomain augenrules[4538]: enabled 1
Jan 17 11:57:52 localhost.localdomain augenrules[4538]: failure 2
8< ---------------- 8< ---------------- 8< ---------------- 8< --------
- because a lot of rules are doubled:
8< ---------------- 8< ---------------- 8< ---------------- 8< --------
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
8< ---------------- 8< ---------------- 8< ---------------- 8< --------
- the STIG validation fails on this rule:
8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
Result: fail
Time: 2019-01-16T23:33:33
Severity: medium
Identifiers and References
Identifiers: CCE-80395-7
References: FAU_GEN.1.1.c, RHEL-07-030630, SV-86773r3_rule, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-3(1), AU-12(c), SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Expected results:
- System installed and configured with the correct audit rules to meet the DISA STIG requirements, and audit rules correctly loaded
Additional info:
Comment 2
Watson Yuuma Sato
2019-01-21 09:20:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2019:2198
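The check a practitioner would want before running augenrules on a STIG-remediated host, added here as an example and not code from the bug report or from the scap-security-guide project: a Python script that canonicalizes auditctl rule lines and reports lines that collapse to the same kernel rule. It folds the two spellings the kernel treats as identical (auid!=unset is the keyword form of auid!=4294967295, i.e. (unsigned)-1, and -k KEY is shorthand for -F key=KEY) and ignores field order, because the kernel compares the decoded rule, not the text. Since the kernel refuses to add a rule that already exists, a rules.d directory carrying both spellings of the same rule is exactly what makes augenrules --load exit 1 as shown above. The sample rule text is constructed, modelled on the two passwd lines quoted in the report; the check_rules_dir helper and its /etc/audit/rules.d default are the only part that touches a real system.

```python
import glob
import re
from collections import defaultdict

# Constructed sample (not taken from a real host): the two passwd lines quoted in
# the bug report, plus two rules that are NOT duplicates so the checker has a
# negative case.
SAMPLE_RULES = """\
## constructed sample, modelled on the lines quoted in the bug report
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-w /etc/passwd -p wa -k identity
"""

UNSET_AUID = "4294967295"   # (unsigned)-1: what the kernel stores for an unset loginuid

_FILTER_RE = re.compile(r"([a-z0-9_]+)(!=|>=|<=|=|>|<|&=|&)(.*)")


def normalize_rule(line):
    """Return a canonical, hashable form of one auditctl rule line, or None if the
    line is blank, a comment, or a control directive such as -D.

    Spellings the kernel treats as the same rule are folded together:
      * 'auid!=unset' and 'auid!=-1' become 'auid!=4294967295'
      * '-k KEY' becomes the filter ('key', '=KEY'), same as '-F key=KEY'
      * '-p PERMS' on a watch becomes ('perm', '=PERMS')
    Filters are sorted so that field order does not matter.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    if tokens[0] in ("-D", "-b", "-f", "-e", "-c", "-i", "--backlog_wait_time"):
        return None                      # daemon/kernel settings, not rules
    action = None
    filters = []
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError("option %r has no argument in: %s" % (opt, line))
        arg = tokens[i + 1]
        if opt in ("-a", "-A"):
            action = ("-a", arg)         # syscall rule: list,action
        elif opt == "-w":
            action = ("-w", arg)         # file watch
        elif opt == "-p":
            filters.append(("perm", "=" + arg))
        elif opt == "-k":
            filters.append(("key", "=" + arg))
        elif opt == "-S":
            filters.append(("syscall", arg))
        elif opt in ("-F", "-C"):
            m = _FILTER_RE.match(arg)
            if not m:
                raise ValueError("unparsable filter %r in: %s" % (arg, line))
            name, op, val = m.groups()
            if name == "auid" and val in ("unset", "-1"):
                val = UNSET_AUID
            filters.append((name, op + val))
        else:
            raise ValueError("unsupported option %r in: %s" % (opt, line))
        i += 2
    return (action, tuple(sorted(filters)))


def find_duplicate_rules(text):
    """Group rule lines by canonical form. Returns {canonical: [original lines]}
    containing only the groups with more than one line, i.e. the rules the
    kernel would reject as already existing when the merged file is loaded."""
    groups = defaultdict(list)
    for line in text.splitlines():
        canon = normalize_rule(line)
        if canon is not None:
            groups[canon].append(line.strip())
    return {k: v for k, v in groups.items() if len(v) > 1}


def check_rules_dir(directory="/etc/audit/rules.d"):
    """Concatenate *.rules in filename order, as augenrules does, and check them."""
    text = ""
    for path in sorted(glob.glob(directory + "/*.rules")):
        with open(path) as fh:
            text += fh.read() + "\n"
    return find_duplicate_rules(text)


if __name__ == "__main__":
    import sys
    dups = check_rules_dir(sys.argv[1]) if len(sys.argv) > 1 else find_duplicate_rules(SAMPLE_RULES)
    for lines in dups.values():
        print("duplicate rule (kernel will reject the second copy):")
        for l in lines:
            print("   ", l)
    sys.exit(1 if dups else 0)
```

Run it with no argument to see the constructed sample flag the two passwd lines, or with a directory argument (for example /etc/audit/rules.d) to check a real host before restarting auditd. The script deliberately raises on options it does not understand rather than skipping them, so that an unparsed line cannot hide a duplicate.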