Bug 1667108 - DISA profile doubles audit rules (with auid unset and 4294967295) and prevents augenrules to run
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.6
Hardware: All
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
: ---
Assignee: Watson Yuuma Sato
QA Contact: Jan Černý
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-01-17 13:14 UTC by Welterlen Benoit
Modified: 2019-08-06 13:04 UTC (History)

Fixed In Version: scap-security-guide-0.1.43-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 13:04:20 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2019:2198 (last updated 2019-08-06 13:04:32 UTC)

Description Welterlen Benoit 2019-01-17 13:14:27 UTC
Description of problem:
In RHEL 7.6, the DISA part of the scap-security-guide has been modified and now audit rules for privileged binaries are broken/doubled with auid!=unset and auid!=4294967295
This prevents augenrules from running and also prevents the profile from being correctly verified.

Version-Release number of selected component (if applicable):
RHEL 7.6 (not in 7.5)

How reproducible:
Always

Steps to Reproduce:
1. install RHEL 7.6 with DISA STIG profile
2.
3.

Actual results:
- augenrules fails to load rules:
8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[user1@localhost ~]$ systemctl status auditd
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-01-17 11:57:52 CET; 2h 7min ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 4538 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
  Process: 4522 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 4532 (auditd)
   CGroup: /system.slice/auditd.service
           ├─4532 /sbin/auditd
           ├─4534 /sbin/audispd
           └─4536 /usr/sbin/sedispatch

Jan 17 11:57:52 localhost.localdomain augenrules[4538]: lost 0
Jan 17 11:57:52 localhost.localdomain augenrules[4538]: backlog 0
Jan 17 11:57:52 localhost.localdomain augenrules[4538]: enabled 1
Jan 17 11:57:52 localhost.localdomain augenrules[4538]: failure 2
8< ---------------- 8< ---------------- 8< ---------------- 8< --------

- because a lot of rules are doubled:
8< ---------------- 8< ---------------- 8< ---------------- 8< --------
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
8< ---------------- 8< ---------------- 8< ---------------- 8< --------

- the STIG validation fails on this rule:
8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
Result: fail
Time: 2019-01-16T23:33:33
Severity: medium
Identifiers and References:

Identifiers:  CCE-80395-7

References:  FAU_GEN.1.1.c, RHEL-07-030630, SV-86773r3_rule, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-3(1), AU-12(c), SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215
Description	

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale	

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Expected results:
- System installed and configured with correct audit rules that meet the DISA STIG requirement, and audit rules correctly loaded

Additional info:

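The failure above comes from two rules that differ only in spelling: `auid!=4294967295` and `auid!=unset` are the same 32-bit "-1" sentinel, and `-k privileged` is shorthand for `-F key=privileged`, so the kernel sees an exact duplicate and `augenrules --load` exits non-zero. The following is an added example (not code from the bug report, from scap-security-guide or from ComplianceAsCode) that canonicalises rule lines and reports such semantic duplicates before they reach auditctl. The sample rules are constructed from the two lines quoted in the report plus one distinct rule; the set of options treated as taking an argument and the assumption that field order does not change a rule's meaning are mine.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample input: the two passwd rules quoted in the bug report
# plus one rule that is genuinely distinct (different path).
SAMPLE_RULES = """\
# privileged commands
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
"""

# auditctl accepts "unset" and "-1" as spellings of the unsigned 32-bit -1.
UNSET_AUID = "4294967295"
FIELD_RE = re.compile(r"^(\w+)(!=|>=|<=|&=|=|>|<|&)(.*)$")
# Options assumed to take exactly one argument (assumption for this example).
OPTS_WITH_ARG = {"-a", "-A", "-w", "-p", "-S", "-C", "-F", "-k"}


def canon_field(spec):
    """Canonicalise one -F/-C field spec such as 'auid!=unset'."""
    m = FIELD_RE.match(spec)
    if not m:
        return spec
    name, op, value = m.groups()
    if name == "auid" and value in ("unset", "-1"):
        value = UNSET_AUID
    return f"{name}{op}{value}"


def normalize_rule(line):
    """Return a hashable canonical form of one rule line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    toks = shlex.split(line)
    fields = []
    key = None
    i = 0
    while i < len(toks):
        opt = toks[i]
        if opt in OPTS_WITH_ARG:
            if i + 1 >= len(toks):
                raise ValueError(f"option {opt} is missing its argument: {line}")
            val = toks[i + 1]
            i += 2
        else:
            val = None
            i += 1
        if opt == "-k":
            key = val                      # -k NAME is shorthand for -F key=NAME
        elif opt == "-F" and val.startswith("key="):
            key = val[len("key="):]
        elif opt in ("-F", "-C"):
            fields.append((opt, canon_field(val)))
        elif opt in ("-a", "-A", "-S"):
            # "exit,always" and "always,exit" name the same list
            fields.append((opt, ",".join(sorted(val.split(",")))))
        else:
            fields.append((opt, val))
    # Field order is assumed not to change a rule's meaning, so sort it away.
    return (tuple(sorted(fields)), key)


def find_duplicates(text):
    """Group rule lines by canonical form; return only groups with more than one line."""
    groups = defaultdict(list)
    for line in text.splitlines():
        canon = normalize_rule(line)
        if canon is not None:
            groups[canon].append(line.strip())
    return {c: lines for c, lines in groups.items() if len(lines) > 1}


if __name__ == "__main__":
    for canon, lines in find_duplicates(SAMPLE_RULES).items():
        print(f"duplicate rule (key={canon[1]}):")
        for rule in lines:
            print("   ", rule)
```

In practice you would feed it the concatenation of `/etc/audit/rules.d/*.rules`, which is what augenrules merges into `/etc/audit/audit.rules`, so a duplicate introduced by two remediation sources (here the older `4294967295` form and the newer `unset` form of the same STIG rule) is caught before `auditd` restarts with a failed `ExecStartPost`.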
Comment 2 Watson Yuuma Sato 2019-01-21 09:20:25 UTC
The following patch should fix problems with addition of duplicated rules: https://github.com/ComplianceAsCode/content/pull/3692

Comment 3 Jan Černý 2019-03-07 08:37:30 UTC
Granting devel ack because it's fixed by rebase to 0.1.43.

Comment 8 errata-xmlrpc 2019-08-06 13:04:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2198

