Description of problem:
The rule audit_access_success causes huge amounts of audit events to be generated. It should be turned to unenforcing by default in the OSPP SCAP profile.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.60-4.el9

How reproducible:
Deterministic.

Steps to Reproduce:
1. Check /etc/audit/rules.d/30-ospp-v42-3-access-success.rules does not exist:
# ls -la /etc/audit/rules.d
2. Remediate system using OSPP profile:
# oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_ospp /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
3. Check if the file got created:
# ls -la /etc/audit/rules.d/30-ospp-v42-3-access-success.rules

Actual results:
-rw-r-----. 1 root root 399 Feb 24 07:11 /etc/audit/rules.d/30-ospp-v42-3-access-success.rules

Expected results:
ls: cannot access '/etc/audit/rules.d/30-ospp-v42-3-access-success.rules': No such file or directory

Additional info:
Running just eval for the rule with
# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --rule xccdf_org.ssgproject.content_rule_audit_access_success /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
should report the result as informational. The practical change should likely be adding .role=unscored and .severity=info to ospp.profile for audit_access_success.
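The fix proposed above is a profile refinement: selecting the rule but demoting it with `.role=unscored` and `.severity=info`. The following is an added example (not part of this bug report or of the ComplianceAsCode project) that checks a profile file for exactly that: it assumes the simple `selections:` list form of a `.profile` file, and the sample profile text is constructed.

```python
import re

# Constructed sample of an ospp.profile-like file: audit_access_success is
# selected but not refined (the reported problem), while
# audit_basic_configuration shows the refinement the report proposes.
SAMPLE_PROFILE = """\
documentation_complete: true
title: 'Protection Profile for General Purpose Operating Systems'
selections:
    - audit_access_failed
    - audit_access_success
    - audit_basic_configuration
    - audit_basic_configuration.role=unscored
    - audit_basic_configuration.severity=info
    - var_accounts_tmout=10_min
"""

# The same profile with the proposed refinement appended for audit_access_success.
FIXED_PROFILE = SAMPLE_PROFILE + (
    "    - audit_access_success.role=unscored\n"
    "    - audit_access_success.severity=info\n"
)

REFINEMENT = re.compile(r"^(?P<rule>[A-Za-z0-9_]+)\.(?P<attr>role|severity)=(?P<value>\S+)$")


def parse_selections(profile_text):
    """Return (selected_rules, refinements) from the 'selections:' list.

    Assumption: entries are plain '- item' lines. Entries with '=' but no
    '.role'/'.severity' attribute are variable settings and are skipped.
    """
    selected, refinements, in_list = set(), {}, False
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("selections:"):
            in_list = True
            continue
        if in_list and not line.startswith("- "):
            in_list = False  # next top-level key ends the list
        if not in_list:
            continue
        item = line[2:].strip()
        m = REFINEMENT.match(item)
        if m:
            refinements.setdefault(m["rule"], {})[m["attr"]] = m["value"]
        elif "=" not in item:
            selected.add(item)
    return selected, refinements


def rule_status(profile_text, rule_id):
    """Classify how the profile treats rule_id: 'absent', 'scored' or 'informational'."""
    selected, refinements = parse_selections(profile_text)
    if rule_id not in selected:
        return "absent"
    ref = refinements.get(rule_id, {})
    if ref.get("role") == "unscored" and ref.get("severity") == "info":
        return "informational"
    return "scored"
```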
There is an open PR in https://github.com/ComplianceAsCode/content/pull/9082
https://github.com/ComplianceAsCode/content/pull/9082 has been merged to upstream
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:8131