Bug 2123367
| Summary: | audit_rules_usergroup_modification_shadow don't remediate existing audit rule [rhel-7.9.z] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Matus Marhefka <mmarhefk> |
| Component: | scap-security-guide | Assignee: | Vojtech Polasek <vpolasek> |
| Status: | CLOSED ERRATA | QA Contact: | Matus Marhefka <mmarhefk> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.9 | CC: | ggasparb, kpfleming, mhaicman, mlysonek, qe-baseos-security, vpolasek, wsato |
| Target Milestone: | rc | Keywords: | Triaged, ZStream |
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | scap-security-guide-0.1.66-1.el7_9 | Doc Type: | Bug Fix |
| Doc Text: |
Cause:
If an Audit watch rule was defined without an Audit key (-k or -F key), it would be marked as non-compliant even if other parts of the rule were correct. Moreover, Bash remediation would fix the path and permissions of the watch rule, but it would not add the key correctly.
Consequence:
Following rules could be marked as non-compliant eventhough they would be techincally correct (except for the key parameter which is not important for auditing).
* `audit_rules_login_events`
* `audit_rules_login_events_faillock`
* `audit_rules_login_events_lastlog`
* `audit_rules_login_events_tallylog`
* `audit_rules_usergroup_modification`
* `audit_rules_usergroup_modification_group`
* `audit_rules_usergroup_modification_gshadow`
* `audit_rules_usergroup_modification_opasswd`
* `audit_rules_usergroup_modification_passwd`
* `audit_rules_usergroup_modification_shadow`
* `audit_rules_time_watch_localtime`
* `audit_rules_mac_modification`
* `audit_rules_networkconfig_modification`
* `audit_rules_sysadmin_actions`
* `audit_rules_session_events`
* `audit_rules_sudoers`
* `audit_rules_sudoers_d`
Moreover, in some cases remediation would not fix the missing key, resultin gin an "error" instead of "fixed" return value.
Fix:
The key (represented by -k or -F key in the rule definition) is not taken into account anymore neither when checking nor when applying Bash or Ansible remediation. As mentioned above, the key is here mainly for human auditors to ease searching in Audit logs and therefore they should be able to choose it arbitrarily.
Result:
Inconsistencies caused by the key field during checking and remediating are no longer present.
|
Story Points: | --- |
| Clone Of: | 2119356 | Environment: | |
| Last Closed: | 2023-03-07 09:54:58 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2119356 | ||
| Bug Blocks: | 2120978 | ||
|
Comment 2
Watson Yuuma Sato
2022-10-04 15:42:30 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:1099 |