2167999 – content_rule_audit_rules_login_events_faillock not selected on DISA STIG Profile

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2167999 - content_rule_audit_rules_login_events_faillock not selected on DISA STIG Profile

Summary: content_rule_audit_rules_login_events_faillock not selected on DISA STIG Profile

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	scap-security-guide
Sub Component:
Version:	8.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Jan Černý
QA Contact:	Milan Lysonek
Docs Contact:	Petr Hybl
URL:
Whiteboard:
Depends On:
Blocks:	2228455 2228456
TreeView+	depends on / blocked

Reported:	2023-02-08 01:41 UTC by ckrell
Modified:	2023-11-14 17:08 UTC (History)
CC List:	10 users (show)
Fixed In Version:	scap-security-guide-0.1.69-1.el8
Doc Type:	Enhancement
Doc Text:	.The DISA STIG profile now supports `audit_rules_login_events_faillock` With this enhancement, the SCAP Security Guide `audit_rules_login_events_faillock` rule, which references STIG ID RHEL-08-030590, has been added to the DISA STIG profile for RHEL 8. This rule checks if the Audit daemon is configured to record any attempts to modify login event logs stored in the `/var/log/faillock` directory.
Clone Of:
Clones:	2228455 2228456 (view as bug list)
Environment:
Last Closed:	2023-11-14 15:36:38 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-147880	0	None	None	None	2023-02-08 01:43:19 UTC
Red Hat Product Errata	RHBA-2023:7056	0	None	None	None	2023-11-14 15:37:31 UTC

Description ckrell 2023-02-08 01:41:48 UTC

Description of problem:

From the stig-results.xml found that this benchmark (RHEL-08-030590 |  CCE-80718-0  | V-230466 | xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock) wasn't selected:

    <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" role="full" time="2022-12-19T11:20:10-08:00" severity="medium" weight="1.000000">
      <result>notselected</result>
      <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-80718-0</ident>
    </rule-result>

and isn't selected as a part of the DISA STIG profile in the datastream file - /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 

Is there an ETA on when this benchmark will be included or a status update for this?

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.63-4.el8.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install scap-security-guide-0.1.63-4.el8.noarch
2. Review benchmarks for "DISA STIG for Red Hat Enterprise Linux 8" profile in /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 

Actual results:
xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock isn't selected in the profile

Expected results:
xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock is selected within the DISA STIG profile

Additional info:

https://github.com/ComplianceAsCode/content/blob/d906795a38fd069e8aa4e1fe8851f19a5038f98f/products/rhel8/profiles/stig.profile
~~~
    # RHEL-08-030590
    # This one needs to be updated to use /var/log/faillock, but first RHEL-08-020017 should be
    # implemented as it is the one that configures a different path for the events of failing locks
    # - audit_rules_login_events_faillock
~~~

Status shows as pending here (also checked the referenced RHEL-08-020017 looks like this is in place "automated"):
https://github.com/ComplianceAsCode/content/blob/74ca327dc3ea0b7c813263d13e230cd62ac70b5a/controls/stig_rhel8.yml
~~~
    -   id: RHEL-08-030590
        levels:
            - medium
        title: Successful/unsuccessful modifications to the faillock log file in RHEL 8
            must generate an audit record.
        status: pending
~~~
Found the audit_rules_login_events_faillock here:

https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
~~~
{{% if product in ["ol8","ol9","rhel8", "rhel9"] %}}
{{% set faillock_path = "/var/log/faillock" %}}
{{% else %}}
{{% set faillock_path = "/var/run/faillock" %}}
{{% endif %}}
documentation_complete: true
...
ocil_clause: 'the command does not return a line, or the line is commented out'

ocil: |-
    Verify {{{ full_name }}} generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command:
    $ sudo auditctl -l | grep /var/run/faillock
    -w /var/run/faillock -p wa -k logins
template:
    name: audit_rules_login_events
    vars:
        path: {{{ faillock_path }}}

fixtext: |-
    {{{ fixtext_audit_file_watch_rule(faillock_path, "logins", "/etc/audit/rules.d/audit.rules") | indent(4) }}}
srg_requirement: '{{{ srg_requirement_audit_file_watch_rule(faillock_path) }}}'
~~~

This still has /var/run instead of /var/log in the ocil section, but the other sections look like they've been updated to use a dynamic faillock path.  (I'm not really sure if the ocil section is necessary or if it should statically reference /var/run)

Comment 2 Jan Černý 2023-07-10 14:43:35 UTC

A fix has been submitted to review in https://github.com/ComplianceAsCode/content/pull/10816.

Comment 3 Marcus Burghardt 2023-07-11 08:30:48 UTC

PR is merged in Upstream:
https://github.com/ComplianceAsCode/content/pull/10816

Comment 18 errata-xmlrpc 2023-11-14 15:36:38 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7056

Note You need to log in before you can comment on or make changes to this bug.