This bug has been migrated to another issue tracking site. It has been closed here and may no longer be monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at the Red Hat Issue Tracker.
Bug 2168689 - [RFE] Provide pci-dss required audit rules in the audit packages just like ospp audit rules [NEEDINFO]
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: audit
Version: 8.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Sergio Correia
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-02-09 18:29 UTC by cweather
Modified: 2023-08-08 11:12 UTC (History)
CC List: 10 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-08 11:12:51 UTC
Type: Bug
Target Upstream Version:
Embargoed:
vpolasek: needinfo? (scorreia)




Links
Red Hat Issue Tracker RHEL-988 (last updated 2023-08-08 11:12:50 UTC)
Red Hat Issue Tracker RHELPLAN-148215 (last updated 2023-02-09 18:30:13 UTC)
Red Hat Issue Tracker SECENGSP-5201 (last updated 2023-05-22 10:39:51 UTC)

Description cweather 2023-02-09 18:29:09 UTC
Description of problem:

I have copied the 30-pci-dss-v31.rules into /etc/audit/rules.d/ and rebuilt the audit rules.

The SCAP report for PCI-DSS fails on many missing audit rules.
For example, the two rules below:
- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir

For OSPP, the rules provided in /usr/share/audit/sample-rules were enough to pass all the audit checks of the OSPP SCAP run.
I expected the same for the PCI-DSS SCAP report: just copy the 30-pci-dss-v31.rules to /etc/audit/rules.d/ and all audit rules tests get passed.

Version-Release number of selected component (if applicable):


How reproducible: 

Always

Steps to Reproduce:

- Copy /usr/share/audit/sample-rules/30-pci-dss-v31.rules and the surrounding boilerplate 10-base-config and 99-finalize to /etc/audit/rules.d

- Run augenrules

- Run SCAP for PCI-DSS:
/usr/bin/oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss --results-arf /var/tmp/compliance-report-pci-dss.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
/usr/bin/oscap xccdf generate report /var/tmp/compliance-report-pci-dss.xml

Results:
- Many failing SCAP tests on Audit

Expectation
- Audit tests in the SCAP report pass

Additional info:
More info in case.
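
The check a practitioner would want before re-running the scan, added here as an example and not part of the bug report, the audit package or scap-security-guide: given the rules file augenrules assembles, list which (arch, syscall) pairs have no matching "-S" rule, so a gap like the two failing checks named above (setxattr, rmdir) is visible without a full oscap run. The required syscall list is an assumption chosen to illustrate those two checks; the wrapper that performs the report's procedure assumes the sample-rules file names 10-base-config.rules and 99-finalize.rules. The real SSG OVAL checks are stricter than this grep (they also require the always,exit action and the auid filters on the rule), so an empty output here is necessary but not sufficient for the checks to pass.

```shell
#!/bin/sh
# Added example (not from the bug report or the audit package): report which
# (arch, syscall) pairs from a required list have no matching "-S" rule in an
# audit rules file.
#
# Assumption for illustration: the syscalls behind the two SSG checks named in
# the report, audit_rules_dac_modification_setxattr and
# audit_rules_file_deletion_events_rmdir (plus the l/f setxattr variants that
# have their own SSG checks).
REQUIRED_SYSCALLS="setxattr lsetxattr fsetxattr rmdir"
ARCHES="b32 b64"

# Print "arch syscall" for every pair not covered by a rule in the given file.
# A syscall counts as covered when a line carries "-F arch=<arch>" and the
# syscall appears in a "-S" argument, alone or inside a comma-separated list.
missing_syscalls() {
    f="$1"
    for arch in $ARCHES; do
        for sc in $REQUIRED_SYSCALLS; do
            if ! grep -E -- "-F arch=$arch" "$f" \
               | grep -qE -- "-S ([^ ]*,)?$sc(,[^ ]*)?( |$)"; then
                printf '%s %s\n' "$arch" "$sc"
            fi
        done
    done
}

# The procedure from the report, wrapped in a function so it is not run by
# accident: it needs root on a RHEL host with audit and scap-security-guide
# installed. File names under sample-rules are assumed.
apply_pci_rules_and_scan() {
    cp /usr/share/audit/sample-rules/10-base-config.rules \
       /usr/share/audit/sample-rules/30-pci-dss-v31.rules \
       /usr/share/audit/sample-rules/99-finalize.rules /etc/audit/rules.d/
    augenrules --load
    # Quick coverage check on the assembled rules before the slow scan.
    missing_syscalls /etc/audit/audit.rules
    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss \
        --results-arf /var/tmp/compliance-report-pci-dss.xml \
        /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
    oscap xccdf generate report /var/tmp/compliance-report-pci-dss.xml
}
```

Run `missing_syscalls /etc/audit/audit.rules` after `augenrules --load`; each line printed is a syscall for which the named SSG check will fail on that architecture regardless of what else the rule set contains.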

Comment 8 Steve Grubb 2023-05-22 16:53:20 UTC
The way the audit rules are intended to be used is to switch out the 30-xx rule to be compliant with the given security standard. Note that PCI-DSS changes every couple of years. I don't think the audit PCI rules have been looked at in 5 or 6 years.

Comment 9 Steve Grubb 2023-05-22 18:18:20 UTC
I just looked at PCI-DSS v4. The language is different in some spots which in turn changes some of what the audit system should be gathering. I think a new 30-pci-dss-v4.rules should be created which would be intended to meet v4. I think v31 should be left alone since it is still correct to the 3.1->3.2.1 era of audit requirements.

Comment 10 Attila Lakatos 2023-05-26 08:41:37 UTC
Summary:
When creating the OSPP security profile (Common Criteria), e.g. for RHEL 8, there are currently two working ways to configure audit in accordance with this profile:
 1. Use the SCAP content provided by scap-security-guide, which creates files in the rules.d directory with predefined content
 2. Use the files from /usr/share/audit/sample-rules

The reason why this approach is not feasible in the first place is that any change introduced to one of the mentioned components needs to be propagated to the other one. Otherwise, we are not in sync. But there are other reasons as well described in https://docs.google.com/document/d/13IGJHLT3gPPfbPro5KGGXfCyLCvHyh9JUGpMbXPbf94/edit?usp=sharing

This request (bz) is mostly to provide users with one single source of truth for audit rules for all SCAP profiles. With this in mind, we would like to mention this in the documentation:
 * /usr/share/audit/example-rules files
 * RHEL system administrator guide and maybe some more

What do you think?

