Bug 972523 - The system must forward audit records to the syslog service
The system must forward audit records to the syslog service
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: audit (Show other bugs)
6.6
All All
unspecified Severity high
: rc
: ---
Assigned To: Steve Grubb
BaseOS QE Security Team
:
Depends On: 972463
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-09 16:45 EDT by Jason Pyeron
Modified: 2013-06-10 17:38 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-09 20:57:09 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
RHEL6 STIG patch (411 bytes, patch)
2013-06-09 16:45 EDT, Jason Pyeron
no flags Details | Diff
specfile patch (1.26 KB, patch)
2013-06-09 16:47 EDT, Jason Pyeron
no flags Details | Diff

  None (edit)
Description Jason Pyeron 2013-06-09 16:45:16 EDT
Created attachment 758941 [details]
RHEL6 STIG patch

Description of problem:

The default configuration is not conforming to best practices. The Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) v1.2 published by the Defense Information Systems Agency recommends the changes in the attached patch.

Version-Release number of selected component (if applicable):

http://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/audit-2.2-2.el6.src.rpm

How reproducible:

Always

Steps to Reproduce:

perform a yum install

Actual results:

root@test /tmp/setup
# grep active /etc/audisp/plugins.d/syslog.conf

active = no

Expected results:

# grep active /etc/audisp/plugins.d/syslog.conf

If the "active" setting is missing or set to "no", this is a finding.

Additional info:

see: http://iase.disa.mil/stigs/os/unix/red_hat.html
Comment 1 Jason Pyeron 2013-06-09 16:47:09 EDT
Created attachment 758942 [details]
specfile patch
Comment 3 Steve Grubb 2013-06-09 20:57:09 EDT
Thanks for this suggestion. However, its wasteful to double log events to both audit and syslog. Its configurable so that if you want to do that you can. But its not recommended except when you need it. I can't see this as being a good default for everyone.

Note You need to log in before you can comment on or make changes to this bug.