Blame SOURCES/scap-security-guide-0.1.54-update_RHEL_07_910055-PR_6430.patch

fe0dde
From 25dcc59ebea297789ee89cfe0263ec8575455da7 Mon Sep 17 00:00:00 2001
fe0dde
From: Gabriel Becker <ggasparb@redhat.com>
fe0dde
Date: Thu, 26 Nov 2020 15:45:10 +0100
fe0dde
Subject: [PATCH 1/2] Update RHEL7 STIG profile with /var/log/audit related
fe0dde
 rules.
fe0dde
fe0dde
Add file_permissions_var_log_audit and file_ownership_var_log_audit to
fe0dde
RHEL7 STIG profile.
fe0dde
---
fe0dde
 .../file_ownership_var_log_audit/rule.yml                       | 1 +
fe0dde
 .../file_permissions_var_log_audit/oval/shared.xml              | 2 +-
fe0dde
 .../file_permissions_var_log_audit/rule.yml                     | 1 +
fe0dde
 rhel7/profiles/stig.profile                                     | 2 ++
fe0dde
 4 files changed, 5 insertions(+), 1 deletion(-)
fe0dde
fe0dde
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
fe0dde
index 248ff3598..8a8c71520 100644
fe0dde
--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
fe0dde
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
fe0dde
@@ -21,6 +21,7 @@ identifiers:
fe0dde
 
fe0dde
 references:
fe0dde
     stigid@ol7: OL07-00-910055
fe0dde
+    stigid@rhel7: RHEL-07-910055
fe0dde
     stigid@rhel6: RHEL-06-000384
fe0dde
     srg@rhel6: SRG-OS-000057
fe0dde
     disa@rhel6: CCI-000166
fe0dde
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml
fe0dde
index 5941ea660f..1bb7dd453c 100644
fe0dde
--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml
fe0dde
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml
fe0dde
@@ -34,7 +34,7 @@
fe0dde
   </unix:file_object>
fe0dde
 
fe0dde
   <unix:file_state id="state_not_mode_0600" version="1" operator="OR">
fe0dde
-    
fe0dde
+    
fe0dde
     <unix:suid datatype="boolean">true</unix:suid>
fe0dde
     <unix:sgid datatype="boolean">true</unix:sgid>
fe0dde
     <unix:sticky datatype="boolean">true</unix:sticky>
fe0dde
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
fe0dde
index 6c265d68b..d6b36b647 100644
fe0dde
--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
fe0dde
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
fe0dde
@@ -24,6 +24,7 @@ identifiers:
fe0dde
 
fe0dde
 references:
fe0dde
     stigid@ol7: OL07-00-910055
fe0dde
+    stigid@rhel7: RHEL-07-910055
fe0dde
     disa: CCI-000162,CCI-000163,CCI-000164,CCI-001314
fe0dde
     srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084
fe0dde
     stigid@rhel6: RHEL-06-000383
fe0dde
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
fe0dde
index 4698785a49..1d94e79964 100644
fe0dde
--- a/rhel7/profiles/stig.profile
fe0dde
+++ b/rhel7/profiles/stig.profile
fe0dde
@@ -313,3 +313,5 @@ selections:
fe0dde
     - mount_option_dev_shm_nosuid
fe0dde
     - audit_rules_privileged_commands_mount
fe0dde
     - package_MFEhiplsm_installed
fe0dde
+    - file_ownership_var_log_audit
fe0dde
+    - file_permissions_var_log_audit
fe0dde
fe0dde
From e83eaf0ff5a3e3a4cb7a3caac0410c4ad4813312 Mon Sep 17 00:00:00 2001
fe0dde
From: Gabriel Becker <ggasparb@redhat.com>
fe0dde
Date: Thu, 26 Nov 2020 15:57:29 +0100
fe0dde
Subject: [PATCH 2/2] Remove unrelated fix content from
fe0dde
 file_permissions_var_log_audit bash.
fe0dde
fe0dde
---
fe0dde
 .../file_permissions_var_log_audit/bash/shared.sh            | 5 -----
fe0dde
 1 file changed, 5 deletions(-)
fe0dde
fe0dde
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh
fe0dde
index 3175a18a23..d6c45867e5 100644
fe0dde
--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh
fe0dde
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh
fe0dde
@@ -9,12 +9,7 @@ if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
fe0dde
     chmod 0600 /var/log/audit/audit.log
fe0dde
     chmod 0400 /var/log/audit/audit.log.*
fe0dde
   fi
fe0dde
-
fe0dde
-  chmod 0640 /etc/audit/audit*
fe0dde
-  chmod 0640 /etc/audit/rules.d/*
fe0dde
 else
fe0dde
   chmod 0600 /var/log/audit/audit.log
fe0dde
   chmod 0400 /var/log/audit/audit.log.*
fe0dde
-  chmod 0640 /etc/audit/audit*
fe0dde
-  chmod 0640 /etc/audit/rules.d/*
fe0dde
 fi