From 4c0470b91583d75c0a364612b9511aa04d67a2c0 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 11 Sep 2020 12:56:27 +0200
Subject: [PATCH 1/2] use xccdf variable in the rule.yml
---
.../auditd_audispd_network_failure_action/rule.yml | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
index 9703bba724..01b16a4dd2 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
@@ -14,6 +14,7 @@ description: |-
<tt>halt</tt>. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined.
+ This profile configures the <i>action</i> to be {{{ sub_var_value("var_audispd_network_failure_action") }}}.
rationale: |-
Taking appropriate action when there is an error sending audit records to a
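Review bot: the added description line prints the substituted value as bare text, while the literal just above it in the same description is marked up as <tt>halt</tt>. Wrap the macro call in <tt>...</tt> in this patch so the rendered value is styled like the other option names, instead of leaving the markup to a follow-up commit.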
@@ -35,11 +36,7 @@ ocil_clause: 'the system is not configured to switch to single user mode for cor
ocil: |-
Inspect <tt>/etc/audisp/audisp-remote.conf</tt> and locate the following line to
- determine if the system is configured to either send to syslog, switch to single user mode,
- or halt when there is a network failure with audispd:
+ determine if the system is configured to perform a correct action according to the policy:
<pre>grep -i network_failure_action /etc/audisp/audisp-remote.conf</pre>
- The output should return something similar to:
- <pre>network_failure_action = single</pre>
- Acceptable values also include <tt>syslog</tt> and
- <tt>halt</tt>.
-
+ The output should return:
+ <pre>network_failure_action = {{{ sub_var_value("var_audispd_network_failure_action") }}}</pre>
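Review bot: the ocil_clause visible in this hunk's header still reads 'the system is not configured to switch to single user mode ...', but the rewritten ocil text now expects whatever var_audispd_network_failure_action selects. The clause and the check disagree whenever the variable is set to something other than single, so ocil_clause should be changed to refer to the configured action as well. The phrase 'a correct action according to the policy' is also vague; naming the expected value in that sentence would tell the auditor what to look for before the <pre> line.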
From 2d7c59fe90d8dad86c6e6743f137a5d1ba580257 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 22 Sep 2020 08:45:57 +0200
Subject: [PATCH 2/2] change jinja macro used
---
.../auditd_audispd_network_failure_action/rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
index 01b16a4dd2..9e677d225c 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
@@ -14,7 +14,7 @@ description: |-
<tt>halt</tt>. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined.
- This profile configures the <i>action</i> to be {{{ sub_var_value("var_audispd_network_failure_action") }}}.
+ This profile configures the <i>action</i> to be <tt>{{{ xccdf_value("var_audispd_network_failure_action") }}}</tt>.
rationale: |-
Taking appropriate action when there is an error sending audit records to a
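Review bot: the changed description line does two things at once, swapping sub_var_value for xccdf_value and adding the <tt> wrapper, while the subject only says 'change jinja macro used' and gives no reason for the swap. Add a sentence to the commit message explaining why xccdf_value is the right macro here and mention the markup change, or fold the <tt> fix into patch 1/2 where the line is introduced.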
@@ -39,4 +39,4 @@ ocil: |-
determine if the system is configured to perform a correct action according to the policy:
<pre>grep -i network_failure_action /etc/audisp/audisp-remote.conf</pre>
The output should return:
- <pre>network_failure_action = {{{ sub_var_value("var_audispd_network_failure_action") }}}</pre>
+ <pre>network_failure_action = {{{ xccdf_value("var_audispd_network_failure_action") }}}</pre>
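Review bot: the expected output on the changed <pre> line is one exact assignment, but the check command kept as context above it, grep -i network_failure_action, also prints commented-out and duplicate entries. Consider anchoring the pattern, for example grep -i '^[[:space:]]*network_failure_action', or stating that only the uncommented line counts, so that a commented line carrying the expected value is not read as compliant.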