From d0f70c7a7383dd41277599cb776e03534aa2137c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Wed, 30 Oct 2019 18:11:09 +0100
Subject: [PATCH 1/2] Remove audit_rules_for_ospp from RHEL 7 OSPP

The audit rule `-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail is present in /usr/share/doc/audit-2.8.5/rules/30-ospp-v42.rules (checked on audit-2.8.5-4.el7.x86_64). That means this audir rule is already checked and remediated by rule `audit_rules_for_ospp`.
---
 rhel7/profiles/ospp.profile | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile
index e20c58875d..81762ad782 100644
--- a/rhel7/profiles/ospp.profile
+++ b/rhel7/profiles/ospp.profile
@@ -285,13 +285,11 @@ selections:
 ## AU-2(a) / FAU_GEN.1.1.c
 ## Audit Kernel Module Loading and Unloading Events (Success/Failure)
 ## AU-2(a) / FAU_GEN.1.1.c
- - audit_rules_for_ospp
-
 ## Audit All Audit and Log Data Accesses (Success/Failure)
 ## CNSSI 1253 Value or DoD-specific Values:
 ## - Audit and log data access (Success/Failure)
 ## AU-2(a) / FAU_GEN.1.1.c
- - directory_access_var_log_audit
+ - audit_rules_for_ospp
 ### SELinux Configuration
From 0b822d21cdee7c7da136337a45e9c7136b7d576e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Thu, 31 Oct 2019 15:23:01 +0100
Subject: [PATCH 2/2] Make comments the same

---
 rhel7/profiles/ospp.profile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile
index 81762ad782..a3168d51a7 100644
--- a/rhel7/profiles/ospp.profile
+++ b/rhel7/profiles/ospp.profile
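Review bot: In the first patch's hunk of rhel7/profiles/ospp.profile, removing `- directory_access_var_log_audit` leaves the "Audit All Audit and Log Data Accesses" requirement covered only through `audit_rules_for_ospp`, and the profile itself does not record that dependency. The commit message bases the coverage on the `30-ospp-v42.rules` file of one package build (audit-2.8.5-4.el7.x86_64); whether `audit_rules_for_ospp` enforces the `key=access-audit-trail` line on every supported audit version cannot be seen from this hunk and should be confirmed in the rule's definition. I would add a comment above the selection, for example `## /var/log/audit read access (key=access-audit-trail) is covered by audit_rules_for_ospp`. The subject also says `audit_rules_for_ospp` is removed, while the hunk removes `directory_access_var_log_audit` and keeps `audit_rules_for_ospp`. The `selections:` list starts and continues outside the hunk.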
@@ -278,6 +278,10 @@ selections:
 ## CNSSI 1253 Value or DoD-specific Values:
 ## - Privilege/Role escalation (Success/Failure)
 ## AU-2(a) / FAU_GEN.1.1.c
+ ## Audit All Audit and Log Data Accesses (Success/Failure)
+ ## CNSSI 1253 Value or DoD-specific Values:
+ ## - Audit and log data access (Success/Failure)
+ ## AU-2(a) / FAU_GEN.1.1.c
 ## Audit Cryptographic Verification of Software (Success/Failure)
 ## CNSSI 1253 Value or DoD-specific Values:
 ## - Applications (e.g. Firefox, Internet Explorer, MS Office Suite,
@@ -285,10 +289,6 @@ selections:
 ## AU-2(a) / FAU_GEN.1.1.c
 ## Audit Kernel Module Loading and Unloading Events (Success/Failure)
 ## AU-2(a) / FAU_GEN.1.1.c
- ## Audit All Audit and Log Data Accesses (Success/Failure)
- ## CNSSI 1253 Value or DoD-specific Values:
- ## - Audit and log data access (Success/Failure)
- ## AU-2(a) / FAU_GEN.1.1.c
 - audit_rules_for_ospp