From 4c0470b91583d75c0a364612b9511aa04d67a2c0 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 11 Sep 2020 12:56:27 +0200 Subject: [PATCH 1/2] use xccdf variable in the rule.yml --- .../auditd_audispd_network_failure_action/rule.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml index 9703bba724..01b16a4dd2 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml @@ -14,6 +14,7 @@ description: |- halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. + This profile configures the action to be {{{ sub_var_value("var_audispd_network_failure_action") }}}. rationale: |- Taking appropriate action when there is an error sending audit records to a @@ -35,11 +36,7 @@ ocil_clause: 'the system is not configured to switch to single user mode for cor ocil: |- Inspect /etc/audisp/audisp-remote.conf and locate the following line to - determine if the system is configured to either send to syslog, switch to single user mode, - or halt when there is a network failure with audispd: + determine if the system is configured to perform a correct action according to the policy:
grep -i network_failure_action /etc/audisp/audisp-remote.conf
- The output should return something similar to: -
network_failure_action = single
- Acceptable values also include syslog and - halt. - + The output should return: +
network_failure_action = {{{ sub_var_value("var_audispd_network_failure_action") }}}
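Review bot: the macro name `sub_var_value` in the added description line, `This profile configures the action to be {{{ sub_var_value("var_audispd_network_failure_action") }}}.`, is abandoned one commit later in this same series (PATCH 2/2 replaces it with `xccdf_value`), so the intermediate commit renders a macro the series itself does not keep. Squash the rename into this patch so every commit in the series renders the rule text correctly.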
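Review bot: the `ocil_clause` line shown as hunk context, `ocil_clause: 'the system is not configured to switch to single user mode for cor…'`, still hardcodes the single-user-mode outcome, while the rewritten ocil body now says the action must be "a correct action according to the policy". A reader of the check result would see a clause that contradicts the variable-driven check; update the clause to name the selected value using the same variable macro the description uses, e.g. "the network_failure_action is not set to the value required by the policy".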
From 2d7c59fe90d8dad86c6e6743f137a5d1ba580257 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 22 Sep 2020 08:45:57 +0200 Subject: [PATCH 2/2] change jinja macro used --- .../auditd_audispd_network_failure_action/rule.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml index 01b16a4dd2..9e677d225c 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml @@ -14,7 +14,7 @@ description: |- halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. - This profile configures the action to be {{{ sub_var_value("var_audispd_network_failure_action") }}}. + This profile configures the action to be {{{ xccdf_value("var_audispd_network_failure_action") }}}. rationale: |- Taking appropriate action when there is an error sending audit records to a @@ -39,4 +39,4 @@ ocil: |- determine if the system is configured to perform a correct action according to the policy:
grep -i network_failure_action /etc/audisp/audisp-remote.conf
The output should return: -
network_failure_action = {{{ sub_var_value("var_audispd_network_failure_action") }}}
+
network_failure_action = {{{ xccdf_value("var_audispd_network_failure_action") }}}
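Review bot: this is a one-line correction of the macro introduced by PATCH 1/2 (`sub_var_value` to `xccdf_value`) and belongs squashed into that patch rather than standing as a separate commit; as it is, the series briefly carries a description line with a macro name it then discards. The commit subject "change jinja macro used" also gives no reason for the change; stating that `xccdf_value` is the macro the content uses to render an XCCDF variable's selected value would make the history self-explanatory.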
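Review bot: the check command kept as context, `grep -i network_failure_action /etc/audisp/audisp-remote.conf`, has no anchor and so also prints a commented-out `# network_failure_action = ...` line if one is present, which can be mistaken for the active setting now that the expected output is a single exact line, `network_failure_action = {{{ xccdf_value("var_audispd_network_failure_action") }}}`. Anchoring the pattern to the start of the line (for example `grep -i '^network_failure_action' /etc/audisp/audisp-remote.conf`) restricts the output to the effective directive.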