From 25dcc59ebea297789ee89cfe0263ec8575455da7 Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Thu, 26 Nov 2020 15:45:10 +0100
Subject: [PATCH 1/2] Update RHEL7 STIG profile with /var/log/audit related rules. Add file_permissions_var_log_audit and file_ownership_var_log_audit to RHEL7 STIG profile.
---
 .../file_ownership_var_log_audit/rule.yml | 1 +
 .../file_permissions_var_log_audit/oval/shared.xml | 2 +-
 .../file_permissions_var_log_audit/rule.yml | 1 +
 rhel7/profiles/stig.profile | 2 ++
 4 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
index 248ff3598..8a8c71520 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
@@ -21,6 +21,7 @@ identifiers:
 references:
 stigid@ol7: OL07-00-910055
+ stigid@rhel7: RHEL-07-910055
 stigid@rhel6: RHEL-06-000384
 srg@rhel6: SRG-OS-000057
 disa@rhel6: CCI-000166
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml
index 5941ea660f..1bb7dd453c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml
@@ -34,7 +34,7 @@ - + true true true
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
index 6c265d68b..d6b36b647 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
@@ -24,6 +24,7 @@ identifiers:
 references:
 stigid@ol7: OL07-00-910055
+ stigid@rhel7: RHEL-07-910055
 disa: CCI-000162,CCI-000163,CCI-000164,CCI-001314
 srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084
 stigid@rhel6: RHEL-06-000383
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 4698785a49..1d94e79964 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -313,3 +313,5 @@ selections:
 - mount_option_dev_shm_nosuid
 - audit_rules_privileged_commands_mount
 - package_MFEhiplsm_installed
+ - file_ownership_var_log_audit
+ - file_permissions_var_log_audit
From e83eaf0ff5a3e3a4cb7a3caac0410c4ad4813312 Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Thu, 26 Nov 2020 15:57:29 +0100
Subject: [PATCH 2/2] Remove unrelated fix content from file_permissions_var_log_audit bash.
---
 .../file_permissions_var_log_audit/bash/shared.sh | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh
index 3175a18a23..d6c45867e5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh
@@ -9,12 +9,7 @@ if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
 chmod 0600 /var/log/audit/audit.log
 chmod 0400 /var/log/audit/audit.log.*
 fi
-
- chmod 0640 /etc/audit/audit*
- chmod 0640 /etc/audit/rules.d/*
 else
 chmod 0600 /var/log/audit/audit.log
 chmod 0400 /var/log/audit/audit.log.*
- chmod 0640 /etc/audit/audit*
- chmod 0640 /etc/audit/rules.d/*
 fi
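Review bot: In the rhel7/profiles/stig.profile hunk, selecting `file_permissions_var_log_audit` makes that rule's bash remediation part of the RHEL7 STIG profile, while patch 2/2 of this series removes `chmod 0640 /etc/audit/audit*` and `chmod 0640 /etc/audit/rules.d/*` from the same remediation. None of the visible selections shows a rule that takes over permissions on the audit configuration files, so it is worth confirming that one is selected elsewhere in the profile; otherwise hosts remediated through this rule would no longer have those modes set. Both new entries map to a single STIG ID, so a short comment above them such as `# RHEL-07-910055: /var/log/audit ownership and permissions` would keep the mapping traceable from the profile itself. The selections list begins outside the hunk.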