rpms / scap-security-guide

Clone
Source Code
GIT

Blame SOURCES/scap-security-guide-0.1.58-RHEL_08_030700-PR_7264.patch

c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   bdc918e7cd677dc6f7ccdabbf4dcbcd143eefe74
  2.   SOURCES
  3.   scap-security-guide-0.1.58-RHEL_08_030700-PR_7264.patch
Blob History Raw
362bfa 
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
362bfa 
new file mode 100644
362bfa 
index 0000000000..4f88ed361d
362bfa 
--- /dev/null
362bfa 
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
362bfa 
@@ -0,0 +1,8 @@
362bfa 
+# platform = multi_platform_fedora,multi_platform_rhel
362bfa 
+
362bfa 
+{{{ ansible_set_config_file(file="/etc/audit/auditd.conf",
362bfa 
+                  parameter="overflow_action",
362bfa 
+                  value="syslog",
362bfa 
+                  separator="=",
362bfa 
+                  separator_regex="=",
362bfa 
+                  prefix_regex="^\s*") }}}
362bfa 
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
362bfa 
new file mode 100644
362bfa 
index 0000000000..539b9b6582
362bfa 
--- /dev/null
362bfa 
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
362bfa 
@@ -0,0 +1,12 @@
362bfa 
+# platform = multi_platform_fedora,multi_platform_rhel
362bfa 
+# reboot = true
362bfa 
+# strategy = restrict
362bfa 
+# complexity = low
362bfa 
+# disruption = low
362bfa 
+
362bfa 
+{{{set_config_file(path="/etc/audit/auditd.conf",
362bfa 
+                  parameter="overflow_action",
362bfa 
+                  value="syslog",
362bfa 
+                  separator="=",
362bfa 
+                  separator_regex="=",
362bfa 
+                  prefix_regex="^\s*")}}}
362bfa 
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml
362bfa 
new file mode 100644
362bfa 
index 0000000000..fd45280e4e
362bfa 
--- /dev/null
362bfa 
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml
362bfa 
@@ -0,0 +1,6 @@
362bfa 
+{{{ oval_check_config_file(
362bfa 
+    path="/etc/audit/auditd.conf",
362bfa 
+    prefix_regex="^(?:.*\\n)*\s*",
362bfa 
+    parameter="overflow_action",
362bfa 
+    value="syslog|single|halt",
362bfa 
+    separator_regex="\s*=\s*") }}}
362bfa 
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml
362bfa 
new file mode 100644
362bfa 
index 0000000000..d41ca00076
362bfa 
--- /dev/null
362bfa 
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml
362bfa 
@@ -0,0 +1,36 @@
362bfa 
+documentation_complete: true
362bfa 
+
362bfa 
+title: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
362bfa 
+
362bfa 
+description: |-
362bfa 
+    The audit system should have an action setup in the event the internal event queue becomes full.
362bfa 
+    To setup an overflow action edit <tt>/etc/audit/auditd.conf</tt>. Set <tt>overflow_action</tt>
362bfa 
+    to one of the following values: <tt>syslog</tt>, <tt>single</tt>, <tt>halt</tt>.
362bfa 
+
362bfa 
+
362bfa 
+rationale: |-
362bfa 
+    The audit system should have an action setup in the event the internal event queue becomes full
362bfa 
+    so that no data is lost.
362bfa 
+
362bfa 
+severity: medium
362bfa 
+
362bfa 
+identifiers:
362bfa 
+    cce@rhel8: CCE-85889-4
362bfa 
+
362bfa 
+references:
362bfa 
+    disa: CCI-001851
362bfa 
+    nist: AU-4(1)
362bfa 
+    srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
362bfa 
+    stigid@rhel8: RHEL-08-030700
362bfa 
+
362bfa 
+ocil_clause: 'auditd overflow action is not setup correctly'
362bfa 
+
362bfa 
+ocil: |-
362bfa 
+    Verify the audit system is configured to take an appropriate action when the internal event queue is full:
362bfa 
+    
$ sudo grep -i overflow_action /etc/audit/auditd.conf
362bfa 
+
362bfa 
+    The output should contain be like <tt>overflow_action = syslog</tt>
362bfa 
+
362bfa 
+    If the value of the "overflow_action" option is not set to <tt>syslog</tt>,
362bfa 
+    <tt>single</tt>, <tt>halt</tt> or the line is commented out, ask the System Administrator
362bfa 
+    to indicate how the audit logs are off-loaded to a different system or media.
362bfa 
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh
362bfa 
new file mode 100644
362bfa 
index 0000000000..ec7525b195
362bfa 
--- /dev/null
362bfa 
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh
362bfa 
@@ -0,0 +1,5 @@
362bfa 
+#!/bin/bash
362bfa 
+# Ensure test system has proper directories/files for test scenario
362bfa 
+bash -x setup.sh
362bfa 
+
362bfa 
+echo "# overflow_action = syslog" >> /etc/audit/auditd.conf
362bfa 
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh
362bfa 
new file mode 100644
362bfa 
index 0000000000..e4d173ab37
362bfa 
--- /dev/null
362bfa 
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh
362bfa 
@@ -0,0 +1,7 @@
362bfa 
+#!/bin/bash
362bfa 
+# Ensure test system has proper directories/files for test scenario
362bfa 
+bash -x setup.sh
362bfa 
+
362bfa 
+if [[ -f $config_file ]]; then
362bfa 
+    echo '' > $config_file
362bfa 
+fi
362bfa 
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh
362bfa 
new file mode 100644
362bfa 
index 0000000000..f26cd7cddf
362bfa 
--- /dev/null
362bfa 
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh
362bfa 
@@ -0,0 +1,7 @@
362bfa 
+#!/bin/bash
362bfa 
+
362bfa 
+config_file=/etc/audit/auditd.conf
362bfa 
+
362bfa 
+if [[ -f $config_file ]]; then
362bfa 
+    rm -f $config_file
362bfa 
+fi
362bfa 
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh
362bfa 
new file mode 100644
362bfa 
index 0000000000..0ec591b25b
362bfa 
--- /dev/null
362bfa 
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh
362bfa 
@@ -0,0 +1,5 @@
362bfa 
+#!/bin/bash
362bfa 
+# Ensure test system has proper directories/files for test scenario
362bfa 
+bash -x setup.sh
362bfa 
+
362bfa 
+echo "overflow_action = halt" >> /etc/audit/auditd.conf
362bfa 
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh
362bfa 
new file mode 100644
362bfa 
index 0000000000..236ad543fe
362bfa 
--- /dev/null
362bfa 
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh
362bfa 
@@ -0,0 +1,5 @@
362bfa 
+#!/bin/bash
362bfa 
+# Ensure test system has proper directories/files for test scenario
362bfa 
+bash -x setup.sh
362bfa 
+
362bfa 
+echo "overflow_action = ignore" >> /etc/audit/auditd.conf
362bfa 
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh
362bfa 
new file mode 100644
362bfa 
index 0000000000..74efdcafee
362bfa 
--- /dev/null
362bfa 
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh
362bfa 
@@ -0,0 +1,5 @@
362bfa 
+#!/bin/bash
362bfa 
+# Ensure test system has proper directories/files for test scenario
362bfa 
+bash -x setup.sh
362bfa 
+config_file=/etc/audit/auditd.conf
362bfa 
+sed -i "s/^.*overflow_action.*$//" $config_file
362bfa 
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh
362bfa 
new file mode 100644
362bfa 
index 0000000000..de11126320
362bfa 
--- /dev/null
362bfa 
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh
362bfa 
@@ -0,0 +1,9 @@
362bfa 
+#!/bin/bash
362bfa 
+# Use this script to ensure the audit directory structure and audit conf file
362bfa 
+# exist in the test env.
362bfa 
+config_file=/etc/audit/auditd.conf
362bfa 
+
362bfa 
+# Ensure directory structure exists (useful for container based testing)
362bfa 
+test -d /etc/audit/ || mkdir -p /etc/audit/
362bfa 
+
362bfa 
+test -f $config_file || touch $config_file
362bfa 
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh
362bfa 
new file mode 100644
362bfa 
index 0000000000..f9fa7a935c
362bfa 
--- /dev/null
362bfa 
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh
362bfa 
@@ -0,0 +1,5 @@
362bfa 
+#!/bin/bash
362bfa 
+# Ensure test system has proper directories/files for test scenario
362bfa 
+bash -x setup.sh
362bfa 
+
362bfa 
+echo "overflow_action = single" >> /etc/audit/auditd.conf
362bfa 
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh
362bfa 
new file mode 100644
362bfa 
index 0000000000..1c625fb752
362bfa 
--- /dev/null
362bfa 
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh
362bfa 
@@ -0,0 +1,5 @@
362bfa 
+#!/bin/bash
362bfa 
+# Ensure test system has proper directories/files for test scenario
362bfa 
+bash -x setup.sh
362bfa 
+
362bfa 
+echo "overflow_action = syslog" >> /etc/audit/auditd.conf
362bfa 
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
362bfa 
index 6372d13cfc..5cac78e00d 100644
362bfa 
--- a/products/rhel8/profiles/stig.profile
362bfa 
+++ b/products/rhel8/profiles/stig.profile
362bfa 
@@ -826,6 +826,7 @@ selections:
362bfa 
     - rsyslog_remote_loghost
362bfa
362bfa 
     # RHEL-08-030700
362bfa 
+    - auditd_overflow_action
362bfa
362bfa 
     # RHEL-08-030710
362bfa
362bfa 
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
362bfa 
index 24e8149168..b3d9596e1f 100644
362bfa 
--- a/shared/references/cce-redhat-avail.txt
362bfa 
+++ b/shared/references/cce-redhat-avail.txt
362bfa 
@@ -27,7 +27,6 @@ CCE-85885-2
362bfa 
 CCE-85886-0
362bfa 
 CCE-85887-8
362bfa 
 CCE-85888-6
362bfa 
-CCE-85889-4
362bfa 
 CCE-85890-2
362bfa 
 CCE-85891-0
362bfa 
 CCE-85892-8
362bfa 
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
362bfa 
index 32f1a24a7a..c9d23ed1dc 100644
362bfa 
--- a/tests/data/profile_stability/rhel8/stig.profile
362bfa 
+++ b/tests/data/profile_stability/rhel8/stig.profile
362bfa 
@@ -73,6 +73,7 @@ selections:
362bfa 
 - auditd_local_events
362bfa 
 - auditd_log_format
362bfa 
 - auditd_name_format
362bfa 
+- auditd_overflow_action
362bfa 
 - banner_etc_issue
362bfa 
 - bios_enable_execution_restrictions
362bfa 
 - chronyd_client_only
362bfa 
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
362bfa 
index d6a27c67dc..7303145141 100644
362bfa 
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
362bfa 
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
362bfa 
@@ -84,6 +84,7 @@ selections:
362bfa 
 - auditd_local_events
362bfa 
 - auditd_log_format
362bfa 
 - auditd_name_format
362bfa 
+- auditd_overflow_action
362bfa 
 - banner_etc_issue
362bfa 
 - bios_enable_execution_restrictions
362bfa 
 - chronyd_client_only

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation