Various bugfixes relating to STIG profile rules, 50% renaming XCCDF/OVAL issues.
Last patch is more of an RFC, was unsure why 'rmdir' was no longer being audited
Shawn Wells (5):
  XCCDF/OVAL mismatch, mountopt_noexec_on_removable_partitions -> mount_option_noexec_removable_partitions
  [bugfix OVAL] updated mount_option_noexec_removable_partitions to reflect proper XCCDF variable
  XCCDF/OVAL mismatch, install_openswan --> package_openswan_installed
  XCCDF/OVAL mismatch, audit_file_deletions --> audit_rules_file_deletion_events
  [auditd RFC / bugfix] updating DAC to audit for rmdir command

 RHEL/6/input/auxiliary/stig_overlay.xml            | 6 +++---
 RHEL/6/input/auxiliary/transition_notes.xml        | 2 +-
 .../checks/audit_rules_file_deletion_events.xml    | 2 +-
 .../mount_option_noexec_removable_partitions.xml   | 6 +++---
 RHEL/6/input/profiles/C2S.xml                      | 4 ++--
 RHEL/6/input/profiles/CS2.xml                      | 6 +++---
 RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml           | 4 ++--
 RHEL/6/input/profiles/common.xml                   | 4 ++--
 RHEL/6/input/profiles/desktop.xml                  | 2 +-
 .../6/input/profiles/fisma-medium-rhel6-server.xml | 4 ++--
 RHEL/6/input/profiles/nist-CL-IL-AL.xml            | 4 ++--
 .../input/profiles/stig-rhel6-server-upstream.xml  | 2 +-
 RHEL/6/input/profiles/usgcb-rhel6-server.xml       | 4 ++--
 RHEL/6/input/system/auditing.xml                   | 4 ++--
 RHEL/6/input/system/network/ipsec.xml              | 2 +-
 RHEL/6/input/system/permissions/partitions.xml     | 2 +-
 16 files changed, 29 insertions(+), 29 deletions(-)
[shawnw@ssg-rhel6-devbox input]$ grep -rin mountopt_noexec_on_removable_partitions *
auxiliary/stig_overlay.xml:758: <overlay owner="disastig" ruleid="mountopt_noexec_on_removable_partitions" ownerid="RHEL-06-000271" disa="87" severity="low">
profiles/nist-CL-IL-AL.xml:260:<select idref="mountopt_noexec_on_removable_partitions" selected="true" >
profiles/CS2.xml:41:<select idref="mountopt_noexec_on_removable_partitions" selected="true"/>
profiles/CSCF-RHEL6-MLS.xml:139:<select idref="mountopt_noexec_on_removable_partitions" selected="true" />
profiles/C2S.xml:67:<select idref="mountopt_noexec_on_removable_partitions" selected="true" />
profiles/fisma-medium-rhel6-server.xml:185:<select idref="mountopt_noexec_on_removable_partitions" selected="true" />
profiles/usgcb-rhel6-server.xml:20:<select idref="mountopt_noexec_on_removable_partitions" selected="true" />
profiles/common.xml:210:<select idref="mountopt_noexec_on_removable_partitions" selected="true"/>
system/permissions/partitions.xml:54:<Rule id="mountopt_noexec_on_removable_partitions">
[shawnw@ssg-rhel6-devbox input]$ sed -i 's/mountopt_noexec_on_removable_partitions/mount_option_noexec_removable_partitions/g' auxiliary/stig_overlay.xml profiles/* system/permissions/partitions.xml
[shawnw@ssg-rhel6-devbox input]$ grep -rin mountopt_noexec_on_removable_partitions *
[shawnw@ssg-rhel6-devbox input]$ git commit auxiliary/stig_overlay.xml profiles/* system/permissions/partitions.xml
Signed-off-by: Shawn Wells <shawn@redhat.com>
---
 RHEL/6/input/auxiliary/stig_overlay.xml            | 2 +-
 RHEL/6/input/profiles/C2S.xml                      | 2 +-
 RHEL/6/input/profiles/CS2.xml                      | 2 +-
 RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml           | 2 +-
 RHEL/6/input/profiles/common.xml                   | 2 +-
 .../6/input/profiles/fisma-medium-rhel6-server.xml | 2 +-
 RHEL/6/input/profiles/nist-CL-IL-AL.xml            | 2 +-
 RHEL/6/input/profiles/usgcb-rhel6-server.xml       | 2 +-
 RHEL/6/input/system/permissions/partitions.xml     | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 071b15e..097432d 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -755,7 +755,7 @@ <VMSinfo VKey="38654" SVKey="50455" VRelease="1" /> <title>Remote file systems must be mounted with the "nosuid" option.</title> </overlay> - <overlay owner="disastig" ruleid="mountopt_noexec_on_removable_partitions" ownerid="RHEL-06-000271" disa="87" severity="low"> + <overlay owner="disastig" ruleid="mount_option_noexec_removable_partitions" ownerid="RHEL-06-000271" disa="87" severity="low"> <VMSinfo VKey="38655" SVKey="50456" VRelease="1" /> <title>The noexec option must be added to removable media partitions.</title> </overlay> diff --git a/RHEL/6/input/profiles/C2S.xml b/RHEL/6/input/profiles/C2S.xml index 0a4afc4..6ceff9c 100644 --- a/RHEL/6/input/profiles/C2S.xml +++ b/RHEL/6/input/profiles/C2S.xml @@ -64,7 +64,7 @@ Patches would be most welcome! <select idref="mountopt_nodev_on_removable_partitions" selected="true" />
<!-- 1.1.12 Add noexec Option to Removable Media Partitions (Not Scored) --> -<select idref="mountopt_noexec_on_removable_partitions" selected="true" /> +<select idref="mount_option_noexec_removable_partitions" selected="true" />
<!-- 1.1.13 Add nosuid Option to Removable Media Partitions (Not Scored) --> <select idref="mountopt_nosuid_on_removable_partitions" selected="true" /> diff --git a/RHEL/6/input/profiles/CS2.xml b/RHEL/6/input/profiles/CS2.xml index 2bb233e..d0aa80e 100644 --- a/RHEL/6/input/profiles/CS2.xml +++ b/RHEL/6/input/profiles/CS2.xml @@ -38,7 +38,7 @@ <select idref="aide_build_database" selected="true"/>
<select idref="mountopt_nodev_on_removable_partitions" selected="true"/> -<select idref="mountopt_noexec_on_removable_partitions" selected="true"/> +<select idref="mount_option_noexec_removable_partitions" selected="true"/> <select idref="mountopt_nosuid_on_removable_partitions" selected="true"/> <select idref="mount_option_tmp_nodev" selected="true"/> <select idref="mount_option_tmp_noexec" selected="true"/> diff --git a/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml b/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml index 42f5387..f163c87 100644 --- a/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml +++ b/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml @@ -136,7 +136,7 @@ for production deployment.</description> <select idref="mount_option_var_tmp_bind_var" selected="true" /> <select idref="mountopt_nodev_on_nonroot_partitions" selected="true" /> <!-- we do not have any removable media that has a mount point defined in fstab <select idref="mountopt_nodev_on_removable_partitions" selected="true" /> --> -<select idref="mountopt_noexec_on_removable_partitions" selected="true" /> +<select idref="mount_option_noexec_removable_partitions" selected="true" /> <select idref="mountopt_nosuid_on_removable_partitions" selected="true" /> <select idref="accounts_max_concurrent_login_sessions" selected="true" /> <select idref="network_disable_zeroconf" selected="true" /> diff --git a/RHEL/6/input/profiles/common.xml b/RHEL/6/input/profiles/common.xml index fa70480..85a0097 100644 --- a/RHEL/6/input/profiles/common.xml +++ b/RHEL/6/input/profiles/common.xml @@ -207,7 +207,7 @@ these should likely be moved out of common.
<select idref="use_nodev_option_on_nfs_mounts" selected="true"/> <select idref="use_nosuid_option_on_nfs_mounts" selected="true"/> -<select idref="mountopt_noexec_on_removable_partitions" selected="true"/> +<select idref="mount_option_noexec_removable_partitions" selected="true"/>
<!-- <select idref="disable_dns_server" selected="true"/> --> <!-- <select idref="uninstall_bind" selected="true"/> --> diff --git a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml index 0a4e6bf..fe339a4 100644 --- a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml +++ b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml @@ -182,7 +182,7 @@
<!-- AC-19 --> <select idref="mountopt_nodev_on_removable_partitions" selected="true" /> -<select idref="mountopt_noexec_on_removable_partitions" selected="true" /> +<select idref="mount_option_noexec_removable_partitions" selected="true" /> <select idref="mountopt_nosuid_on_removable_partitions" selected="true" /> <select idref="kernel_module_usb" selected="true" /> <select idref="bootloader_nousb_argument" selected="true" /> diff --git a/RHEL/6/input/profiles/nist-CL-IL-AL.xml b/RHEL/6/input/profiles/nist-CL-IL-AL.xml index 55d9bc9..007b2e0 100644 --- a/RHEL/6/input/profiles/nist-CL-IL-AL.xml +++ b/RHEL/6/input/profiles/nist-CL-IL-AL.xml @@ -257,7 +257,7 @@ assurance."</description>
<!-- AC-19(a), AC-19(d), AC-19(e) --> <select idref="mountopt_nodev_on_removable_partitions" selected="true" > -<select idref="mountopt_noexec_on_removable_partitions" selected="true" > +<select idref="mount_option_noexec_removable_partitions" selected="true" > <select idref="mountopt_nosuid_on_removable_partitions" selected="true" > <select idref="kernel_module_usb-storage_disabled" selected="true" > <select idref="bootloader_nousb_argument" selected="true" > diff --git a/RHEL/6/input/profiles/usgcb-rhel6-server.xml b/RHEL/6/input/profiles/usgcb-rhel6-server.xml index 7ab7f7c..3227b41 100644 --- a/RHEL/6/input/profiles/usgcb-rhel6-server.xml +++ b/RHEL/6/input/profiles/usgcb-rhel6-server.xml @@ -17,7 +17,7 @@ <select idref="rpm_verify_hashes" selected="true" /> <select idref="mountopt_nodev_on_nonroot_partitions" selected="true" /> <select idref="mountopt_nodev_on_removable_partitions" selected="true" /> -<select idref="mountopt_noexec_on_removable_partitions" selected="true" /> +<select idref="mount_option_noexec_removable_partitions" selected="true" /> <select idref="mountopt_nosuid_on_removable_partitions" selected="true" /> <select idref="mount_option_tmp_nodev" selected="true" /> <select idref="mount_option_tmp_nosuid" selected="true" /> diff --git a/RHEL/6/input/system/permissions/partitions.xml b/RHEL/6/input/system/permissions/partitions.xml index f74423b..7b38b93 100644 --- a/RHEL/6/input/system/permissions/partitions.xml +++ b/RHEL/6/input/system/permissions/partitions.xml @@ -51,7 +51,7 @@ filesystems. </rationale> <ref nist="AC-19(a),AC-19(d),AC-19(e),CM-7,MP-2"/> </Rule>
-<Rule id="mountopt_noexec_on_removable_partitions"> +<Rule id="mount_option_noexec_removable_partitions"> <title>Add noexec Option to Removable Media Partitions</title> <description>The <tt>noexec</tt> mount option prevents the direct execution of binaries on the mounted filesystem.
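Review bot: the nist-CL-IL-AL.xml hunk carries the rename onto a `<select ... selected="true" >` that is still not self-closed, and the surrounding context lines in that file have the same `>` where every other profile in this series uses `/>`; unless a matching `</select>` exists further down, those elements leave the profile malformed, and a sed rename cannot fix that. Worth a separate follow-up patch for that file, since the rename itself is otherwise consistent across the overlay, the seven profiles and the Rule definition in partitions.xml.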
XCCDF passing var_removable_partition, OVAL was looking for something different. Updated.
Signed-off-by: Shawn Wells <shawn@redhat.com>
---
 .../mount_option_noexec_removable_partitions.xml | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/RHEL/6/input/checks/mount_option_noexec_removable_partitions.xml b/RHEL/6/input/checks/mount_option_noexec_removable_partitions.xml index e0ac8c1..57e1ed0 100644 --- a/RHEL/6/input/checks/mount_option_noexec_removable_partitions.xml +++ b/RHEL/6/input/checks/mount_option_noexec_removable_partitions.xml @@ -33,13 +33,13 @@ <ind:instance datatype="int" operation="not equal">0</ind:instance> </ind:textfilecontent54_object> <ind:textfilecontent54_state id="state_text_noexec_removable_partition" version="1"> - <ind:subexpression datatype="string" var_ref="noexec_removable_partition" /> + <ind:subexpression datatype="string" var_ref="var_removable_partition" /> </ind:textfilecontent54_state> <linux:partition_object id="object_removable_partition_noexec" version="1"> - <linux:mount_point var_ref="noexec_removable_partition" /> + <linux:mount_point var_ref="var_removable_partition" /> </linux:partition_object> <linux:partition_state id="state_noexec_removable_partition" version="1"> <linux:mount_options datatype="string" entity_check="at least one" operation="equals">noexec</linux:mount_options> </linux:partition_state> - <external_variable comment="removable partition" datatype="string" id="noexec_removable_partition" version="1" /> + <external_variable comment="removable partition" datatype="string" id="var_removable_partition" version="1" /> </def-group>
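Review bot: the three renamed references (the state's `var_ref`, the `linux:mount_point` `var_ref` and the `external_variable` `id`) are now consistent with each other, but the hunk does not show the XCCDF side that binds them. Please confirm that the Rule's `<check-export export-name="var_removable_partition" value-id="..."/>` and the `<Value>` it points at use exactly this name; with an unbound external variable the OVAL definition evaluates to an error rather than a clean fail, which is easy to miss in a scan report.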
[shawnw@ssg-rhel6-devbox checks]$ grep -rin install_openswan ../
../system/network/ipsec.xml:7:<Rule id="install_openswan">
../auxiliary/stig_overlay.xml:923: <overlay owner="disastig" ruleid="install_openswan" ownerid="RHEL-06-000321" disa="1130" severity="low">
../profiles/CS2.xml:370:<select idref="install_openswan" selected="true" />
../profiles/stig-rhel6-server-upstream.xml:61:<select idref="install_openswan" selected="true" />
../profiles/desktop.xml:10:<select idref="install_openswan" selected="true"/>
[shawnw@ssg-rhel6-devbox checks]$ sed -i 's/install_openswan/package_openswan_installed/g' ../system/network/ipsec.xml ../auxiliary/stig_overlay.xml ../profiles/*
[shawnw@ssg-rhel6-devbox checks]$ grep -rin install_openswan ../
Signed-off-by: Shawn Wells <shawn@redhat.com>
---
 RHEL/6/input/auxiliary/stig_overlay.xml            | 2 +-
 RHEL/6/input/profiles/CS2.xml                      | 2 +-
 RHEL/6/input/profiles/desktop.xml                  | 2 +-
 .../input/profiles/stig-rhel6-server-upstream.xml  | 2 +-
 RHEL/6/input/system/network/ipsec.xml              | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 097432d..f45230e 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -920,7 +920,7 @@ <VMSinfo VKey="38686" SVKey="50487" VRelease="1" /> <title>The system's local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.</title> </overlay> - <overlay owner="disastig" ruleid="install_openswan" ownerid="RHEL-06-000321" disa="1130" severity="low"> + <overlay owner="disastig" ruleid="package_openswan_installed" ownerid="RHEL-06-000321" disa="1130" severity="low"> <VMSinfo VKey="38687" SVKey="50488" VRelease="1" /> <title>The system must provide VPN connectivity for communications over untrusted networks.</title> </overlay> diff --git a/RHEL/6/input/profiles/CS2.xml b/RHEL/6/input/profiles/CS2.xml index d0aa80e..bc65366 100644 --- a/RHEL/6/input/profiles/CS2.xml +++ b/RHEL/6/input/profiles/CS2.xml @@ -367,7 +367,7 @@ <select idref="disable_snmpd" selected="true"/> <select idref="uninstall_net-snmp" selected="true"/>
-<select idref="install_openswan" selected="true" /> +<select idref="package_openswan_installed" selected="true" /> <select idref="no_rsh_trust_files" selected="true"/> <select idref="tftpd_uses_secure_mode" selected="true" />
diff --git a/RHEL/6/input/profiles/desktop.xml b/RHEL/6/input/profiles/desktop.xml index 849ca6b..3f46be5 100644 --- a/RHEL/6/input/profiles/desktop.xml +++ b/RHEL/6/input/profiles/desktop.xml @@ -7,7 +7,7 @@ <select idref="enable_screensaver_after_idle" selected="true"/> <select idref="enable_screensaver_password_lock" selected="true"/> <select idref="set_blank_screensaver" selected="true"/> -<select idref="install_openswan" selected="true"/> +<select idref="package_openswan_installed" selected="true"/> <select idref="disable_vsftpd" selected="true"/> <select idref="uninstall_vsftpd" selected="true"/> <select idref="disable_dns_server" selected="true"/> diff --git a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml index b18679f..0ef3c0a 100644 --- a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml +++ b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml @@ -58,7 +58,7 @@ upstream project homepage is https://fedorahosted.org/scap-security-guide/.
<select idref="set_iptables_default_rule_forward" selected="true"/>
-<select idref="install_openswan" selected="true" /> +<select idref="package_openswan_installed" selected="true" /> <select idref="enable_gdm_login_banner" selected="true" />
<select idref="set_gdm_login_banner_text" selected="true" /> diff --git a/RHEL/6/input/system/network/ipsec.xml b/RHEL/6/input/system/network/ipsec.xml index e4fffc3..0c64e74 100644 --- a/RHEL/6/input/system/network/ipsec.xml +++ b/RHEL/6/input/system/network/ipsec.xml @@ -4,7 +4,7 @@ is provided in RHEL 6 with Openswan. </description>
-<Rule id="install_openswan"> +<Rule id="package_openswan_installed"> <title>Install openswan Package</title> <description>The Openswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over
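Review bot: the rename reaches every location the grep in the commit message reported (overlay, three profiles, the Rule in ipsec.xml), but nothing under `checks/` is touched, so the patch relies on `checks/package_openswan_installed.xml` already existing with a definition of that name. That should be stated in the commit message or verified by a build, because if the OVAL file is still named after the old id this patch moves the XCCDF/OVAL mismatch rather than removing it.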
Updating to reflect naming scheme of other audit XCCDF and OVAL
[shawnw@ssg-rhel6-devbox checks]$ grep -rin audit_file_deletions ../
../system/auditing.xml:1203:<Rule id="audit_file_deletions">
../auxiliary/stig_overlay.xml:563: <overlay owner="disastig" ruleid="audit_file_deletions" ownerid="RHEL-06-000200" disa="172" severity="low">
../auxiliary/transition_notes.xml:54:<note ref="29240" auth="GG" rule="audit_file_deletions">This is covered in RHEL 6 content</note>
../profiles/nist-CL-IL-AL.xml:221:<select idref="audit_file_deletions" selected="true" >
../profiles/CS2.xml:146:<select idref="audit_file_deletions" selected="true"/>
../profiles/CSCF-RHEL6-MLS.xml:23:<select idref="audit_file_deletions" selected="true" />
../profiles/C2S.xml:455:<select idref="audit_file_deletions" selected="true" />
../profiles/fisma-medium-rhel6-server.xml:136:<select idref="audit_file_deletions" selected="true" />
../profiles/usgcb-rhel6-server.xml:193:<select idref="audit_file_deletions" selected="true" />
../profiles/common.xml:147:<select idref="audit_file_deletions" selected="true"/>
[shawnw@ssg-rhel6-devbox checks]$ sed -i 's/audit_file_deletions/audit_rules_file_deletion_events/g' ../system/auditing.xml ../auxiliary/* ../profiles/*
[shawnw@ssg-rhel6-devbox checks]$ grep -rin audit_file_deletions ../
Signed-off-by: Shawn Wells <shawn@redhat.com>
---
 RHEL/6/input/auxiliary/stig_overlay.xml            | 2 +-
 RHEL/6/input/auxiliary/transition_notes.xml        | 2 +-
 RHEL/6/input/profiles/C2S.xml                      | 2 +-
 RHEL/6/input/profiles/CS2.xml                      | 2 +-
 RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml           | 2 +-
 RHEL/6/input/profiles/common.xml                   | 2 +-
 .../6/input/profiles/fisma-medium-rhel6-server.xml | 2 +-
 RHEL/6/input/profiles/nist-CL-IL-AL.xml            | 2 +-
 RHEL/6/input/profiles/usgcb-rhel6-server.xml       | 2 +-
 RHEL/6/input/system/auditing.xml                   | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index f45230e..460a5bd 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -560,7 +560,7 @@ <VMSinfo VKey="38568" SVKey="50369" VRelease="2" /> <title>The audit system must be configured to audit successful file system mounts.</title> </overlay> - <overlay owner="disastig" ruleid="audit_file_deletions" ownerid="RHEL-06-000200" disa="172" severity="low"> + <overlay owner="disastig" ruleid="audit_rules_file_deletion_events" ownerid="RHEL-06-000200" disa="172" severity="low"> <VMSinfo VKey="38575" SVKey="50376" VRelease="2" /> <title>The audit system must be configured to audit user deletions of files and programs.</title> </overlay> diff --git a/RHEL/6/input/auxiliary/transition_notes.xml b/RHEL/6/input/auxiliary/transition_notes.xml index 8e1c9da..77f8a5f 100644 --- a/RHEL/6/input/auxiliary/transition_notes.xml +++ b/RHEL/6/input/auxiliary/transition_notes.xml @@ -51,7 +51,7 @@
<note ref="29241" auth="GG" rule="">This is not covered in RHEL 6 content</note>
-<note ref="29240" auth="GG" rule="audit_file_deletions">This is covered in RHEL 6 content</note> +<note ref="29240" auth="GG" rule="audit_rules_file_deletion_events">This is covered in RHEL 6 content</note>
<note ref="29239" auth="GG" rule="audit_file_access">This is covered in RHEL 6 content</note> <note ref="29238" auth="GG" rule="audit_file_access">This is covered in RHEL 6 content</note> diff --git a/RHEL/6/input/profiles/C2S.xml b/RHEL/6/input/profiles/C2S.xml index 6ceff9c..bed6ee4 100644 --- a/RHEL/6/input/profiles/C2S.xml +++ b/RHEL/6/input/profiles/C2S.xml @@ -452,7 +452,7 @@ Patches would be most welcome! <select idref="audit_media_exports" selected="true" />
<!-- 5.2.14 Collect File Deletion Events by User (Scored) --> -<select idref="audit_file_deletions" selected="true" /> +<select idref="audit_rules_file_deletion_events" selected="true" />
<!-- 5.2.15 Collect Changes to System Administration Scope (sudoers) (Scored) --> <select idref="audit_sysadmin_actions" selected="true" /> diff --git a/RHEL/6/input/profiles/CS2.xml b/RHEL/6/input/profiles/CS2.xml index bc65366..e8083f6 100644 --- a/RHEL/6/input/profiles/CS2.xml +++ b/RHEL/6/input/profiles/CS2.xml @@ -143,7 +143,7 @@ <select idref="audit_file_access" selected="true"/> <select idref="audit_privileged_commands" selected="true"/> <select idref="audit_media_exports" selected="true"/> -<select idref="audit_file_deletions" selected="true"/> +<select idref="audit_rules_file_deletion_events" selected="true"/>
<select idref="securetty_root_login_console_only" selected="true" /> <select idref="no_direct_root_logins" selected="true" /> diff --git a/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml b/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml index f163c87..7b306ee 100644 --- a/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml +++ b/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml @@ -20,7 +20,7 @@ for production deployment.</description> <select idref="audit_account_changes" selected="true" /> <select idref="audit_config_immutable" selected="true" /> <select idref="audit_file_access" selected="true" /> -<select idref="audit_file_deletions" selected="true" /> +<select idref="audit_rules_file_deletion_events" selected="true" /> <select idref="audit_kernel_module_loading" selected="true" /> <select idref="file_permissions_var_log_audit" selected="true" /> <select idref="audit_logs_rootowner" selected="true" /> diff --git a/RHEL/6/input/profiles/common.xml b/RHEL/6/input/profiles/common.xml index 85a0097..6d25b48 100644 --- a/RHEL/6/input/profiles/common.xml +++ b/RHEL/6/input/profiles/common.xml @@ -144,7 +144,7 @@ <select idref="audit_file_access" selected="true"/> <select idref="audit_privileged_commands" selected="true"/> <select idref="audit_media_exports" selected="true"/> -<select idref="audit_file_deletions" selected="true"/> +<select idref="audit_rules_file_deletion_events" selected="true"/> <select idref="audit_sysadmin_actions" selected="true"/> <select idref="audit_kernel_module_loading" selected="true"/>
diff --git a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml index fe339a4..05c687c 100644 --- a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml +++ b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml @@ -133,7 +133,7 @@ <select idref="audit_file_access" selected="true" /> <select idref="audit_privileged_commands" selected="true" /> <select idref="audit_media_exports" selected="true" /> -<select idref="audit_file_deletions" selected="true" /> +<select idref="audit_rules_file_deletion_events" selected="true" /> <select idref="audit_sysadmin_actions" selected="true" /> <select idref="audit_kernel_module_loading" selected="true" /> <refine-value idref="sysctl_net_ipv4_conf_all_log_martians_value" selector="0" /> diff --git a/RHEL/6/input/profiles/nist-CL-IL-AL.xml b/RHEL/6/input/profiles/nist-CL-IL-AL.xml index 007b2e0..2d1135c 100644 --- a/RHEL/6/input/profiles/nist-CL-IL-AL.xml +++ b/RHEL/6/input/profiles/nist-CL-IL-AL.xml @@ -218,7 +218,7 @@ assurance."</description> <select idref="audit_file_access" selected="true" > <select idref="audit_privileged_commands" selected="true" > <select idref="audit_media_exports" selected="true" > -<select idref="audit_file_deletions" selected="true" > +<select idref="audit_rules_file_deletion_events" selected="true" > <select idref="audit_sysadmin_actions" selected="true" > <select idref="audit_kernel_module_loading" selected="true" > <select idref="sysctl_net_ipv4_conf_all_log_martians" selected="true" > diff --git a/RHEL/6/input/profiles/usgcb-rhel6-server.xml b/RHEL/6/input/profiles/usgcb-rhel6-server.xml index 3227b41..1ab8ce5 100644 --- a/RHEL/6/input/profiles/usgcb-rhel6-server.xml +++ b/RHEL/6/input/profiles/usgcb-rhel6-server.xml 
@@ -190,7 +190,7 @@ <select idref="audit_file_access" selected="true" /> <select idref="audit_privileged_commands" selected="true" /> <select idref="audit_media_exports" selected="true" /> -<select idref="audit_file_deletions" selected="true" /> +<select idref="audit_rules_file_deletion_events" selected="true" /> <select idref="audit_sysadmin_actions" selected="true" /> <select idref="audit_kernel_module_loading" selected="true" /> <select idref="audit_config_immutable" selected="true" /> diff --git a/RHEL/6/input/system/auditing.xml b/RHEL/6/input/system/auditing.xml index 6ab1527..b34e41d 100644 --- a/RHEL/6/input/system/auditing.xml +++ b/RHEL/6/input/system/auditing.xml @@ -1200,7 +1200,7 @@ loss.</rationale> <tested by="DS" on="20121024"/> </Rule>
-<Rule id="audit_file_deletions"> +<Rule id="audit_rules_file_deletion_events"> <title>Ensure <tt>auditd</tt> Collects File Deletion Events by User</title> <description>At a minimum the audit system should collect file deletion events for all users and root. Add the following to
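Review bot: updating the `rule=` attribute in transition_notes.xml is the right call and is the one place the sed over `../auxiliary/*` went beyond the overlay; a note whose `rule` names an id that no longer exists would silently stop corresponding to any Rule. As in patch 1, the nist-CL-IL-AL.xml hunk shows the selects (old and renamed) ending in `>` rather than `/>`, which still needs its own fix.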
For some reason the guidance no longer audits use of the rmdir command, though I don't remember why.
Updated XCCDF and OVAL to add rmdir, posting to the mailing list as an RFC to get comments on whether this should be added in.
Signed-off-by: Shawn Wells <shawn@redhat.com>
---
 .../checks/audit_rules_file_deletion_events.xml | 2 +-
 RHEL/6/input/system/auditing.xml                | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL/6/input/checks/audit_rules_file_deletion_events.xml b/RHEL/6/input/checks/audit_rules_file_deletion_events.xml index d561201..86b3e1b 100644 --- a/RHEL/6/input/checks/audit_rules_file_deletion_events.xml +++ b/RHEL/6/input/checks/audit_rules_file_deletion_events.xml @@ -17,7 +17,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="object_audit_rules_file_deletion_events" version="1"> ind:filepath/etc/audit/audit.rules</ind:filepath> - <ind:pattern operation="pattern match">^-a\s+always,exit\s+(-F\s+arch=(b64|b32)\s+)?-S\s+unlink\s+-S\s+unlinkat\s+-S\s+rename\s+-S\s+renameat\s+-F\s+auid>=500\s+-F\s+auid!=4294967295\s+-k\s+[-\w]+\s*$</ind:pattern> + <ind:pattern operation="pattern match">^-a\s+always,exit\s+(-F\s+arch=(b64|b32)\s+)?-S\s+rmdir\s+-S\s+unlink\s+-S\s+unlinkat\s+-S\s+rename\s+-S\s+renameat\s+-F\s+auid>=500\s+-F\s+auid!=4294967295\s+-k\s+[-\w]+\s*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> diff --git a/RHEL/6/input/system/auditing.xml b/RHEL/6/input/system/auditing.xml index b34e41d..3ac27e6 100644 --- a/RHEL/6/input/system/auditing.xml +++ b/RHEL/6/input/system/auditing.xml @@ -1206,7 +1206,7 @@ loss.</rationale> deletion events for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>, setting ARCH to either b32 or b64 as appropriate for your system: -<pre>-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete</pre> +<pre>-a always,exit -F arch=ARCH S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete</pre> </description> <ocil> <audit-syscall-check-macro syscall="unlink" />
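Review bot: the auditing.xml hunk drops the dash before the new syscall: `-F arch=ARCH S rmdir -S unlink ...` must read `-F arch=ARCH -S rmdir -S unlink ...`. As written, auditctl would reject the documented line, and even a hand-corrected rule only passes if its tokens match the OVAL pattern in the first hunk, which now requires `-S\s+rmdir\s+-S\s+unlink\s+-S\s+unlinkat` in exactly that order. Two smaller points for the RFC: the `<ocil>` block in the context gains no `<audit-syscall-check-macro syscall="rmdir" />` beside the existing `syscall="unlink"` one, so the manual check and the automated check would disagree; and every system already compliant with the previous rule line will fail this check until rmdir is added, which the commit message should say explicitly.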
----- Original Message -----
> From: "Shawn Wells" <shawn@redhat.com>
> To: scap-security-guide@lists.fedorahosted.org
> Sent: Wednesday, May 14, 2014 6:32:03 PM
> Subject: [PATCH 0/5] RHEL6 bugfixes
>
> Various bugfixes relating to STIG profile rules, 50% renaming XCCDF/OVAL issues.
> Last patch is more of an RFC, was unsure why 'rmdir' was no longer being audited
>
> Shawn Wells (5):
>   XCCDF/OVAL mismatch, mountopt_noexec_on_removable_partitions -> mount_option_noexec_removable_partitions

ACK (reasonable for the XCCDF rule name to match the OVAL check name).

>   [bugfix OVAL] updated mount_option_noexec_removable_partitions to reflect proper XCCDF variable

ACK (good catch).

>   XCCDF/OVAL mismatch, install_openswan --> package_openswan_installed

ACK (another good catch).

>   XCCDF/OVAL mismatch, audit_file_deletions --> audit_rules_file_deletion_events

ACK (to be consistent with other audit rule names / name scheme)

>   [auditd RFC / bugfix] updating DAC to audit for rmdir command

ACK (in my opinion makes sense to audit for rmdir calls too when checking file deletion events)

Thank you && Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
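Three of the five patches above fix the same class of bug by hand with grep and sed: an XCCDF Rule id, the profile selects that reference it and the OVAL check file are supposed to share one name and have drifted apart. The script below is an added example, not scap-security-guide code; it assumes the RHEL/6 input layout visible in the diffs (Rule definitions under system/, selects under profiles/, one OVAL file per rule id under checks/) and builds a constructed miniature of that tree reproducing the mismatches from patches 1 and 3 to run against.

```shell
#!/bin/sh
# Added example (not scap-security-guide code). Cross-checks XCCDF rule ids,
# profile <select idref> references and OVAL check file names in an SSG-style
# input tree. Assumed layout, taken from the paths in the patches:
#   $tree/system/**/*.xml   XCCDF <Rule id="..."> definitions
#   $tree/profiles/*.xml    <select idref="..."/> references to those rules
#   $tree/checks/<id>.xml   the OVAL check for rule <id>, named after it
set -eu

# Every XCCDF rule id defined under system/, one per line, sorted.
xccdf_rule_ids() {
    grep -rh '<Rule id="' "$1/system" | sed 's/.*<Rule id="\([^"]*\)".*/\1/' | sort -u
}

# Every rule id selected by some profile, one per line, sorted.
profile_idrefs() {
    grep -rh '<select idref="' "$1/profiles" | sed 's/.*<select idref="\([^"]*\)".*/\1/' | sort -u
}

# Rule ids with no checks/<id>.xml: the XCCDF half of a rename (patches 1, 3, 4).
rules_without_oval() {
    xccdf_rule_ids "$1" | while read -r id; do
        [ -e "$1/checks/$id.xml" ] || echo "$id"
    done
}

# OVAL check files that no rule is named after: the other half of the same rename.
orphan_oval_checks() {
    rules=$(xccdf_rule_ids "$1")
    for f in "$1"/checks/*.xml; do
        [ -e "$f" ] || continue
        id=$(basename "$f" .xml)
        echo "$rules" | grep -qx -- "$id" || echo "$id"
    done
}

# Profile selects that name no existing rule: what a partial rename leaves behind.
dangling_selects() {
    rules=$(xccdf_rule_ids "$1")
    profile_idrefs "$1" | while read -r id; do
        echo "$rules" | grep -qx -- "$id" || echo "$id"
    done
}

# Rename a rule id wherever XCCDF, profiles or the overlay mention it, like the
# patches' sed -i but through a temp file so it also works with non-GNU sed.
rename_rule() {
    find "$1/system" "$1/profiles" "$1/auxiliary" -name '*.xml' | while read -r f; do
        grep -q -- "$2" "$f" || continue
        sed "s/$2/$3/g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Constructed miniature tree reproducing two states from the series: patch 1's
# rule/check name mismatch, and patch 3's rename applied to the Rule but not yet
# to the profile that selects it. Prints the path of the tree.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/system/permissions" "$t/system/network" "$t/profiles" "$t/checks" "$t/auxiliary"
    cat > "$t/system/permissions/partitions.xml" <<'EOF'
<Rule id="mountopt_noexec_on_removable_partitions">
<title>Add noexec Option to Removable Media Partitions</title>
</Rule>
<Rule id="mount_option_tmp_nodev">
<title>Add nodev Option to /tmp</title>
</Rule>
EOF
    printf '<Rule id="package_openswan_installed">\n<title>Install openswan Package</title>\n</Rule>\n' \
        > "$t/system/network/ipsec.xml"
    cat > "$t/profiles/common.xml" <<'EOF'
<select idref="mountopt_noexec_on_removable_partitions" selected="true"/>
<select idref="mount_option_tmp_nodev" selected="true" />
<select idref="install_openswan" selected="true" />
EOF
    for c in mount_option_noexec_removable_partitions mount_option_tmp_nodev package_openswan_installed; do
        : > "$t/checks/$c.xml"
    done
    echo "$t"
}

tree=$(make_sample_tree)
echo "rules without OVAL check: $(rules_without_oval "$tree")"
echo "OVAL checks without rule: $(orphan_oval_checks "$tree")"
echo "dangling profile selects: $(dangling_selects "$tree")"
rename_rule "$tree" mountopt_noexec_on_removable_partitions mount_option_noexec_removable_partitions
rename_rule "$tree" install_openswan package_openswan_installed
echo "after renames: '$(rules_without_oval "$tree")$(orphan_oval_checks "$tree")$(dangling_selects "$tree")'"
rm -rf "$tree"
```

Like the patches' own sed, rename_rule treats the old id as an unanchored pattern, so an id that is a prefix of another id needs a tighter expression.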
On 5/14/14, 1:18 PM, Jan Lieskovsky wrote:
pushed
$ git push
Enter passphrase for key '/home/shawnw/.ssh/id_rsa':
Counting objects: 91, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (66/66), done.
Writing objects: 100% (66/66), 9.83 KiB, done.
Total 66 (delta 54), reused 1 (delta 0)
To ssh://shawndwells@git.fedorahosted.org/git/scap-security-guide.git
   5db8e06..947244a  master -> master