ComplianceAsCode / community

This repository is for management of all ComplianceAsCode community related initiatives.
Apache License 2.0

RHEL 7 STIG Update - RHEL-07-030760 - Rule Update #27

Closed mrabe142 closed 4 years ago

mrabe142 commented 6 years ago

As part of the latest RHEL 7 STIG update referenced in https://github.com/ComplianceAsCode/content/issues/3370, a rule has been updated in the current version. Information about the rule change is outlined below:

Rule Metadata

Red Hat Enterprise Linux 7 Security Technical Implementation Guide :: Release: 1 Benchmark Date: 27 Jul 2018
Vuln ID: V-72175
Rule ID: SV-86799r4_rule
STIG ID: RHEL-07-030760
Severity: CAT II
Check Reference: M
Classification: Unclass

New Rule Title

Rule Title: The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.

Previous Check + Fix Content

Check Text: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postdrop" command occur.

Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":

# grep -i /usr/sbin/postdrop /etc/audit/audit.rules

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix

If the command does not return any output, this is a finding.

Fix Text: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur.

Add or update the following rule in "/etc/audit/rules.d/audit.rules":

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix

The audit daemon must be restarted for the changes to take effect.

New Check + Fix Content

Check Text: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postdrop" command occur.

Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":

# grep -iw /usr/sbin/postdrop /etc/audit/audit.rules

-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=4294967295 -k privileged-postfix

If the command does not return any output, this is a finding.

Fix Text: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur.

Add or update the following rule in "/etc/audit/rules.d/audit.rules":

-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=4294967295 -k privileged-postfix

The audit daemon must be restarted for the changes to take effect.

Noted Differences
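Added example (not part of this issue or of the ComplianceAsCode project): a Python checker for the RHEL-07-030760 rule that parses auditctl-style rule lines instead of grepping for a substring, so it accepts the rule whatever the field order, reports which of the expected filters (auid>=1000, auid!=4294967295, key privileged-postfix) are absent, and flags whether the "-F perm=x" filter dropped in the r4 rule is still present. The rules-file content is constructed; it is stricter than the literal grep in the check text.

```python
import shlex

# Constructed sample of /etc/audit/rules.d/audit.rules content (not from a real host).
# The postdrop rule lists its filters in a different order than the STIG text and omits perm=x.
SAMPLE_RULES = """\
-D
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F auid>=1000 -F auid!=4294967295 -F path=/usr/sbin/postdrop -k privileged-postfix
-w /etc/sudoers -p wa -k privileged-actions
"""

# Filters the RHEL-07-030760 check text expects on the postdrop rule.
REQUIRED_FILTERS = ("auid!=4294967295", "auid>=1000")

def parse_rule(line):
    """Parse an '-a action,list -F ... -k key' syscall rule into (action, filters, key); None otherwise."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] not in ("-a", "-A"):
        return None  # -w watches, -D, -b and comments are not syscall rules
    action, filters, key = toks[1], [], None
    i = 2
    while i + 1 < len(toks):
        opt, val = toks[i], toks[i + 1]
        if opt == "-k" or (opt == "-F" and val.startswith("key=")):
            key = val.split("=", 1)[-1]  # '-k name' and '-F key=name' both set the key
        elif opt == "-F":
            filters.append(val)
        i += 2  # -S, -C and other options with one argument are skipped
    return action, filters, key

def check_postdrop_rule(rules_text, path="/usr/sbin/postdrop", key="privileged-postfix"):
    """Evaluate a rules file against the check; result["finding"] is True when it fails."""
    result = {"found": False, "has_perm_x": False, "missing": list(REQUIRED_FILTERS) + ["key=" + key]}
    for raw in rules_text.splitlines():
        parsed = parse_rule(raw.split("#", 1)[0].strip())
        if parsed is None:
            continue
        action, filters, rkey = parsed
        if action != "always,exit" or "path=" + path not in filters:
            continue
        result["found"] = True
        result["has_perm_x"] = "perm=x" in filters  # present in the old rule, dropped in r4
        result["missing"] = [f for f in REQUIRED_FILTERS if f not in filters]
        if rkey != key:
            result["missing"].append("key=" + key)
        break
    result["finding"] = not result["found"] or bool(result["missing"])
    return result
```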

redhatrises commented 5 years ago

-F perm=x is missing, meaning you will only be auditing if someone reads the file.