Closed mrabe142 closed 4 years ago
As part of the latest RHEL 7 STIG update referenced in https://github.com/ComplianceAsCode/content/issues/3370, a rule has been updated in the current version. Information about the rule change is outlined below:
Rule Metadata
Red Hat Enterprise Linux 7 Security Technical Implementation Guide :: Release: 1 Benchmark Date: 27 Jul 2018 Vuln ID: V-72175 Rule ID: SV-86799r4_rule STIG ID: RHEL-07-030760 Severity: CAT II Check Reference: M Classification: Unclass
New Rule Title
Rule Title: The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.
Previous Check + Fix Content
Check Text: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
# grep -i /usr/sbin/postdrop /etc/audit/audit.rules
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
If the command does not return any output, this is a finding.
Fix Text: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
The audit daemon must be restarted for the changes to take effect.
New Check + Fix Content
Check Text: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
# grep -iw /usr/sbin/postdrop /etc/audit/audit.rules
-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
If the command does not return any output, this is a finding.
Fix Text: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
The audit daemon must be restarted for the changes to take effect.
Noted Differences
-F perm=x is missing, meaning you will only be auditing if someone reads the file.
-F perm=x
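As an added check (not part of this issue or of the ComplianceAsCode project), the POSIX shell function below applies the updated check's grep -iw selection to an audit rules file and reports whether the matching postdrop rule still carries -F perm=x; the rules files it inspects are constructed inline as samples.

```shell
#!/bin/sh
# Added example; not from the STIG text or the ComplianceAsCode project.
# Evaluates an audit rules file for the RHEL-07-030760 postdrop rule. Prints:
#   perm-x    : rule present and limited to execution via -F perm=x (old form)
#   no-perm-x : rule present without -F perm=x (new form, no execute restriction)
#   missing   : no active rule for /usr/sbin/postdrop -> this is a finding
check_postdrop_rule() {
    rules_file=$1
    # Same selection as the updated check text (whole-word match on the path),
    # then drop commented-out lines, which auditctl would ignore anyway.
    matches=$(grep -iw '/usr/sbin/postdrop' "$rules_file" 2>/dev/null \
              | grep -v '^[[:space:]]*#' || true)
    if [ -z "$matches" ]; then
        echo missing
        return 1
    fi
    # Every field the STIG rule names must be present (order does not matter).
    for field in 'always,exit' 'path=/usr/sbin/postdrop' 'auid>=1000' \
                 'auid!=4294967295' 'privileged-postfix'; do
        if ! printf '%s\n' "$matches" | grep -qF -- "$field"; then
            echo missing
            return 1
        fi
    done
    if printf '%s\n' "$matches" | grep -qF -- '-F perm=x'; then
        echo perm-x
    else
        echo no-perm-x
    fi
}

# Writes a constructed sample rules file: one comment line plus the given rule.
write_sample() {
    printf '%s\n' '## constructed sample audit.rules' "$2" > "$1"
}

# The two rule forms quoted in the issue (old check with perm=x, new check without).
OLD_RULE='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
NEW_RULE='-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'

demo_file=$(mktemp)
for rule in "$OLD_RULE" "$NEW_RULE" ''; do
    write_sample "$demo_file" "$rule"
    printf '%-10s <- %s\n' "$(check_postdrop_rule "$demo_file")" "${rule:-(no rule)}"
done
rm -f "$demo_file"
```

On a real host, point check_postdrop_rule at /etc/audit/audit.rules (or the files under /etc/audit/rules.d/) and remember that the loaded rules only change after the audit daemon is restarted.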