ComplianceAsCode / community

This repository is for management of all ComplianceAsCode community related initiatives.
Apache License 2.0

RHEL 7 STIG Update - RHEL-07-030320 - Rule Update #39

Closed mrabe142 closed 4 years ago

mrabe142 commented 6 years ago

As part of the latest RHEL 7 STIG update referenced in https://github.com/ComplianceAsCode/content/issues/3370, a rule has been updated in the current version. Information about the rule change is outlined below:

Rule Metadata

Red Hat Enterprise Linux 7 Security Technical Implementation Guide :: Release: 1 Benchmark Date: 27 Jul 2018
Vuln ID: V-72087
Rule ID: SV-86711r3_rule
STIG ID: RHEL-07-030320
Severity: CAT II
Check Reference: M
Classification: Unclass

New Rule Title

Rule Title: The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.

Previous Check + Fix Content

Check Text: Verify the action the operating system takes if the disk the audit records are written to becomes full.

To determine the action that takes place if the disk is full on the remote server, use the following command:

# grep -i disk_full_action /etc/audisp/audisp-remote.conf
disk_full_action = single

To determine the action that takes place if the network connection fails, use the following command:

# grep -i network_failure_action /etc/audisp/audisp-remote.conf
network_failure_action = stop

If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.

If the value of the "disk_full_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.

Fix Text: Configure the action the operating system takes if the disk the audit records are written to becomes full.

Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line:

disk_full_action = single

Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt".

New Check + Fix Content

Check Text: Verify the action the operating system takes if the disk the audit records are written to becomes full.

To determine the action that takes place if the disk is full on the remote server, use the following command:

# grep -i disk_full_action /etc/audisp/audisp-remote.conf
disk_full_action = single

To determine the action that takes place if the network connection fails, use the following command:

# grep -i network_failure_action /etc/audisp/audisp-remote.conf
network_failure_action = stop

If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.

If the value of the "disk_full_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.

Fix Text: Configure the action the operating system takes if the disk the audit records are written to becomes full.

Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line:

disk_full_action = single

Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt".

Noted Differences

shawndwells commented 6 years ago

New language also removes the exec option.

@tedbrunell can you check to see if this was intentional?
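The check and fix text quoted in the issue above, carried through as a script: an added example for this page, not code from the issue, the STIG, or the ComplianceAsCode project. It takes the path of an audisp-remote.conf as an argument, treats a commented-out option as a finding exactly as the check text does, accepts only syslog, single or halt, and applies the fix by rewriting or appending the two options. The function names, the constructed sample config, and the choice to honour the last active assignment when an option appears more than once are all assumptions of this example, not behaviour documented on the page.

```shell
#!/bin/bash
# Added example (not project code): RHEL-07-030320 check and fix against a
# config file passed as an argument. Function names are hypothetical.

# Print the effective value of an option: only uncommented assignments count,
# and the last one wins (an assumption of this example). Matching is
# case-insensitive, mirroring the "grep -i" in the STIG check text.
audisp_opt_value() {
    local conf="$1" opt="$2"
    grep -iE "^[[:space:]]*${opt}[[:space:]]*=" "$conf" | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]+$//' | tr 'A-Z' 'a-z'
}

# Return 0 when the option is set to an allowed action, 1 (a finding) when it
# is commented out, absent, or set to anything else (e.g. stop, exec).
audisp_opt_compliant() {
    local value
    value=$(audisp_opt_value "$1" "$2")
    case "$value" in
        syslog|single|halt) return 0 ;;
        *) return 1 ;;
    esac
}

# Whole-rule check: both disk_full_action and network_failure_action must pass.
rhel_07_030320_check() {
    local conf="$1" rc=0 opt
    for opt in disk_full_action network_failure_action; do
        if audisp_opt_compliant "$conf" "$opt"; then
            echo "PASS: $opt = $(audisp_opt_value "$conf" "$opt")"
        else
            echo "FINDING: $opt is not syslog, single or halt (or is commented out)"
            rc=1
        fi
    done
    return $rc
}

# Fix: set both options to the requested action (default single, as in the
# STIG fix text). An existing assignment, commented or not, is replaced in
# place; otherwise the option is appended. The file is rewritten through a
# temp copy so its ownership and mode are preserved.
rhel_07_030320_fix() {
    local conf="$1" action="${2:-single}" opt tmp
    for opt in disk_full_action network_failure_action; do
        if grep -qE "^[[:space:]]*#?[[:space:]]*${opt}[[:space:]]*=" "$conf"; then
            tmp=$(mktemp)
            sed -E "s/^[[:space:]]*#?[[:space:]]*${opt}[[:space:]]*=.*/${opt} = ${action}/" \
                "$conf" > "$tmp" && cat "$tmp" > "$conf"
            rm -f "$tmp"
        else
            printf '%s = %s\n' "$opt" "$action" >> "$conf"
        fi
    done
}

# Constructed sample config (not a real system file) exhibiting both failure
# modes from the check text: one option commented out, the other set to a
# disallowed action.
make_sample_conf() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# audisp-remote.conf (constructed sample for this example)
remote_server =
#disk_full_action = single
network_failure_action = stop
EOF
    echo "$f"
}

# Demo: run the check, apply the fix, run the check again.
demo_conf=$(make_sample_conf)
rhel_07_030320_check "$demo_conf" || true
rhel_07_030320_fix "$demo_conf" single
rhel_07_030320_check "$demo_conf"
rm -f "$demo_conf"
```

Note that the sample's `network_failure_action = stop` is the very value shown as example output in the STIG check text, yet under the rule's own wording it is a finding, since only syslog, single and halt are accepted; the script flags it as such. The fix pattern also matches lines that begin with `#`, so a commented explanatory line that happens to start with the option name would be rewritten too; inspect the file before running it against a real host.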