ComplianceAsCode / community

This repository is for management of all ComplianceAsCode community related initiatives.
Apache License 2.0

RHEL 7 STIG Update - RHEL-07-030890 - Rule Update #40

Closed mrabe142 closed 4 years ago

mrabe142 commented 6 years ago

As part of the latest RHEL 7 STIG update referenced in https://github.com/ComplianceAsCode/content/issues/3370, a rule has been updated in the current version. Information about the rule change is outlined below:

Rule Metadata

Red Hat Enterprise Linux 7 Security Technical Implementation Guide
Release: 1
Benchmark Date: 27 Jul 2018
Vuln ID: V-72201
Rule ID: SV-86825r4_rule
STIG ID: RHEL-07-030890
Severity: CAT II
Check Reference: M
Classification: Unclass

New Rule Title

Rule Title: The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall.

Previous Check + Fix Content

Check Text: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "renameat" command occur.

Check the file system rules in "/etc/audit/audit.rules" with the following commands:

Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.

# grep -iw renameat /etc/audit/audit.rules

-a always,exit -F arch=b32 -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete

-a always,exit -F arch=b64 -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete

If there are no audit rules defined for the "renameat" command, this is a finding.

Fix Text: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "renameat" command occur.

Add the following rules in "/etc/audit/rules.d/audit.rules":

Note: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.

-a always,exit -F arch=b32 -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete

-a always,exit -F arch=b64 -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete

The audit daemon must be restarted for the changes to take effect.

New Check + Fix Content

Check Text: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "renameat" syscall occur.

Check the file system rules in "/etc/audit/audit.rules" with the following commands:

Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.

# grep -iw renameat /etc/audit/audit.rules

-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

If there are no audit rules defined for the "renameat" syscall, this is a finding.

Fix Text: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "renameat" syscall occur.

Add the following rules in "/etc/audit/rules.d/audit.rules":

Note: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.

-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

The audit daemon must be restarted for the changes to take effect.

Noted Differences

redhatrises commented 5 years ago

missing -F exit=-EACCES and -F exit=-EPERM
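The `grep -iw renameat` check in the STIG text only confirms that some line mentions renameat; it does not tell the old `-F perm=x` form from the new one, and it ignores field order or rules that list several syscalls in one `-S`. The following is an added example, not code from this issue or from ComplianceAsCode, that parses audit.rules text and reports per architecture whether the new rule form is present; `SAMPLE_RULES` is a constructed input, not a real host's file.

```python
import shlex

# Constructed sample of /etc/audit/audit.rules content (not taken from a real host).
# The b32 line matches the new rule text; the b64 line still carries the old "-F perm=x".
SAMPLE_RULES = """\
## constructed sample mixing old and new RHEL-07-030890 rule forms
-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete
-w /etc/passwd -p wa -k identity
"""

# Filters the STIG rule text requires on both the b32 and b64 lines.
REQUIRED_FILTERS = {"auid>=1000", "auid!=4294967295"}


def parse_rule(line):
    """Split one audit.rules line into its action, syscall set, -F filter set and key."""
    toks = shlex.split(line)
    rule = {"action": None, "syscalls": set(), "filters": set(), "key": None}
    for opt, val in zip(toks[0::2], toks[1::2]):
        if opt == "-a":
            rule["action"] = val
        elif opt == "-S":
            rule["syscalls"].update(val.split(","))  # -S may list several syscalls
        elif opt == "-F":
            rule["filters"].add(val)
        elif opt == "-k":
            rule["key"] = val
    return rule


def check_renameat_rules(rules_text):
    """Per architecture: 'ok' (new rule form), 'has perm=x' (old form), or 'missing'."""
    verdict = {"b32": "missing", "b64": "missing"}
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule["action"] != "always,exit" or "renameat" not in rule["syscalls"]:
            continue
        arch = next((f[5:] for f in rule["filters"] if f.startswith("arch=")), None)
        if arch not in verdict or not REQUIRED_FILTERS <= rule["filters"]:
            continue
        # perm=x is a file-watch permission filter; its presence marks the old rule form.
        old_form = "perm=x" in rule["filters"]
        if verdict[arch] != "ok":
            verdict[arch] = "has perm=x" if old_form else "ok"
    return verdict
```

Run against a real system by passing the contents of /etc/audit/audit.rules (or the files under /etc/audit/rules.d/) to `check_renameat_rules`; any architecture not reporting `ok` is a finding under the new rule text.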