ComplianceAsCode / community

This repository is for management of all ComplianceAsCode community related initiatives.
Apache License 2.0

RHEL 7 STIG Update - RHEL-07-030920 - Rule Update #42

Closed mrabe142 closed 4 years ago

mrabe142 commented 6 years ago

As part of the latest RHEL 7 STIG update referenced in https://github.com/ComplianceAsCode/content/issues/3370, a rule has been updated in the current version. Information about the rule change is outlined below:

Rule Metadata

Red Hat Enterprise Linux 7 Security Technical Implementation Guide :: Release: 1 Benchmark Date: 27 Jul 2018 Vuln ID: V-72207 Rule ID: SV-86831r4_rule STIG ID: RHEL-07-030920
Severity: CAT II Check Reference: M Classification: Unclass

New Rule Title

Rule Title: The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall.

Previous Check + Fix Content

Check Text: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlinkat" command occur.

Check the file system rules in "/etc/audit/audit.rules" with the following commands:

Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.

# grep -iw unlinkat /etc/audit/audit.rules

-a always,exit -F arch=b32 -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete

-a always,exit -F arch=b64 -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete

If there are no audit rules defined for the "unlinkat" command, this is a finding.

Fix Text: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlinkat" command occur.

Add the following rules in "/etc/audit/rules.d/audit.rules":

Note: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.

-a always,exit -F arch=b32 -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete

-a always,exit -F arch=b64 -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete

The audit daemon must be restarted for the changes to take effect.

New Check + Fix Content

Check Text: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlinkat" syscall occur.

Check the file system rules in "/etc/audit/audit.rules" with the following commands:

Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.

# grep -iw unlinkat /etc/audit/audit.rules

-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete

-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete

If there are no audit rules defined for the "unlinkat" syscall, this is a finding.

Fix Text: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlinkat" syscall occur.

Add the following rules in "/etc/audit/rules.d/audit.rules":

Note: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.

-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete

-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete

The audit daemon must be restarted for the changes to take effect.

Noted Differences
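The check text above describes a manual grep and the fix text a rules file edit plus a daemon restart. The shell script below is added here as an example and is not part of the issue, of the STIG, or of the ComplianceAsCode content: it turns the updated check into functions that run against any rules file (the STIG checks `/etc/audit/audit.rules`), picks the arch line(s) to require from `uname -m`, and separately flags rules that still carry the `-F perm=x` filter from the previous revision of the text, which the updated check and fix text drop. The function names, the `required_arch` mapping and the sample rules file are constructed for this example.

```shell
#!/bin/sh
# Added example (not code from the issue or from ComplianceAsCode): the updated
# RHEL-07-030920 check as shell functions. Function names and the sample rules
# file are constructed for this example.

# Print the non-comment rules in FILE that satisfy the updated check for ARCH
# (b32 or b64): an always,exit syscall rule whose -S list contains unlinkat,
# filtered to auid>=1000 and auid!=4294967295 (auditctl also accepts "unset"
# for that value), keyed "delete" via either "-k delete" or "-F key=delete".
matching_unlinkat_rules() {
    file=$1
    arch=$2
    grep -v '^[[:space:]]*#' "$file" \
        | grep -E -e '(^|[[:space:]])-a[[:space:]]+(always,exit|exit,always)([[:space:]]|$)' \
        | grep -E -e "-F[[:space:]]+arch=$arch([[:space:]]|$)" \
        | grep -E -e '-S[[:space:]]+([^[:space:]]*,)?unlinkat(,|[[:space:]]|$)' \
        | grep -E -e '-F[[:space:]]+auid>=1000([[:space:]]|$)' \
        | grep -E -e '-F[[:space:]]+auid!=(4294967295|unset)([[:space:]]|$)' \
        | grep -E -e '(-k[[:space:]]+|-F[[:space:]]+key=)delete([[:space:]]|$)'
}

# 0 when at least one rule matches (check satisfied), 1 when none does
# ("this is a finding").
check_unlinkat_rule() {
    matching_unlinkat_rules "$1" "$2" | grep -q .
}

# Rules for unlinkat that still carry the "-F perm=x" filter present in the
# previous revision of the STIG text and dropped from the updated one.
stale_perm_rules() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -E -e '-S[[:space:]]+([^[:space:]]*,)?unlinkat(,|[[:space:]]|$)' \
        | grep -E -e '-F[[:space:]]+perm=x([[:space:]]|$)'
}

# Which arch line(s) the check expects for this kernel's machine type: the STIG
# requires only the lines appropriate for the system architecture. The mapping
# is an assumption of this example.
required_arch() {
    case $1 in
        x86_64|aarch64|ppc64le|s390x) echo b64 ;;
        i?86|armv6l|armv7l)           echo b32 ;;
        *)                            echo "b64 b32" ;;  # unknown: check both
    esac
}

# Run the check for the local machine type and print the STIG outcome.
report() {
    rules=$1
    for arch in $(required_arch "$(uname -m)"); do
        if check_unlinkat_rule "$rules" "$arch"; then
            echo "PASS: unlinkat audit rule present for arch=$arch in $rules"
        else
            echo "FINDING: no unlinkat audit rule for arch=$arch in $rules"
        fi
    done
    if stale=$(stale_perm_rules "$rules"); then
        echo "NOTE: rule(s) still carry -F perm=x from the previous STIG text:"
        echo "$stale"
    fi
}

# Constructed sample: the b64 line is in the updated form, the b32 line still
# has the superseded -F perm=x filter. Point report at /etc/audit/audit.rules
# to check a real host.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
## constructed sample rules file
-D
-b 8192
-a always,exit -F arch=b32 -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink,unlinkat -F auid>=1000 -F auid!=4294967295 -k delete
-w /etc/sudoers -p wa -k actions
EOF
report "$SAMPLE"
rm -f "$SAMPLE"
```

On a host, run `report /etc/audit/audit.rules` as root. After adding the rules to `/etc/audit/rules.d/audit.rules` as the fix text says, the audit daemon has to be restarted; on systems that use `rules.d`, `augenrules` merges those files into `/etc/audit/audit.rules`, which is the file the check reads, so the check should be re-run after the restart rather than against the `rules.d` fragment.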

redhatrises commented 5 years ago

DISA is missing -F exit=-EPERM and -F exit=-EACCES