ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

RHEL7: audit_rules_login_events_faillock #2607

Closed dirtyharrycallahan closed 6 years ago

dirtyharrycallahan commented 6 years ago

Description of problem:

Test doesn't match the text.

SCAP Security Guide Version:

tip

Operating System Version:

RHEL

Steps to Reproduce:

  1. add audit rule indicated in narrative -> -w /var/run/faillock/ -p wa -k logins
  2. run eval and control is marked failed b/c the narrative includes a trailing "/"
     ^-w\s+\/var\/run\/faillock\s+-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$

Actual Results:

audit_rules_login_events_faillock : fail

Expected Results:

audit_rules_login_events_faillock : pass

Additional Information/Debugging Steps:
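
The mismatch in the report can be reproduced without a SCAP scanner: the check is a regular expression over the audit rules file, and the pattern quoted above only accepts the path without a trailing "/". The following is an added example and not code from the ComplianceAsCode project. It applies the regex exactly as quoted in the issue to a constructed rules file written from the narrative text, and then shows a tolerant pattern (my proposal, not the project's fix) that accepts the path with or without the trailing slash, the permission letters in any order, and the key as either "-k NAME" or "-F key=NAME". The helper names, the sample rules and the tolerant regex are all assumptions made for this illustration.

```python
import re

# Regex quoted in the issue report: the textfilecontent54 check requires the
# watched path with no trailing "/", so "-w /var/run/faillock/ ..." never matches.
STRICT_RE = re.compile(
    r'^-w\s+\/var\/run\/faillock\s+-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$'
)


def build_watch_regex(path, need_perms="wa"):
    """Tolerant pattern (assumption: my proposal, not the project's own check).

    Accepts the path with or without a trailing "/", the permission letters in
    any order as long as every letter in need_perms is present, and the key
    given either as "-k NAME" or "-F key=NAME".
    """
    escaped_path = re.escape(path.rstrip("/"))
    # one lookahead per required permission letter, e.g. "w" and "a"
    perm_checks = "".join(rf"(?=[rwxa]*{p})" for p in need_perms)
    return re.compile(
        rf"^-w\s+{escaped_path}/?\s+-p\s+{perm_checks}[rwxa]+\s+(-k\s+|-F\s+key=)[-\w]+\s*$"
    )


def evaluate(rules_text, regex):
    """Mimic the check's verdict: "pass" if any non-comment line matches."""
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if regex.match(line):
            return "pass"
    return "fail"


# Constructed sample of an audit.rules file written from the narrative text
# (trailing slash included); not captured from a real host.
SAMPLE_RULES = """\
# /etc/audit/rules.d/audit.rules (constructed)
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
"""

if __name__ == "__main__":
    tolerant = build_watch_regex("/var/run/faillock")
    print("regex as quoted :", evaluate(SAMPLE_RULES, STRICT_RE))   # fail
    print("tolerant regex  :", evaluate(SAMPLE_RULES, tolerant))    # pass
```

Whichever spelling the project settles on, the narrative, the OVAL regex and the Bash/Ansible remediation need to agree on it; a remediation that writes the trailing slash while the check rejects it will keep producing a failing result on every remediated host.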

dominiquearpin commented 6 years ago

I got the same problem with RHEL 7.5Beta. Anyone with a patch?

shawndwells commented 6 years ago

There is no audit_rules_login_events_faillock in shared/ or rhel7/checks/oval.

hallllpppp I'm going mental.

edit: here is what's in the dir tree:

$ grep -rin audit_rules_login_events_faillock
.git/logs/refs/heads/newospp:61:72b41aaa2948b4cfedd12a495cdce979b209fe99 5f183cee65722507cde29facdbaf3a846e34388e Shawn Wells <shawn@redhat.com> 1517591134 -0500   commit: adding ospp labels to audit_rules_login_events_faillock
.git/logs/HEAD:161:72b41aaa2948b4cfedd12a495cdce979b209fe99 5f183cee65722507cde29facdbaf3a846e34388e Shawn Wells <shawn@redhat.com> 1517591134 -0500    commit: adding ospp labels to audit_rules_login_events_faillock
shared/xccdf/system/auditing.xml:1900:<Rule id="audit_rules_login_events_faillock" severity="medium" prodtype="rhel7">
shared/xccdf/system/auditing.xml:1923:<oval id="audit_rules_login_events_faillock" />
shared/checks/oval/audit_rules_login_events.xml:13:      <extend_definition comment="audit faillock" definition_ref="audit_rules_login_events_faillock" />
rhel6/checks/oval/audit_rules_login_events.xml:12:      <criterion comment="faillock" test_ref="test_audit_rules_login_events_faillock" />
rhel6/checks/oval/audit_rules_login_events.xml:24:  <ind:textfilecontent54_test check="all" comment="faillock" id="test_audit_rules_login_events_faillock" version="1">
rhel6/checks/oval/audit_rules_login_events.xml:25:    <ind:object object_ref="object_audit_rules_login_events_faillock" />
rhel6/checks/oval/audit_rules_login_events.xml:27:  <ind:textfilecontent54_object id="object_audit_rules_login_events_faillock" version="1">
rhel7/overlays/stig_overlay.xml:553:  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030610" ruleid="audit_rules_login_events_faillock" severity="medium">
rhel7/profiles/ospp-rhel7.xml:201:<select idref="audit_rules_login_events_faillock" selected="true" />
rhel7/profiles/stig-rhel7-disa.xml:472:<select idref="audit_rules_login_events_faillock" selected="true" />

redhatrises commented 6 years ago

@shawndwells did you check shared/templates/csv/audit_rules_login_events.csv?

shawndwells commented 6 years ago

On 2/22/18 11:11 AM, redhatrises wrote:

@shawndwells https://github.com/shawndwells did you check shared/templates/csv/audit_rules_login_events.csv?

Nope. But isn't that for audit_rules_login_events, not audit_rules_login_events_faillock?

redhatrises commented 6 years ago

@shawndwells it is for all audit_rules_login_events including faillock.

dirtyharrycallahan commented 6 years ago

I work only with Red Hat 7 server and the DISA Red Hat 7 STIG profile and while running my scans I noticed that there is a general inconsistency between the checks, the text, and the remedies (both bash and Ansible). Other examples are the Gnome settings in the dconf ini file. Some tests will accept spaces around the key=value and some will not. I will have to get my head around how all this content comes together and review the current STIG before I can submit some pull requests.
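
The dconf inconsistency mentioned in the comment above (some checks accept spaces around "key=value", others do not) can be shown in the same way. The following is an added example and not code from the ComplianceAsCode project: it runs a strict "key=value" regex and a whitespace-tolerant one over a constructed dconf database source, and then reads the same text with Python's configparser, which accepts both spellings. The sample file, the key names and the helper names are assumptions for this illustration; configparser is used here only as a stand-in for a real key-file parser and does not reproduce every rule of the GLib key-file syntax dconf itself reads.

```python
import configparser
import re

# Constructed example of a dconf database source such as
# /etc/dconf/db/local.d/00-security-settings; spacing deliberately mixed.
SAMPLE_DCONF = """\
[org/gnome/login-screen]
banner-message-enable = true

[org/gnome/desktop/screensaver]
lock-enabled=true
"""


def strict_regex_present(text, key, value):
    """Check written as 'key=value' only: rejects 'key = value'."""
    pattern = rf"^{re.escape(key)}={re.escape(value)}$"
    return re.search(pattern, text, re.MULTILINE) is not None


def tolerant_regex_present(text, key, value):
    """Same check allowing optional whitespace around '='."""
    pattern = rf"^\s*{re.escape(key)}\s*=\s*{re.escape(value)}\s*$"
    return re.search(pattern, text, re.MULTILINE) is not None


def keyfile_setting(text, section, key):
    """Parse the text as a key file and return the value, or None if unset.

    A parser accepts both spellings, so the verdict no longer depends on how
    the remediation happened to write the line.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser.get(section, key, fallback=None)


if __name__ == "__main__":
    key, value = "banner-message-enable", "true"
    print("strict regex  :", strict_regex_present(SAMPLE_DCONF, key, value))    # False
    print("tolerant regex:", tolerant_regex_present(SAMPLE_DCONF, key, value))  # True
    print("parsed value  :", keyfile_setting(SAMPLE_DCONF, "org/gnome/login-screen", key))
```

The practical rule is the same as for the audit watch above: either the check parses the file the way the consuming tool does, or the check's regex and the remediation's output must use one agreed spelling.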