ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

oscap xccdf eval --rule xccdf_org.ssgproject.content_rule_auditd_local_events does not work #4645

Closed adelton closed 5 years ago

adelton commented 5 years ago

Description of problem:

When local_events = yes line is followed by local_events = no, xccdf_org.ssgproject.content_rule_auditd_local_events still reports pass.

SCAP Security Guide Version:

Upstream master, f22dc360663418ff0856664490e7341487f66b8f.

Operating System Version:

RHEL 8.0.

Steps to Reproduce:

  1. ./build_product rhel8
  2. To /etc/audit/auditd.conf, append lines
    local_events = yes
    local_events = no
  3. systemctl restart auditd
  4. tail -f /var/log/audit/audit.log &
  5. ssh root@localhost date
  6. oscap xccdf eval --profile ospp --rule xccdf_org.ssgproject.content_rule_auditd_local_events build/ssg-rhel8-ds.xml

Actual Results:

Title   Include Local Events in Audit Logs
Rule    xccdf_org.ssgproject.content_rule_auditd_local_events
Ident   CCE-82233-8
Result  pass

Expected Results:

Title   Include Local Events in Audit Logs
Rule    xccdf_org.ssgproject.content_rule_auditd_local_events
Ident   CCE-82233-8
Result  fail

Additional Information/Debugging Steps:

There is no output produced by that tail -f because the last local_events = no wins.

The xccdf_org.ssgproject.content_rule_auditd_local_events should not say that local_events is enabled when it only looked at one line but missed the line that overrides the value.
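As an added illustration (not code from ComplianceAsCode or from the reporter), here is a checker that applies the last-occurrence-wins rule the report describes, so a `yes` line followed by a `no` line evaluates to fail; it assumes `key = value` lines, `#` comments, and auditd's documented default of `yes` when the key is absent.

```python
"""Evaluate auditd's local_events setting with last-occurrence-wins semantics.

Added example, not part of ComplianceAsCode/content. Assumes auditd.conf
lines have the form `key = value` and that a later line overrides an
earlier one, which is the behaviour the issue report observes."""
import re

# key = value with optional surrounding whitespace (comments already stripped)
_LINE_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(\S+)\s*$")


def effective_settings(conf_text: str) -> dict:
    """Return the effective key/value map for an auditd.conf body.

    Assignments are applied in file order, so a repeated key keeps the
    value of its last occurrence, the one auditd actually honours.
    """
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue                           # not a key = value line; ignore
        key, value = m.group(1).lower(), m.group(2).lower()
        settings[key] = value                  # last assignment wins
    return settings


def evaluate_local_events(conf_text: str) -> str:
    """Return 'pass' if local_events is effectively 'yes', otherwise 'fail'.

    Assumption of this example: an absent key takes auditd's documented
    default of yes, so only a final non-yes value fails the check.
    """
    value = effective_settings(conf_text).get("local_events", "yes")
    return "pass" if value == "yes" else "fail"


# Constructed sample mirroring the report: a 'yes' line followed by 'no'.
SAMPLE_CONF = """\
log_file = /var/log/audit/audit.log
local_events = yes
local_events = no
"""

if __name__ == "__main__":
    print(evaluate_local_events(SAMPLE_CONF))   # prints "fail"
```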

adelton commented 5 years ago

To restart the auditd.service, commenting out RefuseManualStop=yes in /usr/lib/systemd/system/auditd.service + systemctl daemon-reload might be needed.

yuumasato commented 5 years ago

To restart the auditd.service, commenting out RefuseManualStop=yes in /usr/lib/systemd/system/auditd.service + systemctl daemon-reload might be needed.

It is less invasive to set reboot metadata to true.