ansible-lockdown / AMAZON2023-CIS

Ansible role for Amazon2023 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

CIS 5.2.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled does not account for extra characters on line #17

Closed ssarkar9 closed 7 months ago

ssarkar9 commented 10 months ago

Describe the Issue
GRUB_CMDLINE_LINUX="audit=1 audit_backlog_limit=8192 pti=on page_poison=1 vsyscall=none" is a sample line.

Expected Behavior
Audit for the process prior to start of auditd should pass.

Actual Behavior
This is actually showing up as failed.

Control(s) Affected
CIS 5.2.1.2

Possible Solution
Use GRUB_CMDLINE_LINUX instead of GRUB_CMDLINE_LINUX_Default

ashfaqsharif commented 9 months ago

@ssarkar9 : my checks are looking good as per CIS standard after hardening the instance using this repo. Can you please elaborate when you say your checks are failing? What settings are you referring to:

```shell
grubby --info=ALL | grep -Po '\baudit=1\b'
audit=1

grubby --info=ALL | grep -Po "\baudit_backlog_limit=\d+\b"
audit_backlog_limit=8192

systemctl is-enabled auditd
enabled
```

I assume AL2023 uses GRUB_CMDLINE_LINUX_DEFAULT and not GRUB_CMDLINE_LINUX. So I am not sure what we should modify in this repo.
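The checks above rely on word-boundary matching, so other parameters on the same kernel command line (pti=on, page_poison=1, vsyscall=none) do not affect the result. The following is an added example, not code from this thread or from the ansible-lockdown role: a portable POSIX sh version of the same CIS 5.2.1.2 check that tokenises the command line instead of using grep -P, plus a helper that pulls either GRUB_CMDLINE_LINUX or GRUB_CMDLINE_LINUX_DEFAULT out of an /etc/default/grub-style file. The sample file contents, the function names and the 8192 threshold (taken from the values quoted in the thread) are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the issue thread or the ansible-lockdown role).
# Verifies the CIS 5.2.1.2 kernel parameters on a command line while
# ignoring any extra parameters present on the same line.

# Constructed sample of an /etc/default/grub file, modelled on the line
# quoted in the issue; both GRUB variables are present so either can be checked.
SAMPLE_GRUB_DEFAULTS='GRUB_TIMEOUT=0
GRUB_CMDLINE_LINUX="audit=1 audit_backlog_limit=8192 pti=on page_poison=1 vsyscall=none"
GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,115200n8"'

# grub_cmdline_value VAR  (file contents on stdin)
# Prints the quoted value of VAR (e.g. GRUB_CMDLINE_LINUX) with the quotes removed.
grub_cmdline_value() {
    sed -n "s/^$1=\"\(.*\)\"\$/\1/p"
}

# check_audit_cmdline "CMDLINE"
# Returns 0 when the command line contains exactly the token audit=1 and an
# audit_backlog_limit of at least 8192; returns 1 otherwise.
# Tokenising on whitespace gives the same word-boundary behaviour as the
# grep -Po '\baudit=1\b' used in the thread, so audit=10 or extra parameters
# never produce a false pass or a false fail.
check_audit_cmdline() {
    found_audit=1
    limit=""
    for tok in $1; do
        case "$tok" in
            audit=1) found_audit=0 ;;
            audit_backlog_limit=*) limit="${tok#audit_backlog_limit=}" ;;
        esac
    done
    [ "$found_audit" -eq 0 ] || return 1
    # The limit must be a non-empty string of digits before comparing numerically.
    case "$limit" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$limit" -ge 8192 ] || return 1
    return 0
}

# check_grub_file VAR  (file contents on stdin)
# Combines the two helpers: extract VAR from the file and evaluate it.
check_grub_file() {
    cmdline=$(grub_cmdline_value "$1")
    check_audit_cmdline "$cmdline"
}

# Stand-alone demonstration against the constructed sample file.
demo() {
    for var in GRUB_CMDLINE_LINUX GRUB_CMDLINE_LINUX_DEFAULT; do
        if printf '%s\n' "$SAMPLE_GRUB_DEFAULTS" | check_grub_file "$var"; then
            echo "PASS: $var"
        else
            echo "FAIL: $var"
        fi
    done
}
demo
```

On a real host the sample string would be replaced by `cat /etc/default/grub`, or by the output of `grubby --info=ALL` to check what the installed kernels actually boot with rather than what the defaults file says.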

uk-bolly commented 7 months ago

hi @ssarkar9 and @ashfaqsharif

Just following up on this thread, could we have a little more clarity on what you are seeing, what you are expecting and what is failing so that we may follow this up.

Many thanks

uk-bolly

ssarkar9 commented 7 months ago

Please close. This is actually fine. I ran a STIG and then Ansible Lockdown. I switched the order so that Lockdown was run first and then STIG. STIG was causing the issue. This can be closed.