Bug
Resolution: Unresolved
Priority: Undefined
Affects Version/s: rhel-8.10, rhel-10.1, rhel-9.7
Severity: Important
Component/s: rhel-security-compliance
What were you trying to do that didn't work?
CIS selects the following rules on RHEL 8, among others:

Title   System Audit Logs Must Have Mode 0750 or Less Permissive
Rule    xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit
Ident   CCE-84048-8

Title   System Audit Logs Must Have Mode 0640 or Less Permissive
Rule    xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
Ident   CCE-80819-6
When log_group is configured in /etc/audit/auditd.conf, the scan fails:

# grep ^log_group /etc/audit/auditd.conf
log_group = adm
# service auditd restart
# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_rhcase04344834 --tailoring-file ssg-rhel8-ds-tailoring.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
--- Starting Evaluation ---

Title   System Audit Logs Must Have Mode 0750 or Less Permissive
Rule    xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit
Ident   CCE-84048-8
Result  fail

Title   System Audit Logs Must Be Group Owned By Root
Rule    xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit
Ident   CCE-88227-4
Result  pass

Title   System Audit Logs Must Be Owned By Root
Rule    xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig
Ident   CCE-88228-2
Result  pass

Title   System Audit Logs Must Have Mode 0640 or Less Permissive
Rule    xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
Ident   CCE-80819-6
Result  fail
The implementation of the rules does not seem to comply with the CIS guide or with the rule titles, which state that the directory may have 0750 permissions and the file 0640 permissions. Instead, the rules appear to enforce 0700 and 0600 respectively, because the code that evaluates log_group is not applied on RHEL for some unknown reason. See ./linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/oval/shared.xml, block 6-20, which is not evaluated because of the condition on line 5:

 5 {{% if 'ol' not in families and 'rhel' not in product and 'fedora' not in product %}}
 6   <criteria operator="AND" comment="log_file set">
 7     <extend_definition comment="log_file set in auditd.conf" definition_ref="auditd_conf_log_file_not_set" negate="true" />
 8     <criteria operator="AND" comment="log_group in auditd.conf is not root">
 9       <extend_definition comment="log_group in auditd.conf is not root"
10         definition_ref="auditd_conf_log_group_not_root" />
11       <criterion test_ref="test_dir_permissions_audit_log-non_root" negate="true" />
12     </criteria>
13     <criterion test_ref="test_dir_permissions_audit_log" negate="true" />
14   </criteria>
15   <criterion test_ref="test_dir_permissions_var_log_audit" negate="true" />
16   <criteria operator="AND" comment="log_group in auditd.conf is not root">
17     <extend_definition comment="log_group in auditd.conf is not root"
18       definition_ref="auditd_conf_log_group_not_root" />
19     <criterion test_ref="test_dir_permissions_var_log_audit-non_root" negate="true" />
20   </criteria>
21 {{% else %}}
The same issue exists in linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml:

 5 {{% if 'ol' not in families and "rhel" not in product and "rhcos4" not in product %}}
 6   <criteria operator="AND" comment="log_file set">
 7     <extend_definition comment="log_file set in auditd.conf" definition_ref="auditd_conf_log_file_not_set" negate="true" />
 8     <criteria operator="AND" comment="log_group in auditd.conf is not root">
 9       <extend_definition comment="log_group in auditd.conf is not root"
10         definition_ref="auditd_conf_log_group_not_root" />
11       <criterion test_ref="test_file_permissions_audit_log-non_root" negate="true" />
12     </criteria>
13     <criterion test_ref="test_file_permissions_audit_log" negate="true" />
14   </criteria>
15   <criteria operator="AND" comment="log_group in auditd.conf is not root">
16     <extend_definition comment="log_group in auditd.conf is not root"
17       definition_ref="auditd_conf_log_group_not_root" />
18     <criterion test_ref="test_file_permissions_var_log_audit-non_root" negate="true" />
19   </criteria>
20   <criterion test_ref="test_file_permissions_var_log_audit" negate="true" />
21 {{% else %}}
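To make the expected behaviour concrete, the following shell script is an added example (it is not part of the bug report and not scap-security-guide code). It models the two rules the way their titles and the guarded OVAL branch describe them: when auditd.conf sets a non-root log_group, the directory may be 0750 and the log file 0640 or less permissive; when log_group is root or unset, the stricter 0700 / 0600 limits apply, which is the branch the reporter observed being applied unconditionally on RHEL. The paths and the auditd.conf are parameters, so the check runs against a constructed tree built by setup_demo; it assumes GNU stat (the %a format) is available.

```shell
#!/bin/sh
# Added example modelling the intended check for the two audit-log rules.
# Not code from the bug report or from scap-security-guide.
# Assumes GNU coreutils stat (%a prints the octal mode).

# Print the log_group value from an auditd.conf, or "root" when it is unset
# (auditd's default group for the log directory and file).
audit_log_group() {
    conf=$1
    group=$(sed -n 's/^[[:space:]]*log_group[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    printf '%s\n' "${group:-root}"
}

# Succeed when the mode of $1 has no permission bit outside the octal mask $2,
# i.e. the path is "$2 or less permissive".
mode_within() {
    path=$1
    allowed=$2
    actual=$(stat -c '%a' "$path") || return 1
    # A leading zero makes both operands octal in POSIX shell arithmetic.
    [ $(( 0$actual & ~0$allowed )) -eq 0 ]
}

# Evaluate both rules for an auditd.conf, the audit log directory and the log
# file. Prints pass/fail per rule and returns 0 only when both pass.
check_audit_log_perms() {
    conf=$1
    dir=$2
    file=$3
    rc=0
    group=$(audit_log_group "$conf")
    if [ "$group" = root ]; then
        dir_max=700; file_max=600      # log_group root: strict branch
    else
        dir_max=750; file_max=640      # non-root log_group: CIS/title limits
    fi
    if mode_within "$dir" "$dir_max"; then
        printf 'directory %s mode <= 0%s (log_group=%s): pass\n' "$dir" "$dir_max" "$group"
    else
        printf 'directory %s mode <= 0%s (log_group=%s): fail\n' "$dir" "$dir_max" "$group"
        rc=1
    fi
    if mode_within "$file" "$file_max"; then
        printf 'file %s mode <= 0%s (log_group=%s): pass\n' "$file" "$file_max" "$group"
    else
        printf 'file %s mode <= 0%s (log_group=%s): fail\n' "$file" "$file_max" "$group"
        rc=1
    fi
    return $rc
}

# Build a constructed tree mirroring the reporter's setup (log_group = adm,
# directory 0750, file 0640) under a temporary directory, so the check never
# touches the real /var/log/audit. Prints the temporary root.
setup_demo() {
    root=$(mktemp -d)
    printf 'log_file = %s/audit/audit.log\nlog_group = adm\n' "$root" > "$root/auditd.conf"
    mkdir "$root/audit"
    : > "$root/audit/audit.log"
    chmod 0750 "$root/audit"
    chmod 0640 "$root/audit/audit.log"
    printf '%s\n' "$root"
}

demo=$(setup_demo)
check_audit_log_perms "$demo/auditd.conf" "$demo/audit" "$demo/audit/audit.log"
rm -rf "$demo"
```

Run stand-alone, the script reports both checks as passing for the reporter's configuration (log_group = adm with 0750 / 0640), which is the result the rule titles lead one to expect; switching the constructed auditd.conf to log_group = root makes the same tree fail, which mirrors the stricter behaviour the reporter saw on RHEL.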
What is the impact of this issue to you?
Can't satisfy the CIS requirements.
Please provide the package NVR for which the bug is seen:
scap-security-guide-0.1.79-1.el8.noarch
How reproducible is this bug?
Always
Steps to reproduce
- Set log_group = adm in /etc/audit/auditd.conf and restart the auditd service:

# sed -i "s/^log_group = .*/log_group = adm/" /etc/audit/auditd.conf
# service auditd restart
# ls -ld /var/log/audit /var/log/audit/audit.log
drwxr-x---. 2 root adm      23 Dec 19 10:01 /var/log/audit
-rw-r-----. 1 root adm 5881119 Jan  6 09:18 /var/log/audit/audit.log

- Execute the rules:

# oscap xccdf eval --profile cis --rule xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
# oscap xccdf eval --profile cis --rule xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Expected results
PASS
Actual results
Both fail