  2. RHEL-141394

[RHEL9.7/SCAP/Bug] The remediation for rule audit_rules_etc_cron_d utilizes the 'actions' filter key; however, the rule description expects the 'cronjobs' key.


      Description of problem:
      ========================

      There appears to be a discrepancy in the audit_rules_etc_cron_d rule. The remediation content uses the 'actions' filter key, which is inconsistent with the description that specifies the 'cronjobs' filter key.

      This mismatch may lead to audit failures or incorrect rule application.

      How reproducible is this bug?:
      ==============================
      Every time

      Steps to reproduce:
      ===================

      1] Scan the system with the STIG profile and save the results:

      # oscap xccdf eval  --profile xccdf_org.ssgproject.content_profile_stig  --rule xccdf_org.ssgproject.content_rule_audit_rules_etc_cron_d --results results2.xml --report report2.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

      2] Refer to the description, the Remediation Shell script and the Remediation Ansible snippet in the report:

       

      # lynx -dump report2.html
        Description
         At a minimum, the audit system should collect administrator actions for
         all users and root. If the auditd daemon is configured to use the
         augenrules program to read audit rules during daemon startup (the
         default), add the following lines to a file with suffix .rules in the
         directory /etc/audit/rules.d:
      -w /etc/cron.d/ -p wa -k cronjobs
         If the auditd daemon is configured to use the auditctl utility to read
         audit rules during daemon startup, add the following lines to
         /etc/audit/audit.rules:
      -w /etc/cron.d/ -p wa -k cronjobs
      
         [7]Remediation Shell script ⇲
       
              sed -i "s#\($sp*-w$sp\+/etc/cron.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
          else
              # Rule isn't present yet. Append it at the end of $audit_rules_file file
              # with proper key
      
              echo "-w /etc/cron.d/ -p wa -k actions" >> "$audit_rules_file"
          fi
      done
      
          else
              # Rule isn't present yet. Append it at the end of $audit_rules_file file
              # with proper key
      
              echo "-w /etc/cron.d/ -p wa -k actions" >> "$audit_rules_file"
          fi
      done
      else
          >&2 echo 'Remediation is not applicable, nothing was done'
      fi
       
       [8]Remediation Ansible snippet ⇲
      - name: Ensure auditd Collects Changes to Cron Jobs - /etc/cron.d/ - Add watch rule for /etc/cron.d/ in /etc/audit/audit.rules
        ansible.builtin.lineinfile:
          line: -w /etc/cron.d/ -p wa -k actions
          state: present
          dest: /etc/audit/audit.rules
          create: true
          mode: '0600'
        when:
        - '"audit" in ansible_facts.packages'
        - '"kernel-core" in ansible_facts.packages'
        - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
        tags:
        - CCE-86613-7
        - DISA-STIG-RHEL-09-654096
        - audit_rules_etc_cron_d
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
      

      Expected results:
      =================

      Please correct either the remediation or the description so that both use the same filter key for this audit rule, to avoid confusion.
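      The mismatch described above can be confirmed directly on a system's audit rules files. The following check is an added example for this report, not SSG or oscap code: it extracts the -k value attached to the /etc/cron.d/ watch rule and compares it with the key the rule description expects ('cronjobs'); the sample rule files it writes are constructed stand-ins for /etc/audit/rules.d/*.rules.

```shell
#!/bin/sh
# Added example for RHEL-141394 (not SSG's own code): report the key (-k) that
# the watch rule on /etc/cron.d/ carries in a set of audit rules files, so the
# key the remediation writes ('actions') can be compared with the key the
# rule description expects ('cronjobs').

# Print the -k value of every "-w /etc/cron.d/ ..." watch rule in the files.
cron_d_watch_keys() {
    awk '$1 == "-w" && ($2 == "/etc/cron.d/" || $2 == "/etc/cron.d") {
             for (i = 3; i < NF; i++) if ($i == "-k") print $(i + 1)
         }' "$@"
}

# Return 0 if every /etc/cron.d/ watch rule uses the expected key,
# 1 if any rule carries a different key (the mismatch the report describes),
# 2 if no watch rule on /etc/cron.d/ is present at all.
check_cron_d_watch_key() {
    expected="$1"; shift
    keys=$(cron_d_watch_keys "$@")
    [ -n "$keys" ] || return 2
    for k in $keys; do
        [ "$k" = "$expected" ] || return 1
    done
    return 0
}

# Constructed sample rule files (stand-ins for /etc/audit/rules.d/*.rules);
# prints the directory they were written to.
make_sample_rules() {
    dir=$(mktemp -d)
    # the line the SSG remediation appends
    printf '%s\n' '-w /etc/cron.d/ -p wa -k actions'  > "$dir/remediated.rules"
    # the line the rule description expects
    printf '%s\n' '-w /etc/cron.d/ -p wa -k cronjobs' > "$dir/described.rules"
    # an unrelated watch rule: no /etc/cron.d/ watch at all
    printf '%s\n' '-w /etc/sudoers -p wa -k actions'  > "$dir/other.rules"
    printf '%s\n' "$dir"
}

sample_dir=$(make_sample_rules)
for f in "$sample_dir"/*.rules; do
    rc=0; check_cron_d_watch_key cronjobs "$f" || rc=$?
    case $rc in
        0) printf '%s: key matches the description\n' "$f" ;;
        1) printf '%s: key %s differs from expected cronjobs\n' "$f" "$(cron_d_watch_keys "$f")" ;;
        *) printf '%s: no /etc/cron.d/ watch rule present\n' "$f" ;;
    esac
done
```

Pointing the same functions at /etc/audit/rules.d/*.rules and /etc/audit/audit.rules on a remediated host shows which key actually ended up in place.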

              jcerny@redhat.com Jan Cerny
              rhn-support-vbhope Vaibhav Bhope
              Vojtech Polasek Vojtech Polasek
              SSG Security QE SSG Security QE