Bug
Resolution: Done
rhel-8.9.0, rhel-9.3.0
sst_security_compliance
ssg_security
Red Hat Enterprise Linux
What were you trying to do that didn't work?
CIS profile enforces that aide configuration contains the following:
/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
See "1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools" in official documentation CIS_Red_Hat_Enterprise_Linux_9_Benchmark_v1.0.0.pdf and "5.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools" in official documentation CIS_Red_Hat_Enterprise_Linux_8_Benchmark_v3.0.0.pdf.
It appears that the implementation we have enforces /usr/sbin/ instead of /sbin/, e.g. oval check:
<ind:pattern operation="pattern match">^\/usr\/sbin\/auditctl\s+([^\n]+)$</ind:pattern>
and bash remediation:
{{% set auditfiles = [
    "/usr/sbin/auditctl",
    "/usr/sbin/auditd",
    "/usr/sbin/ausearch",
    "/usr/sbin/aureport",
    "/usr/sbin/autrace",
    "/usr/sbin/augenrules"
] %}}
I think we need to stick to the official documentation.
Please provide the package NVR for which bug is seen:
scap-security-guide on RHEL8, RHEL9 and Upstream project
How reproducible:
N/A
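The mismatch reported above can be reproduced offline with the following added example, which is not part of the report or of scap-security-guide. It reuses the shape of the quoted OVAL pattern with the path prefix as a parameter; the function names, the option to accept both prefixes, and the comparison of attributes as a plain set are assumptions made for illustration.

```python
import re

# Tool names and attribute string exactly as quoted in the report above.
AUDIT_TOOLS = ["auditctl", "auditd", "ausearch", "aureport", "autrace", "augenrules"]
REQUIRED = set("p+i+n+u+g+s+b+acl+xattrs+sha512".split("+"))


def audit_tool_rules(aide_conf, prefixes=("/sbin", "/usr/sbin")):
    """Return {tool: (path, missing_attrs)} for the first rule found under
    any accepted prefix, or {tool: None} when the tool has no rule at all.
    (Hypothetical helper, not a scap-security-guide function.)"""
    result = {}
    for tool in AUDIT_TOOLS:
        result[tool] = None
        for prefix in prefixes:
            path = f"{prefix}/{tool}"
            # Same shape as the quoted OVAL pattern: path, whitespace, rest of line.
            pattern = re.compile(r"^" + re.escape(path) + r"\s+([^\n]+)$", re.M)
            match = pattern.search(aide_conf)
            if match:
                # Assumption: attributes are written inline, joined by '+',
                # rather than through a named AIDE group.
                attrs = set(match.group(1).strip().split("+"))
                result[tool] = (path, sorted(REQUIRED - attrs))
                break
    return result


def compliant(aide_conf, prefixes=("/sbin", "/usr/sbin")):
    """True when every audit tool has a rule carrying all required attributes."""
    rules = audit_tool_rules(aide_conf, prefixes)
    return all(rule is not None and not rule[1] for rule in rules.values())


# Constructed sample: the six benchmark lines as quoted in the report.
CIS_SAMPLE = "".join(
    f"/sbin/{tool} p+i+n+u+g+s+b+acl+xattrs+sha512\n" for tool in AUDIT_TOOLS
)

if __name__ == "__main__":
    # A /usr/sbin-only check rejects a configuration copied from the benchmark.
    print("/usr/sbin only:", compliant(CIS_SAMPLE, prefixes=("/usr/sbin",)))
    print("either prefix :", compliant(CIS_SAMPLE))
```
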