242 lines
11 KiB
Diff
242 lines
11 KiB
Diff
|
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
|
||
|
new file mode 100644
|
||
|
index 0000000000..4f88ed361d
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
|
||
|
@@ -0,0 +1,8 @@
|
||
|
+# platform = multi_platform_fedora,multi_platform_rhel
|
||
|
+
|
||
|
+{{{ ansible_set_config_file(file="/etc/audit/auditd.conf",
|
||
|
+ parameter="overflow_action",
|
||
|
+ value="syslog",
|
||
|
+ separator="=",
|
||
|
+ separator_regex="=",
|
||
|
+ prefix_regex="^\s*") }}}
|
||
|
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
|
||
|
new file mode 100644
|
||
|
index 0000000000..539b9b6582
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
|
||
|
@@ -0,0 +1,12 @@
|
||
|
+# platform = multi_platform_fedora,multi_platform_rhel
|
||
|
+# reboot = true
|
||
|
+# strategy = restrict
|
||
|
+# complexity = low
|
||
|
+# disruption = low
|
||
|
+
|
||
|
+{{{set_config_file(path="/etc/audit/auditd.conf",
|
||
|
+ parameter="overflow_action",
|
||
|
+ value="syslog",
|
||
|
+ separator="=",
|
||
|
+ separator_regex="=",
|
||
|
+ prefix_regex="^\s*")}}}
|
||
|
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml
|
||
|
new file mode 100644
|
||
|
index 0000000000..fd45280e4e
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml
|
||
|
@@ -0,0 +1,6 @@
|
||
|
+{{{ oval_check_config_file(
|
||
|
+ path="/etc/audit/auditd.conf",
|
||
|
+ prefix_regex="^(?:.*\\n)*\s*",
|
||
|
+ parameter="overflow_action",
|
||
|
+ value="syslog|single|halt",
|
||
|
+ separator_regex="\s*=\s*") }}}
|
||
|
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml
|
||
|
new file mode 100644
|
||
|
index 0000000000..d41ca00076
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml
|
||
|
@@ -0,0 +1,36 @@
|
||
|
+documentation_complete: true
|
||
|
+
|
||
|
+title: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
|
||
|
+
|
||
|
+description: |-
|
||
|
+ The audit system should have an action setup in the event the internal event queue becomes full.
|
||
|
+ To setup an overflow action edit <tt>/etc/audit/auditd.conf</tt>. Set <tt>overflow_action</tt>
|
||
|
+ to one of the following values: <tt>syslog</tt>, <tt>single</tt>, <tt>halt</tt>.
|
||
|
+
|
||
|
+
|
||
|
+rationale: |-
|
||
|
+ The audit system should have an action setup in the event the internal event queue becomes full
|
||
|
+ so that no data is lost.
|
||
|
+
|
||
|
+severity: medium
|
||
|
+
|
||
|
+identifiers:
|
||
|
+ cce@rhel8: CCE-85889-4
|
||
|
+
|
||
|
+references:
|
||
|
+ disa: CCI-001851
|
||
|
+ nist: AU-4(1)
|
||
|
+ srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
|
||
|
+ stigid@rhel8: RHEL-08-030700
|
||
|
+
|
||
|
+ocil_clause: 'auditd overflow action is not setup correctly'
|
||
|
+
|
||
|
+ocil: |-
|
||
|
+ Verify the audit system is configured to take an appropriate action when the internal event queue is full:
|
||
|
+ <pre>$ sudo grep -i overflow_action /etc/audit/auditd.conf</pre>
|
||
|
+
|
||
|
+ The output should contain be like <tt>overflow_action = syslog</tt>
|
||
|
+
|
||
|
+ If the value of the "overflow_action" option is not set to <tt>syslog</tt>,
|
||
|
+ <tt>single</tt>, <tt>halt</tt> or the line is commented out, ask the System Administrator
|
||
|
+ to indicate how the audit logs are off-loaded to a different system or media.
|
||
|
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh
|
||
|
new file mode 100644
|
||
|
index 0000000000..ec7525b195
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh
|
||
|
@@ -0,0 +1,5 @@
|
||
|
+#!/bin/bash
|
||
|
+# Ensure test system has proper directories/files for test scenario
|
||
|
+bash -x setup.sh
|
||
|
+
|
||
|
+echo "# overflow_action = syslog" >> /etc/audit/auditd.conf
|
||
|
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh
|
||
|
new file mode 100644
|
||
|
index 0000000000..e4d173ab37
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh
|
||
|
@@ -0,0 +1,7 @@
|
||
|
+#!/bin/bash
|
||
|
+# Ensure test system has proper directories/files for test scenario
|
||
|
+bash -x setup.sh
|
||
|
+
|
||
|
+if [[ -f $config_file ]]; then
|
||
|
+ echo '' > $config_file
|
||
|
+fi
|
||
|
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh
|
||
|
new file mode 100644
|
||
|
index 0000000000..f26cd7cddf
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh
|
||
|
@@ -0,0 +1,7 @@
|
||
|
+#!/bin/bash
|
||
|
+
|
||
|
+config_file=/etc/audit/auditd.conf
|
||
|
+
|
||
|
+if [[ -f $config_file ]]; then
|
||
|
+ rm -f $config_file
|
||
|
+fi
|
||
|
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh
|
||
|
new file mode 100644
|
||
|
index 0000000000..0ec591b25b
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh
|
||
|
@@ -0,0 +1,5 @@
|
||
|
+#!/bin/bash
|
||
|
+# Ensure test system has proper directories/files for test scenario
|
||
|
+bash -x setup.sh
|
||
|
+
|
||
|
+echo "overflow_action = halt" >> /etc/audit/auditd.conf
|
||
|
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh
|
||
|
new file mode 100644
|
||
|
index 0000000000..236ad543fe
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh
|
||
|
@@ -0,0 +1,5 @@
|
||
|
+#!/bin/bash
|
||
|
+# Ensure test system has proper directories/files for test scenario
|
||
|
+bash -x setup.sh
|
||
|
+
|
||
|
+echo "overflow_action = ignore" >> /etc/audit/auditd.conf
|
||
|
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh
|
||
|
new file mode 100644
|
||
|
index 0000000000..74efdcafee
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh
|
||
|
@@ -0,0 +1,5 @@
|
||
|
+#!/bin/bash
|
||
|
+# Ensure test system has proper directories/files for test scenario
|
||
|
+bash -x setup.sh
|
||
|
+config_file=/etc/audit/auditd.conf
|
||
|
+sed -i "s/^.*overflow_action.*$//" $config_file
|
||
|
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh
|
||
|
new file mode 100644
|
||
|
index 0000000000..de11126320
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh
|
||
|
@@ -0,0 +1,9 @@
|
||
|
+#!/bin/bash
|
||
|
+# Use this script to ensure the audit directory structure and audit conf file
|
||
|
+# exist in the test env.
|
||
|
+config_file=/etc/audit/auditd.conf
|
||
|
+
|
||
|
+# Ensure directory structure exists (useful for container based testing)
|
||
|
+test -d /etc/audit/ || mkdir -p /etc/audit/
|
||
|
+
|
||
|
+test -f $config_file || touch $config_file
|
||
|
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh
|
||
|
new file mode 100644
|
||
|
index 0000000000..f9fa7a935c
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh
|
||
|
@@ -0,0 +1,5 @@
|
||
|
+#!/bin/bash
|
||
|
+# Ensure test system has proper directories/files for test scenario
|
||
|
+bash -x setup.sh
|
||
|
+
|
||
|
+echo "overflow_action = single" >> /etc/audit/auditd.conf
|
||
|
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh
|
||
|
new file mode 100644
|
||
|
index 0000000000..1c625fb752
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh
|
||
|
@@ -0,0 +1,5 @@
|
||
|
+#!/bin/bash
|
||
|
+# Ensure test system has proper directories/files for test scenario
|
||
|
+bash -x setup.sh
|
||
|
+
|
||
|
+echo "overflow_action = syslog" >> /etc/audit/auditd.conf
|
||
|
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||
|
index 6372d13cfc..5cac78e00d 100644
|
||
|
--- a/products/rhel8/profiles/stig.profile
|
||
|
+++ b/products/rhel8/profiles/stig.profile
|
||
|
@@ -826,6 +826,7 @@ selections:
|
||
|
- rsyslog_remote_loghost
|
||
|
|
||
|
# RHEL-08-030700
|
||
|
+ - auditd_overflow_action
|
||
|
|
||
|
# RHEL-08-030710
|
||
|
|
||
|
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||
|
index 24e8149168..b3d9596e1f 100644
|
||
|
--- a/shared/references/cce-redhat-avail.txt
|
||
|
+++ b/shared/references/cce-redhat-avail.txt
|
||
|
@@ -27,7 +27,6 @@ CCE-85885-2
|
||
|
CCE-85886-0
|
||
|
CCE-85887-8
|
||
|
CCE-85888-6
|
||
|
-CCE-85889-4
|
||
|
CCE-85890-2
|
||
|
CCE-85891-0
|
||
|
CCE-85892-8
|
||
|
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||
|
index 32f1a24a7a..c9d23ed1dc 100644
|
||
|
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||
|
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||
|
@@ -73,6 +73,7 @@ selections:
|
||
|
- auditd_local_events
|
||
|
- auditd_log_format
|
||
|
- auditd_name_format
|
||
|
+- auditd_overflow_action
|
||
|
- banner_etc_issue
|
||
|
- bios_enable_execution_restrictions
|
||
|
- chronyd_client_only
|
||
|
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||
|
index d6a27c67dc..7303145141 100644
|
||
|
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||
|
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||
|
@@ -84,6 +84,7 @@ selections:
|
||
|
- auditd_local_events
|
||
|
- auditd_log_format
|
||
|
- auditd_name_format
|
||
|
+- auditd_overflow_action
|
||
|
- banner_etc_issue
|
||
|
- bios_enable_execution_restrictions
|
||
|
- chronyd_client_only
|