make audit_access_success unenforcing for rhel9 ospp

Resolves: rhbz#2058154
2022-07-18 10:38:20 +02:00 · 2022-07-18 10:38:20 +02:00 · b76ea12151
parent e82ed5a624
commit b76ea12151
2 changed files with 29 additions and 0 deletions
--- a/scap-security-guide-0.1.63-audit_access_success_unenforcing-PR_9082.patch
+++ b/scap-security-guide-0.1.63-audit_access_success_unenforcing-PR_9082.patch
@ -0,0 +1,27 @@
+From fd1f968504765db0ba5c32ac50058d7a05242343 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Fri, 1 Jul 2022 14:35:56 +0200
+Subject: [PATCH] Make rule audit_access_success in OSPP profile unenforcing
+
+Set severity to info and role to unscored, because the rule
+creates an audit rule that creates generating huge amounts
+of audit records generated.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2058154
+---
+ products/rhel9/profiles/ospp.profile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 1fad0031749..8e54ae4281d 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -372,6 +372,8 @@ selections:
+     - audit_modify_success
+     - audit_access_failed
+     - audit_access_success
+    - audit_access_success.severity=info
+    - audit_access_success.role=unscored
+     - audit_delete_failed
+     - audit_delete_success
+     - audit_perm_change_failed
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@ -25,6 +25,7 @@ BuildRequires:	python%{python3_pkgversion}-PyYAML
 Requires:	xml-common, openscap-scanner >= 1.2.5

 Patch0:                scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch
+Patch1:                scap-security-guide-0.1.63-audit_access_success_unenforcing-PR_9082.patch

 %description
 The scap-security-guide project provides a guide for configuration of the
@ -102,6 +103,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %changelog
 * Mon Jul 18 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.62-2
 - Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
+- Make rule audit_access_success_ unenforcing in RHEL9 OSPP (RHBZ#2058154)

 * Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
 - Rebase to a new upstream release (RHBZ#2070563)