scap-security-guide/SOURCES/scap-security-guide-0.1.58-RHEL_08_030700-PR_7264.patch
2021-09-10 04:19:00 +00:00

242 lines
11 KiB
Diff

diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
new file mode 100644
index 0000000000..4f88ed361d
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_fedora,multi_platform_rhel
+
+{{{ ansible_set_config_file(file="/etc/audit/auditd.conf",
+ parameter="overflow_action",
+ value="syslog",
+ separator="=",
+ separator_regex="=",
+ prefix_regex="^\s*") }}}
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
new file mode 100644
index 0000000000..539b9b6582
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
@@ -0,0 +1,12 @@
+# platform = multi_platform_fedora,multi_platform_rhel
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{set_config_file(path="/etc/audit/auditd.conf",
+ parameter="overflow_action",
+ value="syslog",
+ separator="=",
+ separator_regex="=",
+ prefix_regex="^\s*")}}}
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml
new file mode 100644
index 0000000000..fd45280e4e
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml
@@ -0,0 +1,6 @@
+{{{ oval_check_config_file(
+ path="/etc/audit/auditd.conf",
+ prefix_regex="^(?:.*\\n)*\s*",
+ parameter="overflow_action",
+ value="syslog|single|halt",
+ separator_regex="\s*=\s*") }}}
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml
new file mode 100644
index 0000000000..d41ca00076
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+title: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
+
+description: |-
+ The audit system should have an action setup in the event the internal event queue becomes full.
+ To setup an overflow action edit <tt>/etc/audit/auditd.conf</tt>. Set <tt>overflow_action</tt>
+ to one of the following values: <tt>syslog</tt>, <tt>single</tt>, <tt>halt</tt>.
+
+
+rationale: |-
+ The audit system should have an action setup in the event the internal event queue becomes full
+ so that no data is lost.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-85889-4
+
+references:
+ disa: CCI-001851
+ nist: AU-4(1)
+ srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
+ stigid@rhel8: RHEL-08-030700
+
+ocil_clause: 'auditd overflow action is not setup correctly'
+
+ocil: |-
+ Verify the audit system is configured to take an appropriate action when the internal event queue is full:
+ <pre>$ sudo grep -i overflow_action /etc/audit/auditd.conf</pre>
+
+ The output should contain be like <tt>overflow_action = syslog</tt>
+
+ If the value of the "overflow_action" option is not set to <tt>syslog</tt>,
+ <tt>single</tt>, <tt>halt</tt> or the line is commented out, ask the System Administrator
+ to indicate how the audit logs are off-loaded to a different system or media.
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh
new file mode 100644
index 0000000000..ec7525b195
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# Ensure test system has proper directories/files for test scenario
+bash -x setup.sh
+
+echo "# overflow_action = syslog" >> /etc/audit/auditd.conf
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh
new file mode 100644
index 0000000000..e4d173ab37
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Ensure test system has proper directories/files for test scenario
+bash -x setup.sh
+
+if [[ -f $config_file ]]; then
+ echo '' > $config_file
+fi
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh
new file mode 100644
index 0000000000..f26cd7cddf
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+config_file=/etc/audit/auditd.conf
+
+if [[ -f $config_file ]]; then
+ rm -f $config_file
+fi
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh
new file mode 100644
index 0000000000..0ec591b25b
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# Ensure test system has proper directories/files for test scenario
+bash -x setup.sh
+
+echo "overflow_action = halt" >> /etc/audit/auditd.conf
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh
new file mode 100644
index 0000000000..236ad543fe
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# Ensure test system has proper directories/files for test scenario
+bash -x setup.sh
+
+echo "overflow_action = ignore" >> /etc/audit/auditd.conf
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh
new file mode 100644
index 0000000000..74efdcafee
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# Ensure test system has proper directories/files for test scenario
+bash -x setup.sh
+config_file=/etc/audit/auditd.conf
+sed -i "s/^.*overflow_action.*$//" $config_file
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh
new file mode 100644
index 0000000000..de11126320
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# Use this script to ensure the audit directory structure and audit conf file
+# exist in the test env.
+config_file=/etc/audit/auditd.conf
+
+# Ensure directory structure exists (useful for container based testing)
+test -d /etc/audit/ || mkdir -p /etc/audit/
+
+test -f $config_file || touch $config_file
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh
new file mode 100644
index 0000000000..f9fa7a935c
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# Ensure test system has proper directories/files for test scenario
+bash -x setup.sh
+
+echo "overflow_action = single" >> /etc/audit/auditd.conf
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh
new file mode 100644
index 0000000000..1c625fb752
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# Ensure test system has proper directories/files for test scenario
+bash -x setup.sh
+
+echo "overflow_action = syslog" >> /etc/audit/auditd.conf
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 6372d13cfc..5cac78e00d 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -826,6 +826,7 @@ selections:
- rsyslog_remote_loghost
# RHEL-08-030700
+ - auditd_overflow_action
# RHEL-08-030710
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 24e8149168..b3d9596e1f 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -27,7 +27,6 @@ CCE-85885-2
CCE-85886-0
CCE-85887-8
CCE-85888-6
-CCE-85889-4
CCE-85890-2
CCE-85891-0
CCE-85892-8
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 32f1a24a7a..c9d23ed1dc 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -73,6 +73,7 @@ selections:
- auditd_local_events
- auditd_log_format
- auditd_name_format
+- auditd_overflow_action
- banner_etc_issue
- bios_enable_execution_restrictions
- chronyd_client_only
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index d6a27c67dc..7303145141 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -84,6 +84,7 @@ selections:
- auditd_local_events
- auditd_log_format
- auditd_name_format
+- auditd_overflow_action
- banner_etc_issue
- bios_enable_execution_restrictions
- chronyd_client_only