
Missing Audit Rules in RHEL7 STIG Profile

Open 1Plitt opened this issue 4 years ago • 1 comment

Description of problem:

Audit rules for kmod and create_module are missing from the RHEL7 STIG Content. I understand that other audit rules from the STIG profile have intentionally been left out for varying reasons, however I could not find a justification for the following missing rules.

kmod rule:
-w /usr/bin/kmod -p x -F auid!=unset -k module-change

create_module rules:
-a always,exit -F arch=b32 -S create_module -k module-change
-a always,exit -F arch=b64 -S create_module -k module-change

SCAP Security Guide Version:

scap-security-guide-0.1.52-2.el7_9.noarch

Operating System Version:

Red Hat Enterprise Linux Server release 7.9 (Maipo)

Steps to Reproduce:

  1. Run scap-workbench with RHEL7 content
  2. Load STIG Profile
  3. Scan

Actual Results:

No scan results for kmod or create_module audit rules

Expected Results:

Scan should identify the missing audit rules and generate a remediation role.

Additional Information/Debugging Steps:

1Plitt avatar Mar 29 '21 15:03 1Plitt
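A stand-alone check for the three rules quoted in the issue, added here as an example; it is not ComplianceAsCode's own OVAL check or remediation content, and the rule files it scans are constructed samples, not files from a real host.

```shell
#!/bin/sh
# Added example (not part of scap-security-guide): report which of the
# kmod / create_module "module-change" audit rules are absent from a rules file.

# Usage: check_module_change_rules RULES_FILE
# Prints one line per missing rule; returns 0 only when all three are present.
check_module_change_rules() {
  rules_file=$1
  missing=0
  # Watch rule on the kmod binary with execute permission and the STIG key.
  if ! grep -Eq '^-w[[:space:]]+/usr/bin/kmod[[:space:]]+-p[[:space:]]+x.*-k[[:space:]]+module-change' "$rules_file"; then
    echo "missing: -w /usr/bin/kmod -p x -F auid!=unset -k module-change"
    missing=1
  fi
  # Syscall rules for both ABIs; create_module may sit inside a comma-separated -S list.
  for arch in b32 b64; do
    if ! grep -Eq "^-a[[:space:]]+always,exit[[:space:]]+-F[[:space:]]+arch=$arch.*-S[[:space:]]+([[:alnum:]_]+,)*create_module(,|[[:space:]]).*-k[[:space:]]+module-change" "$rules_file"; then
      echo "missing: -a always,exit -F arch=$arch -S create_module -k module-change"
      missing=1
    fi
  done
  return $missing
}

# Constructed sample rule files so the check runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/complete.rules" <<'EOF'
-w /usr/bin/kmod -p x -F auid!=unset -k module-change
-a always,exit -F arch=b32 -S create_module -k module-change
-a always,exit -F arch=b64 -S create_module -k module-change
EOF
cat > "$demo_dir/partial.rules" <<'EOF'
-a always,exit -F arch=b64 -S init_module,create_module -k module-change
EOF

for f in complete partial; do
  if check_module_change_rules "$demo_dir/$f.rules"; then
    echo "$f.rules: all module-change rules present"
  else
    echo "$f.rules: remediation needed"
  fi
done
```

Point it at /etc/audit/rules.d/*.rules (or the output of `auditctl -l`) to reproduce what the missing profile check would report on a host.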

The kmod rule was introduced fairly recently to the project: audit_rules_privileged_commands_kmod, and it focuses mainly on SLE products, so there is some work to be done before adding it to the RHEL7 profile.

The create_module rule doesn't exist at this moment, but it should be easy to implement using one of the available templates: https://complianceascode.readthedocs.io/en/latest/manual/developer/06_contributing_with_content.html#available-templates

ggbecker avatar Apr 06 '21 12:04 ggbecker

This issue is addressed by merged PRs #9338 and #9320

lenox-joseph avatar Aug 25 '22 16:08 lenox-joseph