Re: Suppress messages from /var/log/audit.log via audit.rules

[Steve Grubb <sgrubb@redhat.com>]

On Monday, October 03, 2011 10:36:31 PM Worsham, Michael wrote:
> About the rule that’s 'killing' us (which I totally agree it is), this is
> what the stig.rules project says about it (GEN002720):
> 
> 78    ## (GEN002720-GEN002840: CAT II) (Previously G100-G106) The SA will
> 79    ## configure the auditing system to audit the following events for
> all 80    ## users and root:
> 81    ##
> 82    ## - Logon (unsuccessful and successful) and logout (successful)
> 83    ##
> 84    ## Handled by pam, sshd, login, and gdm
> 
> But here is what the latest version of the Unix checklist says the
> vulnerability is, and how to check if its mitigated:
> 
> Unix Checklist v5r1-30 20110729
> 3.2.1.119
> PDI:  GEN002720   – Audit Failed File and Program Access Attempts
> PDI Description: The audit system is not configured to audit failed
> attempts to access files and programs. Reference: UNIX STIG: 3.16
> -  Linux

I'll have to double check the numbering. Things may have shifted since I wrote the 
stig.rules file.


>    For LAUS:
>    # grep “@open-ops” /etc/audit/filter.conf
> 
>    For auditd:
>    # grep “-a exit,always –S open –F success=0” /etc/audit.rules

This would appear that you are using an old stig.rules file. You might want to update 
it.
 
 
> The two don’t seem to jibe as to what the vulnerability is. I’m not sure
> how login, sshd, etc, can give information about failed attempts to access
> files.

The rules file is listing several requirements which has the rules in-between the 
requirements. The first part is to satisfy the logon/off requirements. Farther down is 
the unsuccessful access requirement.

> As to altering the rule, while I’m sure the results would be much more
> useful and relevant (you can tell DISA’s thinking is out-of-date by the
> mitigation steps above), my only concern is that it would no longer be
> STIG compliant, or something that would always come up as a finding, that
> we would have to explain each time.

I occassionally chat with the DISA FSO people. The intent is the stig.rules file in the 
audit package is compliant. I think they have altered the auditing requirements to 
match what is shipped. But you just need to update to a newer version of the file.

-Steve