From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Suppress messages from /var/log/audit.log via audit.rules
Date: Tue, 4 Oct 2011 09:18:24 -0400
Message-ID: <201110040918.24551.sgrubb@redhat.com>
References: <F52537DA8635C941B5CB6455ACA1EA581AA2D1813C@chsex02-srv>
	<201109292151.14509.sgrubb@redhat.com>
	<F52537DA8635C941B5CB6455ACA1EA581AA1238BE1@chsex02-srv>
Mime-Version: 1.0
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <F52537DA8635C941B5CB6455ACA1EA581AA1238BE1@chsex02-srv>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: "Worsham, Michael" <mworsham@scires.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Monday, October 03, 2011 10:36:31 PM Worsham, Michael wrote:
> About the rule that=92s 'killing' us (which I totally agree it is), this =
is
> what the stig.rules project says about it (GEN002720):
> =

> 78    ## (GEN002720-GEN002840: CAT II) (Previously G100-G106) The SA will
> 79    ## configure the auditing system to audit the following events for
> all 80    ## users and root:
> 81    ##
> 82    ## - Logon (unsuccessful and successful) and logout (successful)
> 83    ##
> 84    ## Handled by pam, sshd, login, and gdm
> =

> But here is what the latest version of the Unix checklist says the
> vulnerability is, and how to check if its mitigated:
> =

> Unix Checklist v5r1-30 20110729
> 3.2.1.119
> PDI:  GEN002720   =96 Audit Failed File and Program Access Attempts
> PDI Description: The audit system is not configured to audit failed
> attempts to access files and programs. Reference: UNIX STIG: 3.16
> -  Linux

I'll have to double check the numbering. Things may have shifted since I wr=
ote the =

stig.rules file.


>    For LAUS:
>    # grep =93@open-ops=94 /etc/audit/filter.conf
> =

>    For auditd:
>    # grep =93-a exit,always =96S open =96F success=3D0=94 /etc/audit.rules

This would appear that you are using an old stig.rules file. You might want=
 to update =

it.
 =

 =

> The two don=92t seem to jibe as to what the vulnerability is. I=92m not s=
ure
> how login, sshd, etc, can give information about failed attempts to access
> files.

The rules file is listing several requirements which has the rules in-betwe=
en the =

requirements. The first part is to satisfy the logon/off requirements. Fart=
her down is =

the unsuccessful access requirement.

> As to altering the rule, while I=92m sure the results would be much more
> useful and relevant (you can tell DISA=92s thinking is out-of-date by the
> mitigation steps above), my only concern is that it would no longer be
> STIG compliant, or something that would always come up as a finding, that
> we would have to explain each time.

I occassionally chat with the DISA FSO people. The intent is the stig.rules=
 file in the =

audit package is compliant. I think they have altered the auditing requirem=
ents to =

match what is shipped. But you just need to update to a newer version of th=
e file.

-Steve