File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (69 lines) | stat: -rw-r--r-- 2,428 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
 
documentation_complete: true


title: 'Configure basic parameters of Audit system'

{{% set file_contents_audit_base_config =
"## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1" %}}

description: |-
    Perform basic configuration of Audit system.
    Make sure that any previously defined rules are cleared, the auditing system is configured to handle sudden bursts of events, and in cases of failure, messages are configured to be directed to system log.

    The following rules configure audit as described above:
    <pre>{{{ file_contents_audit_base_config|indent }}}    </pre>

    Load new Audit rules into kernel by running:
    <pre>augenrules --load</pre>

rationale: |-
    Without basic configurations, audit may not perform as expected. It may not be able to correctly handle events under stressful conditions, or log events in case of failure.

severity: medium

identifiers:
    cce@rhel8: CCE-82827-7
    cce@rhel9: CCE-83670-0
    cce@rhel10: CCE-88425-4

references:
    nist: AU-2(a)
    ospp: FAU_GEN.1
    srg: SRG-OS-000365-GPOS-00152,SRG-OS-000475-GPOS-00220

ocil_clause: 'the file does not exist or the content differs'

ocil: |-
    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
    <pre>cat /etc/audit/rules.d/10-base-config.rules</pre>
    The output has to be exactly as follows:
    <pre>{{{ file_contents_audit_base_config|indent }}}    </pre>

warnings:
    - performance:
        It might happen that Audit buffer configured by this rule is not large
        enough for certain use cases. If that is the case, the buffer size can
        be overridden by placing <pre>-b larger_buffer_size</pre> into a file
        within <tt>/etc/audit/rules.d</tt> directory, replacing
        <tt>larger_file_size</tt> with the desired value. The file name should
        start with a number higher than 10 and lower than 99.


template:
    name: audit_file_contents
    vars:
        filepath: /etc/audit/rules.d/10-base-config.rules
        contents: |+
            {{{ file_contents_audit_base_config|indent(12) }}}
#do not remove this comment, it stops Jinja from including more blank lines to the variable