Description of problem:
This rule is looking for /usr/sbin/audispd in file /etc/aide/aide.conf on Ubuntu 22.04, but this program does not exist anymore.
SCAP Security Guide Version:
master branch
Operating System Version:
Ubuntu 22.04 LTS
Steps to Reproduce:
- On the target Ubuntu 22.04 LTS VM, configure /etc/aide/aide.conf to have:
/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
- ./build_product ubuntu2204
- Copy the datastream to the Ubuntu 22.04 LTS VM: scp build/ssg-ubuntu2204-ds.xml root@ubuntu2204:
- oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server --rule xccdf_org.ssgproject.content_rule_aide_check_audit_tools ssg-ubuntu2204-ds.xml
Actual Results:
Title Configure AIDE to Verify the Audit Tools
Rule xccdf_org.ssgproject.content_rule_aide_check_audit_tools
Result fail
Expected Results:
Result pass
Additional Information/Debugging Steps:
In the CIS guide CIS_Ubuntu_Linux_22.04_LTS_Benchmark_v1.0.0.pdf, the process audispd is never mentioned and this process was also removed from the auditd package.
File product_properties/10-aide-audit.yml contains:
default:
  aide_also_checks_rsyslog: "yes"
  aide_also_checks_audispd: "no"
overrides:
{{% if "rhel-like" not in families %}}
  aide_also_checks_rsyslog: "no"
  aide_also_checks_audispd: "yes"
{{% endif %}}
The aide_also_checks_audispd setting is wrong for Debian > 10 or Ubuntu > 20.04, where this executable does not exist anymore, so extra checks should be included inside this file:
diff --git a/product_properties/10-aide-audit.yml b/product_properties/10-aide-audit.yml
index 6f2f601664..c185363c58 100644
--- a/product_properties/10-aide-audit.yml
+++ b/product_properties/10-aide-audit.yml
@@ -7,3 +7,19 @@ overrides:
aide_also_checks_rsyslog: "no"
aide_also_checks_audispd: "yes"
{{% endif %}}
+
+{{% if "debian-like" in families %}}
+ {{% if "debian" in families %}}
+ {{% if major_version_ordinal <= 10 %}}
+ aide_also_checks_audispd: "yes"
+ {{% else %}}
+ aide_also_checks_audispd: "no"
+ {{% endif %}}
+ {{% elif "ubuntu" in families %}}
+ {{% if major_version_ordinal <= 2004 %}}
+ aide_also_checks_audispd: "yes"
+ {{% else %}}
+ aide_also_checks_audispd: "no"
+ {{% endif %}}
+ {{% endif %}}
+{{% endif %}}
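Review bot: for any debian-like product this hunk emits `aide_also_checks_audispd` twice under `overrides:`, once as "yes" from the existing `{{% if "rhel-like" not in families %}}` block (still in the context lines above) and again from the new block, so the effective value depends on the YAML loader silently keeping the last duplicate key. Fold the condition into the existing block instead (for example `{{% if "rhel-like" not in families and "debian-like" not in families %}}` around the first assignment, with the new block supplying the debian-like values) so each family sets the key exactly once. Also, `{{% if major_version_ordinal <= 2004 %}}` assumes the Ubuntu ordinal is four digits; confirm that is how the property is defined for ubuntu2204, since a two-digit value such as 22 would also satisfy `<= 2004` and keep the audispd check enabled on 22.04, which is the failure being reported.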
I will create a PR for this.
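An added offline check, not part of this report or of the ComplianceAsCode content, that mirrors what the reproduction steps exercise and applies the per-distro audispd condition proposed above: it parses an aide.conf fragment, verifies each audit tool has a selection line carrying the listed attributes, and only demands /usr/sbin/audispd on Debian <= 10 or Ubuntu <= 20.04. Assumed: the version-ordinal scheme (10 for Debian 10, 2004 for Ubuntu 20.04) and that the listed attributes must be present as a subset; the sample config is constructed from the fragment in the report.

```python
"""Offline check of an AIDE config for the audit-tool entries the rule expects."""

REQUIRED_ATTRS = set("p+i+n+u+g+s+b+acl+xattrs+sha512".split("+"))
AUDIT_TOOLS = ["auditctl", "aureport", "ausearch", "autrace", "auditd", "augenrules"]


def audispd_expected(family: str, major_version_ordinal: int) -> bool:
    """Condition proposed in the report: audispd is only a separate binary on
    Debian <= 10 and Ubuntu <= 20.04. Assumption: ordinals are 10 / 2004."""
    if family == "debian":
        return major_version_ordinal <= 10
    if family == "ubuntu":
        return major_version_ordinal <= 2004
    return False


def parse_aide_conf(text: str) -> dict:
    """Map each '/path attr+attr+...' selection line to its attribute set.
    Comments, blank lines and 'key=value' settings are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or not line.startswith("/"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            rules[parts[0]] = set(parts[1].split("+"))
    return rules


def missing_audit_tool_checks(conf_text: str, family: str, major_version_ordinal: int) -> list:
    """Return audit-tool paths whose entry is absent or lacks a required attribute."""
    tools = list(AUDIT_TOOLS)
    if audispd_expected(family, major_version_ordinal):
        tools.append("audispd")
    rules = parse_aide_conf(conf_text)
    return [f"/usr/sbin/{t}" for t in tools
            if not REQUIRED_ATTRS <= rules.get(f"/usr/sbin/{t}", set())]


# Constructed sample matching the aide.conf fragment from the report.
SAMPLE_CONF = """\
# AIDE configuration (constructed sample)
database_in=file:/var/lib/aide/aide.db
/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
"""

if __name__ == "__main__":
    print(missing_audit_tool_checks(SAMPLE_CONF, "ubuntu", 2204))  # []
    print(missing_audit_tool_checks(SAMPLE_CONF, "ubuntu", 2004))  # ['/usr/sbin/audispd']
```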