Fix audit_rules_login_events rules

auditctl rules list output changed for this reason suggested ocil grep doesn't work. Also fixed faillock dir rule to be in sync with audit rules content. Signed-off-by: Ilya Okomin <ilya.okomin@oracle.com>
ComplianceAsCode · Oct 23, 2018 · a46f13b · a46f13b
1 parent 97bcf84
commit a46f13b
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 6 deletions.
diff --git a/...ting/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/...ting/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
@@ -11,12 +11,12 @@ description: |-
     default), add the following lines to a file with suffix <tt>.rules</tt> in the
     directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
     edits of files involved in storing logon events:
-    <pre>-w /var/run/faillock/ -p wa -k logins</pre>
+    <pre>-w /var/run/faillock -p wa -k logins</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
     edits of files involved in storing logon events:
-    <pre>-w /var/run/faillock/ -p wa -k logins</pre>
+    <pre>-w /var/run/faillock -p wa -k logins</pre>
 
 rationale: |-
     Manual editing of these files may indicate nefarious activity, such
@@ -42,4 +42,4 @@ ocil_clause: 'there is not output'
 
 ocil: |-
     To verify that auditing is configured for system administrator actions, run the following command:
-    <pre>$ sudo auditctl -l | grep "watch=/var/log/faillock"</pre>
+    <pre>$ sudo auditctl -l | grep "watch=/var/run/faillock\|-w /var/run/faillock"</pre>
diff --git a/...iting/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/...iting/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
@@ -42,4 +42,4 @@ ocil_clause: 'there is not output'
 
 ocil: |-
     To verify that auditing is configured for system administrator actions, run the following command:
-    <pre>$ sudo auditctl -l | grep "watch=/var/log/lastlog"</pre>
+    <pre>$ sudo auditctl -l | grep "watch=/var/log/lastlog\|-w /var/log/lastlog"</pre>
diff --git a/...ting/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/...ting/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
@@ -43,4 +43,4 @@ ocil_clause: 'there is not output'
 
 ocil: |-
     To verify that auditing is configured for system administrator actions, run the following command:
-    <pre>$ sudo auditctl -l | grep "watch=/var/log/tallylog"</pre>
+    <pre>$ sudo auditctl -l | grep "watch=/var/log/tallylog\|-w /var/log/tallylog"</pre>
diff --git a/shared/templates/csv/audit_rules_login_events.csv b/shared/templates/csv/audit_rules_login_events.csv
@@ -1,3 +1,3 @@
-/var/run/faillock/
+/var/run/faillock
 /var/log/lastlog
 /var/log/tallylog