From ee7e79c24bb83e0607ac598090f121b7aff05b35 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 30 Aug 2018 11:27:07 +0200
Subject: [PATCH 1/2] Remove slash from audit login_events description
From audit PoV, it doesn't matter if the trailing slash is there or not. But our check is written so that the slash should no be there.
---
 .../audit_login_events/audit_rules_login_events/rule.yml | 4 ++--
 .../rule_audit_rules_login_events/default.pass.sh | 4 +---
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
index a2bd65fa638..b7fc9754811 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
@@ -10,14 +10,14 @@ description: |- directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-    -w /var/run/faillock/ -p wa -k logins
+    -w /var/run/faillock -p wa -k logins
     -w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-    -w /var/run/faillock/ -p wa -k logins
+    -w /var/run/faillock -p wa -k logins
     -w /var/log/lastlog -p wa -k logins
rationale: |-
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh
index 4f81075d4be..dff797667c5 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh
@@ -3,7 +3,5 @@ # remediation = bash
 echo "-w /var/log/tallylog -p wa -k logins" >> /etc/audit/rules.d/logins.rules
-echo "-w /var/run/faillock/ -p wa -k logins" >> /etc/audit/rules.d/logins.rules
+echo "-w /var/run/faillock -p wa -k logins" >> /etc/audit/rules.d/logins.rules
 echo "-w /var/log/lastlog -p wa -k logins" >> /etc/audit/rules.d/logins.rules
-
-cat /etc/audit/rules.d/logins.rules
From b1cf3232ada1787d8c3410e566b2d6ba98bcfc40 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 30 Aug 2018 15:22:09 +0200
Subject: [PATCH 2/2] audit_rules_login_events rename default fail scenario to empty fail
---
 .../{default.fail.sh => empty.fail.sh} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/{default.fail.sh => empty.fail.sh} (100%)
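Review bot: The pass scenario now writes only the slash-less `-w /var/run/faillock -p wa -k logins` line, but nothing in the series asserts the opposite case the commit message relies on — that the check rejects the trailing-slash form. A sibling scenario such as `trailing_slash.fail.sh` that appends `-w /var/run/faillock/ -p wa -k logins` to /etc/audit/rules.d/logins.rules next to the tallylog and lastlog lines would pin that behaviour and catch a later loosening of the check. The scenario also only appends with `>>`; that is fine if each scenario presumably starts from a clean test VM, but if it does not, lines left by an earlier scenario would survive into this one, so a `rm -f /etc/audit/rules.d/logins.rules` before the echoes would make the expected file content explicit. The removed `cat` was debug output only, so dropping it is harmless.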
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/empty.fail.sh
similarity index 100%
rename from tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh
rename to tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/empty.fail.sh