>From 666565b32f05bf1424e22216149d3fa5d5f85b12 Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Sat, 28 Sep 2013 20:13:02 -0400
Subject: [PATCH 8/8] OVAL signoff auditd_data_retention_action_mail_acct

[root@SSG-RHEL6 checks]# ./testcheck.py 
auditd_data_retention_action_mail_acct.xml
external_variable with id : var_auditd_action_mail_acct
Evaluating with OVAL tempfile : 
/tmp/auditd_data_retention_action_mail_acct4HHdiP.xml
Writing results to : 
/tmp/auditd_data_retention_action_mail_acct4HHdiP.xml-results
Definition oval:scap-security-guide.testing:def:335: true
Evaluation done.
[root@SSG-RHEL6 checks]# grep action_mail_acct /etc/audit/auditd.conf
action_mail_acct = root
[root@SSG-RHEL6 checks]# sed -i 's/action_mail_acct = root/action_mail_acct = 
fail/g' /etc/audit/auditd.conf
[root@SSG-RHEL6 checks]# grep action_mail_acct /etc/audit/auditd.conf
action_mail_acct = fail
[root@SSG-RHEL6 checks]# ./testcheck.py 
auditd_data_retention_action_mail_acct.xml
external_variable with id : var_auditd_action_mail_acct
Evaluating with OVAL tempfile : 
/tmp/auditd_data_retention_action_mail_acctTYheVO.xml
Writing results to : 
/tmp/auditd_data_retention_action_mail_acctTYheVO.xml-results
Definition oval:scap-security-guide.testing:def:335: false
Evaluation done.
---
 RHEL6/input/auxiliary/stig_overlay.xml             |    2 +-
 .../auditd_data_retention_action_mail_acct.xml     |    3 ---
 RHEL6/input/profiles/fisma-medium-rhel6-server.xml |    2 +-
 RHEL6/input/profiles/nist-CL-IL-AL.xml             |    2 +-
 RHEL6/input/profiles/stig-rhel6-server.xml         |    2 +-
 RHEL6/input/profiles/test.xml                      |    2 +-
 RHEL6/input/system/auditing.xml                    |    2 +-
 7 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/RHEL6/input/auxiliary/stig_overlay.xml 
b/RHEL6/input/auxiliary/stig_overlay.xml
index 072376b..b65c320 100644
--- a/RHEL6/input/auxiliary/stig_overlay.xml
+++ b/RHEL6/input/auxiliary/stig_overlay.xml
@@ -696,7 +696,7 @@
        <overlay owner="disastig" ruleid="143" ownerid="RHEL-06-000311" 
disa="143" severity="medium">
                <title>The audit system must provide a warning when allocated 
audit record storage volume reaches a documented percentage of maximum audit 
record storage capacity.</title>
        </overlay>
-       <overlay owner="disastig" ruleid="configure_auditd_action_mail_acct" 
ownerid="RHEL-06-000313" disa="139" severity="medium">
+       <overlay owner="disastig" 
ruleid="auditd_data_retention_action_mail_acct" ownerid="RHEL-06-000313" 
disa="139" severity="medium">
                <title>The audit system must identify staff members to receive 
notifications of audit log storage volume capacity issues.</title>
        </overlay>
        <overlay owner="disastig" ruleid="kernel_module_bluetooth_disabled" 
ownerid="RHEL-06-000315" disa="85" severity="medium">
diff --git a/RHEL6/input/checks/auditd_data_retention_action_mail_acct.xml 
b/RHEL6/input/checks/auditd_data_retention_action_mail_acct.xml
index 609460f..99ce48f 100644
--- a/RHEL6/input/checks/auditd_data_retention_action_mail_acct.xml
+++ b/RHEL6/input/checks/auditd_data_retention_action_mail_acct.xml
@@ -7,11 +7,9 @@
       </affected>
       <description>action_mail_acct setting in /etc/audit/auditd.conf is set 
to a certain account</description>
     </metadata>
-   
     <criteria>
        <criterion comment="action_mail_acct setting in auditd.conf" 
test_ref="test_auditd_data_retention_action_mail_acct" />
     </criteria>
-
   </definition>
   
   <ind:textfilecontent54_test check="all" comment="email account for actions" 
id="test_auditd_data_retention_action_mail_acct" version="1">
@@ -31,5 +29,4 @@
 
   <external_variable comment="audit action_mail_acct setting" 
datatype="string" id="var_auditd_action_mail_acct" version="1" />
 
-
 </def-group>
diff --git a/RHEL6/input/profiles/fisma-medium-rhel6-server.xml 
b/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
index 6e6d7bd..9b6da2d 100644
--- a/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
+++ b/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
@@ -196,7 +196,7 @@
 <select idref="auditd_data_retention_space_left_action" selected="true" />
 <refine-value idref="var_auditd_admin_space_left_action" selector="halt" />
 <select idref="auditd_data_retention_admin_space_left_action" selected="true" 
/>
-<select idref="configure_auditd_action_mail_acct" selected="true" />
+<select idref="auditd_data_retention_action_mail_acct" selected="true" />
 <select idref="configure_auditd_audispd" selected="true" />
 
 <!--   AU-4 -->
diff --git a/RHEL6/input/profiles/nist-CL-IL-AL.xml 
b/RHEL6/input/profiles/nist-CL-IL-AL.xml
index bb920f6..4b1601f 100644
--- a/RHEL6/input/profiles/nist-CL-IL-AL.xml
+++ b/RHEL6/input/profiles/nist-CL-IL-AL.xml
@@ -269,7 +269,7 @@ assurance."</description>
 <select idref="configure_auditd_max_log_file_action" selected="true" \>
 <select idref="auditd_data_retention_space_left_action" selected="true" \>
 <select idref="auditd_data_retention_admin_space_left_action" selected="true" 
\>
-<select idref="configure_auditd_action_mail_acct" selected="true" \>
+<select idref="auditd_data_retention_action_mail_acct" selected="true" \>
 <select idref="configure_auditd_audispd" selected="true" \>
 
 <!-- AU-3(1): THIS NEEDS FURTHER REVIEW ON ADDITIONAL
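Review bot: The added `<select>` line in nist-CL-IL-AL.xml ends with `\>` rather than `/>`, so the element is never closed and the line is not well-formed XML; the context lines around it use the same terminator. Whether this profile is parsed by the build is not visible from the hunk. If it is, an XML parser would presumably reject the file or drop the selection, leaving the `action_mail_acct` audit notification rule unevaluated under this profile. I would write the new line as `<select idref="auditd_data_retention_action_mail_acct" selected="true" />` and correct the neighbouring selects in the same pass.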
diff --git a/RHEL6/input/profiles/stig-rhel6-server.xml 
b/RHEL6/input/profiles/stig-rhel6-server.xml
index 6c7783a..7798bad 100644
--- a/RHEL6/input/profiles/stig-rhel6-server.xml
+++ b/RHEL6/input/profiles/stig-rhel6-server.xml
@@ -37,7 +37,7 @@
 <select idref="disable_users_coredumps" selected="true"/>
 <select idref="no_insecure_locks_exports" selected="true" />
 <select idref="auditd_data_retention_space_left_action" selected="true" />
-<select idref="configure_auditd_action_mail_acct" selected="true" />
+<select idref="auditd_data_retention_action_mail_acct" selected="true" />
 
 <select idref="kernel_module_bluetooth_disabled" selected="true"/>
 <select idref="kernel_module_usb-storage_disabled" selected="true"/>
diff --git a/RHEL6/input/profiles/test.xml b/RHEL6/input/profiles/test.xml
index e44fdac..21b5131 100644
--- a/RHEL6/input/profiles/test.xml
+++ b/RHEL6/input/profiles/test.xml
@@ -31,7 +31,7 @@
 
 <select idref="configure_auditd_num_logs" selected="true"/>
 <select idref="configure_auditd_max_log_file" selected="true"/>
-<select idref="configure_auditd_action_mail_acct" selected="true"/>
+<select idref="auditd_data_retention_action_mail_acct" selected="true"/>
 <select idref="auditd_data_retention_space_left_action" selected="true"/>
 <select idref="auditd_data_retention_admin_space_left_action" selected="true"/>
 <select idref="configure_auditd_max_log_file_action" selected="true"/>
diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml
index fcf2a06..16585ba 100644
--- a/RHEL6/input/system/auditing.xml
+++ b/RHEL6/input/system/auditing.xml
@@ -394,7 +394,7 @@ is used, running low on space for audit records should 
never occur.
 <tested by="DS" on="20121024"/>
 </Rule>
 
-<Rule id="configure_auditd_action_mail_acct" severity="medium">
+<Rule id="auditd_data_retention_action_mail_acct" severity="medium">
 <title>Configure auditd mail_acct Action on Low Disk Space</title>
 <description>The <tt>auditd</tt> service can be configured to send email to
 a designated account in certain situations. Add or correct the following line
-- 
1.7.1
