Updating to reflect naming scheme of other audit XCCDF and OVAL [shawnw@ssg-rhel6-devbox checks]$ grep -rin audit_file_deletions ../ ../system/auditing.xml:1203:<Rule id="audit_file_deletions"> ../auxiliary/stig_overlay.xml:563: <overlay owner="disastig" ruleid="audit_file_deletions" ownerid="RHEL-06-000200" disa="172" severity="low"> ../auxiliary/transition_notes.xml:54:<note ref="29240" auth="GG" rule="audit_file_deletions">This is covered in RHEL 6 content</note> ../profiles/nist-CL-IL-AL.xml:221:<select idref="audit_file_deletions" selected="true" \> ../profiles/CS2.xml:146:<select idref="audit_file_deletions" selected="true"/> ../profiles/CSCF-RHEL6-MLS.xml:23:<select idref="audit_file_deletions" selected="true" /> ../profiles/C2S.xml:455:<select idref="audit_file_deletions" selected="true" /> ../profiles/fisma-medium-rhel6-server.xml:136:<select idref="audit_file_deletions" selected="true" /> ../profiles/usgcb-rhel6-server.xml:193:<select idref="audit_file_deletions" selected="true" /> ../profiles/common.xml:147:<select idref="audit_file_deletions" selected="true"/>
[shawnw@ssg-rhel6-devbox checks]$ sed -i 's/audit_file_deletions/audit_rules_file_deletion_events/g' ../system/auditing.xml ../auxiliary/* ../profiles/* [shawnw@ssg-rhel6-devbox checks]$ grep -rin audit_file_deletions ../ Signed-off-by: Shawn Wells <[email protected]> --- RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- RHEL/6/input/auxiliary/transition_notes.xml | 2 +- RHEL/6/input/profiles/C2S.xml | 2 +- RHEL/6/input/profiles/CS2.xml | 2 +- RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml | 2 +- RHEL/6/input/profiles/common.xml | 2 +- .../6/input/profiles/fisma-medium-rhel6-server.xml | 2 +- RHEL/6/input/profiles/nist-CL-IL-AL.xml | 2 +- RHEL/6/input/profiles/usgcb-rhel6-server.xml | 2 +- RHEL/6/input/system/auditing.xml | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index f45230e..460a5bd 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -560,7 +560,7 @@ <VMSinfo VKey="38568" SVKey="50369" VRelease="2" /> <title>The audit system must be configured to audit successful file system mounts.</title> </overlay> - <overlay owner="disastig" ruleid="audit_file_deletions" ownerid="RHEL-06-000200" disa="172" severity="low"> + <overlay owner="disastig" ruleid="audit_rules_file_deletion_events" ownerid="RHEL-06-000200" disa="172" severity="low"> <VMSinfo VKey="38575" SVKey="50376" VRelease="2" /> <title>The audit system must be configured to audit user deletions of files and programs.</title> </overlay> diff --git a/RHEL/6/input/auxiliary/transition_notes.xml b/RHEL/6/input/auxiliary/transition_notes.xml index 8e1c9da..77f8a5f 100644 --- a/RHEL/6/input/auxiliary/transition_notes.xml +++ b/RHEL/6/input/auxiliary/transition_notes.xml 
@@ -51,7 +51,7 @@ <note ref="29241" auth="GG" rule="">This is not covered in RHEL 6 content</note> -<note ref="29240" auth="GG" rule="audit_file_deletions">This is covered in RHEL 6 content</note> +<note ref="29240" auth="GG" rule="audit_rules_file_deletion_events">This is covered in RHEL 6 content</note> <note ref="29239" auth="GG" rule="audit_file_access">This is covered in RHEL 6 content</note> <note ref="29238" auth="GG" rule="audit_file_access">This is covered in RHEL 6 content</note> diff --git a/RHEL/6/input/profiles/C2S.xml b/RHEL/6/input/profiles/C2S.xml index 6ceff9c..bed6ee4 100644 --- a/RHEL/6/input/profiles/C2S.xml +++ b/RHEL/6/input/profiles/C2S.xml @@ -452,7 +452,7 @@ Patches would be most welcome! <select idref="audit_media_exports" selected="true" /> <!-- 5.2.14 Collect File Deletion Events by User (Scored) --> -<select idref="audit_file_deletions" selected="true" /> +<select idref="audit_rules_file_deletion_events" selected="true" /> <!-- 5.2.15 Collect Changes to System Administration Scope (sudoers) (Scored) --> <select idref="audit_sysadmin_actions" selected="true" /> diff --git a/RHEL/6/input/profiles/CS2.xml b/RHEL/6/input/profiles/CS2.xml index bc65366..e8083f6 100644 --- a/RHEL/6/input/profiles/CS2.xml +++ b/RHEL/6/input/profiles/CS2.xml @@ -143,7 +143,7 @@ <select idref="audit_file_access" selected="true"/> <select idref="audit_privileged_commands" selected="true"/> <select idref="audit_media_exports" selected="true"/> -<select idref="audit_file_deletions" selected="true"/> +<select idref="audit_rules_file_deletion_events" selected="true"/> <select idref="securetty_root_login_console_only" selected="true" /> <select idref="no_direct_root_logins" selected="true" /> diff --git a/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml b/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml index f163c87..7b306ee 100644 --- a/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml +++ b/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml 
@@ -20,7 +20,7 @@ for production deployment.</description> <select idref="audit_account_changes" selected="true" /> <select idref="audit_config_immutable" selected="true" /> <select idref="audit_file_access" selected="true" /> -<select idref="audit_file_deletions" selected="true" /> +<select idref="audit_rules_file_deletion_events" selected="true" /> <select idref="audit_kernel_module_loading" selected="true" /> <select idref="file_permissions_var_log_audit" selected="true" /> <select idref="audit_logs_rootowner" selected="true" /> diff --git a/RHEL/6/input/profiles/common.xml b/RHEL/6/input/profiles/common.xml index 85a0097..6d25b48 100644 --- a/RHEL/6/input/profiles/common.xml +++ b/RHEL/6/input/profiles/common.xml @@ -144,7 +144,7 @@ <select idref="audit_file_access" selected="true"/> <select idref="audit_privileged_commands" selected="true"/> <select idref="audit_media_exports" selected="true"/> -<select idref="audit_file_deletions" selected="true"/> +<select idref="audit_rules_file_deletion_events" selected="true"/> <select idref="audit_sysadmin_actions" selected="true"/> <select idref="audit_kernel_module_loading" selected="true"/> diff --git a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml index fe339a4..05c687c 100644 --- a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml +++ b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml @@ -133,7 +133,7 @@ <select idref="audit_file_access" selected="true" /> <select idref="audit_privileged_commands" selected="true" /> <select idref="audit_media_exports" selected="true" /> -<select idref="audit_file_deletions" selected="true" /> +<select idref="audit_rules_file_deletion_events" selected="true" /> <select idref="audit_sysadmin_actions" selected="true" /> <select idref="audit_kernel_module_loading" selected="true" /> <refine-value idref="sysctl_net_ipv4_conf_all_log_martians_value" selector="0" /> 
diff --git a/RHEL/6/input/profiles/nist-CL-IL-AL.xml b/RHEL/6/input/profiles/nist-CL-IL-AL.xml index 007b2e0..2d1135c 100644 --- a/RHEL/6/input/profiles/nist-CL-IL-AL.xml +++ b/RHEL/6/input/profiles/nist-CL-IL-AL.xml @@ -218,7 +218,7 @@ assurance."</description> <select idref="audit_file_access" selected="true" \> <select idref="audit_privileged_commands" selected="true" \> <select idref="audit_media_exports" selected="true" \> -<select idref="audit_file_deletions" selected="true" \> +<select idref="audit_rules_file_deletion_events" selected="true" \> <select idref="audit_sysadmin_actions" selected="true" \> <select idref="audit_kernel_module_loading" selected="true" \> <select idref="sysctl_net_ipv4_conf_all_log_martians" selected="true" \> diff --git a/RHEL/6/input/profiles/usgcb-rhel6-server.xml b/RHEL/6/input/profiles/usgcb-rhel6-server.xml index 3227b41..1ab8ce5 100644 --- a/RHEL/6/input/profiles/usgcb-rhel6-server.xml +++ b/RHEL/6/input/profiles/usgcb-rhel6-server.xml @@ -190,7 +190,7 @@ <select idref="audit_file_access" selected="true" /> <select idref="audit_privileged_commands" selected="true" /> <select idref="audit_media_exports" selected="true" /> -<select idref="audit_file_deletions" selected="true" /> +<select idref="audit_rules_file_deletion_events" selected="true" /> <select idref="audit_sysadmin_actions" selected="true" /> <select idref="audit_kernel_module_loading" selected="true" /> <select idref="audit_config_immutable" selected="true" /> diff --git a/RHEL/6/input/system/auditing.xml b/RHEL/6/input/system/auditing.xml index 6ab1527..b34e41d 100644 --- a/RHEL/6/input/system/auditing.xml +++ b/RHEL/6/input/system/auditing.xml 
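Review bot: The added line in the nist-CL-IL-AL.xml hunk, `<select idref="audit_rules_file_deletion_events" selected="true" \>`, still ends in `\>` rather than `/>`, as do the context lines around it, so the element is never closed and the file is not well-formed XML. If this profile is parsed during the build, the selection of the file-deletion audit rule and its neighbours would most likely be rejected rather than enabled, leaving the profile without the audit coverage it appears to declare. Since the rename touches the line anyway, close it as `<select idref="audit_rules_file_deletion_events" selected="true" />` and correct the sibling `<select>` lines the same way. The profile continues outside the hunk, so other lines may need the same fix.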
@@ -1200,7 +1200,7 @@ loss.</rationale> <tested by="DS" on="20121024"/> </Rule> -<Rule id="audit_file_deletions"> +<Rule id="audit_rules_file_deletion_events"> <title>Ensure <tt>auditd</tt> Collects File Deletion Events by User</title> <description>At a minimum the audit system should collect file deletion events for all users and root. Add the following to -- 1.7.1 _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
