For some reason the guidance is no longer auditing for use of the rmdir command, though I don't remember why.
Updated XCCDF and OVAL to add rmdir, posting to mailing list as RFC to get comments on if this should be added in. Signed-off-by: Shawn Wells <[email protected]> --- .../checks/audit_rules_file_deletion_events.xml | 2 +- RHEL/6/input/system/auditing.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RHEL/6/input/checks/audit_rules_file_deletion_events.xml b/RHEL/6/input/checks/audit_rules_file_deletion_events.xml index d561201..86b3e1b 100644 --- a/RHEL/6/input/checks/audit_rules_file_deletion_events.xml +++ b/RHEL/6/input/checks/audit_rules_file_deletion_events.xml @@ -17,7 +17,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="object_audit_rules_file_deletion_events" version="1"> <ind:filepath>/etc/audit/audit.rules</ind:filepath> - <ind:pattern operation="pattern match">^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+unlink\s+\-S\s+unlinkat\s+\-S\s+rename\s+\-S\s+renameat\s+\-F\s+auid>=500\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$</ind:pattern> + <ind:pattern operation="pattern match">^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+rmdir\s+\-S\s+unlink\s+\-S\s+unlinkat\s+\-S\s+rename\s+\-S\s+renameat\s+\-F\s+auid>=500\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> diff --git a/RHEL/6/input/system/auditing.xml b/RHEL/6/input/system/auditing.xml index b34e41d..3ac27e6 100644 --- a/RHEL/6/input/system/auditing.xml +++ b/RHEL/6/input/system/auditing.xml 
@@ -1206,7 +1206,7 @@ loss.</rationale> deletion events for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>, setting ARCH to either b32 or b64 as appropriate for your system: -<pre>-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete</pre> +<pre>-a always,exit -F arch=ARCH S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete</pre> </description> <ocil> <audit-syscall-check-macro syscall="unlink" /> -- 1.7.1 _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
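Review bot: In the OVAL hunk for audit_rules_file_deletion_events.xml, the updated pattern hard-codes a single syscall order (`-S rmdir -S unlink -S unlinkat -S rename -S renameat`), so a system whose rule lists rmdir in any other position, or that carries the syscalls in a different order, will be scored as failing even though it audits the same events. If the check is meant to require exactly this line, say so in the rule description; otherwise consider matching each `-S <syscall>` independently rather than as one fixed sequence. Also confirm that the ordering here stays identical to the rule text shown in auditing.xml, since the remediation text is what admins will paste and the OVAL pattern is what scores it.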
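Review bot: In the auditing.xml hunk the new `<pre>` line reads `-F arch=ARCH S rmdir -S unlink ...`, which drops the `-S` flag in front of rmdir; auditctl will not accept a bare `S`, so an admin copying this line gets a rule that does not load, and even if corrected by hand it would not match the OVAL pattern in the first hunk, which expects `-S\s+rmdir`. The line should read `-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete`. Separately, the trailing context shows the OCIL section with `<audit-syscall-check-macro syscall="unlink" />`; if that block enumerates each audited syscall, an equivalent entry for rmdir should be added so the manual check covers the new syscall as well.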
