diff --git a/controls/nist_rhcos4.yml b/controls/nist_rhcos4.yml index 34c37c91f3b..67698080b6e 100644 --- a/controls/nist_rhcos4.yml +++ b/controls/nist_rhcos4.yml @@ -1022,6 +1022,7 @@ controls: - audit_rules_login_events_tallylog - audit_rules_privileged_commands_umount - audit_rules_login_events_faillock + - var_accounts_passwords_pam_faillock_dir=run - audit_rules_privileged_commands_crontab - audit_rules_execution_setsebool - audit_rules_etc_group_open_by_handle_at @@ -2553,6 +2554,7 @@ controls: - audit_rules_execution_semanage - audit_rules_unsuccessful_file_modification_chmod - audit_rules_login_events_faillock + - var_accounts_passwords_pam_faillock_dir=run - audit_rules_unsuccessful_file_modification_open - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat - audit_rules_privileged_commands_chage @@ -3541,6 +3543,7 @@ controls: - audit_rules_execution_semanage - audit_rules_unsuccessful_file_modification_chmod - audit_rules_login_events_faillock + - var_accounts_passwords_pam_faillock_dir=run - audit_rules_unsuccessful_file_modification_open - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat - audit_rules_privileged_commands_chage @@ -5077,6 +5080,7 @@ controls: - sysctl_net_ipv4_conf_default_rp_filter - audit_rules_unsuccessful_file_modification_chmod - audit_rules_login_events_faillock + - var_accounts_passwords_pam_faillock_dir=run - audit_rules_unsuccessful_file_modification_open - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat - audit_rules_privileged_commands_chage diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/ocp4/e2e.yaml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/ocp4/e2e.yaml new file mode 100644 index 00000000000..77dda8f5fe7 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/ocp4/e2e.yaml @@ -0,0 +1,2 @@ +default_result: FAIL +result_after_remediation: PASS diff --git a/products/rhcos4/profiles/e8.profile b/products/rhcos4/profiles/e8.profile index f9593544678..55f4cc40af7 100644 --- a/products/rhcos4/profiles/e8.profile +++ b/products/rhcos4/profiles/e8.profile @@ -51,6 +51,7 @@ selections: - auditd_name_format - audit_rules_login_events_tallylog - audit_rules_login_events_faillock + - var_accounts_passwords_pam_faillock_dir=run - audit_rules_login_events_lastlog - audit_rules_login_events - audit_rules_time_adjtimex diff --git a/products/rhcos4/profiles/stig-v1r1.profile b/products/rhcos4/profiles/stig-v1r1.profile index 951db16d932..0a851bd6cbb 100644 --- a/products/rhcos4/profiles/stig-v1r1.profile +++ b/products/rhcos4/profiles/stig-v1r1.profile @@ -21,6 +21,7 @@ selections: - var_sshd_set_keepalive=0 - var_selinux_policy_name=targeted - var_selinux_state=enforcing + - var_accounts_passwords_pam_faillock_dir=run # Let's mark the vsyscall argument as info - the check and the fix is there, but setting this # karg is not suitable for people who still run legacy 32bit apps. - coreos_vsyscall_kernel_argument.role=unscored diff --git a/shared/templates/audit_rules_login_events/kubernetes.template b/shared/templates/audit_rules_login_events/kubernetes.template index 6c67a6aff74..59b61d361e2 100644 --- a/shared/templates/audit_rules_login_events/kubernetes.template +++ b/shared/templates/audit_rules_login_events/kubernetes.template @@ -12,7 +12,11 @@ spec: storage: files: - contents: +{{% if PATH_IS_VARIABLE %}} + source: data:,-w%20{{ {{{ url_encode("{{.var_accounts_passwords_pam_faillock_dir}}") }}} }}%20-p%20wa%20-k%20logins%0A +{{% else %}} source: data:,-w%20{{{ PATH }}}%20-p%20wa%20-k%20logins%0A +{{% endif %}} mode: 0644 - path: /etc/audit/rules.d/75-{{{ NAME }}}_login_events.rules + path: /etc/audit/rules.d/75-{{{ rule_id }}}.rules overwrite: true