Merge pull request ComplianceAsCode#12356 from rumch-se/update_permis…

…sions_local_var_log_audit_for_slem Updates related to the rule permissions_local_var_log_audit
rumch-se · Sep 2, 2024 · d391d4c · d391d4c
2 parents 0e3e668 + fd5b585
commit d391d4c
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 4 deletions.
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
@@ -1441,8 +1441,9 @@ controls:
       levels:
           - medium
       title: SLEM 5 must protect audit rules from unauthorized modification.
-      rules: []
-      status: pending
+      rules: 
+          - permissions_local_var_log_audit
+      status: automated
 
     - id: SLEM-05-653055
       levels:

diff --git a/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml
@@ -5,7 +5,7 @@ title: 'Verify that Local Logs of the audit Daemon are not World-Readable'
 
 description: |-
     Files containing sensitive informations should be protected by restrictive
-    permissions. Most of the time, there is no need that these files need to bei
+    permissions. Most of the time, there is no need that these files need to be
     read by any non-root user.
 
     Check that "permissions.local" file contains the correct permissions rules with the following command:
@@ -17,6 +17,14 @@ description: |-
     /etc/audit/audit.rules root:root 640
     /etc/audit/rules.d/audit.rules root:root 640</pre>
 
+    {{% if product in slmicro %}}
+    Check that all of the audit information files and folders have the correct permissions with the following command:
+    <pre>$ sudo chkstat /etc/permissions.local</pre>
+
+    If the command returns any output, this is a finding.
+    {{% endif %}}
+
+
 rationale: |-
     Without the capability to restrict which roles and individuals can select
     which events are audited, unauthorized personnel may be able to prevent the
@@ -30,6 +38,7 @@ severity: medium
 identifiers:
     cce@sle12: CCE-83117-2
     cce@sle15: CCE-85607-0
+    cce@slmicro5: CCE-93776-3
 
 references:
     disa: CCI-000164
@@ -39,6 +48,33 @@ references:
     stigid@sle15: SLES-15-030600
 
 ocil: |-
+    {{% if product in slmicro %}}
+
+    Check that "permissions.local" file contains the correct permissions rules with the following command:
+
+    <pre># grep -i audit /etc/permissions.local
+
+    /var/log/audit/ root:root 600
+    /var/log/audit/audit.log root:root 600
+    /etc/audit/audit.rules root:root 640
+    /etc/audit/rules.d/audit.rules root:root 640</pre>
+
+    Check that all of the audit information files and folders have the correct permissions with the following command:
+    <pre>$ sudo chkstat /etc/permissions.local</pre>
+
+    If the command returns any output, this is a finding.
+
+    Add or modify the following lines in "/etc/permissions.local":
+    <pre>
+    /var/log/audit root:root 600
+    /var/log/audit/audit.log root:root 600
+    /etc/audit/audit.rules root:root 640
+    /etc/audit/rules.d/audit.rules root:root 640
+    </pre>
+
+    Set the correct permissions with the following command:
+    <pre>$sudo chkstat --set /etc/permissions.local </pre>
+    {{% else %}}
     Check that <tt>permissions.local</tt> file contains the correct permissionsi
     rules with the following command:
 
@@ -56,3 +92,4 @@ ocil: |-
     entries:
 
     <pre># sudo chkstat --set --system</pre>
+    {{% endif %}}
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
@@ -20,7 +20,6 @@ CCE-93764-9
 CCE-93765-6
 CCE-93766-4
 CCE-93767-2
-CCE-93776-3
 CCE-93777-1
 CCE-93783-9
 CCE-93789-6