From d351fc8e86714b4a467cbb9de54fef8a031617f1 Mon Sep 17 00:00:00 2001 From: rchikov Date: Mon, 2 Sep 2024 11:27:05 +0200 Subject: [PATCH 1/2] Updates related to the rule permissions_local_var_log_audit --- controls/stig_slmicro5.yml | 5 ++- .../permissions_local_var_log_audit/rule.yml | 39 ++++++++++++++++++- shared/references/cce-slmicro5-avail.txt | 1 - 3 files changed, 41 insertions(+), 4 deletions(-) diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml index e30d976365d..87e14b2c75e 100644 --- a/controls/stig_slmicro5.yml +++ b/controls/stig_slmicro5.yml @@ -1441,8 +1441,9 @@ controls: levels: - medium title: SLEM 5 must protect audit rules from unauthorized modification. - rules: [] - status: pending + rules: + - permissions_local_var_log_audit + status: automated - id: SLEM-05-653055 levels: diff --git a/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml index fa64e47f1d5..7b91586a4c5 100644 --- a/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml +++ b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml @@ -5,7 +5,7 @@ title: 'Verify that Local Logs of the audit Daemon are not World-Readable' description: |- Files containing sensitive informations should be protected by restrictive - permissions. Most of the time, there is no need that these files need to bei + permissions. Most of the time, there is no need that these files need to be read by any non-root user. Check that "permissions.local" file contains the correct permissions rules with the following command: @@ -17,6 +17,14 @@ description: |- /etc/audit/audit.rules root:root 640 /etc/audit/rules.d/audit.rules root:root 640 + {{% if slmicro in product %}} + Check that all of the audit information files and folders have the correct permissions with the following command: +
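Review bot: The control titled "SLEM 5 must protect audit rules from unauthorized modification." is switched from `status: pending` to `status: automated` in the first hunk of controls/stig_slmicro5.yml, but nothing in this series adds an automated check for slmicro5 — the rule.yml hunks only touch description, OCIL text and the CCE identifier, and no OVAL or remediation content is visible. If the rule's existing check content does not apply to slmicro5, the control should stay `manual` (or `pending`) until one exists, since `automated` is what downstream tooling reads as "this STIG item is verified by the scanner". I cannot see the rule's check or remediation directories from this patch, so this is a request to confirm rather than a definite defect; a sentence in the commit message naming the check that covers slmicro5 would settle it.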
$ sudo chkstat /etc/permissions.local
+ + If the command returns any output, this is a finding. + {{% endif %}} + + rationale: |- Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the @@ -30,6 +38,7 @@ severity: medium identifiers: cce@sle12: CCE-83117-2 cce@sle15: CCE-85607-0 + cce@slmicro5: CCE-93776-3 references: disa: CCI-000164 @@ -39,6 +48,33 @@ references: stigid@sle15: SLES-15-030600 ocil: |- + {{% if slmicro in product %}} + + Check that "permissions.local" file contains the correct permissions rules with the following command: + +
# grep -i audit /etc/permissions.local
+
+    /var/log/audit/ root:root 600
+    /var/log/audit/audit.log root:root 600
+    /etc/audit/audit.rules root:root 640
+    /etc/audit/rules.d/audit.rules root:root 640
+ + Check that all of the audit information files and folders have the correct permissions with the following command: +
$ sudo chkstat /etc/permissions.local
+ + If the command returns any output, this is a finding. + + Add or modify the following lines in "/etc/permissions.local": +
+    /var/log/audit root:root 600
+    /var/log/audit/audit.log root:root 600
+    /etc/audit/audit.rules root:root 640
+    /etc/audit/rules.d/audit.rules root:root 640
+    
+ + Set the correct permissions with the following command: +
$sudo chkstat --set /etc/permissions.local 
+ {{% else %}} Check that permissions.local file contains the correct permissionsi rules with the following command: @@ -56,3 +92,4 @@ ocil: |- entries:
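Review bot: The added "Add or modify the following lines" block in the ocil hunk (@@ -39,6 +48,33) lists `/var/log/audit root:root 600`, while the check block a few lines above in the same hunk and the pre-existing description list `/var/log/audit/ root:root 600` with a trailing slash; the grep-based check and the remediation should spell the entry the same way so an assessor comparing the two does not see a mismatch on the directory line. The remediation command line `<pre>$sudo chkstat --set /etc/permissions.local </pre>` also loses the space after the prompt and carries a trailing space, unlike `$ sudo chkstat /etc/permissions.local` earlier in the hunk; `<pre>$ sudo chkstat --set /etc/permissions.local</pre>` keeps the two consistent. The else-branch context line still reads "correct permissionsi rules", the same kind of typo the first hunk fixed in the description ("bei" → "be"), and could be corrected in the same commit. The ocil block continues past this hunk into @@ -56,3 +92,4.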
# sudo chkstat --set --system
+ {{% endif %}} diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt index 952d091a3ba..fb536ad5714 100644 --- a/shared/references/cce-slmicro5-avail.txt +++ b/shared/references/cce-slmicro5-avail.txt @@ -20,7 +20,6 @@ CCE-93764-9 CCE-93765-6 CCE-93766-4 CCE-93767-2 -CCE-93776-3 CCE-93777-1 CCE-93783-9 CCE-93789-6 From fd5b5853b6e775cc56f3439353bb1548fac8a2b1 Mon Sep 17 00:00:00 2001 From: Rumen <77793453+rumch-se@users.noreply.github.com> Date: Mon, 2 Sep 2024 12:19:35 +0200 Subject: [PATCH 2/2] Update rule.yml Fix of wrong "if" syntax --- .../permissions_local_var_log_audit/rule.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml index 7b91586a4c5..0e2d1ac8a21 100644 --- a/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml +++ b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml @@ -17,7 +17,7 @@ description: |- /etc/audit/audit.rules root:root 640 /etc/audit/rules.d/audit.rules root:root 640 - {{% if slmicro in product %}} + {{% if product in slmicro %}} Check that all of the audit information files and folders have the correct permissions with the following command:
$ sudo chkstat /etc/permissions.local
@@ -48,7 +48,7 @@ references: stigid@sle15: SLES-15-030600 ocil: |- - {{% if slmicro in product %}} + {{% if product in slmicro %}} Check that "permissions.local" file contains the correct permissions rules with the following command: