Issue
What were you trying to do that didn't work?
CIS profile enforces that aide configuration contains the following:
/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
See 1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools in official documentation CIS_Red_Hat_Enterprise_Linux_9_Benchmark_v1.0.0.pdf and 5.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools in official documentation CIS_Red_Hat_Enterprise_Linux_8_Benchmark_v3.0.0.pdf.
It appears that the implementation we have enforces /usr/sbin/ instead of /sbin/, e.g. OVAL check:
<ind:pattern operation="pattern match">^\/usr\/sbin\/auditctl\s+([^\n]+)$</ind:pattern>
and bash remediation:
{{% set auditfiles = [
    "/usr/sbin/auditctl",
    "/usr/sbin/auditd",
    "/usr/sbin/ausearch",
    "/usr/sbin/aureport",
    "/usr/sbin/autrace",
    "/usr/sbin/augenrules" ] %}}
I think we need to stick to the official documentation.
Please provide the package NVR for which bug is seen:
scap-security-guide on RHEL8, RHEL9 and Upstream project
How reproducible:
N/A
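The mismatch described in this report can be reproduced offline with the following added example, which is not part of the original report or the project's code. It applies a pattern of the same shape as the quoted OVAL check to an aide.conf written as in the CIS text and to one using /usr/sbin/; the function names, the assumption that the other five tools use the same pattern form as auditctl, and the order-insensitive attribute comparison are illustrative.

```python
import re

# The six audit tools and the attribute string quoted in the report.
AUDIT_TOOLS = ["auditctl", "auditd", "ausearch", "aureport", "autrace", "augenrules"]
REQUIRED_ATTRS = set("p+i+n+u+g+s+b+acl+xattrs+sha512".split("+"))

# Constructed sample inputs: the aide.conf lines as written in the CIS text,
# and the same lines spelled with /usr/sbin/.
CIS_STYLE_CONF = "".join(f"/sbin/{t} p+i+n+u+g+s+b+acl+xattrs+sha512\n" for t in AUDIT_TOOLS)
USR_STYLE_CONF = "".join(f"/usr/sbin/{t} p+i+n+u+g+s+b+acl+xattrs+sha512\n" for t in AUDIT_TOOLS)


def tool_pattern(prefix, tool):
    # Same shape as the quoted OVAL pattern, with the directory as a parameter.
    # Assumption: the other five tools use the same pattern form as auditctl.
    return re.compile("^" + re.escape(f"{prefix}/{tool}") + r"\s+([^\n]+)$", re.MULTILINE)


def check_conf(conf_text, prefix):
    """Map each tool to None (no rule found under prefix) or to the sorted
    list of required attributes that its rule lacks (empty list = compliant)."""
    result = {}
    for tool in AUDIT_TOOLS:
        match = tool_pattern(prefix, tool).search(conf_text)
        if match is None:
            result[tool] = None
        else:
            present = set(match.group(1).strip().split("+"))
            result[tool] = sorted(REQUIRED_ATTRS - present)
    return result


def unmatched_tools(conf_text, prefix):
    """Tools for which no rule line starts with prefix/tool."""
    return [t for t, missing in check_conf(conf_text, prefix).items() if missing is None]


if __name__ == "__main__":
    for name, conf in (("CIS-style (/sbin)", CIS_STYLE_CONF), ("/usr/sbin-style", USR_STYLE_CONF)):
        for prefix in ("/sbin", "/usr/sbin"):
            print(f"{name} checked with {prefix}: unmatched = {unmatched_tools(conf, prefix)}")
```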