...
What were you trying to do that didn't work?

CIS profile enforces that aide configuration contains the following:

    /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
    /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
    /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
    /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
    /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
    /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512

See 1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools in official documentation CIS_Red_Hat_Enterprise_Linux_9_Benchmark_v1.0.0.pdf and 5.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools in official documentation CIS_Red_Hat_Enterprise_Linux_8_Benchmark_v3.0.0.pdf.

It appears that the implementation we have enforces /usr/sbin/ instead of /sbin/, e.g. OVAL check:

    <ind:pattern operation="pattern match">^\/usr\/sbin\/auditctl\s+([^\n]+)$</ind:pattern>

and bash remediation:

    {{% set auditfiles = [
          "/usr/sbin/auditctl",
          "/usr/sbin/auditd",
          "/usr/sbin/ausearch",
          "/usr/sbin/aureport",
          "/usr/sbin/autrace",
          "/usr/sbin/augenrules" ] %}}

I think we need to stick to the official documentation.

Please provide the package NVR for which bug is seen: scap-security-guide on RHEL8, RHEL9 and Upstream project

How reproducible: N/A
Done
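
The mismatch described in the report can be reproduced offline. The script below is an added example, not code from the report or from scap-security-guide: it builds a constructed aide.conf fragment containing the six lines as the CIS text lists them, then counts how many audit tools satisfy a `/usr/sbin`-only prefix (the form used in the quoted OVAL pattern) versus a prefix that accepts both spellings. The function names `write_cis_sample` and `count_matches` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not scap-security-guide code. Function names are hypothetical.
AUDIT_TOOLS="auditctl auditd ausearch aureport autrace augenrules"
REQUIRED="p+i+n+u+g+s+b+acl+xattrs+sha512"

# Constructed sample: the six lines exactly as the CIS text quoted above lists them.
write_cis_sample() {
    for tool in $AUDIT_TOOLS; do
        printf '/sbin/%s %s\n' "$tool" "$REQUIRED"
    done > "$1"
}

# count_matches CONF PREFIX_ERE
# Prints how many of the six tools have a line "<prefix>/<tool> <attrs>"
# whose attribute field contains every attribute named in REQUIRED.
count_matches() {
    conf=$1 prefix=$2 hits=0
    for tool in $AUDIT_TOOLS; do
        # Attribute field of the first selection line for this tool, if any.
        attrs=$(grep -E "^${prefix}/${tool}[[:space:]]+[^[:space:]]" "$conf" \
                | head -n 1 | awk '{print $2}')
        [ -n "$attrs" ] || continue
        ok=1
        for a in $(printf '%s' "$REQUIRED" | tr '+' ' '); do
            # Wrap in '+' so "s" does not match inside "sha512" or "xattrs".
            case "+${attrs}+" in *"+${a}+"*) ;; *) ok=0 ;; esac
        done
        if [ "$ok" -eq 1 ]; then hits=$((hits + 1)); fi
    done
    printf '%s\n' "$hits"
}

# Demo on the constructed sample.
sample=$(mktemp)
write_cis_sample "$sample"
echo "/usr/sbin-only prefix : $(count_matches "$sample" '/usr/sbin')/6 tools matched"
echo "either spelling       : $(count_matches "$sample" '/(usr/)?sbin')/6 tools matched"
rm -f "$sample"
```

A configuration written to the letter of the benchmark scores 0 of 6 under the `/usr/sbin`-only prefix, which is the false failure the report describes.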