From: Leland Steinke <[email protected]>

- Update VRelease key
- Add OCIL for unlinkat, renameat
- Update grep regex from 'grep' to 'grep -w'

Signed-off-by: Leland Steinke <[email protected]> --- RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- RHEL/6/input/system/auditing.xml | 2 ++ 2 files changed, 3 insertions(+), 1 deletions(-) diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 2e922d1..bc540d6 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -569,7 +569,7 @@ <title>The audit system must be configured to audit successful file system mounts.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_file_deletion_events" ownerid="RHEL-06-000200" disa="172" severity="low"> - <VMSinfo VKey="38575" SVKey="50376" VRelease="2" /> + <VMSinfo VKey="38575" SVKey="50376" VRelease="3" /> <title>The audit system must be configured to audit user deletions of files and programs.</title> </overlay> <overlay owner="disastig" ruleid="audit_sysadmin_actions" ownerid="RHEL-06-000201" disa="172" severity="low"> diff --git a/RHEL/6/input/system/auditing.xml b/RHEL/6/input/system/auditing.xml index e25f890..6c9f696 100644 --- a/RHEL/6/input/system/auditing.xml +++ b/RHEL/6/input/system/auditing.xml @@ -1210,7 +1210,9 @@ appropriate for your system: </description> <ocil> <audit-syscall-check-macro syscall="unlink" /> +<audit-syscall-check-macro syscall="unlinkat" /> <audit-syscall-check-macro syscall="rename" /> +<audit-syscall-check-macro syscall="renameat" /> </ocil> <rationale>Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting -- 1.7.1 -- SCAP Security Guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
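Review bot: In the stig_overlay.xml hunk, the VRelease change from "2" to "3" on the RHEL-06-000200 overlay has no stated source; the commit message says only "Update VRelease key". Please name the STIG release the new value was taken from in the commit message so the bump can be checked against it, and confirm that the title on the following line still matches that release.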
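Review bot: In the auditing.xml hunk, the two added audit-syscall-check-macro lines (unlinkat, renameat) rely on a change that is not in this patch: the commit message lists "Update grep regex from 'grep' to 'grep -w'", but the diffstat shows only 3 insertions and 1 deletion across the two files, and neither hunk touches a grep expression. If the macro's check is a plain grep for the syscall name, the existing unlink and rename checks would also be satisfied by a line that only mentions unlinkat or renameat, so the four checks are not independent until the -w change lands. Either include the macro change in this patch or drop that bullet from the commit message. Also, only the ocil block is extended here; if the description above it lists the syscalls to put in the audit rule, it should name unlinkat and renameat as well.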
