Hello, I would discuss this with the people working on Audit. Adding them into the conversation.
Regards,
Matus Marhefka

On Fri, Aug 31, 2018 at 9:25 PM, Shawn Wells <[email protected]> wrote:

> Received an interesting question from a colleague today.
>
> The various STIG requirements have full paths for auditing, e.g. for
> /usr/bin/chage:
>
> https://rhel7stig.readthedocs.io/en/latest/medium.html#v-72155-all-uses-of-the-chage-command-must-be-audited-rhel-07-030660
>
> Which call for an audit rule similar to:
>
> -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
>
> However, on a container platform (e.g. OpenShift), the root user on nodes
> can execute chage in its own */usr/bin/* as well as within all the
> containers */var/lib/docker/*<UUID>/bin/chage.
>
> What's the best way to capture this in OVAL rules? Was thinking updating
> the regex on path to include the full-path
> (/usr/bin/chage|/var/lib/docker/*/bin/chage)....
> but not sure if that's a standard path that would work for non-OpenShift
> platforms.
>
> +cc Jeff Pullen who asked the question. Jeff... note this is a *public*
> mailing list ;)
>
> _______________________________________________
> scap-security-guide mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/scap-[email protected]
