
Remove Default Configuration to Disable Syscall Auditing

An XCCDF Rule

Description

By default, SUSE Linux Enterprise Micro 5 ships an audit rule to disable syscall auditing for performance reasons. To make sure that syscall auditing works, this line must be removed from /etc/audit/rules.d/audit.rules and /etc/audit/audit.rules:

-a task,never

Rationale

Audit rules for syscalls do not take effect unless this line is removed.
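As an added example (not the SSG remediation script itself), the check-and-remove logic for this rule as a small POSIX shell script. It assumes the rules files are passed as arguments, so it can be run against a copy before touching /etc/audit; it also matches the equivalent "-a never,task" ordering that auditctl accepts.

```shell
#!/bin/sh
# Added example: detect and strip the "-a task,never" rule that disables
# syscall auditing. File paths are arguments (assumption), e.g.
#   ./fix_task_never.sh --apply /etc/audit/rules.d/audit.rules /etc/audit/audit.rules

# Match "-a task,never" with any surrounding whitespace; auditctl also
# accepts the action and list in the other order, so cover "never,task" too.
TASK_NEVER_RE='^[[:space:]]*-a[[:space:]]+(task,never|never,task)[[:space:]]*$'

# has_task_never FILE -> exit 0 if the disabling rule is present
has_task_never() {
    [ -f "$1" ] && grep -Eq "$TASK_NEVER_RE" "$1"
}

# remove_task_never FILE -> delete the rule in place, keep every other line
remove_task_never() {
    f="$1"
    [ -f "$f" ] || return 0
    has_task_never "$f" || return 0
    tmp="$(mktemp)"
    sed -E "/$TASK_NEVER_RE/d" "$f" > "$tmp"
    # write back through cat so the file's owner and mode are preserved
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# check_all FILE... -> exit 0 only if no file still carries the rule
check_all() {
    rc=0
    for f in "$@"; do
        if has_task_never "$f"; then
            echo "non-compliant: $f still contains '-a task,never'" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: with --apply the files are fixed first, then re-checked.
if [ "${1:-}" = "--apply" ]; then
    shift
    for f in "$@"; do remove_task_never "$f"; done
    check_all "$@"
fi
```

After applying, reload the rules (for example with `augenrules --load` or a restart of auditd) so the running auditctl ruleset no longer carries the line.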

ID
xccdf_org.ssgproject.content_rule_audit_rules_enable_syscall_auditing
Severity
Medium
References

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-93739-1
  - DISA-STIG-SLEM-05-654245

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q audit && rpm --quiet -q kernel-default; then

if [ -f "/usr/lib/systemd/system/auditd.service" ] ; then
    IS_AUGENRULES=$(grep -E "^(ExecStartPost=|Requires=augenrules\.service)" /usr/lib/systemd/system/auditd.service)