Configure audit according to OSPP requirements
An XCCDF Rule
Description
Configure audit to meet requirements for Operating System Protection Profile (OSPP) v4.2.1.
Audit defines groups of rules in /usr/share/doc/audit/rules
to satisfy specific policies.
To fulfill requirements for compliance with OSPP v4.2.1, the following files are necessary:
- /usr/share/doc/audit/rules/10-base-config.rules
- /usr/share/doc/audit/rules/11-loginuid.rules
- /usr/share/doc/audit/rules/30-ospp-v42.rules
- /usr/share/doc/audit/rules/43-module-load.rules
Copy these files from /usr/share/doc/audit/rules to /etc/audit/rules.d:
cp /usr/share/doc/audit*/rules/{10-base-config,11-loginuid,30-ospp-v42,43-module-load}.rules /etc/audit/rules.d/
Performance Warning
The Audit buffer configured by this rule might not be large enough for certain use cases. If that is the case, the buffer size can be overridden by placing -b larger_buffer_size into a file within the /etc/audit/rules.d directory, replacing larger_buffer_size with the desired value. The file name should start with a number higher than 10 and lower than 99.
Rationale
The audit rules defined in /usr/share/doc/audit/rules
are the recommended way to meet compliance with OSPP v4.2.1.
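An added check, not part of the rule content or the audit package: the functions below confirm that the four rule files listed in the Description are present in the target directory and byte-identical to the shipped copies, and that any extra file setting -b follows the numbering constraint from the Performance Warning. The function names and report labels are this example's own, and both directories are passed as arguments.

```shell
#!/bin/sh
# Added example. Function names and report labels are this example's own.
OSPP_RULES="10-base-config 11-loginuid 30-ospp-v42 43-module-load"

# check_ospp_rules SRC DST
# Reports each required file that is missing from DST or differs from the copy
# in SRC. Returns the number of problems found (0 = all four files intact).
check_ospp_rules() {
    src=$1 dst=$2 bad=0
    for name in $OSPP_RULES; do
        if [ ! -f "$dst/$name.rules" ]; then
            echo "MISSING  $dst/$name.rules"; bad=$((bad + 1))
        elif [ -f "$src/$name.rules" ] &&
             ! cmp -s "$src/$name.rules" "$dst/$name.rules"; then
            echo "MODIFIED $dst/$name.rules"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# check_buffer_overrides DST
# Finds files other than 10-base-config.rules that set the buffer with -b and
# checks that their numeric prefix is higher than 10 and lower than 99.
check_buffer_overrides() {
    dst=$1 bad=0
    for f in "$dst"/*.rules; do
        [ -f "$f" ] || continue
        base=${f##*/}
        [ "$base" = "10-base-config.rules" ] && continue
        grep -Eq '^[[:space:]]*-b[[:space:]]+[0-9]+' "$f" || continue
        num=${base%%[!0-9]*}            # leading digits of the file name
        if [ -z "$num" ] || [ "$num" -le 10 ] || [ "$num" -ge 99 ]; then
            echo "BAD-NAME $f (prefix must be >10 and <99)"; bad=$((bad + 1))
        else
            echo "OVERRIDE $f"
        fi
    done
    return "$bad"
}

# Usage on a live system (paths from the page):
#   check_ospp_rules /usr/share/doc/audit/rules /etc/audit/rules.d
#   check_buffer_overrides /etc/audit/rules.d
```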
- ID
- xccdf_org.ssgproject.content_rule_audit_rules_for_ospp
- Severity
- Medium
- References
-
SRG-OS-000004-GPOS-00004
SRG-OS-000064-GPOS-00033
SRG-OS-000240-GPOS-00090
SRG-OS-000241-GPOS-00091
SRG-OS-000303-GPOS-00120
SRG-OS-000327-GPOS-00127
SRG-OS-000365-GPOS-00152
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
- Updated