Skip to content

Remove Default Configuration to Disable Syscall Auditing

An XCCDF Rule

Description

By default, SUSE Linux Enterprise 15 ships an audit rule to disable syscall auditing for performance reasons. To make sure that syscall auditing works, this line must be removed from /etc/audit/rules.d/audit.rules and /etc/audit/audit.rules:

-a task,never

Rationale

Audit rules for syscalls do not take effect unless this line is removed.

ID
xccdf_org.ssgproject.content_rule_audit_rules_enable_syscall_auditing
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

if [ -f "/usr/lib/systemd/system/auditd.service" ] ; then
    IS_AUGENRULES=$(grep -E "^(ExecStartPost=|Requires=augenrules\.service)" /usr/lib/systemd/system/auditd.service)


Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-85706-0
  - DISA-STIG-SLES-15-030820