Skip to content
ATO Pathways
  Log In

Configure audit according to OSPP requirements

An XCCDF Rule

Description

Configure audit to meet requirements for Operating System Protection Profile (OSPP) v4.2.1. Audit defines groups of rules in /usr/share/doc/audit/rules to satisfy specific policies. To fulfill requirements for compliance with OSPP v4.2.1, the following files are necessary:

  • /usr/share/doc/audit/rules/10-base-config.rules
  • /usr/share/doc/audit/rules/11-loginuid.rules
  • /usr/share/doc/audit/rules/30-ospp-v42.rules
  • /usr/share/doc/audit/rules/43-module-load.rules
Copy the files from /usr/share/doc/audit/rules to /etc/audit/rules.d: 
cp /usr/share/doc/audit*/rules/{10-base-config,11-loginuid,30-ospp-v42,43-module-load}.rules /etc/audit/rules.d/

warning alert: Performance Warning

It might happen that Audit buffer configured by this rule is not large enough for certain use cases. If that is the case, the buffer size can be overridden by placing 
-b larger_buffer_size
into a file within /etc/audit/rules.d directory, replacing larger_file_size with the desired value. The file name should start with a number higher than 10 and lower than 99.

Rationale

The audit rules defined in /usr/share/doc/audit/rules are the recommended way to meet compliance with OSPP v4.2.1.

ID
xccdf_org.ssgproject.content_rule_audit_rules_for_ospp
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

cp /usr/share/doc/audit*/rules/10-base-config.rules /etc/audit/rules.d
cp /usr/share/doc/audit*/rules/11-loginuid.rules /etc/audit/rules.d
cp /usr/share/doc/audit*/rules/30-ospp-v42.rules /etc/audit/rules.d