CIS 5.2.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled does not account for extra characters on line
ssarkar9 opened this issue · 3 comments
Describe the Issue
GRUB_CMDLINE_LINUX="audit=1 audit_backlog_limit=8192 pti=on page_poison=1 vsyscall=none" is a sample line.
Expected Behavior
Audit for processes that start prior to auditd should pass.
Actual Behavior
This is actually showing up as failed.
Control(s) Affected
CIS 5.2.1.2
Environment (please complete the following information):
- branch being used: devel
- Ansible Version: ansible [core 2.15.5]
- Host Python Version: 3.9.16
- Ansible Server Python Version: 3.9.16
- Additional Details:
Additional Notes
Possible Solution
Use GRUB_CMDLINE_LINUX instead of GRUB_CMDLINE_LINUX_DEFAULT
@ssarkar9: My checks are looking good as per the CIS standard after hardening the instance using this repo. Can you please elaborate on what you mean when you say your checks are failing? What settings are you referring to:
grubby --info=ALL | grep -Po '\baudit=1\b'
audit=1
grubby --info=ALL | grep -Po "\baudit_backlog_limit=\d+\b"
audit_backlog_limit=8192
systemctl is-enabled auditd
enabled
I assume AL2023 uses GRUB_CMDLINE_LINUX_DEFAULT and not GRUB_CMDLINE_LINUX. So I am not sure what we should modify in this repo.
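The issue text and the reply above turn on two points: a check for this control has to tolerate extra parameters after audit_backlog_limit on the GRUB_CMDLINE_LINUX line, and a distribution may carry the audit settings in GRUB_CMDLINE_LINUX_DEFAULT instead, while the grubby-based audit commands evaluate every installed kernel entry. The following Python is an added example of such a tolerant check; it is not code from the issue thread or from the ansible-lockdown project. The /etc/default/grub contents and the grubby --info=ALL output embedded in it are constructed samples, and the kernel paths and UUID in them are placeholders.

```python
import re

# Constructed sample /etc/default/grub (not from a real host). Note the extra
# parameters after audit_backlog_limit: the check must tolerate them.
SAMPLE_DEFAULT_GRUB = """\
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="audit=1 audit_backlog_limit=8192 pti=on page_poison=1 vsyscall=none"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
"""

# Constructed sample of `grubby --info=ALL` with two kernels (placeholder paths/UUID).
# The second entry lacks audit_backlog_limit and should be reported.
SAMPLE_GRUBBY_INFO = """\
index=0
kernel="/boot/vmlinuz-6.1.0-example"
args="ro audit=1 audit_backlog_limit=8192 pti=on page_poison=1 vsyscall=none"
root="UUID=00000000-0000-0000-0000-000000000000"
index=1
kernel="/boot/vmlinuz-6.0.0-example"
args="ro quiet audit=1"
root="UUID=00000000-0000-0000-0000-000000000000"
"""

MIN_BACKLOG = 8192  # value the issue's sample line uses for audit_backlog_limit


def strip_quotes(value):
    """Remove one layer of matching surrounding quotes from a shell-style value."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_kernel_params(cmdline):
    """Split a kernel command line into a dict; bare flags map to '' and a
    repeated key keeps its last value, as the kernel does for most parameters."""
    params = {}
    for token in cmdline.split():
        key, _, val = token.partition("=")
        params[key] = val
    return params


def default_grub_params(text):
    """Merge every GRUB_CMDLINE_LINUX* assignment in /etc/default/grub into one dict.
    Both variables end up on the command line of normal boot entries, so either
    may legitimately carry the audit settings."""
    merged = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(GRUB_CMDLINE_LINUX(?:_DEFAULT)?)=(.*)$', line)
        if m:
            merged.update(parse_kernel_params(strip_quotes(m.group(2))))
    return merged


def grubby_entry_params(text):
    """Return one param dict per args="..." line of grubby --info=ALL output."""
    entries = []
    for line in text.splitlines():
        m = re.match(r'^\s*args=(.*)$', line)
        if m:
            entries.append(parse_kernel_params(strip_quotes(m.group(1))))
    return entries


def audit_findings(params):
    """List the CIS 5.2.1.2 failures for one param dict (empty list means pass).
    Token-wise matching means surrounding parameters never affect the result."""
    findings = []
    if params.get("audit") != "1":
        findings.append("audit=1 not set")
    limit = params.get("audit_backlog_limit", "")
    if not limit.isdigit() or int(limit) < MIN_BACKLOG:
        findings.append(f"audit_backlog_limit>={MIN_BACKLOG} not set (got {limit or 'nothing'})")
    return findings


def check_grubby(text):
    """Evaluate every boot entry; return {entry_index: findings} for failing entries only."""
    failures = {}
    for idx, entry in enumerate(grubby_entry_params(text)):
        findings = audit_findings(entry)
        if findings:
            failures[idx] = findings
    return failures


if __name__ == "__main__":
    print("/etc/default/grub:", audit_findings(default_grub_params(SAMPLE_DEFAULT_GRUB)) or "PASS")
    for idx, findings in check_grubby(SAMPLE_GRUBBY_INFO).items():
        print(f"grubby entry {idx}: FAIL {findings}")
```

Checking the merged /etc/default/grub variables answers whether a future grub2-mkconfig run will keep the setting, while checking each grubby entry answers what the installed kernels boot with today; a remediation that only rewrites one of the two variables can pass the first check and still fail the second on a kernel whose boot entry was never regenerated.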
hi @ssarkar9 and @ashfaqsharif
Just following up on this thread: could we have a little more clarity on what you are seeing, what you are expecting, and what is failing, so that we can follow this up?
Many thanks
uk-bolly
Please close. This is actually fine. I ran a STIG and then Ansible lockdown. I switched the order so that lockdown was run first and then STIG. STIG was causing the issue. This can be closed.