Inspec for RHEL7 STIG.
The official STIGs auditd rules are not in the correct syntax or outdated in a few ways. Below is the list of the issues found and how to correct them.
- Rules with the
keyfield missing the-Fparameter breaking the rule syntax- Fix: Prepend the invalid
keyrules with-F
- Fix: Prepend the invalid
- Rules where the field
subjis defined is an invalid field name, the correctsubjfield names aresubj_user,subj_role,subj_typ,subj_sen,subj_clr- Fix: Lines where
-F subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023is defined needed to be changed to-F subj_user=unconfined_u -F subj_role=unconfined_r -F subj_type=unconfined_t -F subj_sen=s0-s0 -F subj_clr=c0.c1023. Splitting it out to the correct syntax
- Fix: Lines where
- Rules with the field and value
-F auid!=4294967295can be set to the proper value of-F auid!=-1- Info: Setting the value to
4294967295was a workaround due to an issue in the kernel as described here. The setting can be safely set as-1now
- Info: Setting the value to
The official STIG recommends RhostsRSAAuthentication to be set to yes but this this appears to be erroneous as point out by @lihkin213. It's value should be set to no. The control has been updated to address this.
Assuming you have Vagrant installed you can use the following to get a machine capable of running the STIGs.
$ git clone https://github.com/inspec-stigs/inspec-stig-rhel7.git
$ cd inspec-stig-rhel7
$ vagrant up