Inspec for RHEL7 STIG.
The official STIG's auditd rules use incorrect or outdated syntax in a few ways. Below is the list of the issues found and how to correct them.
- Rules with the `key` field missing the `-F` parameter, which breaks the rule syntax
  - Fix: Prepend the invalid `key` rules with `-F`
- Rules where the field `subj` is defined. `subj` is an invalid field name; the correct `subj` field names are `subj_user`, `subj_role`, `subj_type`, `subj_sen`, `subj_clr`
  - Fix: Lines where `-F subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023` is defined needed to be changed to `-F subj_user=unconfined_u -F subj_role=unconfined_r -F subj_type=unconfined_t -F subj_sen=s0-s0 -F subj_clr=c0.c1023`, splitting it out to the correct syntax
- Rules with the field and value `-F auid!=4294967295` can be set to the proper value of `-F auid!=-1`
  - Info: Setting the value to `4294967295` was a workaround due to an issue in the kernel as described here. The value can safely be set to `-1` now
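The three corrections above, applied mechanically to rule lines, as an added Ruby example that is not part of this repository. The helper name `fix_audit_rule` is hypothetical, and the sample rules (paths and key names included) are constructed for illustration.

```ruby
# Added example, not code from the inspec-stig-rhel7 repository.
UNSET_AUID = '4294967295' # unsigned 32-bit form of -1

# Order matches the colon-separated context user:role:type:sen:clr.
SUBJ_FIELDS = %w[subj_user subj_role subj_type subj_sen subj_clr].freeze

# Returns the corrected rule; comments and blank lines pass through unchanged.
# Whitespace between tokens is normalised to single spaces.
def fix_audit_rule(line)
  return line if line.strip.empty? || line.lstrip.start_with?('#')

  prev = nil
  fixed = line.split.flat_map do |tok|
    result =
      if tok.start_with?('key=') && prev != '-F'
        ['-F', tok] # a bare key=... field needs its -F flag
      elsif tok.start_with?('subj=')
        parts = tok.sub(/\Asubj=/, '').split(':')
        if parts.length == SUBJ_FIELDS.length
          # The preceding -F stays in place; add one -F per further field.
          [SUBJ_FIELDS.zip(parts).map { |f, v| "#{f}=#{v}" }.join(' -F ')]
        else
          [tok] # unexpected context shape: leave it for manual review
        end
      elsif tok == "auid!=#{UNSET_AUID}"
        ['auid!=-1'] # replace the old kernel workaround value
      else
        [tok]
      end
    prev = tok
    result
  end
  fixed.join(' ')
end

# Constructed sample rules, not copied from the STIG.
SAMPLE_RULES = [
  '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 key=perm_mod',
  '-a always,exit -F path=/usr/bin/example -F subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -F key=example'
].freeze

SAMPLE_RULES.each { |rule| puts fix_audit_rule(rule) } if __FILE__ == $PROGRAM_NAME
```

The function is idempotent, so it can be run over a rules file that is already partly corrected.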
The official STIG recommends RhostsRSAAuthentication to be set to `yes`, but this appears to be erroneous, as pointed out by @lihkin213. Its value should be set to `no`. The control has been updated to address this.
Assuming you have Vagrant installed you can use the following to get a machine capable of running the STIGs.
$ git clone https://github.com/inspec-stigs/inspec-stig-rhel7.git
$ cd inspec-stig-rhel7
$ vagrant up