DISA STIG different than content for rule checks --eg privileged perm_mod #13076

Open
bmagistro opened this issue Feb 18, 2025 · 0 comments

Comments

@bmagistro

Description of problem:

When running the DISA STIG for audit rules, the STIG looks for -k perm_mod while the content here looks for -F key=privileged, resulting in a number of rule failures. Screenshot and references below are for chacl, but this affects more than just this check. For other checks the STIG expects -k privileged-unix-update while the content here expects -F key=privileged. There may be additional rules affected, but these are what popped when doing a scan after extracting the audit rules from the STIG content. Not being an expert in audit rules, I'd venture a guess they both result in similar if not identical behavior, but this shows as a very large failure when scanning systems for us. Need to defer to others on whether an update should be pushed towards the vendor to allow the simpler syntax currently in the checks.

Several of these rules are also affected by #13075

This content is not aligned with content from https://www.stigviewer.com/stig/red_hat_enterprise_linux_9/.

The misalignment affects these profiles:

  • content_profile_stig

The misalignment affects these rules; the STIG's expected value is in parentheses:

  • audit_rules_execution_chacl (-k perm_mod)
  • audit_rules_execution_setfacl (-k perm_mod)
  • audit_rules_execution_chcon (-k perm_mod)
  • audit_rules_execution_semanage (-k privileged-unix-update)
  • audit_rules_execution_setfiles (-k privileged-unix-update)
  • audit_rules_execution_setsebool (-k privileged-unix-update)
  • audit_rules_privileged_commands_init (-k privileged-init)
  • audit_rules_privileged_commands_poweroff (-k privileged-poweroff)
  • audit_rules_privileged_commands_reboot (-k privileged-reboot)
  • audit_rules_privileged_commands_shutdown (-k privileged-shutdown)
  • audit_rules_privileged_commands_chage (-k privileged-chage)
  • audit_rules_privileged_commands_chsh (-k priv_cmd)
  • audit_rules_privileged_commands_crontab (-k privileged-crontab)
  • audit_rules_privileged_commands_gpasswd (-k privileged-gpasswd)
  • audit_rules_privileged_commands_mount (-k privileged-mount)
  • audit_rules_privileged_commands_newgrp (-k priv_cmd)
  • audit_rules_privileged_commands_pam_timestamp_check (-k privileged-pam_timestamp_check)
  • audit_rules_privileged_commands_passwd (-k privileged-passwd)
  • audit_rules_privileged_commands_postdrop (-k privileged-unix-update)
  • audit_rules_privileged_commands_postqueue (-k privileged-unix-update)
  • audit_rules_privileged_commands_ssh_agent (-k privileged-ssh)
  • audit_rules_privileged_commands_ssh_keysign (-k privileged-ssh)
  • audit_rules_privileged_commands_su (-k privileged-priv_change)
  • audit_rules_privileged_commands_sudo (-k priv_cmd)
  • audit_rules_privileged_commands_sudoedit (-k priv_cmd)
  • audit_rules_privileged_commands_umount (-k privileged-mount)
  • audit_rules_privileged_commands_unix_chkpwd (-k privileged-unix-update)
  • audit_rules_privileged_commands_unix_update (-k privileged-unix-update)
  • audit_rules_privileged_commands_userhelper (-k privileged-unix-update)
  • audit_rules_privileged_commands_usermod (-k privileged-usermod)

Outcome:

  • [x] This project's content can be improved:
    • [x] Check needs to be improved.
    • [ ] Remediation needs to be improved.
  • [ ] The external content's check is faulty - the other party needs to be notified, they have work to do.

Version Info:

cat /etc/redhat-release 
AlmaLinux release 9.4 (Seafoam Ocelot)


oscap --version
OpenSCAP command line tool (oscap) 1.3.10
Copyright 2009--2023 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
SCAP Version: 1.3
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
CVRF Version: 1.1

==== Capabilities added by auto-loaded plugins ====
No plugins have been auto-loaded...

==== Paths ====
Schema files: /usr/share/openscap/schemas
Default CPE files: /usr/share/openscap/cpe

==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux:-
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Red Hat Enterprise Linux 8 - cpe:/o:redhat:enterprise_linux:8
Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
Community Enterprise Operating System 8 - cpe:/o:centos:centos:8
AlmaLinux 8 - cpe:/o:almalinux:almalinux:8
AlmaLinux 9 - cpe:/o:almalinux:almalinux:9
Fedora 32 - cpe:/o:fedoraproject:fedora:32
Fedora 33 - cpe:/o:fedoraproject:fedora:33
Fedora 34 - cpe:/o:fedoraproject:fedora:34
Fedora 35 - cpe:/o:fedoraproject:fedora:35

==== Supported OVAL objects and associated OpenSCAP probes ====
OVAL family   OVAL object                  OpenSCAP probe              
----------    ----------                   ----------                  
independent   environmentvariable          probe_environmentvariable
independent   environmentvariable58        probe_environmentvariable58
independent   family                       probe_family
independent   filehash58                   probe_filehash58 (SHA-224, SHA-256, SHA-384, SHA-512)
independent   system_info                  probe_system_info
independent   textfilecontent              probe_textfilecontent
independent   textfilecontent54            probe_textfilecontent54
independent   variable                     probe_variable
independent   xmlfilecontent               probe_xmlfilecontent
independent   yamlfilecontent              probe_yamlfilecontent
linux         iflisteners                  probe_iflisteners
linux         inetlisteningservers         probe_inetlisteningservers
linux         partition                    probe_partition
linux         rpminfo                      probe_rpminfo
linux         rpmverify                    probe_rpmverify
linux         rpmverifyfile                probe_rpmverifyfile
linux         rpmverifypackage             probe_rpmverifypackage
linux         selinuxboolean               probe_selinuxboolean
linux         selinuxsecuritycontext       probe_selinuxsecuritycontext
linux         systemdunitdependency        probe_systemdunitdependency
linux         systemdunitproperty          probe_systemdunitproperty
linux         fwupdsecattr                 probe_fwupdsecattr
unix          dnscache                     probe_dnscache
unix          file                         probe_file
unix          fileextendedattribute        probe_fileextendedattribute
unix          interface                    probe_interface
unix          password                     probe_password
unix          process                      probe_process
unix          process58                    probe_process58
unix          routingtable                 probe_routingtable
unix          runlevel                     probe_runlevel
unix          shadow                       probe_shadow
unix          symlink                      probe_symlink
unix          sysctl                       probe_sysctl
unix          uname                        probe_uname
unix          xinetd                       probe_xinetd


dnf info scap-security-guide
Last metadata expiration check: 3:38:56 ago on Tue Feb 18 09:36:24 2025.
Installed Packages
Name         : scap-security-guide
Version      : 0.1.74
Release      : 1.el9_4.alma.1
Architecture : noarch
Size         : 38 M
Source       : scap-security-guide-0.1.74-1.el9_4.alma.1.src.rpm

External Content's Version:

https://www.stigviewer.com/stig/red_hat_enterprise_linux_9/
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V2R3_STIG_SCAP_1-3_Benchmark.zip
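The failures described in the issue come from two different things that a scanner can conflate: the key syntax (auditctl(8) documents key as a -F field and -k as its shortcut, so "-k X" and "-F key=X" load the same rule) and the key value (perm_mod versus privileged, which really are different tags). The following added example, not code from ComplianceAsCode/content, the DISA benchmark or the reporter, parses auditctl-style rule lines, normalizes both key syntaxes into one set, and then classifies each expected (path, key) pair as pass, key_mismatch or missing, so the two causes are reported separately. SAMPLE_RULES is a constructed stand-in for /etc/audit/rules.d on a content-remediated host, STIG_EXPECTED is an illustrative subset of the pairs listed above, and the names parse_rule_line, check_key and compare are this example's own.

```python
"""Check a host's audit rules against expected keys, treating auditctl's
"-k KEY" and "-F key=KEY" as the same thing (auditctl documents key as an
-F field and -k as its shortcut).  Added example, not code from
ComplianceAsCode/content or from the DISA benchmark."""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample standing in for /etc/audit/rules.d/*.rules on a host that
# was remediated with the content profile.  Key names follow the issue text;
# the lines themselves are illustrative, not copied from either benchmark.
SAMPLE_RULES = """\
## privileged-command rules as the content writes them (key via -F key=)
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
## the same shape written with -k, one line carrying both keys
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -k privileged-passwd
-w /etc/sudoers -p wa -k actions
"""

# Illustrative subset of the (path, key) pairs the issue lists as the STIG's
# expectations; the usermod entry is deliberately absent from SAMPLE_RULES.
STIG_EXPECTED = {
    "/usr/bin/chacl": "perm_mod",
    "/usr/sbin/semanage": "privileged-unix-update",
    "/usr/bin/sudo": "priv_cmd",
    "/usr/bin/passwd": "privileged-passwd",
    "/usr/sbin/usermod": "privileged-usermod",
}

# auditctl control options; a line starting with one of these is not a rule.
CONTROL_OPTS = {"-D", "-e", "-f", "-b", "-r", "-c", "-i",
                "--backlog_wait_time", "--loginuid-immutable"}
_FILTER_RE = re.compile(r"^([A-Za-z0-9_]+)(>=|<=|!=|&=|=|>|<|&)(.*)$")


@dataclass
class AuditRule:
    kind: str                                   # "syscall" (-a/-A) or "watch" (-w)
    path: Optional[str] = None
    list_action: Optional[str] = None           # e.g. "always,exit"
    syscalls: set = field(default_factory=set)
    filters: list = field(default_factory=list)  # (name, op, value) for other -F / -p
    keys: set = field(default_factory=set)       # from -k or -F key=, indistinguishable


def parse_rule_line(line: str) -> Optional[AuditRule]:
    """Parse one auditctl-style line; None for blanks, comments and control lines."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] in CONTROL_OPTS:
        return None
    if len(tokens) % 2:
        raise ValueError(f"dangling option in {line!r}")
    rule = AuditRule(kind="syscall")
    for opt, arg in zip(tokens[0::2], tokens[1::2]):  # every rule option takes one argument
        if opt in ("-a", "-A"):
            rule.list_action = arg
        elif opt == "-w":
            rule.kind, rule.path = "watch", arg
        elif opt == "-p":
            rule.filters.append(("perm", "=", arg))
        elif opt == "-S":
            rule.syscalls.update(arg.split(","))
        elif opt == "-k":
            rule.keys.add(arg)
        elif opt == "-F":
            m = _FILTER_RE.match(arg)
            if m is None:
                raise ValueError(f"unparseable -F expression {arg!r}")
            name, op, value = m.groups()
            if name == "key" and op == "=":          # long form of -k
                rule.keys.add(value)
            elif name == "path" and op == "=":
                rule.path = value
            else:
                rule.filters.append((name, op, value))
        else:
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
    return rule


def parse_rules(text: str) -> list[AuditRule]:
    return [r for r in (parse_rule_line(ln) for ln in text.splitlines()) if r is not None]


def check_key(rules: list[AuditRule], path: str, expected_key: str) -> tuple[str, set]:
    """Classify the rules on `path` against `expected_key`.

    "pass"          some rule on the path carries the key (set with -k or -F key=)
    "key_mismatch"  rules exist for the path, but only under other keys
    "missing"       nothing references the path at all
    The second element is the set of keys actually found on that path."""
    on_path = [r for r in rules if r.path == path]
    if not on_path:
        return "missing", set()
    found = set().union(*(r.keys for r in on_path))
    return ("pass" if expected_key in found else "key_mismatch"), found


def compare(rules: list[AuditRule], expected: dict[str, str]) -> dict[str, tuple[str, set]]:
    return {path: check_key(rules, path, key) for path, key in expected.items()}


if __name__ == "__main__":
    for path, (status, keys) in compare(parse_rules(SAMPLE_RULES), STIG_EXPECTED).items():
        print(f"{status:12} {path:20} expected={STIG_EXPECTED[path]} found={sorted(keys)}")
```

Run against the constructed sample, chacl and semanage come back as key_mismatch with only privileged found, sudo and passwd pass (the latter because the line carries both keys), and usermod is missing. A key_mismatch line is the case the issue describes: the rule is loaded and produces the same audit events, only the tag in the record differs, so it is a benchmark-alignment question rather than a gap in auditing; a missing line is an actual coverage gap and should be treated as a real finding. To run it on a real host, feed the concatenated contents of /etc/audit/rules.d/*.rules to parse_rules instead of SAMPLE_RULES.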
