RHEL7: audit_rules_login_events_faillock #2607

Closed
dirtyharrycallahan opened this issue Feb 15, 2018 · 6 comments

@dirtyharrycallahan
Contributor

dirtyharrycallahan commented Feb 15, 2018

Description of problem:

Test doesn't match the text.

SCAP Security Guide Version:

tip

Operating System Version:

RHEL

Steps to Reproduce:

  1. add audit rule indicated in narrative -> -w /var/run/faillock/ -p wa -k logins
  2. run eval and control is marked failed b/c the narrative includes a trailing "/"
    ^-w\s+/var/run/faillock\s+-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$

Actual Results:

audit_rules_login_events_faillock : fail

Expected Results:

audit_rules_login_events_faillock : pass

Additional Information/Debugging Steps:
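
An added example, not part of the original issue or the project's own code: the check regex quoted in the steps above, run against the rule from the narrative, next to an assumed tolerant variant that allows the trailing slash. The `TOLERANT` pattern, the function names and the sample rule lines are assumptions made for illustration.

```python
import re

# Pattern quoted in the issue (what the check currently expects).
STRICT = re.compile(
    r"^-w\s+/var/run/faillock\s+-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$"
)
# Assumed tolerant variant: identical except for an optional trailing "/".
TOLERANT = re.compile(
    r"^-w\s+/var/run/faillock/?\s+-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$"
)


def evaluate(rules_text, pattern):
    """Return 'pass' if any non-comment rule line matches, else 'fail'."""
    for line in rules_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and pattern.match(line):
            return "pass"
    return "fail"


def near_misses(rules_text):
    """Rule lines that STRICT rejects only because of the trailing slash."""
    return [
        line.strip()
        for line in rules_text.splitlines()
        if TOLERANT.match(line.strip()) and not STRICT.match(line.strip())
    ]


# Constructed sample audit.rules content, not taken from a real system.
NARRATIVE_RULE = "# login events\n-w /var/run/faillock/ -p wa -k logins\n"
NO_SLASH_RULE = "-w /var/run/faillock -p wa -F key=logins\n"
WRONG_PERMS = "-w /var/run/faillock/ -p r -k logins\n"

if __name__ == "__main__":
    samples = [("narrative", NARRATIVE_RULE),
               ("no slash", NO_SLASH_RULE),
               ("wrong perms", WRONG_PERMS)]
    for name, text in samples:
        print(name, evaluate(text, STRICT), evaluate(text, TOLERANT),
              near_misses(text))
```

`near_misses` separates a rule that is functionally present but formatted differently from the check's expectation from a rule that is missing or has the wrong permissions, which is the distinction a scan result of `fail` alone does not show.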

@dominiquearpin

I got the same problem with RHEL 7.5Beta. Anyone with a patch?

@shawndwells
Member

shawndwells commented Feb 22, 2018

There is no audit_rules_login_events_faillock in shared/ or rhel7/checks/oval.

hallllpppp I'm going mental.

edit: here is what's in the dir tree:

$ grep -rin audit_rules_login_events_faillock
.git/logs/refs/heads/newospp:61:72b41aaa2948b4cfedd12a495cdce979b209fe99 5f183cee65722507cde29facdbaf3a846e34388e Shawn Wells <shawn@redhat.com> 1517591134 -0500	commit: adding ospp labels to audit_rules_login_events_faillock
.git/logs/HEAD:161:72b41aaa2948b4cfedd12a495cdce979b209fe99 5f183cee65722507cde29facdbaf3a846e34388e Shawn Wells <shawn@redhat.com> 1517591134 -0500	commit: adding ospp labels to audit_rules_login_events_faillock
shared/xccdf/system/auditing.xml:1900:<Rule id="audit_rules_login_events_faillock" severity="medium" prodtype="rhel7">
shared/xccdf/system/auditing.xml:1923:<oval id="audit_rules_login_events_faillock" />
shared/checks/oval/audit_rules_login_events.xml:13:      <extend_definition comment="audit faillock" definition_ref="audit_rules_login_events_faillock" />
rhel6/checks/oval/audit_rules_login_events.xml:12:      <criterion comment="faillock" test_ref="test_audit_rules_login_events_faillock" />
rhel6/checks/oval/audit_rules_login_events.xml:24:  <ind:textfilecontent54_test check="all" comment="faillock" id="test_audit_rules_login_events_faillock" version="1">
rhel6/checks/oval/audit_rules_login_events.xml:25:    <ind:object object_ref="object_audit_rules_login_events_faillock" />
rhel6/checks/oval/audit_rules_login_events.xml:27:  <ind:textfilecontent54_object id="object_audit_rules_login_events_faillock" version="1">
rhel7/overlays/stig_overlay.xml:553:  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030610" ruleid="audit_rules_login_events_faillock" severity="medium">
rhel7/profiles/ospp-rhel7.xml:201:<select idref="audit_rules_login_events_faillock" selected="true" />
rhel7/profiles/stig-rhel7-disa.xml:472:<select idref="audit_rules_login_events_faillock" selected="true" />

@redhatrises
Contributor

@shawndwells did you check shared/templates/csv/audit_rules_login_events.csv?

@shawndwells
Member

shawndwells commented Feb 22, 2018 via email

@redhatrises
Contributor

@shawndwells it is for all audit_rules_login_events including faillock.

@dirtyharrycallahan
Contributor Author

I work only with Red Hat 7 server and the DISA Red Hat 7 STIG profile, and while running my scans I noticed that there is a general inconsistency between the checks, the text, and the remedies (both bash and Ansible). Other examples are the GNOME settings in the dconf ini file. Some tests will accept spaces around the key=value and some will not. I will have to get my head around how all this content comes together and review the current STIG before I can submit some pull requests.

OnceUponALoop pushed a commit to OnceUponALoop/scap-security-guide that referenced this issue Feb 27, 2018
mpreisler added a commit that referenced this issue Feb 27, 2018
…ts_faillock

Fixes #2607 - audit_rules_login_events