RE: Suppress messages from /var/log/audit.log via audit.rules

Thought you might like to know that I contacted DISA on this error and got a response: Michael, Thank you for bringing this issue to our attention it will be corrected in the final version of the STIG: Action Description: GEN000460 :: INCORRECT AUDIT.RULES FINDING IN SRR SCRIPT FOR LINUX. ISSUE FOUND IN DRAFT RHEL 5 AS WELL, SEE ATTACHED EMAIL AR Number: CSD-AR003085626 Assigned Group: CH-STIG-UNIX Assigned Priority: 4 Assigned Technician: ADAMS, GARY First Name: MICHAEL Last Name: WORSHAM Last Update User: ADAMSG Organization: ND REGIONAL SUPPLY OFFICE COM/PRIVATE INDUSTRY Element Id: FS-STIG : STIG Service 1: COMPUTING Service 2: FSO Service 3: UNIX Status or Resolution Summary: 11/7 - DEFER TO CORRECT IN RHEL5 STIG. Status: DEFERRED Zulu Date Time Out: 11/3/2011 18:05:53 Zulu Last Update Time: 11/7/2011 17:44:43 Gary Adams CISSP, Security+ DISA FSO HP Enterprise Services COMM: 703-742-2929 -- Michael -----Original Message----- From: Steve Grubb [mailto:sgrubb@redhat.com] Sent: Thursday, November 03, 2011 1:33 PM To: Worsham, Michael Cc: linux-audit(a)redhat.com Subject: Re: Suppress messages from /var/log/audit.log via audit.rules On Thursday, November 03, 2011 01:06:52 PM Worsham, Michael wrote: Yes, its in draft which means there are no STIGs for RHEL5 or 6. However, I have met with them and there is an agreement that the stig file is correct until new requirements are levied. Which is slightly better, but still wrong. It would, which is a good reason its still a draft. This also doesn't cover the openat syscall which glibc uses. The NSA publishes a SNAC guide for RHEL5. You can find the latest at this location: http://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf If you look in section 2.6.2.4.8, you will see the correct audit rule listed as CCE 14917-9. This is what the RHEL5 STIG should map to in its XCCDF. -Steve CONFIDENTIALITY NOTICE: This email and any attachments are intended solely for the use of the named recipient(s). This email may contain confidential and/or proprietary information of Scientific Research Corporation. If you are not a named recipient, you are prohibited from reviewing, copying, using, disclosing or distributing to others the information in this email and attachments. If you believe you have received this email in error, please notify the sender immediately and permanently delete the email, any attachments, and all copies thereof from any drives or storage media and destroy any printouts of the email or attachments. EXPORT COMPLIANCE NOTICE: This email and any attachments may contain technical data subject to U.S export restrictions under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Export or transfer of this technical data and/or related information to any foreign person(s) or entity(ies), either within the U.S. or outside of the U.S., may require advance export authorization by the appropriate U.S. Government agency prior to export or transfer. In addition, technical data may not be exported or transferred to certain countries or specified designated nationals identified by U.S. embargo controls without prior export authorization. By accepting this email and any attachments, all recipients confirm that they understand and will comply with all applicable ITAR, EAR and embargo compliance requirements.