Re: Suppress messages from /var/log/audit.log via audit.rules

About the rule that’s 'killing' us (which I totally agree it is), this is what the stig.rules project says about it (GEN002720): 78 ## (GEN002720-GEN002840: CAT II) (Previously G100-G106) The SA will 79 ## configure the auditing system to audit the following events for all 80 ## users and root: 81 ## 82 ## - Logon (unsuccessful and successful) and logout (successful) 83 ## 84 ## Handled by pam, sshd, login, and gdm But here is what the latest version of the Unix checklist says the vulnerability is, and how to check if its mitigated: Unix Checklist v5r1-30 20110729 3.2.1.119 PDI: GEN002720 – Audit Failed File and Program Access Attempts PDI Description: The audit system is not configured to audit failed attempts to access files and programs. Reference: UNIX STIG: 3.16 - Linux

For LAUS: # grep “@open-ops” /etc/audit/filter.conf For auditd: # grep “-a exit,always –S open –F success=0” /etc/audit.rules

The two don’t seem to jibe as to what the vulnerability is. I’m not sure how login, sshd, etc, can give information about failed attempts to access files.

As to altering the rule, while I’m sure the results would be much more useful and relevant (you can tell DISA’s thinking is out-of-date by the mitigation steps above), my only concern is that it would no longer be STIG compliant, or something that would always come up as a finding, that we would have to explain each time.