Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Record Attempts to Alter Logon and Logout Events" issues on Ubuntu 22.04 #11902

Closed
marcofortina opened this issue Apr 26, 2024 · 5 comments · Fixed by #11905
Closed

"Record Attempts to Alter Logon and Logout Events" issues on Ubuntu 22.04 #11902

marcofortina opened this issue Apr 26, 2024 · 5 comments · Fixed by #11905
Labels
Ubuntu Ubuntu product related. Update Profile Issues or pull requests related to Profiles updates.

Comments

@marcofortina
Copy link
Contributor

Description of problem:

2 rules using "CIS Ubuntu 22.04 Level 2 Server Benchmark" fails in the "Record Attempts to Alter Logon and Logout Events" section:

  • Record Attempts to Alter Logon and Logout Events - faillog (xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillog)
  • Record Attempts to Alter Logon and Logout Events - tallylog (xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog)

They look for /var/log/faillog and /var/log/tallylog files, but none of these were mentioned in the "CIS Ubuntu Linux 22.04 LTS Benchmark" guide (see 6.3.3.12 Ensure login and logout events are collected - Page 816):

Remediation:
Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension,
with the relevant rules to monitor login and logout events.
Example:
# printf "
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins
" >> /etc/audit/rules.d/50-login.rules
Merge and load the rules into active configuration:
# augenrules --load

SCAP Security Guide Version:

master branch

Operating System Version:

Ubuntu 22.04 LTS

Steps to Reproduce:

  1. Edit file /etc/audit/rules.d/50-login.rules to include:
    -w /var/log/lastlog -p wa -k logins
    -w /var/run/faillock -p wa -k logins
  2. Execute augenrules --load
  3. Execute:

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server --rule xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillog ssg-ubuntu2204-ds.xml

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server --rule xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog /root/scap-security-guide/build/ssg-ubuntu2204-ds.xml

Actual Results:

root@ubuntu:~# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server --rule xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillog /root/scap-security-guide/build/ssg-ubuntu2204-ds.xml
W: oscap: File ssg-ubuntu2204-cpe-oval.xml has already been registered in Source DataStream session: /root/scap-security-guide/build/ssg-ubuntu2204-ds.xml
Title   Record Attempts to Alter Logon and Logout Events - faillog
Rule    xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillog
Result  fail

root@ubuntu:~# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server --rule xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog /root/scap-security-guide/build/ssg-ubuntu2204-ds.xml
W: oscap: File ssg-ubuntu2204-cpe-oval.xml has already been registered in Source DataStream session: /root/scap-security-guide/build/ssg-ubuntu2204-ds.xml
Title   Record Attempts to Alter Logon and Logout Events - tallylog
Rule    xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog
Result  fail

Expected Results:

Result pass

On Ubuntu 22.04 pam_tally2 was replaced by pam_faillock and the CIS guide refer to pam_faillock.

Why "/var/log/faillog" is also checked but not mentioned in the CIS guide?

Who should be updated? The "CIS Ubuntu Linux 22.04
LTS Benchmark" guide or the "SCAP Security Guide" ?
@dodys
Copy link
Contributor

dodys commented Apr 26, 2024

we don't yet support CIS v2.0.0 as you can see here:
https://github.com/ComplianceAsCode/content/blob/master/products/ubuntu2204/profiles/cis_level2_server.profile

@dodys dodys added Ubuntu Ubuntu product related. Update Profile Issues or pull requests related to Profiles updates. labels Apr 26, 2024
@dodys
Copy link
Contributor

dodys commented Apr 26, 2024

I believe that as a short solution, you could just send a PR removing audit_rules_login_events_tallylog from both cis_level2_server and cis_level2_workstation profiles, as well removing from audit_rules_login_events_tallylog rules.yml any mentions of ubuntu 22.04. That seems to be some leftover from 20.04 when the profile was first created

@marcofortina
Copy link
Contributor Author

we don't yet support CIS v2.0.0 as you can see here: https://github.com/ComplianceAsCode/content/blob/master/products/ubuntu2204/profiles/cis_level2_server.profile

Same issue is present also using CIS v1.0.0

4.1.3.12 Ensure login and logout events are collected - Page 492

@marcofortina
Copy link
Contributor Author

I believe that as a short solution, you could just send a PR removing audit_rules_login_events_tallylog from both cis_level2_server and cis_level2_workstation profiles, as well removing from audit_rules_login_events_tallylog rules.yml any mentions of ubuntu 22.04. That seems to be some leftover from 20.04 when the profile was first created

Changes for tallylog is ready. I need only to commit and create a PR.

What about /var/log/faillog ?

@dodys
Copy link
Contributor

dodys commented Apr 26, 2024

I believe that as a short solution, you could just send a PR removing audit_rules_login_events_tallylog from both cis_level2_server and cis_level2_workstation profiles, as well removing from audit_rules_login_events_tallylog rules.yml any mentions of ubuntu 22.04. That seems to be some leftover from 20.04 when the profile was first created

Changes for tallylog is ready. I need only to commit and create a PR.

What about /var/log/faillog ?

You should replace audit_rules_login_events_faillog with audit_rules_login_events_faillock

Just a reminder to move the ids from one rule.yml to the other.

marcofortina added a commit to marcofortina/scap-security-guide that referenced this issue Apr 26, 2024
@marcofortina
Fix ComplianceAsCode#11902
5d7f6db
@marcofortina marcofortina mentioned this issue Apr 26, 2024
Merged
marcofortina added a commit to marcofortina/scap-security-guide that referenced this issue Apr 26, 2024
@marcofortina
Fix ComplianceAsCode#11902
e7bb5f4
marcofortina added a commit to marcofortina/scap-security-guide that referenced this issue Apr 26, 2024
@marcofortina
Fix ComplianceAsCode#11902
0398374
dodys added a commit that referenced this issue Apr 29, 2024
@dodys
Merge pull request #11905 from marcofortina/Fix_11902
aa712f6 
Fix #11902 issue
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Ubuntu Ubuntu product related. Update Profile Issues or pull requests related to Profiles updates.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix #11902 issue marcofortina/scap-security-guide
2 participants
@dodys @marcofortina