Skip to content

Update rules related to /var/log/audit #14286

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Mab879 merged 4 commits into from
Jan 13, 2026
Merged

Update rules related to /var/log/audit #14286

Mab879 merged 4 commits into from
Jan 13, 2026
+534 −504

Conversation

@jan-cerny
Copy link
Collaborator

@jan-cerny jan-cerny commented Jan 9, 2026

Fix rules fix_permissions_var_log_audit and directory_permissions_var_log_audit.

This rule description wasn't aligned with OVAL and remediations. There
were product specific conditions that aren't justified. In this commit
the code has been consolidated so that it works the same on all
platforms. Inconsistencies have been removed and clarified. Ansible
remediation has been simplified and aligned with the Bash remediation.
Finally, test scenarios have been reworked.

Resolves: https://issues.redhat.com/browse/RHEL-138549

@jan-cerny
Update rule directory_permissions_var_log_audit
eacac80 
This rule description wasn't aligned with OVAL and remediations. There
were product specific conditions that aren't justified. In this commit
the code has been consolidated so that it works the same on all
platforms. Inconsistencies have been removed and clarified. Special OVAL
for SLES 15 has been merged into the generic OVAL. Ansible remediation
has been simplified and aligned with the Bash remediation. Finally, all
test scenarios have been reworked.

Resolves: https://issues.redhat.com/browse/RHEL-138549
@jan-cerny jan-cerny added this to the 0.1.80 milestone Jan 9, 2026
@jan-cerny jan-cerny added the bugfix Fixes to reported bugs. label Jan 9, 2026
@openshift-ci
Copy link

openshift-ci bot commented Jan 9, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jan 9, 2026
@jan-cerny
Update rule file_permissions_var_log_audit
445b25f 
This rule description wasn't aligned with OVAL and remediations. There
were product specific conditions that aren't justified. In this commit
the code has been consolidated so that it works the same on all
platforms. Inconsistencies have been removed and clarified. Ansible
remediation has been simplified and aligned with the Bash remediation.
Finally, test scenarios have been reworked.

Resolves: https://issues.redhat.com/browse/RHEL-138549
@github-actions
Copy link

github-actions bot commented Jan 9, 2026
edited
Loading

ATEX Test Results

Test artifacts have been submitted to Testing Farm.

Results: View Test Results
Workflow Run: View Workflow Details

This comment was automatically generated by the ATEX workflow.

@jan-cerny
Copy link
Collaborator Author

jan-cerny commented Jan 12, 2026

I have confirmed that this PR fixes the linked issue https://issues.redhat.com/browse/RHEL-138549 therefore I will mark this as ready for review.

@jan-cerny jan-cerny marked this pull request as ready for review January 12, 2026 14:57
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jan 12, 2026
@Mab879 Mab879 self-assigned this Jan 12, 2026
Mab879
Mab879 requested changes Jan 12, 2026
View reviewed changes
Copy link
Member

@Mab879 Mab879 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh still lists all of the platforms?

linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
documentation_complete: true


title: 'System Audit Logs Must Have Mode 0640 or Less Permissive'
Copy link
Member

@Mab879 Mab879 Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is 640 or 600?

Copy link
Collaborator Author

@jan-cerny jan-cerny Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

0640 or less permissive

0600 if the log_group is root
0640 if the log_group isn't root

I updated the rule description, it was confusing

@jan-cerny
Fix rules file/directory_permissions_var_log_audit
311b7ff 
Minor changes based on the PR review
@jan-cerny
Copy link
Collaborator Author

jan-cerny commented Jan 13, 2026

I have updated the PR according to your feedback

@Mab879 Mab879 merged commit b27f618 into ComplianceAsCode:master Jan 13, 2026
140 of 142 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mab879 Mab879 Mab879 approved these changes

@matusmarhefka matusmarhefka Awaiting requested review from matusmarhefka matusmarhefka is a code owner

@vojtapolasek vojtapolasek Awaiting requested review from vojtapolasek vojtapolasek is a code owner

Assignees

@Mab879 Mab879

Labels

bugfix Fixes to reported bugs.

Projects

None yet

Milestone

0.1.80

Development

Successfully merging this pull request may close these issues.

2 participants

@jan-cerny @Mab879