Checking the auditctl level in RHEL_7


I have been following STIG ID RHEL-07-030010 and attempting to see if the value of "-f" is set to "2" (i.e. the system is configured to panic (shut down) in the event of an auditing failure). When I run:

# sudo auditctl -l | grep /-f 

The head of the audit.rules file shows -f 2:

## This file is automatically generated from /etc/audit/rules.d
-D
-b 16384
-f 2
-a exit,never -F dir=/home -k exclude
-a exclude,always -F msgtype=CWD
-a exclude,always -F msgtype=PATH
-a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/libexec/gvfs-udisks2-volume-monitor -F subj_type=initrc_t -F exit=-2
-w /etc/rsyslog.conf
-w /etc/rsyslog.d/

Just trying to confirm that the command provided to check the STIG might be wrong?

Responses

Hi Laszlo,

That search string does not work for me either. You can use this instead.

auditctl -l | grep -e -f

The auditctl list doesn't return a good string to grep, but grepping the rules file directly yields -f. I think this is one of those times where the STIG check content doesn't really line up. I called auditctl directly to verify that panic mode was being instated.

auditctl -f 2
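The following is an added example, not code from the thread or from the STIG itself. It shows why the check command as written in the question matches nothing (grep treats "/-f" as a literal pattern), how the "-e -f" form from the reply fixes that, and how to read the live failure mode from "auditctl -s" instead of the rules file. The rules-file snippet and the "auditctl -s" status block below are constructed samples in the format the audit 2.x userspace on RHEL 7 prints; they are assumptions so the script runs offline. On a real host you would feed it /etc/audit/audit.rules and the live "auditctl -s" output.

```shell
#!/bin/sh
# Added example (not part of the original discussion): check the audit
# failure flag from the generated rules file and from "auditctl -s".
# The inputs below are constructed samples, not captured from any host.

# Constructed sample: head of an auto-generated /etc/audit/audit.rules.
SAMPLE_RULES='## This file is automatically generated from /etc/audit/rules.d
-D
-b 16384
-f 2
-w /etc/rsyslog.conf'

# Constructed sample: status block as "auditctl -s" prints it (audit 2.x).
SAMPLE_STATUS='enabled 1
failure 2
pid 1234
rate_limit 0
backlog_limit 16384
lost 0
backlog 0'

# The check as quoted in the question: "/-f" is a literal pattern, so it
# never matches "-f 2". Returns the number of matching lines (expect 0).
stig_command_as_written() {
    grep /-f | wc -l | tr -d ' '
}

# Working form: "-e" (or "--") tells grep that "-f" is the pattern, not an
# option. The anchor "^-f " also keeps "-F field=..." rules from matching.
# Returns the value of the last "-f" line read on stdin.
rules_failure_flag() {
    grep -e '^-f ' | awk '{print $2}' | tail -n 1
}

# Returns the "failure" value from "auditctl -s" text on stdin. This is the
# kernel's live setting, which is what the STIG actually cares about; the
# rules file only shows what augenrules will load at the next service start.
status_failure_flag() {
    awk '$1 == "failure" {print $2}'
}

# Map the numeric mode to its meaning: 0 silent, 1 printk, 2 panic.
failure_mode_name() {
    case "$1" in
        0) echo silent ;;
        1) echo printk ;;
        2) echo panic ;;
        *) echo unknown ;;
    esac
}

# Combined verdict for RHEL-07-030010: PASS only if the live mode is 2.
check_stig_030010() {
    live=$(printf '%s\n' "$1" | status_failure_flag)
    if [ "$live" = "2" ]; then
        echo PASS
    else
        echo FAIL
    fi
}

# Stand-alone demonstration on the constructed samples.
echo "matches for 'grep /-f': $(printf '%s\n' "$SAMPLE_RULES" | stig_command_as_written)"
echo "rules file -f:          $(printf '%s\n' "$SAMPLE_RULES" | rules_failure_flag)"
live=$(printf '%s\n' "$SAMPLE_STATUS" | status_failure_flag)
echo "live failure mode:      $live ($(failure_mode_name "$live"))"
echo "RHEL-07-030010:         $(check_stig_030010 "$SAMPLE_STATUS")"
```

Reading "auditctl -s" rather than the rules file is the stronger check: a "-f 2" line in audit.rules is only a promise, and a failed "augenrules --load" or a later "auditctl -f 1" leaves the kernel in a different mode than the file suggests.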