[Open-scap] Problem with auditd space_left_action fail result

Gerrit Binnenmars gerritbinnenmars at gmail.com
Wed Apr 26 07:20:48 UTC 2017


Hello,

I use U_RedHat_6_V1R13_STIG_SCAP_1-1_Benchmark-xccdf.xml and the auditd
space_left_action only passes when the action is EMAIL. But the comments
suggest that also SYSLOG shall be accepted.

The verbose DEVEL option shows:
I: oscap: Received packet
[oscap(21530):oscap(7f2ee5f347c0):seap-packet.c:903:SEAP_packet_recv]
D: oscap: ("seap.msg" ":id" 0 ":reply-id" 0 (2 () ((("textfilecontent_item"
":id" "1215571" ) ("filepath" "/etc/audit/auditd.conf" ) ("path"
"/etc/audit" ) ("filename" "auditd.conf" ) ("pattern" "^[
]*space_left_action[ ]+=[ ]+(\S+)[ ]*$" ) ("instance" 1 ) ("line" "^[
]*space_left_action[ ]+=[ ]+(\S+)[ ]*$" ) ("text" "space_left_action =
SYSLOG " ) ("subexpression" "SYSLOG" ) ) ) () ) )
[oscap(21530):oscap(7f2ee5f347c0):seap-packet.c:904:SEAP_packet_recv]
I: oscap: packet size: 1934
[oscap(21530):oscap(7f2ee5f347c0):seap-packet.c:905:SEAP_packet_recv]
I: oscap: Message received.
[oscap(21530):oscap(7f2ee5f347c0):oval_probe_ext.c:586:oval_probe_comm]
D: oscap: name=(null), value=0x7f2ee867f790
[oscap(21530):oscap(7f2ee5f347c0):seap-message.c:76:SEAP_msg_free]
D: oscap: Syschar entry type: 7007 'textfilecontent' => decoded OK
[oscap(21530):oscap(7f2ee5f347c0):oval_sexp.c:952:oval_sexp_to_sysitem]
I: oscap: State 'oval:mil.disa.fso.redhat.rhel6:ste:1818' references
external_variable 'oval:mil.disa.fso.redhat.rhel6:var:2135'.
[oscap(21530):oscap(7f2ee5f347c0):oval_probe.c:398:oval_probe_query_criteria]
I: oscap:       oval:mil.disa.fso.redhat.rhel6:tst:866 => false
[oscap(21530):oscap(7f2ee5f347c0):oval_resultTest.c:994:oval_result_test_eval]


but in the XML there is:
<Value id="var_auditd_space_left_action" type="string" operator="equals">
  <title>Action for auditd to take when disk space just starts to run low</title>
  <description>The setting for space_left_action in /etc/audit/auditd.conf</description>
  <value>email</value>
  <value selector="email">email</value>
  <value selector="syslog">syslog</value>
</Value>

Is this a bug or is the syslog selected not valid?

With kind regards,

Gerrit Binnenmars
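
How an XCCDF Value with several <value> entries resolves, as an added example that is not part of the original message and is not OpenSCAP code: the entry without a selector is the default, and another entry applies only when a profile picks it with a refine-value selector. The function names are hypothetical, and the case handling of the comparison is an assumption because the message does not show the OVAL state's operation.

```python
import re
import xml.etree.ElementTree as ET

# <Value> element from the message (title and description left out here).
VALUE_XML = """
<Value id="var_auditd_space_left_action" type="string" operator="equals">
  <value>email</value>
  <value selector="email">email</value>
  <value selector="syslog">syslog</value>
</Value>
"""

# Pattern and matched text from the probe output, with the mail line wraps joined.
PATTERN = r"^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$"
CONF_LINE = "space_left_action = SYSLOG "


def resolve_value(value_xml, selector=None):
    """Return the <value> a scan would use: no selector means the default entry."""
    root = ET.fromstring(value_xml.strip())
    for entry in root.findall("value"):
        if entry.get("selector") == selector:
            return entry.text
    raise KeyError(f"no <value> with selector {selector!r}")


def configured_action(line):
    """Extract the subexpression the textfilecontent pattern captures."""
    match = re.match(PATTERN, line)
    return match.group(1) if match else None


def check(selector=None, ignore_case=True):
    """Compare the configured action with the resolved value.

    ignore_case is an assumption: the message does not show which
    comparison operation the OVAL state applies.
    """
    expected = resolve_value(VALUE_XML, selector)
    actual = configured_action(CONF_LINE)
    if ignore_case:
        return actual.lower() == expected.lower()
    return actual == expected


if __name__ == "__main__":
    print("default value      :", resolve_value(VALUE_XML), "->", check())
    print("selector 'syslog'  :", resolve_value(VALUE_XML, "syslog"), "->", check("syslog"))
    print("same, case-sensitive ->", check("syslog", ignore_case=False))
```
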