From 4c0470b91583d75c0a364612b9511aa04d67a2c0 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Fri, 11 Sep 2020 12:56:27 +0200

Subject: [PATCH 1/2] use xccdf variable in the rule.yml

---

 .../auditd_audispd_network_failure_action/rule.yml    | 11 ++++-------

 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml

index 9703bba724..01b16a4dd2 100644

--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml

+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml

@@ -14,6 +14,7 @@ description: |-

     <tt>halt</tt>. For certain systems, the need for availability

     outweighs the need to log all actions, and a different setting should be

     determined.

+    This profile configures the action to be {{{ sub_var_value("var_audispd_network_failure_action") }}}.

 rationale: |-

     Taking appropriate action when there is an error sending audit records to a

@@ -35,11 +36,7 @@ ocil_clause: 'the system is not configured to switch to single user mode for cor

 ocil: |-

     Inspect <tt>/etc/audisp/audisp-remote.conf</tt> and locate the following line to

-    determine if the system is configured to either send to syslog, switch to single user mode,

-    or halt when there is a network failure with audispd:

+    determine if the system is configured to perform a correct action according to the policy:

     
grep -i network_failure_action /etc/audisp/audisp-remote.conf

-    The output should return something similar to:

-    
network_failure_action = single

-    Acceptable values also include <tt>syslog</tt> and

-    <tt>halt</tt>.

-

+    The output should return:

+    
network_failure_action = {{{ sub_var_value("var_audispd_network_failure_action") }}}

From 2d7c59fe90d8dad86c6e6743f137a5d1ba580257 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Tue, 22 Sep 2020 08:45:57 +0200

Subject: [PATCH 2/2] change jinja macro used

---

 .../auditd_audispd_network_failure_action/rule.yml            | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml

index 01b16a4dd2..9e677d225c 100644

--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml

+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml

@@ -14,7 +14,7 @@ description: |-

     <tt>halt</tt>. For certain systems, the need for availability

     outweighs the need to log all actions, and a different setting should be

     determined.

-    This profile configures the action to be {{{ sub_var_value("var_audispd_network_failure_action") }}}.

+    This profile configures the action to be <tt>{{{ xccdf_value("var_audispd_network_failure_action") }}}</tt>.

 rationale: |-

     Taking appropriate action when there is an error sending audit records to a

@@ -39,4 +39,4 @@ ocil: |-

     determine if the system is configured to perform a correct action according to the policy:

     
grep -i network_failure_action /etc/audisp/audisp-remote.conf

     The output should return:

-    
network_failure_action = {{{ sub_var_value("var_audispd_network_failure_action") }}}

+    
network_failure_action = {{{ xccdf_value("var_audispd_network_failure_action") }}}