Bug 1404381

Summary: remediation script for rule_rsyslog_files_permissions breaks rpm -V systemd
Product: Red Hat Enterprise Linux 7
Component: scap-security-guide
Version: 7.3
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Marek Haicman <mhaicman>
Assignee: Raphael Sanchez Prudencio <rasanche>
QA Contact: Matus Marhefka <mmarhefk>
CC: mhaicman, mmarhefk, mpreisle, openscap-maint, rsprudencio
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: scap-security-guide-0.1.32-1.el7
Doc Type: If docs needed, set a value
Last Closed: 2017-08-01 12:24:43 UTC
Type: Bug

Description Marek Haicman 2016-12-13 17:14:11 UTC
Description of problem:
Remediation rule for rule_rsyslog_files_permissions alters /etc/rc.local. On RHEL7, this file is there for legacy reasons, provided by systemd, and is not configured to be altered, so any update is manifested in rpm -V systemd failing. 

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.30-3.el7.noarch

How reproducible:
reliably

Steps to Reproduce:
1. run remediation script of rule_rsyslog_files_permissions rule
2. rpm -Va


Actual results:
Failure as /etc/rc.local is altered.

Expected results:
Success - only files which are allowed to be changed are changed.

Additional info:

Comment 2 Marek Haicman 2017-03-09 15:50:51 UTC
The description has a few typos and maybe is not clear enough, so here is a short [hopefully correct :)] description of the problem [the original in the "See Also" ticket is ok]:

Remediation of rule_rsyslog_files_permissions updates the file /etc/rc.d/rc.local and also changes file permissions. Because of this change, rule rpm_verify_permissions starts failing.

Comment 3 Raphael Sanchez Prudencio 2017-03-14 09:58:51 UTC
Proposed PR at https://github.com/OpenSCAP/scap-security-guide/pull/1756

Comment 5 Marek Haicman 2017-04-24 17:53:29 UTC
If I am not mistaken, the PR linked in this bug actually introduced a regression. /var/log/boot.log needs special handling in RHEL7, as it retains 644 after reboot, the same way it does on RHEL6. Only the workaround [using the rc.local file] is not available on RHEL7.

Moving back to assigned.

Comment 7 Raphael Sanchez Prudencio 2017-05-10 09:14:43 UTC
Looks like Plymouth was changed in 7.4 so it won't truncate/touch /var/log/boot.log anymore; maybe this helps us get rid of the workaround that was removed by accident.

Comment 8 Raphael Sanchez Prudencio 2017-05-15 13:28:56 UTC
Ray Strode fixed the issue in plymouth-0.8.9-0.28.20140113.el7.x86_64; it was enforcing mode 0644.

The remediation should be enough now and work properly.

Comment 10 Matus Marhefka 2017-06-20 13:57:57 UTC
VERIFIED manually for scap-security-guide-0.1.33-5.el7.noarch


OLD: scap-security-guide-0.1.30-3.el7.noarch
1. Evaluate rule_rpm_verify_permissions - PASS
2. Remediate failing rule_rsyslog_files_permissions - FIXED
3. Evaluate the rule_rpm_verify_permissions once again - FAILS


NEW: scap-security-guide-0.1.33-5.el7.noarch
1. Evaluate rule_rpm_verify_permissions - PASS
2. Remediate failing rule_rsyslog_files_permissions - FIXED
3. Evaluate the rule_rpm_verify_permissions once again - PASS
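
An added example, not part of the bug report or of scap-security-guide: a shell filter that reads `rpm -V` output and reports the kind of drift this bug is about, namely mode changes and content changes to files that are not marked `%config`. It assumes the 9-character flag field; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Reads `rpm -V` / `rpm -Va` output
# on stdin, e.g.:  rpm -V systemd | rpm_verify_findings
# Assumed line format: 9 flag characters (S M 5 D L U G T P, "." = test
# passed), an optional file-type marker (c = %config, d, g, l, r), the path.
rpm_verify_findings() {
    awk '
    /^missing/ {
        # "missing" lines carry no flag field, only an optional marker.
        sub(/^missing +([cdglr] +)?/, "")
        print "MISSING " $0
        next
    }
    length($0) > 9 {
        flags = substr($0, 1, 9)
        rest = substr($0, 10)
        sub(/^ +/, "", rest)
        marker = "-"
        if (rest ~ /^[cdglr] +\//) {
            marker = substr(rest, 1, 1)
            rest = substr(rest, 2)
            sub(/^ +/, "", rest)
        }
        # Flag 2 = M: mode (permissions or file type) differs from the RPM database.
        if (substr(flags, 2, 1) == "M") print "MODE " rest
        # Flag 3 = 5: digest differs. Expected for %config files, a finding otherwise.
        if (substr(flags, 3, 1) == "5" && marker != "c") print "CONTENT " rest
    }'
}

# Constructed sample input, shaped like the situation the report describes:
# an edited %config file, an altered non-config file, and a timestamp-only change.
SAMPLE_RPM_V='S.5....T.  c /etc/rsyslog.conf
SM5....T.    /etc/rc.d/rc.local
.......T.    /usr/lib/systemd/systemd
missing     /etc/example.conf'

printf '%s\n' "$SAMPLE_RPM_V" | rpm_verify_findings
```

Running the filter before and after applying a remediation and comparing the two outputs shows whether the remediation touched files outside the set it is allowed to change.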

Comment 11 errata-xmlrpc 2017-08-01 12:24:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2064