Bug 1463829

Summary: rule_mount_option_var_tmp_bind discrepancy between OVAL and remediation
Product: Red Hat Enterprise Linux 7
Reporter: Marek Haicman <mhaicman>
Component: scap-security-guide
Assignee: Matěj Týč <matyc>
Status: CLOSED ERRATA
QA Contact: Marek Haicman <mhaicman>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.4
CC: mhaicman, openscap-maint
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: scap-security-guide-0.1.40-7.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-30 11:46:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Marek Haicman 2017-06-21 20:26:16 UTC
Description of problem:
Rule xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind is currently defined in such a way that it cannot be remedied. OVAL checks runtime, and remediation deals solely with /etc/fstab.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.33-5.el7.noarch

How reproducible:
reliably

Steps to Reproduce:
1. make two entries into /etc/fstab, separately for /tmp and /var/tmp
2. run remediation
3. check runtime and contents of /etc/fstab

Actual results:
fstab is updated to include binding mount of /tmp to /var/tmp. Runtime is still failing

Expected results:
Runtime is fixed together with fstab, by remounting

Additional info:

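The check-versus-remediation mismatch described in the report, as an added example that is not part of this bug report or of scap-security-guide's own templated remediation: a POSIX shell script that evaluates the rule in the two halves the report distinguishes (a persistent /etc/fstab entry versus the live mount table) and remediates both, so that the runtime check passes without a reboot. The FSTAB, MOUNTS and MOUNT_CMD overrides, the function names, the status labels and the exact fstab line written are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not SSG's own content): check and remediate the /tmp -> /var/tmp
# bind mount in both places a scanner and a remediation can disagree about.
# FSTAB/MOUNTS/MOUNT_CMD are hypothetical overrides so the logic can be exercised
# against constructed files and without root.

FSTAB="${FSTAB:-/etc/fstab}"
MOUNTS="${MOUNTS:-/proc/mounts}"
MOUNT_CMD="${MOUNT_CMD:-mount}"   # set to a logging function for a dry run

# 0 if fstab has an uncommented line: source /tmp, target /var/tmp, "bind" among
# its options (the persistent configuration the old remediation wrote).
fstab_bind_configured() {
    awk '$1 !~ /^#/ && $1 == "/tmp" && $2 == "/var/tmp" && $4 ~ /(^|,)bind(,|$)/ { found = 1 }
         END { exit !found }' "$FSTAB"
}

# 0 if the kernel mount table currently lists /var/tmp as a mount point
# (a runtime check of the kind the report says the OVAL performs).
runtime_bind_mounted() {
    awk '$2 == "/var/tmp" { found = 1 } END { exit !found }' "$MOUNTS"
}

# Classify the host the way the report does: only "pass" when configuration and
# runtime agree; otherwise name the half that is missing.
var_tmp_bind_status() {
    cfg=fail; rt=fail
    fstab_bind_configured && cfg=pass
    runtime_bind_mounted && rt=pass
    case "$cfg/$rt" in
        pass/pass) echo "pass" ;;
        pass/fail) echo "just_configured" ;;   # fstab edited, nothing mounted
        fail/pass) echo "just_mounted" ;;      # mounted by hand, lost on reboot
        *)         echo "fail" ;;
    esac
}

# Remediate both halves: persist the entry if absent AND perform the bind mount
# if it is not live, so a runtime re-scan passes immediately.
remediate_var_tmp_bind() {
    fstab_bind_configured || printf '/tmp\t/var/tmp\tnone\tbind\t0 0\n' >> "$FSTAB"
    runtime_bind_mounted || "$MOUNT_CMD" --bind /tmp /var/tmp
}

# Only act when invoked with an explicit verb, e.g.:  sudo ./var_tmp_bind.sh remediate
case "${1:-}" in
    status)    var_tmp_bind_status ;;
    remediate) remediate_var_tmp_bind && var_tmp_bind_status ;;
esac
```

Run with `status` first to see which half is missing; the "just_configured" outcome is exactly the state the report describes after the old remediation, and `remediate` clears it without a reboot.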
Comment 1 Watson Yuuma Sato 2018-07-31 16:15:07 UTC
I believe this is addressed by this PR: https://github.com/OpenSCAP/scap-security-guide/pull/2696

The mount_option rules were templated and now the generated remediations (ansible and bash) can mount the partition.

Comment 3 Marek Haicman 2018-09-20 16:28:09 UTC
Verified fix in version scap-security-guide-0.1.40-7.el7

[dahaic@dhcp-24-168 tests]$ sudo ./datastream_chaining.sh ./0.1.36-7b.rhel7.ds.xml ./0.1.40-7b.rhel7.ds.xml --libvirt qemu:///system rhel7.6 --xccdf-id scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml rule_mount_option_var_tmp_bind
Tested with SSG Test Suite, on the commit
commit 87695e43ad73b1b9d008b8b5dc0ff8cce586c3ce
With command line arguments: --libvirt qemu:///system rhel7.6 --xccdf-id scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml rule_mount_option_var_tmp_bind

DataStream used (md5) : 9f4e3926d2b2672f274b74043daf0650 ./0.1.36-7b.rhel7.ds.xml
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-09-20-1707/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind
INFO - Script configured_and_mounted.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - Script just_configured.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
ERROR - Scan has exited with return code 2, instead of expected 0 during stage remediation
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind'.
ERROR - Script just_mounted.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S found issue:
ERROR - Scan has exited with return code 0, instead of expected 2 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind'.
ERROR - Script separated_and_mounted.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S found issue:
ERROR - Scan has exited with return code 0, instead of expected 2 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind'.
ERROR - Script wrong_bind.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S found issue:
ERROR - Scan has exited with return code 0, instead of expected 2 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind'.

DataStream used (md5) : 1acf68b67971a44aaed789c0c9ba4af2 ./0.1.40-7b.rhel7.ds.xml
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-09-20-1708/test_suite.log
libvirt: QEMU Driver error : Guest agent is not responding: QEMU guest agent is not connected
INFO - xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind
INFO - Script configured_and_mounted.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - Script just_configured.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - Script just_mounted.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - Script separated_and_mounted.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - Script wrong_bind.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK


Note: the C2S profile does not select this rule, so the test has been performed on an updated DS where this rule has been selected.

[dahaic@dhcp-24-168 tests]$ diff 0.1.36-7{,b}.rhel7.ds.xml
52533a52534
>         <select idref="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind" selected="true"/>
[dahaic@dhcp-24-168 tests]$ diff 0.1.40-7{,b}.rhel7.ds.xml
59676a59677
>         <select idref="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind" selected="true"/>

Comment 5 errata-xmlrpc 2018-10-30 11:46:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3308