Bug 1465686

Summary: multiple ssg rules missing / failing remediations
Product: Red Hat Enterprise Linux 7 Reporter: Marek Haicman <mhaicman>
Component: scap-security-guideAssignee: Vojtech Polasek <vpolasek>
Status: CLOSED CURRENTRELEASE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.4CC: dchaudha, mhaicman, openscap-maint, wsato
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-01 10:55:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marek Haicman 2017-06-27 23:53:22 UTC 
Description of problem:
Multiple rules shipped in SSG have either missing remediations, or remediations that fails when applied on freshly installed system. These rules are (to help with development, it's grouped by example of profile where these are enabled):

(STIG profile)
xccdf_org.ssgproject.content_rule_ntp_set_maxpoll (missing)
xccdf_org.ssgproject.content_rule_sssd_enable_pam_services (missing)
xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost (failing)
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root (failing)
xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode (failing)

(PCI-DSS profile)
xccdf_org.ssgproject.content_rule_ensure_logrotate_activated (missing)

(OSPP profile)
xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions (missing)
xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding (missing)
xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route (missing)
xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc (missing)
xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable (missing)
xccdf_org.ssgproject.content_rule_aide_scan_notification (failing)

(C2S profile)
xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info (missing)
xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec (missing)
xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions (missing)


Version-Release number of selected component (if applicable):
scap-security-guide-0.1.33-5.el7.noarch

How reproducible:
reliably

Steps to Reproduce:
1. install fresh RHEL7.4 machine
2. perform profile based remediations for aforementioned profiles



Actual results:
2. rules listed  in description are still failing after remediation

Expected results:
2. rules listed in description are passing after remediation

Additional info:
Comment 1 Martin Preisler 2017-08-01 18:04:52 UTC 
Upstream patch related to this: https://github.com/OpenSCAP/scap-security-guide/pull/2171
Please note that this patch is not fixing everything in this BZ.
Comment 2 Watson Yuuma Sato 2017-11-16 14:04:46 UTC 
Some more fixes:

For Rule xccdf_org.ssgproject.content_rule_ntp_set_maxpoll, which I believe actually is xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll:
https://github.com/OpenSCAP/scap-security-guide/pull/2429
https://github.com/OpenSCAP/scap-security-guide/pull/2432

For Rule xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost (failing):
https://github.com/OpenSCAP/scap-security-guide/pull/2176
Comment 3 Watson Yuuma Sato 2018-07-18 13:12:53 UTC 
These rules were fixed in https://bugzilla.redhat.com/show_bug.cgi?id=1570802

(STIG profile)
xccdf_org.ssgproject.content_rule_sssd_enable_pam_services (missing)

(PCI-DSS profile)
xccdf_org.ssgproject.content_rule_ensure_logrotate_activated (missing)

(OSPP profile)
xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions (missing)
xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc (missing)
xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable (missing)

xccdf_org.ssgproject.content_rule_aide_scan_notification (failing) was fixed in https://bugzilla.redhat.com/show_bug.cgi?id=1540505


Rules for which I did not patches, so I assume they still are failing or missing fixes:

(C2S profile)
xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info (missing)
xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec (missing)
xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions (missing)

xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root (failing)
xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode (failing)

xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding (missing)
xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route (missing)
Comment 4 Watson Yuuma Sato 2018-11-26 16:01:48 UTC 
In RHEL7.6,

the following rules is still failing:
xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info (fail)

This rule returns error:
xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec (error)
"The mount point '/dev/shm' is not even in /etc/fstab, so we can't set up mount options
Not remediating, because there is no record of /dev/shm in /etc/fstab"

The following rules are passing:
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode

xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route

This rule was removed:
xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions 

And this rules started to fail/error:

C2S profile
xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries (fail)
xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6 (error)
xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading (error)
xccdf_org.ssgproject.content_rule_audit_rules_login_events (error)

OSPP profile
xccdf_org.ssgproject.content_rule_package_dracut-fips_installed (fail)
xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key (error)
xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key (error)
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands (error)
Comment 6 Watson Yuuma Sato 2019-05-07 11:59:21 UTC 
Changes to RHEL 7.7

This rule reports error, but then passes, in subsequent scan:
xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6 (error)

Following rule are passing now:
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands (fixed in C2S profile) 
xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading (fixed)
xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key (fixed)
xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key (fixed)


xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands (fails in OSPP profile, due to installation of screen package)
(audit_rules_privileged_commands is remedied, screen is installed, and becuase screen is a privileged command, final result of rule audit_rules_privileged_commands is fail)

Other rules not mentioned here are still failing.