Bug 1490792
| Summary: | OpenScap Rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' incorrectly fails the check if secure 'sandbox' option is used on a RHEL7 system. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jayant Bhatia <jbhatia> |
| Component: | scap-security-guide | Assignee: | Watson Yuuma Sato <wsato> |
| Status: | CLOSED ERRATA | QA Contact: | Marek Haicman <mhaicman> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | jbhatia, mhaicman, mpreisle, openscap-maint, oprazak |
| Target Milestone: | pre-dev-freeze | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | scap-security-guide-0.1.35-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-04-10 12:21:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Could you please check whether you get the same result when you run oscap scanner with the same profile directly? This seems more like an issue of scap security guide; if that's the case, please move the BZ to the SCAP project.

The same results are being observed while directly running the oscap scanner.

Thanks for reporting this issue! Upstream patch has been merged: https://github.com/OpenSCAP/scap-security-guide/pull/2162

Verified that fix is present in scap-security-guide-0.1.36-7.el7.noarch using SSG Test Suite.

OLD (scap-security-guide-0.1.33-6.el7.noarch):

```
[dahaic@machine]$ sudo ./test_suite.py rule --hypervisor 'qemu:///system' --domain ssg-test-suite --datastream ./ssg-0.1.33-6-ds.xml --benchmark xccdf_org.ssgproject.content_benchmark_RHEL-7 rule_sshd_use_priv_separation
[sudo] password for dahaic:
Setting console output to log level INFO
INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-01-22-2250/test_suite.log
libvirt: QEMU Driver error : Guest agent is not responding: QEMU guest agent is not connected
INFO - xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
INFO - Script line_not_there.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script nothing.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
ERROR - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 found issue:
ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation'.
INFO - Script comment.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script wrong_value_no.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
ERROR - Script wrong_value_yes.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 found issue:
ERROR - Scan has exited with return code 0, instead of expected 2 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation'.
INFO - All snapshots reverted successfully
```

NEW (scap-security-guide-0.1.36-7.el7.noarch):

```
[dahaic@machine]$ sudo ./test_suite.py rule --hypervisor 'qemu:///system' --domain ssg-test-suite --datastream ./ssg-0.1.36-7-ds.xml --benchmark xccdf_org.ssgproject.content_benchmark_RHEL-7 rule_sshd_use_priv_separation
[sudo] password for dahaic:
Setting console output to log level INFO
INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-01-22-2256/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
INFO - Script line_not_there.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script nothing.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script comment.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script wrong_value_no.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script wrong_value_yes.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - All snapshots reverted successfully
```

Pull Request with updated test coverage: https://github.com/OpenSCAP/scap-security-guide/pull/2565

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0761
Created attachment 1324772 [details]
Error Message

Description of problem:

As per below 'sshd_config' man page, 'sandbox' can be used as a secure option under 'UsePrivilegeSeparation' in '/etc/ssh/sshd_config' file:

UsePrivilegeSeparation

Specifies whether sshd(8) separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is “yes”. If UsePrivilegeSeparation is set to “sandbox” then the pre-authentication unprivileged process is subject to additional restrictions.

When the 'UsePrivilegeSeparation' is set as 'sandbox', the openscap rule incorrectly fails with below error message.

"
Enable Use of Privilege Separation

Description: When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH, add or correct the following line in the /etc/ssh/sshd_config file:

UsePrivilegeSeparation yes

Rationale: SSH daemon privilege separation causes the SSH process to drop root privileges when not needed which would decrease the impact of software vulnerabilities in the unprivileged section.

References: AC-6, 366, SRG-OS-000480-GPOS-00227, RHEL-07-040460, 3.1.12
"

How reproducible:

Steps to Reproduce:

1) Create an OpenScap compliance policy with 'SCAP content' as 'Red Hat rhel7 default content' and 'XCCDF Profile' as 'DISA STIG for Red Hat Enterprise Linux 7'.
2) Assign this policy to a RHEL-7 client host in which 'UsePrivilegeSeparation' is set as sandbox under '/etc/ssh/sshd_config' file.
3) Generate the OpenScap report for the RHEL-7 client.

Actual results:

The OpenScap rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' incorrectly fails this check.

Expected results:

The OpenScap rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' should not fail this check.
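
The false failure reported above can be reproduced with a small stand-alone check. This is an added example, not part of the bug report and not scap-security-guide's OVAL content or its upstream fix. The function names, the sample files and the accepted-value lists (`yes` versus `yes sandbox`) are assumptions of the example; which values a given profile accepts is a policy choice.

```shell
#!/bin/sh
# Added example: check UsePrivilegeSeparation in an sshd_config-style file
# against a caller-supplied list of accepted values (hypothetical helpers).

# Print the first UsePrivilegeSeparation value in the global section.
# sshd_config keywords are case-insensitive, arguments are case-sensitive,
# and the first value obtained for a keyword is the one sshd uses.
priv_sep_value() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # blank line or comment
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == "useprivilegeseparation" { print $2; exit }
    ' "$1"
}

# check_priv_sep FILE ACCEPTED... prints "pass" or "fail".
# A missing directive yields an empty value, which never matches: "fail".
check_priv_sep() {
    file=$1; shift
    value=$(priv_sep_value "$file")
    for ok in "$@"; do
        if [ "$value" = "$ok" ]; then echo pass; return 0; fi
    done
    echo fail
}

# Constructed sample configurations (not taken from the bug report).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'Port 22\nUsePrivilegeSeparation sandbox\n' > "$tmp/sandbox.conf"
printf 'useprivilegeseparation yes\n'              > "$tmp/yes.conf"
printf 'UsePrivilegeSeparation no\n'               > "$tmp/no.conf"
printf '#UsePrivilegeSeparation sandbox\n'         > "$tmp/comment.conf"
printf 'UsePrivilegeSeparation sandbox\nUsePrivilegeSeparation no\n' \
    > "$tmp/first_wins.conf"

# Compare a yes-only check with one that also accepts sandbox.
for f in sandbox yes no comment first_wins; do
    printf '%-12s yes-only=%s  yes+sandbox=%s\n' "$f" \
        "$(check_priv_sep "$tmp/$f.conf" yes)" \
        "$(check_priv_sep "$tmp/$f.conf" yes sandbox)"
done
```

The `sandbox` sample fails the yes-only check and passes once `sandbox` is in the accepted list, while the `no` and commented-out samples fail in both cases.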