Bug 1502831

Summary: [RFE] Separating the OVAL into runtime and persistent checks
Product: Red Hat Enterprise Linux 7
Reporter: Chinmay Paradkar <cparadka>
Component: scap-security-guide
Assignee: Watson Yuuma Sato <wsato>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Docs Contact:
Priority: low
Version: 7.4
CC: cww, mhaicman, openscap-maint
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-03-26 18:25:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1477664

Description Chinmay Paradkar 2017-10-16 19:54:00 UTC
Description of problem:

The OVAL evaluates runtime and persistent configurations together. The
OVAL content currently does not evaluate for default values in the
sysctl config files -- it probably should.

Version-Release number of selected component (if applicable):
openscap-1.2.14-2.el7.x86_64

Additional info:

When doing an openscap validation of the rule titled "Enable Randomized Layout of Virtual Address Space" we are getting a fail, but it should be a pass result.

Using the C2S openscap profile for RedHat 7 Linux, we expect a PASS, but instead are getting a FAIL result code from the OpenScap scan.

Title:  Enable Randomized Layout of Virtual Address Space
ID: content_rule_sysctl_kernel_randomize_va_space
TYPE:  xccdf:Rule

Looking at the actual system:

[root host ~]# sysctl -a | grep -i -e randomize
kernel.randomize_va_space = 2
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.ens192.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
[root host ~]#

There is no entry in sysctl.conf that would override:
[root host ~]# grep -i -e randomize /etc/sysctl.conf
[root host ~]#

We would therefore expect a PASS.

Comment 3 Jan Černý 2017-10-17 07:47:16 UTC
The rule "Enable Randomized Layout of Virtual Address Space" checks both runtime state and configuration. The rule requires both checks to pass.

The runtime check reads the 'kernel.randomize_va_space' parameter from sysctl and requires it to have a value of 2.

The configuration check requires that kernel.randomize_va_space is set to 2 in at least one of the configuration files in these paths: /etc/sysctl.conf, /etc/sysctl.d/*.conf, /run/sysctl.d/*.conf, /usr/lib/sysctl.d/*.conf

One problem that I see is that value 2 is the default, so people don't have to specify this parameter in their config files. I think we shouldn't check if it is set to 2 in a configuration file, but we should check if somebody hasn't explicitly changed the value to 0 or 1. See https://access.redhat.com/solutions/44460.

As you correctly pointed out, in this rule we mix runtime check with configuration checks. The problem that I see is that some other rules check only persistent configuration. I find this very confusing. We should define what the rules are supposed to check and be consistent across all rules in benchmarks.

Comment 4 Watson Yuuma Sato 2018-03-26 18:25:27 UTC
The reported problem is a duplicate of referenced bugzilla.

*** This bug has been marked as a duplicate of bug 1494606 ***