Bug 1576874

Summary: Satellite 6.3: Scap client scan for RHEL7 system installed with 'grub-efi' (System firmware UEFI) always shows results 'fails' for "/boot/grub2/grub.cfg"
Product: Red Hat Satellite
Reporter: vijsingh
Component: SCAP Plugin
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED DUPLICATE
Severity: high
Priority: high
Version: 6.3.0
CC: jcerny, koen.diels, mhaicman, mhulan, mpreisle, openscap-maint, oprazak, wsato
Target Milestone: Unspecified
Keywords: Reopened
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-06-22 12:26:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description vijsingh 2018-05-10 15:30:20 UTC
Description of problem:

Openscap client scan using "Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)" profile policy for RHEL7 system 'grub-efi'(installed with firmware UEFI) shows results fails for "/boot/grub2/grub.cfg" (Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg).

Version-Release number of selected component (if applicable):

Satellite 6.3.1
openscap-1.2.14-2.el7.x86_64

How reproducible:
Always

Steps to Reproduce:

1. Install a RHEL7 system using firmware UEFI with 'grub2-efi':
   - Configure system as puppet agent.
   - Apply classes 'foreman_scap_client','foreman_scap_client::params' to preconfigure system ready as scap client.

2. On Satellite create policy as below:

   Hosts => Policy => 'New Compliance Policy' => Give Name i.e. "Test UEFI"(or any other name) => Now select 'SCAP Content = Red Hat rhel7 default content' and 'XCCDF Profile = Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' => Set 'schedule/Location/Organizations' as per system.

3. Assign the 'Test UEFI' to RHEL7 system:

   Hosts => Check mark on host RHEL7 host => Select action => 'Assign Compliance Policy' to 'Test UEFI'

4. On client system:

     # puppet agent -t        <== to apply the changes 
     # /usr/bin/foreman_scap_client < policy_id >              <== to scan system manually 

5. Check system RHEL7 report at below path:

  Hosts => Policy => "Test UEFI" => Check "Verify /boot/grub2/grub.cfg Permissions" result

Actual results:

 Status always shows as fail because the scan checks that '/boot/grub2/grub.cfg should be set to 600'; however, a 'grub-efi' (UEFI) installed system does not contain a file at this path.

Expected results:

If the system is a 'grub-efi' (UEFI) installed system, the rule should either be skipped (notapplicable) or check the '/boot/efi/EFI/redhat/grub.cfg' file.

Additional info:

Rule ID 'xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg' checks the same.

Comment 1 Ondřej Pražák 2018-05-15 06:30:28 UTC
This seems to me like what was reported in #1569425, so I will close as a duplicate. Feel free to reopen if I misunderstood.

*** This bug has been marked as a duplicate of bug 1569425 ***

Comment 5 Koen Diels 2018-05-18 10:36:32 UTC
It's not a duplicate, please reopen.

Comment 6 vijsingh 2018-05-18 10:39:45 UTC
Thanks Koen, this bug has already been reopened and is in 'Status: NEW' now.

Thanks

Comment 8 Watson Yuuma Sato 2018-05-18 12:04:54 UTC
This is very likely a problem in content, so moving component to scap-security-guide.

Can you provide which version of scap-security-guide is being used?
Is remediation performed? If yes, what is the result?

Comment 9 Watson Yuuma Sato 2018-05-18 12:11:52 UTC
As of scap-security-guide-0.1.36-7, both non-EFI and EFI locations of grub.cfg are checked.

Check of EFI location is done by extended definition in check "file_permissions_grub2_cfg".

But remediation of EFI location is very likely not performed correctly, as fix for it is in "file_permissions_efi_grub2_cfg.sh", and rule ID is "file_permissions_grub2_cfg".


A workaround is for CU to fix permission manually:
$ chmod 700 /boot/efi/EFI/redhat/grub.cfg

Can you try applying workaround and scanning again?

Thanks.

Comment 10 Koen Diels 2018-05-18 12:40:47 UTC
(In reply to Watson Yuuma Sato from comment #8)
> This is very likely a problem in content, so moving component to
> scap-security-guide.
> 
> Can you provide which version of scap-security-guide is being used?
> Is remediation performed? If yes, what is the result?

scap-security-guide-0.1.36-7.el7.noarch
Remediation of what?

Comment 11 Koen Diels 2018-05-18 12:42:52 UTC
(In reply to Watson Yuuma Sato from comment #9)
> As of scap-security-guide-0.1.36-7, both non-EFI and EFI locations of
> grub.cfg are checked.
> 
> Check of EFI location is done by extended definition in check
> "file_permissions_grub2_cfg".
> 
> But remediation of EFI location is very likely not performed correctly, as
> fix for it is in "file_permissions_efi_grub2_cfg.sh", and rule ID is
> "file_permissions_grub2_cfg".
> 
> 
> A workaround is for CU to fix permission manually:
> $ chmod 700 /boot/efi/EFI/redhat/grub.cfg
> 
> Can you try applying workaround and scanning again?
> 
> Thanks.

That shell script is nowhere to be found. Changing the chmod to 700 still makes the test fail. I don't know if you can find a needle in this pile of code but I can't find file_permissions_grub2_cfg either. Just a lot of .xml files that give the same text as you would see in the report, but no hint on what is tested and how.

Comment 12 Watson Yuuma Sato 2018-05-18 15:36:41 UTC
If changing permissions of "/boot/efi/EFI/redhat/grub.cfg" to 700 didn't work we will need more info.

Can you run the scan with option "--verbose DEVEL", and provide output?

Comment 14 Koen Diels 2018-05-18 15:52:33 UTC
Title   Verify /boot/grub2/grub.cfg Permissions
Rule    xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
Ident   CCE-27054-6
I: oscap: Evaluating definition 'oval:org.open-scap.cpe.rhel:def:7': Red Hat Enterprise Linux 7. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:152:oval_result_definition_eval]
I: oscap: Definition 'oval:org.open-scap.cpe.rhel:def:7' evaluated as true. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:163:oval_result_definition_eval]
I: oscap: Evaluating definition 'oval:ssg-installed_OS_is_rhel7:def:1': Red Hat Enterprise Linux 7. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:152:oval_result_definition_eval]
I: oscap: Definition 'oval:ssg-installed_OS_is_rhel7:def:1' evaluated as true. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:163:oval_result_definition_eval]
I: oscap: Evaluating definition 'oval:ssg-installed_OS_is_rhel7:def:1': Red Hat Enterprise Linux 7. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:152:oval_result_definition_eval]
I: oscap: Definition 'oval:ssg-installed_OS_is_rhel7:def:1' evaluated as true. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:163:oval_result_definition_eval]
I: oscap: Evaluating definition 'oval:ssg-installed_OS_is_rhel7:def:1': Red Hat Enterprise Linux 7. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:152:oval_result_definition_eval]
I: oscap: Definition 'oval:ssg-installed_OS_is_rhel7:def:1' evaluated as true. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:163:oval_result_definition_eval]
I: oscap: Evaluating definition 'oval:ssg-installed_env_is_a_machine:def:1': Check if the scan target is a machine. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:152:oval_result_definition_eval]
I: oscap: Definition 'oval:ssg-installed_env_is_a_machine:def:1' evaluated as true. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:163:oval_result_definition_eval]
I: oscap: Evaluating definition 'oval:ssg-file_permissions_grub2_cfg:def:1': File grub.cfg Permissions. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:152:oval_result_definition_eval]
I: oscap:   Evaluating file test 'oval:ssg-test_file_permissions_grub2_cfg:tst:1': Testing file permissions. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:1054:oval_result_test_eval]
I: oscap:     Querying file object 'oval:ssg-object_file_permissions_grub2_cfg:obj:1', flags: 0. [oscap(31664):oscap(7ffad609c840):oval_probe.c:246:oval_probe_query_object]
I: oscap:     Creating new syschar for file_object 'oval:ssg-object_file_permissions_grub2_cfg:obj:1'. [oscap(31664):oscap(7ffad609c840):oval_probe.c:269:oval_probe_query_object]
D: oscap:     Sending message. [oscap(31664):oscap(7ffad609c840):oval_probe_ext.c:493:oval_probe_comm]
D: oscap:     MSG -> SEXP [oscap(31664):oscap(7ffad609c840):seap-packet.c:261:SEAP_packet_msg2sexp]
D: oscap: ("seap.msg" ":id" 23 (("file_object" ":id" "oval:ssg-object_file_permissions_grub2_cfg:obj:1" ":oval_version" "5.11" ) (("filepath" ":operation" 5 ":var_check" 1 ) "/boot/grub2/grub.cfg" ) ) ) [oscap(31664):oscap(7ffad609c840):seap-packet.c:262:SEAP_packet_msg2sexp]
D: oscap:     packet size: 1003 [oscap(31664):oscap(7ffad609c840):seap-packet.c:263:SEAP_packet_msg2sexp]
D: oscap:     total I/O vectors = 1 [oscap(31664):oscap(7ffad609c840):strbuf.c:294:strbuf_write]
D: oscap:     iot (1) < IOV_MAX (1024) [oscap(31664):oscap(7ffad609c840):strbuf.c:305:strbuf_write]
D: oscap:     ioc = 1 [oscap(31664):oscap(7ffad609c840):strbuf.c:321:strbuf_write]
D: oscap:     total bytes written: 208 [oscap(31664):oscap(7ffad609c840):strbuf.c:338:strbuf_write]D: probe_file:
return from selectD: oscap:  [probe_file(31772):input_handler(7f3d421cb700):seap-packet.c:637:SEAP_packet_recv]
  Waiting for reply. [oscap(31664):oscap(7ffad609c840):oval_probe_ext.c:552:oval_probe_comm]
D: probe_file: Received packet [probe_file(31772):input_handler(7f3d421cb700):seap-packet.c:902:SEAP_packet_recv]
D: probe_file: ("seap.msg" ":id" 23 (("file_object" ":id" "oval:ssg-object_file_permissions_grub2_cfg:obj:1" ":oval_version" "5.11" ) (("filepath" ":operation" 5 ":var_check" 1 ) "/boot/grub2/grub.cfg" ) ) ) [probe_file(31772):input_handler(7f3d421cb700):seap-packet.c:903:SEAP_packet_recv]
D: probe_file: packet size: 886 [probe_file(31772):input_handler(7f3d421cb700):seap-packet.c:904:SEAP_packet_recv]
D: probe_file: offline_mode=00000000 [probe_file(31772):input_handler(7f3d421cb700):input_handler.c:116:probe_input_handler]
D: probe_file: offline_mode_supported=00000001 [probe_file(31772):input_handler(7f3d421cb700):input_handler.c:117:probe_input_handler]
D: probe_file: handling SEAP message ID 23 [probe_file(31772):probe_worker(7f3d419ca700):worker.c:53:probe_worker_runfn]
I: probe_file: Opening file '/boot/grub2/grub.cfg'. [probe_file(31772):probe_worker(7f3d419ca700):oval_fts.c:825:oval_fts_open]
D: probe_file: NOP [probe_file(31772):probe_worker(7f3d419ca700):icache.c:404:probe_icache_nop]
D: probe_file: Signaling `notempty' [probe_file(31772):probe_worker(7f3d419ca700):icache.c:429:probe_icache_nop]
D: probe_file: Waiting for icache worker to handle the NOP [probe_file(31772):probe_worker(7f3d419ca700):icache.c:439:probe_icache_nop]
I: probe_file: Extracting item from the cache queue: cnt=2, beg=37 [probe_file(31772):icache_worker(7f3d431cd700):icache.c:198:probe_icache_worker]
D: probe_file: Signaling `notfull' [probe_file(31772):icache_worker(7f3d431cd700):icache.c:217:probe_icache_worker]
D: probe_file: Handling cache request [probe_file(31772):icache_worker(7f3d431cd700):icache.c:248:probe_icache_worker]
D: probe_file: pair address: 139901095693728 [probe_file(31772):icache_worker(7f3d431cd700):icache.c:253:probe_icache_worker]
D: probe_file: item address: 139900842186208 [probe_file(31772):icache_worker(7f3d431cd700):icache.c:254:probe_icache_worker]
D: probe_file: item ID=7347347703611728081 [probe_file(31772):icache_worker(7f3d431cd700):icache.c:256:probe_icache_worker]
I: probe_file: cache HIT #1 [probe_file(31772):icache_worker(7f3d431cd700):icache.c:99:icache_lookup]
I: probe_file: cache HIT #2 -> real HIT [probe_file(31772):icache_worker(7f3d431cd700):icache.c:134:icache_lookup]
I: probe_file: Extracting item from the cache queue: cnt=1, beg=38 [probe_file(31772):icache_worker(7f3d431cd700):icache.c:198:probe_icache_worker]
D: probe_file: Signaling `notfull' [probe_file(31772):icache_worker(7f3d431cd700):icache.c:217:probe_icache_worker]
D: probe_file: Handling NOP [probe_file(31772):icache_worker(7f3d431cd700):icache.c:239:probe_icache_worker]
D: probe_file: Sync [probe_file(31772):probe_worker(7f3d419ca700):icache.c:447:probe_icache_nop]
D: probe_file: old flag: 0, new flag: 2. [probe_file(31772):probe_worker(7f3d419ca700):probe-api.c:689:probe_cobj_set_flag]
D: probe_file: handler result = 0x7f3d3400a8f0, return code = 0 [probe_file(31772):probe_worker(7f3d419ca700):worker.c:58:probe_worker_runfn]
D: probe_file: probe thread deleted [probe_file(31772):probe_worker(7f3d419ca700):worker.c:77:probe_worker_runfn]
D: probe_file: Sorting blocks & building iterator array [probe_file(31772):probe_worker(7f3d419ca700):sexp-manip.c:1402:SEXP_list_sort]
D: probe_file: Iterator count = 1 [probe_file(31772):probe_worker(7f3d419ca700):sexp-manip.c:1429:SEXP_list_sort]
D: probe_file: cnt = 0 [probe_file(31772):probe_worker(7f3d419ca700):seap-message.c:138:SEAP_msgattr_exists]
D: probe_file: no-reply not set: sending full reply [probe_file(31772):probe_worker(7f3d419ca700):seap.c:480:SEAP_reply]
D: probe_file: MSG -> SEXP [probe_file(31772):probe_worker(7f3d419ca700):seap-packet.c:261:SEAP_packet_msg2sexp]
D: probe_file: ("seap.msg" ":id" 23 ":reply-id" 23 (2 () ((("file_item" ":id" "1317725" ) ("filepath" "/boot/grub2/grub.cfg" ) ("path" "/boot/grub2" ) ("filename" "grub.cfg" ) ("type" "regular" ) ("group_id" 0 ) ("user_id" 0 ) ("a_time" 1526641188 ) ("c_time" 1523887666 ) ("m_time" 1523887666 ) ("size" 6511 ) ("suid" #F ) ("sgid" #F ) ("sticky" #F ) ("uread" #T ) ("uwrite" #T ) ("uexec" #F ) ("gread" #T ) ("gwrite" #F ) ("gexec" #F ) ("oread" #T ) ("owrite" #F ) ("oexec" #F ) ("has_extended_acl" #F ) ) ) () ) ) [probe_file(31772):probe_worker(7f3d419ca700):seap-packet.c:262:SEAP_packet_msg2sexp]
D: probe_file: packet size: 3595 [probe_file(31772):probe_worker(7f3d419ca700):seap-packet.c:263:SEAP_packet_msg2sexp]
D: probe_file: total I/O vectors = 1 [probe_file(31772):probe_worker(7f3d419ca700):strbuf.c:294:strbuf_write]
D: probe_file: iot (1) < IOV_MAX (1024) [probe_file(31772):probe_worker(7f3d419ca700):strbuf.c:305:strbuf_write]
D: probe_file: ioc = 1 [probe_file(31772):probe_worker(7f3d419ca700):strbuf.c:321:strbuf_write]
D: probe_file: total bytes written: 504 [probe_file(31772):probe_worker(7f3d419ca700):strbuf.c:338:strbuf_write]
D: oscap: D: probe_file:   name=reply-id, value=0x7f3d34005d60   [probe_file(31772):probe_worker(7f3d419ca700):seap-message.c:76:SEAP_msg_free]return from select
 [oscap(31664):oscap(7ffad609c840):seap-packet.c:637:SEAP_packet_recv]
D: oscap:     Received packet [oscap(31664):oscap(7ffad609c840):seap-packet.c:902:SEAP_packet_recv]
D: oscap: ("seap.msg" ":id" 23 ":reply-id" 23 (2 () ((("file_item" ":id" "1317725" ) ("filepath" "/boot/grub2/grub.cfg" ) ("path" "/boot/grub2" ) ("filename" "grub.cfg" ) ("type" "regular" ) ("group_id" 0 ) ("user_id" 0 ) ("a_time" 1526641188 ) ("c_time" 1523887666 ) ("m_time" 1523887666 ) ("size" 6511 ) ("suid" #F ) ("sgid" #F ) ("sticky" #F ) ("uread" #T ) ("uwrite" #T ) ("uexec" #F ) ("gread" #T ) ("gwrite" #F ) ("gexec" #F ) ("oread" #T ) ("owrite" #F ) ("oexec" #F ) ("has_extended_acl" #F ) ) ) () ) ) [oscap(31664):oscap(7ffad609c840):seap-packet.c:903:SEAP_packet_recv]
D: oscap:     packet size: 3558 [oscap(31664):oscap(7ffad609c840):seap-packet.c:904:SEAP_packet_recv]
D: oscap:     Message received. [oscap(31664):oscap(7ffad609c840):oval_probe_ext.c:586:oval_probe_comm]
D: oscap:     name=(null), value=0x55fe1ac9b990 [oscap(31664):oscap(7ffad609c840):seap-message.c:76:SEAP_msg_free]
I: oscap:     Test 'oval:ssg-test_file_permissions_grub2_cfg:tst:1' requires that every object defined by 'oval:ssg-object_file_permissions_grub2_cfg:obj:1' exists on the system. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:813:_oval_result_test_evaluate_items]
I: oscap:     1 objects defined by 'oval:ssg-object_file_permissions_grub2_cfg:obj:1' exist on the system. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:831:_oval_result_test_evaluate_items]
I: oscap:     All items matching object 'oval:ssg-object_file_permissions_grub2_cfg:obj:1' were collected. (flag=complete) [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:876:_oval_result_test_evaluate_items]
I: oscap:     In test 'oval:ssg-test_file_permissions_grub2_cfg:tst:1' all of the collected items must satisfy these states: 'oval:ssg-state_file_permissions_grub2_cfg:ste:1'. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:640:eval_check_state]
I: oscap:     Entity 'uexec'='false' of item '1317725' matches corresponding entity in state 'oval:ssg-state_file_permissions_grub2_cfg:ste:1'. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:565:eval_item]
I: oscap:     Entity 'gwrite'='false' of item '1317725' matches corresponding entity in state 'oval:ssg-state_file_permissions_grub2_cfg:ste:1'. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:565:eval_item]
I: oscap:     Entity 'gexec'='false' of item '1317725' matches corresponding entity in state 'oval:ssg-state_file_permissions_grub2_cfg:ste:1'. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:565:eval_item]
I: oscap:     Entity 'owrite'='false' of item '1317725' matches corresponding entity in state 'oval:ssg-state_file_permissions_grub2_cfg:ste:1'. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:565:eval_item]
I: oscap:     Entity 'oexec'='false' of item '1317725' matches corresponding entity in state 'oval:ssg-state_file_permissions_grub2_cfg:ste:1'. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:565:eval_item]
I: oscap:     Item '1317725' compared to state 'oval:ssg-state_file_permissions_grub2_cfg:ste:1' with result false. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:597:eval_item]
I: oscap:   Test 'oval:ssg-test_file_permissions_grub2_cfg:tst:1' evaluated as false. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:1073:oval_result_test_eval]
I: oscap:   Evaluating file test 'oval:ssg-test_file_permissions_efi_grub2_cfg:tst:1': /boot/efi/EFI/redhat/grub.cfg owned by root. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:1054:oval_result_test_eval]
I: oscap:     Querying file object 'oval:ssg-object_file_permissions_efi_grub2_cfg:obj:1', flags: 0. [oscap(31664):oscap(7ffad609c840):oval_probe.c:246:oval_probe_query_object]
I: oscap:     Creating new syschar for file_object 'oval:ssg-object_file_permissions_efi_grub2_cfg:obj:1'. [oscap(31664):oscap(7ffad609c840):oval_probe.c:269:oval_probe_query_object]
D: oscap:     Sending message. [oscap(31664):oscap(7ffad609c840):oval_probe_ext.c:493:oval_probe_comm]
D: oscap:     MSG -> SEXP [oscap(31664):oscap(7ffad609c840):seap-packet.c:261:SEAP_packet_msg2sexp]
D: oscap: ("seap.msg" ":id" 24 (("file_object" ":id" "oval:ssg-object_file_permissions_efi_grub2_cfg:obj:1" ":oval_version" "5.11" ) (("filepath" ":operation" 5 ":var_check" 1 ) "/boot/efi/EFI/redhat/grub.cfg" ) ) ) [oscap(31664):oscap(7ffad609c840):seap-packet.c:262:SEAP_packet_msg2sexp]
D: oscap:     packet size: 1016 [oscap(31664):oscap(7ffad609c840):seap-packet.c:263:SEAP_packet_msg2sexp]
D: oscap:     total I/O vectors = 1 [oscap(31664):oscap(7ffad609c840):strbuf.c:294:strbuf_write]
D: oscap:     iot (1) < IOV_MAX (1024) [oscap(31664):oscap(7ffad609c840):strbuf.c:305:strbuf_write]
D: oscap:     ioc = 1 [oscap(31664):oscap(7ffad609c840):strbuf.c:321:strbuf_write]
D: oscap:     total bytes written: 221 [oscap(31664):oscap(7ffad609c840):strbuf.c:338:strbuf_write]
D: oscap:     Waiting for reply.D: probe_file:  [oscap(31664):oscap(7ffad609c840):oval_probe_ext.c:552:oval_probe_comm]return from select
 [probe_file(31772):input_handler(7f3d421cb700):seap-packet.c:637:SEAP_packet_recv]
D: probe_file: Received packet [probe_file(31772):input_handler(7f3d421cb700):seap-packet.c:902:SEAP_packet_recv]
D: probe_file: ("seap.msg" ":id" 24 (("file_object" ":id" "oval:ssg-object_file_permissions_efi_grub2_cfg:obj:1" ":oval_version" "5.11" ) (("filepath" ":operation" 5 ":var_check" 1 ) "/boot/efi/EFI/redhat/grub.cfg" ) ) ) [probe_file(31772):input_handler(7f3d421cb700):seap-packet.c:903:SEAP_packet_recv]
D: probe_file: packet size: 899 [probe_file(31772):input_handler(7f3d421cb700):seap-packet.c:904:SEAP_packet_recv]
D: probe_file: offline_mode=00000000 [probe_file(31772):input_handler(7f3d421cb700):input_handler.c:116:probe_input_handler]
D: probe_file: offline_mode_supported=00000001 [probe_file(31772):input_handler(7f3d421cb700):input_handler.c:117:probe_input_handler]
D: probe_file: handling SEAP message ID 24 [probe_file(31772):probe_worker(7f3d419ca700):worker.c:53:probe_worker_runfn]
D: probe_file: lstat() failed: errno: 2, 'No such file or directory'. [probe_file(31772):probe_worker(7f3d419ca700):oval_fts.c:819:oval_fts_open]
D: probe_file: NOP [probe_file(31772):probe_worker(7f3d419ca700):icache.c:404:probe_icache_nop]
D: probe_file: Signaling `notempty' [probe_file(31772):probe_worker(7f3d419ca700):icache.c:429:probe_icache_nop]
D: probe_file: Waiting for icache worker to handle the NOP [probe_file(31772):probe_worker(7f3d419ca700):icache.c:439:probe_icache_nop]
I: probe_file: Extracting item from the cache queue: cnt=1, beg=39 [probe_file(31772):icache_worker(7f3d431cd700):icache.c:198:probe_icache_worker]
D: probe_file: Signaling `notfull' [probe_file(31772):icache_worker(7f3d431cd700):icache.c:217:probe_icache_worker]
D: probe_file: Handling NOP [probe_file(31772):icache_worker(7f3d431cd700):icache.c:239:probe_icache_worker]
D: probe_file: Sync [probe_file(31772):probe_worker(7f3d419ca700):icache.c:447:probe_icache_nop]
D: probe_file: old flag: 0, new flag: 4. [probe_file(31772):probe_worker(7f3d419ca700):probe-api.c:689:probe_cobj_set_flag]
D: probe_file: handler result = 0x7f3d34007dd0, return code = 0 [probe_file(31772):probe_worker(7f3d419ca700):worker.c:58:probe_worker_runfn]
D: probe_file: probe thread deleted [probe_file(31772):probe_worker(7f3d419ca700):worker.c:77:probe_worker_runfn]
D: probe_file: Sorting blocks & building iterator array [probe_file(31772):probe_worker(7f3d419ca700):sexp-manip.c:1402:SEXP_list_sort]
D: probe_file: Iterator count = 0 [probe_file(31772):probe_worker(7f3d419ca700):sexp-manip.c:1429:SEXP_list_sort]
D: probe_file: cnt = 0 [probe_file(31772):probe_worker(7f3d419ca700):seap-message.c:138:SEAP_msgattr_exists]
D: probe_file: no-reply not set: sending full reply [probe_file(31772):probe_worker(7f3d419ca700):seap.c:480:SEAP_reply]
D: probe_file: MSG -> SEXP [probe_file(31772):probe_worker(7f3d419ca700):seap-packet.c:261:SEAP_packet_msg2sexp]
D: probe_file: ("seap.msg" ":id" 24 ":reply-id" 24 (4 () () () ) ) [probe_file(31772):probe_worker(7f3d419ca700):seap-packet.c:262:SEAP_packet_msg2sexp]
D: probe_file: packet size: 525 [probe_file(31772):probe_worker(7f3d419ca700):seap-packet.c:263:SEAP_packet_msg2sexp]
D: probe_file: total I/O vectors = 1 [probe_file(31772):probe_worker(7f3d419ca700):strbuf.c:294:strbuf_write]
D: probe_file: iot (1) < IOV_MAX (1024) [probe_file(31772):probe_worker(7f3d419ca700):strbuf.c:305:strbuf_write]
D: probe_file: ioc = 1 [probe_file(31772):probe_worker(7f3d419ca700):strbuf.c:321:strbuf_write]
D: probe_file: total bytes written: 53 [probe_file(31772):probe_worker(7f3d419ca700):strbuf.c:338:strbuf_write]
D: probe_file: name=reply-id, value=0x7f3d3400ab70 [probe_file(31772):probe_worker(7f3d419ca700):seap-message.c:76:SEAP_msg_free]
D: oscap:     return from select [oscap(31664):oscap(7ffad609c840):seap-packet.c:637:SEAP_packet_recv]
D: oscap:     Received packet [oscap(31664):oscap(7ffad609c840):seap-packet.c:902:SEAP_packet_recv]
D: oscap: ("seap.msg" ":id" 24 ":reply-id" 24 (4 () () () ) ) [oscap(31664):oscap(7ffad609c840):seap-packet.c:903:SEAP_packet_recv]
D: oscap:     packet size: 464 [oscap(31664):oscap(7ffad609c840):seap-packet.c:904:SEAP_packet_recv]
D: oscap:     Message received. [oscap(31664):oscap(7ffad609c840):oval_probe_ext.c:586:oval_probe_comm]
D: oscap:     name=(null), value=0x55fe1ac9c420 [oscap(31664):oscap(7ffad609c840):seap-message.c:76:SEAP_msg_free]
I: oscap:     Test 'oval:ssg-test_file_permissions_efi_grub2_cfg:tst:1' requires that every object defined by 'oval:ssg-object_file_permissions_efi_grub2_cfg:obj:1' exists on the system. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:813:_oval_result_test_evaluate_items]
I: oscap:     0 objects defined by 'oval:ssg-object_file_permissions_efi_grub2_cfg:obj:1' exist on the system. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:831:_oval_result_test_evaluate_items]
I: oscap:     No item matching object 'oval:ssg-object_file_permissions_efi_grub2_cfg:obj:1' was found on the system. (flag=does not exist) [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:867:_oval_result_test_evaluate_items]
I: oscap:   Test 'oval:ssg-test_file_permissions_efi_grub2_cfg:tst:1' evaluated as false. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:1073:oval_result_test_eval]
I: oscap: Definition 'oval:ssg-file_permissions_grub2_cfg:def:1' evaluated as false. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:163:oval_result_definition_eval]
I: oscap: Evaluating XCCDF rule 'xccdf_org.ssgproject.content_rule_bootloader_password'. [oscap(31664):oscap(7ffad609c840):xccdf_policy.c:1111:xccdf_policy_item_evaluate]
Result  fail

Comment 15 Watson Yuuma Sato 2018-05-18 16:16:17 UTC
Thank you for the output, Koen Diels.

Two questions,

It looks like file "/boot/grub2/grub.cfg" exists, and has permissions 644, while it should be 600. However, in the description it is stated that this file doesn't exist; is this a file created while testing and debugging?

Also, I can see that while checking for file "/boot/efi/EFI/redhat/grub.cfg", the log states that it is owned by root and it could not be found.
Please make sure that you are running the scan as root user.

Comment 17 Watson Yuuma Sato 2018-05-18 16:41:44 UTC
Looking into it with more attention, "/boot/grub2/grub.cfg" is owned by root and oscap can access it.

So access to "/boot/efi/EFI/redhat/grub.cfg" should not be a problem.
Can you confirm that "/boot/efi/EFI/redhat/grub.cfg" exists?

If it really exists, we have a bug regarding access to this file.

Comment 18 vijsingh 2018-05-18 16:58:42 UTC
(In reply to Watson Yuuma Sato from comment #17)
> Looking into it with more attention, "/boot/grub2/grub.cfg" is owned by root
> and oscap can access it.
> 
> So access to "/boot/efi/EFI/redhat/grub.cfg" should not be a problem.
> Can you confirm that "/boot/efi/EFI/redhat/grub.cfg" exists?
> 
> If it really exists, we have a bug regarding access to this file.

If I create the file manually and give it '600' permissions, it shows the result "Pass"; however, on a 'grub-efi' system this file does not exist by default.

Also, by default the permission on "/boot/efi/EFI/redhat/grub.cfg" is "700".

When checking the client system report, it always shows the text below in the Description for rule ID "xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg":

~~~~~~~~~~~~~~~~~
File permissions for /boot/grub2/grub.cfg should be set to 600. To properly set the permissions of /boot/grub2/grub.cfg, run the command:

$ sudo chmod 600 /boot/grub2/grub.cfg
~~~~~~~~~~~~~~~~~

As it's a 'grub-efi' system, it should not ask for a permission change on "/boot/grub2/grub.cfg" ...

Comment 19 Koen Diels 2018-05-22 09:13:48 UTC
Did anyone actually use these profiles before releasing them? I'm now trying to remediate the password requirements and although I followed the remediation guide the check keeps failing with no apparent reason.

Comment 20 Koen Diels 2018-05-22 12:56:43 UTC
(In reply to Koen Diels from comment #19)
> Did actually anyone use this profiles before releasing them? I'm now trying
> to remediate the password requirements and although I followed the
> remediation guide the check keeps failing with no apparent reason.

Using the script from generate fix works. So the only check that I have to get around now to get all green is the grub.cfg permissions one.

Comment 22 Watson Yuuma Sato 2018-05-24 08:30:20 UTC
Hello,

I have checked the provided logs and run tests, and I don't understand how rule xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg is failing.

I have checked the definitions, and it looks into both locations, "/boot/grub2/grub.cfg" and "/boot/efi/EFI/redhat/grub.cfg", if any of them exists and has the correct permissions, it will pass. For the former, permission 600 is required, and for the latter, 700 is enough.


Another alternative is to tailor, or edit the datastream, and swap rule xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg for xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg, which will check only the EFI location.

Note: I have noticed that there is a typo in the prose of rule file_permissions_efi_grub2_cfg: it mentions permission 600, but it actually checks for permission 700 or stronger.
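
The check logic described in this thread (Comments 9, 22 and 27), modelled as an added Python example for local triage; this is not scap-security-guide's OVAL content or oscap code. It assumes that "600" at the BIOS location means no owner-execute bit and no group/other bits, that "700 or stronger" at the EFI location means no group/other bits, and that the two file tests are combined with OR as Comment 22 states; the `efi_forbidden` parameter and the octal modes in `SCENARIOS` are constructed to reproduce the cases reported above.

```python
"""Model of the effective pass/fail logic of SCAP rule
xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg as described in
this bug.  Added illustration, not the real OVAL definition."""
import os
import stat
from typing import Dict, Optional

BIOS_CFG = "/boot/grub2/grub.cfg"
EFI_CFG = "/boot/efi/EFI/redhat/grub.cfg"

# "600 or stricter": owner execute and every group/other bit must be clear.
BITS_600_FORBIDDEN = stat.S_IXUSR | stat.S_IRWXG | stat.S_IRWXO
# "700 or stricter": every group/other bit must be clear (assumed meaning).
BITS_700_FORBIDDEN = stat.S_IRWXG | stat.S_IRWXO


def file_test(mode: Optional[int], forbidden_bits: int) -> bool:
    """One OVAL-style file test.  The object must exist (mode is not None) and
    none of the forbidden permission bits may be set.  A missing file makes the
    test false, which is what the DEVEL log shows for the absent EFI grub.cfg
    ("0 objects ... exist on the system" -> "evaluated as false")."""
    if mode is None:
        return False
    return (stat.S_IMODE(mode) & forbidden_bits) == 0


def evaluate_grub2_cfg_rule(modes: Dict[str, Optional[int]],
                            efi_forbidden: int = BITS_700_FORBIDDEN) -> Dict[str, object]:
    """Combine both tests as Comment 22 describes: the rule passes if either
    grub.cfg location exists with acceptable permissions.  `modes` maps each
    path to its st_mode, or None when the file is absent.  Passing
    efi_forbidden=BITS_600_FORBIDDEN models the old content from Comment 27,
    which demanded 600 at the EFI location as well."""
    bios_ok = file_test(modes.get(BIOS_CFG), BITS_600_FORBIDDEN)
    efi_ok = file_test(modes.get(EFI_CFG), efi_forbidden)
    return {"bios_test": bios_ok,
            "efi_test": efi_ok,
            "result": "pass" if (bios_ok or efi_ok) else "fail"}


def collect_modes(paths=(BIOS_CFG, EFI_CFG)) -> Dict[str, Optional[int]]:
    """Read st_mode of each path on the running system (None when absent).
    Run as root: a PermissionError here is the situation Comment 15 warns about."""
    out: Dict[str, Optional[int]] = {}
    for p in paths:
        try:
            out[p] = os.lstat(p).st_mode
        except FileNotFoundError:
            out[p] = None
    return out


# Constructed scenarios taken from the bug, as full st_mode values (regular file).
SCENARIOS = {
    "UEFI: EFI cfg 700, BIOS cfg absent": {BIOS_CFG: None, EFI_CFG: 0o100700},
    "BIOS: cfg 644 (Comment 14 DEVEL log)": {BIOS_CFG: 0o100644, EFI_CFG: None},
    "BIOS: cfg 600 after chmod": {BIOS_CFG: 0o100600, EFI_CFG: None},
}

if __name__ == "__main__":
    for name, modes in SCENARIOS.items():
        print(f"{name}: {evaluate_grub2_cfg_rule(modes)['result']}")
    old = evaluate_grub2_cfg_rule(SCENARIOS["UEFI: EFI cfg 700, BIOS cfg absent"],
                                  efi_forbidden=BITS_600_FORBIDDEN)
    print(f"UEFI: EFI cfg 700 with old content requiring 600: {old['result']}")
    # On a real host, replace a scenario with collect_modes() to pre-check a scan.
```

The model makes the two symptoms in the thread visible side by side: a BIOS host with a 644 grub.cfg and no EFI file fails both tests, and a UEFI host whose EFI grub.cfg is 700 only passes once the content accepts 700 at that location.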

Comment 23 Koen Diels 2018-05-24 08:48:15 UTC
700 doesn't work either. And we are in a mixed BIOS/UEFI environment so just dropping the BIOS test is not a good workaround.

Comment 25 Watson Yuuma Sato 2018-05-28 16:48:39 UTC
Hello Koen,

If the profile is to scan both BIOS and UEFI systems, rule xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg should be the appropriate one for you, as it can handle the config file for both systems.

But I still cannot reproduce your issue.
Can you provide scan with verbose DEVEL for both systems (BIOS and UEFI)? And also SOS report for both systems?

Thank you.

Comment 26 vijsingh 2018-05-29 13:26:01 UTC
Hello Watson Yuuma Sato,

The SOS report has been uploaded to the case; could you please check it.

Comment 27 Watson Yuuma Sato 2018-05-29 14:48:40 UTC
Thank you for the information provided, it was really helpful.

From the verbose output, the content used looks old, from a previous version of scap-security-guide.

I see that on BIOS system, permission for "/boot/grub2/grub.cfg" is 644, when it should be 600 for the rule to pass.

On the UEFI system, the "/boot/efi/EFI/redhat/grub.cfg" file exists and has the correct permissions, 700. But as the content used for the scan is old, the rule requires permission 600, thus failing the rule.

Please, fix the permission for file "/boot/grub2/grub.cfg" in BIOS systems. Clean any cached openscap content, as suggested by Vijay. And scan again.

Comment 28 Koen Diels 2018-05-30 06:57:36 UTC
So how do I get my freshly installed Satellite 6.3 to use a recent openscap security guide? Because this one is just the one RedHat provided...

Comment 30 Ondřej Pražák 2018-06-01 08:21:34 UTC
Steps for updating the scap content:

1) update scap-security-guide package
2) upload new scap content into Sat6 from /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
3) Create a completely new policy and apply it to a host using the uploaded scap content.
4) run puppet on client, it will make changes in /etc/foreman_scap_client/config.yaml. It will add a new policy entry and the :content_path: /var/lib/openscap/content/$digest.xml should have a different $digest when comparing the old and new policy.
5) try generating new report
6) delete the old policy and scap content if the new ones work as expected
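
One way to act on steps 4 and 6 above, and on the advice in Comment 27 to clean cached content: an added Python example (not part of Satellite, foreman_scap_client or scap-security-guide) that reads the client's config.yaml, hashes the file behind each :content_path: and compares it with the datastream installed by the scap-security-guide package. It assumes that config.yaml lists each policy under its numeric id with a :content_path: entry, and that the policy is meant to use the package datastream unmodified, so a differing SHA-256 indicates stale (or locally customised) content; the sample config.yaml and content files written by build_demo() are constructed.

```python
"""Audit the SCAP content cached by foreman_scap_client against the datastream
shipped by scap-security-guide.  Added illustration for this bug; paths and the
config.yaml layout are assumptions, the demo data is constructed."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

CONFIG_PATH = "/etc/foreman_scap_client/config.yaml"
REFERENCE_DS = "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"

# Assumed layout: a policy starts with its numeric id as a top-level key and
# carries an indented ':content_path:' entry (no PyYAML needed).
POLICY_RE = re.compile(r"^(\d+):\s*$")
CONTENT_RE = re.compile(r"^\s+:content_path:\s*'?([^'\s]+)'?\s*$")


def parse_content_paths(config_text: str) -> Dict[int, str]:
    """Map policy id -> cached content path."""
    paths: Dict[int, str] = {}
    policy = None
    for line in config_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy = int(m.group(1))
            continue
        m = CONTENT_RE.match(line)
        if m and policy is not None:
            paths[policy] = m.group(1)
    return paths


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_cached_content(config_text: str, reference_ds: str) -> List[Tuple[int, str, str]]:
    """Return (policy_id, content_path, status) per policy, where status is
    'current' (identical bytes to the reference datastream), 'stale' (differs)
    or 'missing' (the client has not downloaded it yet, e.g. puppet not run)."""
    ref_digest = sha256_file(reference_ds)
    report = []
    for policy_id, path in sorted(parse_content_paths(config_text).items()):
        if not os.path.exists(path):
            status = "missing"
        elif sha256_file(path) == ref_digest:
            status = "current"
        else:
            status = "stale"
        report.append((policy_id, path, status))
    return report


OLD_CONTENT = "<ds:data-stream-collection>constructed OLD ssg content</ds:data-stream-collection>\n"
NEW_CONTENT = "<ds:data-stream-collection>constructed NEW ssg content</ds:data-stream-collection>\n"


def build_demo() -> Tuple[str, str]:
    """Constructed sample in a temp dir: policy 1 cached from an earlier upload,
    policy 2 matching the installed datastream, policy 3 not downloaded yet."""
    d = tempfile.mkdtemp(prefix="scap-demo-")
    ref = os.path.join(d, "ssg-rhel7-ds.xml")
    old = os.path.join(d, "old-digest.xml")
    new = os.path.join(d, "new-digest.xml")
    for path, body in ((ref, NEW_CONTENT), (old, OLD_CONTENT), (new, NEW_CONTENT)):
        with open(path, "w") as f:
            f.write(body)
    config = (
        "# constructed config.yaml\n"
        ":server: 'satellite.example.com'\n"
        ":port: 9090\n"
        f"1:\n  :profile: 'xccdf_org.ssgproject.content_profile_rht-ccp'\n  :content_path: '{old}'\n"
        f"2:\n  :profile: 'xccdf_org.ssgproject.content_profile_rht-ccp'\n  :content_path: '{new}'\n"
        f"3:\n  :profile: 'xccdf_org.ssgproject.content_profile_rht-ccp'\n"
        f"  :content_path: '{os.path.join(d, 'not-downloaded.xml')}'\n"
    )
    return config, ref


def demo_report() -> List[Tuple[int, str, str]]:
    config, ref = build_demo()
    return audit_cached_content(config, ref)


if __name__ == "__main__":
    # On a real client use: audit_cached_content(open(CONFIG_PATH).read(), REFERENCE_DS)
    for policy_id, path, status in demo_report():
        print(f"policy {policy_id}: {status:8s} {path}")
```

A policy reported as stale is the situation Comment 27 describes: the client still scans with content from an older scap-security-guide, so rule text and checks will not match what the current package ships.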

Comment 31 Koen Diels 2018-06-01 08:34:59 UTC
Is there a reason why the default policies of Satellite aren't aligned with the system package? And now one test issue is solved and the next is introduced (a check that worked fine with the previous policy).

Enable SSH Server firewalld Firewall exception fails for absolutely no reason.

https://github.com/OpenSCAP/scap-security-guide/issues/2586

Comment 32 Marek Hulan 2018-06-01 09:06:49 UTC
The scap security guide and Satellite are not connected at all. We tell users they can use policies from ssg if they fit their needs, but they could use any other, such as their own or 3rd party ones. It's up to the user to keep policies up to date.

For reporting issues on ssg, please use RHEL product in Bugzilla, ssg is not part of Satellite.

Comment 33 Watson Yuuma Sato 2018-06-01 11:54:26 UTC
Hello Koen,

> Enable SSH Server firewalld Firewall exception fails for absolutely no reason.
> https://github.com/OpenSCAP/scap-security-guide/issues/2586

Rule "set_firewalld_default_zone" will set the default zone to drop, so any network interface not explicitly assigned to a zone will have all its packets dropped, see https://bugzilla.redhat.com/show_bug.cgi?id=1478414 for more info.

To avoid that, Rule "firewalld_sshd_port_enabled" was added to profiles that set default zone of firewalld to drop.

Unfortunately, a generic and reliable fix for rule "firewalld_sshd_port_enabled" is tricky to write.
Actually, the fix itself is as easy as assigning a network interface to a firewalld zone:

# firewall-cmd --zone=FIREWALLD_SSHD_ZONE --add-interface=NETWORK_INTERFACE
# firewall-cmd --reload

But the hard part is to determine appropriate values for FIREWALLD_SSHD_ZONE and NETWORK_INTERFACE, as configuration can vary from system to system.

FIREWALLD_SSHD_ZONE is the firewalld zone in which the ssh service is allowed,
NETWORK_INTERFACE is the interface on which ssh connections shall be received.