Bug 1599179
| Summary: | Inconsistent memcache_timeout, ssh_known_hosts_timeout wrt man sssd.conf | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | amitkuma |
| Component: | scap-security-guide | Assignee: | Gabriel Gaspar Becker <ggasparb> |
| Status: | CLOSED ERRATA | QA Contact: | Watson Yuuma Sato <wsato> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.5 | CC: | jcerny, matyc, mhaicman, openscap-maint |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | scap-security-guide-0.1.43-10.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-08-06 13:04:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
amitkuma
2018-07-09 06:26:10 UTC
Granting devel ack because it's fixed by rebase to 0.1.43. Issues found during verification (package version: scap-security-guide-0.1.43-4.el7.noarch, RHEL version: RHEL-7.7-20190502.1): 1. OSPP profile selects the rule sssd_ssh_known_hosts_timeout and uses the default variable value (180 in this case). But fails in checking the configuration. ------------------------------------------>8------------------------------ $cat /etc/sssd/sssd.conf [nss] ssh_known_hosts_timeout = 1234 oscap xccdf eval --profile ospp --rule xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout --results /tmp/results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them. WARNING: Skipping https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content Title Configure SSSD to Expire SSH Known Hosts Rule xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout Ident CCE-80366-8 E: oscap: Error occured when comparing a variable 'oval:ssg-var_sssd_ssh_known_hosts_timeout:var:1' value '180' with collected item entity = ' ' Result fail OpenSCAP Error: Conversion of the string " " to an integer (64 bits) failed: Invalid argument [oval_cmp.c:111] ----------------------------------------->8--------------------------------- The value is not being retrieved correctly from configuration file during OVAl check. The fix is similar to: https://github.com/ComplianceAsCode/content/commit/af819c18d6fab5468280455d2034b15877914dac#diff-92d3eba374b2aeaa33d38dc538007ef0 The regular expression for oval variable extraction needs to be updated to: ^[\s]*\[ssh](?:[^\n\[]*\n+)+?[\s]*sssd_ssh_known_hosts_timeout[\s]*=[\s]*(\d+)$ Only ansible playbook remediation is available. Include bash remediation similar to sssd_memcache_timeout ----- 2. Variable used in OCIL is not being expanded correctly as seen in following logs: Rule: linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml $cat ssg-rhel7-ds.xml | grep -A 4 "sudo grep ssh_known_hosts_timeout /etc/sssd/sssd.conf" $ sudo grep ssh_known_hosts_timeout /etc/sssd/sssd.conf If configured properly, output should be ssh_known_hosts_timeout = Is it the case that it does not exist or is not configured properly? </ns0:question_text> -- $ sudo grep ssh_known_hosts_timeout /etc/sssd/sssd.conf If configured properly, output should be ssh_known_hosts_timeout = Is it the case that it does not exist or is not configured properly? </ns0:question_text> Rule: linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml $cat ssg-rhel7-ds.xml | grep -A 4 "sudo grep memcache_timeout /etc/sssd/sssd.conf" $ sudo grep memcache_timeout /etc/sssd/sssd.conf If configured properly, output should be memcache_timeout = . Is it the case that it does not exist or is not configured properly? </ns0:question_text> </ns0:boolean_question> -- $ sudo grep memcache_timeout /etc/sssd/sssd.conf If configured properly, output should be memcache_timeout = . Is it the case that it does not exist or is not configured properly? </ns0:question_text> </ns0:boolean_question> Moving status back to ASSIGNED. Fixed upstream: https://github.com/ComplianceAsCode/content/pull/4352 Issue number 2 from comment7 is not considered by the latest fix (scap-security-guide-0.1.43-8.el7), the issue turned out to be an unrelated problem. New upstream issue was created: https://github.com/ComplianceAsCode/content/issues/4354 The Ansible remediation is using wrong variable to remediate. This patch fixes the problem with ansible remediation using wrong variable: https://github.com/ComplianceAsCode/content/pull/4365 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2198 |