Bug 1643148

Summary: All SCAP rules not applied after upgrading to RHEL 7.6
Product: Red Hat CloudForms Management Engine Reporter: luke couzens <lcouzens>
Component: ApplianceAssignee: Nick Carboni <ncarboni>
Status: CLOSED ERRATA QA Contact: Satyajit Bulage <sbulage>
Severity: high Docs Contact: Red Hat CloudForms Documentation <cloudforms-docs>
Priority: high    
Version: 5.9.5CC: abellott, jprause, mfeifer, ncarboni, obarenbo, sbulage, simaishi, yrudman
Target Milestone: GA   
Target Release: 5.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: upgrade:black
Fixed In Version: 5.10.0.24 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-07 23:03:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core Target Upstream Version:
Embargoed:

Comment 5 Nick Carboni 2018-11-09 21:35:44 UTC 
It looks like the check might be flawed in this case.

The rule "Ensure auditd Collects Information on Kernel Module Loading and Unloading" seems to be satisfied even though the report shows it is not:

[root@localhost audit]# cat audit.rules  | grep module
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
[root@localhost audit]# cat rules.d/modules.rules 
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules

The rule "Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)" is also satisfied despite the report:

[root@localhost audit]# cat audit.rules  | grep creat
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
[root@localhost audit]# cat rules.d/access.rules 
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

Also, as per https://github.com/ComplianceAsCode/content/pull/971 the RDS and TIPC modules are no longer included in the rhel7 kernel so I'll create a PR to remove those rules.
Comment 12 Nick Carboni 2018-12-19 15:13:55 UTC 
Satyajit,

I'm not sure what you're asking. I looked at the appliance you provided and the bugs look fixed on that appliance based on the output I posted.
I am aware that the report is incorrect, but that is irrelevant. Is there something that you think still requires fixing?

Nick
Comment 13 Satyajit Bulage 2019-01-14 16:39:33 UTC 
After enabling SCAP on appliance, I can see the files in the appliance, as per comment 10

Verified Version: 5.10.0.31.20190108221820_a0968c8
Comment 14 errata-xmlrpc 2019-02-07 23:03:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0212