Bug 1673935

Summary: Rule xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership fails even though rsyslog log files have expected group
Product: Red Hat Enterprise Linux 7
Reporter: Renaud Métrich <rmetrich>
Component: scap-security-guide
Assignee: Watson Yuuma Sato <wsato>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.6
CC: mhaicman, openscap-maint
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-02-11 09:11:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Renaud Métrich 2019-02-08 13:59:25 UTC
Description of problem:

On RHEL7.6 systems, the xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership rule fails, claiming that the rsyslog log files (in /var/log) do not have the expected group.

On Red Hat systems, the group is supposed to be "root" (0) by default.

# oscap xccdf eval --fetch-remote-resources --report report.html --profile xccdf_org.ssgproject.content_profile_pci-dss --rule xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 ... ok
Title   Ensure Log Files Are Owned By Appropriate Group
Rule    xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
Ident   CCE-80190-2
Result  fail


Version-Release number of selected component (if applicable):

scap-security-guide-0.1.40-12.el7.noarch


How reproducible:

Always


Steps to Reproduce:
1. Execute the rule on a RHEL 7.6 system

Actual results:

Result  fail


Expected results:

Result  pass


Additional info:

Changing the group to "adm" (4) fixes the issue:

# chgrp 4 $(perl -n -e 'm#^[^(\s|\#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$# && print "$1\n"' /etc/rsyslog.conf /etc/rsyslog.d/* )
# ls -l $(perl -n -e 'm#^[^(\s|\#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$# && print "$1\n"' /etc/rsyslog.conf /etc/rsyslog.d/* )
-rw-------. 2 root adm  14747 Feb  8 14:21 /var/log/boot.log
-rw-------. 1 root adm  16913 Feb  8 14:30 /var/log/cron
-rw-------. 1 root adm   2124 Feb  8 14:21 /var/log/maillog
-rw-------. 1 root adm 671797 Feb  8 14:36 /var/log/messages
-rw-------. 1 root adm  17487 Feb  8 14:25 /var/log/secure
-rw-------. 1 root adm      0 Jan 31 11:18 /var/log/spooler
# oscap xccdf eval --fetch-remote-resources --report report.html --profile xccdf_org.ssgproject.content_profile_pci-dss --rule xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 ... ok
Title   Ensure Log Files Are Owned By Appropriate Group
Rule    xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
Ident   CCE-80190-2
Result  pass


Looking at the source code (shared/checks/oval/rsyslog_files_groupownership.xml), we can see that the "state_rsyslog_files_groupownership" state compares against Ubuntu/Debian and the rest of the world:

  <unix:file_state id="state_rsyslog_files_groupownership" version="1">
    <unix:type operation="equals">regular</unix:type>
    {{% if product in ["debian8", "ubuntu1404", "ubuntu1604"] %}}
    <unix:group_id datatype="int">0</unix:group_id>
    {{% else %}}
    <unix:group_id datatype="int">4</unix:group_id>
    {{% endif %}}
  </unix:file_state>

I don't know what Ubuntu/Debian expects; probably the if/else/endif has to be inverted (RHEL expects "0", and Ubuntu/Debian probably "4").
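The report above extracts rsyslog's log file targets with a perl one-liner and then relies on the OVAL state to compare each file's group to a hard-coded gid. The script below is an added example (not code from the bug report, from scap-security-guide, or from rsyslog) that re-expresses the same path extraction in Python and makes the expected gid a parameter, so an administrator can audit the files against the group their platform actually uses (0 on RHEL per the report) instead of the value baked into the check. The sample configuration and the ownership table are constructed; the `gid_of` hook is an assumption of this example that lets the audit run offline, and dropping it makes the check stat the real files.

```python
#!/usr/bin/env python3
"""Audit group ownership of rsyslog log file targets (added example)."""
import os
import re
from typing import Callable, Dict, List, Optional

# Re-expression of the perl pattern used in the bug report: skip lines that
# start with whitespace, '#' or '$' (comments and legacy directives), then
# capture the last "/path" token of a legacy-syntax selector line, tolerating
# the leading '-' that marks asynchronous writes. RainerScript action(...)
# lines are not parsed, which matches the original one-liner's behaviour.
RSYSLOG_TARGET_RE = re.compile(r'^[^\s#$()|]+\s+.*\s+-?(/+[^:;\s]+);*.*$')


def rsyslog_log_files(config_text: str) -> List[str]:
    """Return the unique log file paths named as targets, in config order."""
    paths: List[str] = []
    for line in config_text.splitlines():
        match = RSYSLOG_TARGET_RE.match(line)
        if match and match.group(1) not in paths:
            paths.append(match.group(1))
    return paths


def check_group_ownership(paths: List[str], expected_gid: int,
                          gid_of: Optional[Callable[[str], int]] = None) -> Dict[str, bool]:
    """Map each path to True when its owning gid equals expected_gid.

    gid_of (hypothetical hook of this example) replaces os.stat for offline
    runs. A missing file is reported as a failure rather than raising, which
    is how a scanner's state check would treat an absent log file.
    """
    if gid_of is None:
        gid_of = lambda p: os.stat(p).st_gid
    results: Dict[str, bool] = {}
    for path in paths:
        try:
            results[path] = gid_of(path) == expected_gid
        except (OSError, KeyError):
            results[path] = False
    return results


# Constructed sample resembling a RHEL 7 default /etc/rsyslog.conf.
SAMPLE_CONF = """\
# rsyslog configuration file (constructed sample)
$ModLoad imuxsock
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
"""

# Constructed ownership table: root (0) is the RHEL default described in the
# report, with one file deliberately owned by "adm" (4) so a mismatch shows.
SAMPLE_GIDS = {
    "/var/log/messages": 0, "/var/log/secure": 0, "/var/log/maillog": 0,
    "/var/log/cron": 0, "/var/log/spooler": 0, "/var/log/boot.log": 4,
}


def failing_files(expected_gid: int = 0,
                  gid_of: Optional[Callable[[str], int]] = None,
                  config_text: str = SAMPLE_CONF) -> List[str]:
    """Paths whose group does not match expected_gid, in config order."""
    results = check_group_ownership(rsyslog_log_files(config_text), expected_gid, gid_of)
    return [path for path, ok in results.items() if not ok]


if __name__ == "__main__":
    # Offline run against the constructed data; omit gid_of= to stat real files.
    for path in failing_files(expected_gid=0, gid_of=SAMPLE_GIDS.__getitem__):
        print(f"FAIL group mismatch: {path}")
```

Running it with `expected_gid=4` against the same table reproduces the report's observation from the other side: every root-owned file is flagged, and only the file that was changed to "adm" passes. The audit reads the expected gid from the caller rather than from the product name, which is the distinction the report's last paragraph is pointing at.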

Comment 2 Watson Yuuma Sato 2019-02-11 09:11:27 UTC

*** This bug has been marked as a duplicate of bug 1657701 ***