Bug 1691912

Summary: openscap doesn't properly recognize kernel module loading and unloading remediations
Product: Red Hat Enterprise Linux 7
Reporter: Ryan Mullett <rmullett>
Component: scap-security-guide
Assignee: Watson Yuuma Sato <wsato>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: unspecified
Version: 7.6
CC: ggasparb, mhaicman, openscap-maint
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2019-03-25 12:26:44 UTC
Type: Bug

Description Ryan Mullett 2019-03-22 19:35:58 UTC
Description of problem:
The following three remediations show as failing, even though the proper rules appear to be in place.
xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading
xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete

Version-Release number of selected component (if applicable):
openscap-1.2.17-2.el7.x86_64
scap-security-guide-0.1.40-12.el7.noarch
openscap-scanner-1.2.17-2.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Remediate/scan a system using oscap with DISA STIG

Actual results:
System shows fail on the following 3 rules:
- Ensure auditd Collects Information on Kernel Module Loading and Unloading
- Ensure auditd Collects Information on Kernel Module Loading and Unloading - init_module
- Ensure auditd Collects Information on Kernel Module Loading and Unloading - delete_module

Expected results:
System will properly recognize that the rules have been implemented

Additional info:
Attempted automatic remediation with --remediate, as well as taking the recommended remediation from the generated report.html and running it from a bash script. Neither one results in the checks properly passing, though the proper remediations do appear to be in place.

Comment 2 Watson Yuuma Sato 2019-03-25 12:26:44 UTC
Hello Ryan,

I believe this is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1658136.
There were fixes to the recommended remediation in the rule description and also to the bash scripts.

The problem was that audit rules for two other syscalls are also expected to be in place: finit_module and create_module.

A workaround is to add the audit rules manually as follows (auditctl expects the arch field as b32/b64):
-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -S create_module -F key=modules
-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -S create_module -F key=modules

*** This bug has been marked as a duplicate of bug 1658136 ***

Comment 3 Watson Yuuma Sato 2019-03-25 13:23:23 UTC
Also, please note that 64-bit systems need to have the audit rule for both 32-bit and 64-bit.
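The check described in comments 2 and 3, as an added example that is not from the bug report or from scap-security-guide: a bash script that parses an audit rules file and reports which of the four module syscalls are not covered for arch=b32 or arch=b64. The sample rules file it builds is constructed here from the workaround rules; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the bug report or scap-security-guide: checks that an
# audit rules file covers all four kernel-module syscalls for both arch=b32 and
# arch=b64, which is what the fixed kernel_module_loading rules expect.
REQUIRED_SYSCALLS="init_module finit_module delete_module create_module"

# Print the syscalls named by "-a always,exit" rules for one arch (b32 or b64).
# Both the "-S a -S b" and the "-S a,b" spellings are accepted.
covered_syscalls() {   # $1 = rules file, $2 = arch
    awk -v arch="$2" '
        /^-a[[:space:]]+(always,exit|exit,always)/ &&
        $0 ~ ("-F[[:space:]]+arch=" arch "([[:space:]]|$)") {
            for (i = 1; i < NF; i++)
                if ($i == "-S") {
                    n = split($(i + 1), parts, ",")
                    for (j = 1; j <= n; j++) print parts[j]
                }
        }' "$1" | sort -u
}

# Return 0 if every required syscall is audited for both arches, 1 otherwise;
# each missing (arch, syscall) pair is printed so it can be added to the file.
check_module_audit_rules() {   # $1 = rules file
    local rc=0 arch sc have
    for arch in b32 b64; do
        have=$(covered_syscalls "$1" "$arch")
        for sc in $REQUIRED_SYSCALLS; do
            if ! printf '%s\n' "$have" | grep -qx "$sc"; then
                echo "missing: arch=$arch syscall=$sc"
                rc=1
            fi
        done
    done
    return "$rc"
}

# Constructed sample: the workaround rules from comment 2 in the b32/b64
# spelling auditctl expects, written to a temporary file; prints its path.
sample_rules_file() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -S create_module -F key=modules
-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -S create_module -F key=modules
EOF
    echo "$f"
}

# Pass a real rules file (for example /etc/audit/rules.d/audit.rules) as $1.
if [ -n "${1:-}" ]; then check_module_audit_rules "$1"; fi
```

Running it against a host's rules.d file before an oscap scan shows exactly which (arch, syscall) pairs the three rules will flag.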