Bug 1750526
| Summary: | open scap remediation script: ssg-rhel8-role-ospp.sh placing duplicate entries into /etc/selinux/config file. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | mkielian <mkielian> |
| Component: | scap-security-guide | Assignee: | Gabriel Gaspar Becker <ggasparb> |
| Status: | CLOSED ERRATA | QA Contact: | Matus Marhefka <mmarhefk> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.0 | CC: | ggasparb, matyc, mhaicman |
| Target Milestone: | rc | Flags: | pm-rhel: mirror+ |
| Target Release: | 8.0 | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | scap-security-guide-0.1.50-5.el8 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-04 02:29:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I've identified the root cause of the issue and reported upstream: https://github.com/ComplianceAsCode/content/issues/4838

The bash remediation is not able to detect correctly when a keyword is already present in the configuration file (/etc/sysconfig/linux)

Fixed upstream: https://github.com/ComplianceAsCode/content/pull/5785

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4626
Description of problem:

Open Scap Security Guide Remediation script [ /usr/share/scap-security-guide/bash/ssg-rhel8-role-ospp.sh ] for RHEL8 duplicates entries in the SELINUX configuration file: [ /etc/selinux/config ]

Note: (RHEL 8 Remediation script files)

    ssg-rhel8-role-default.sh - Is NOT affected
    ssg-rhel8-role-ospp.sh    - Is affected
    ssg-rhel8-role-pci-dss.sh - Is NOT affected

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.42-11.el8.noarch

How reproducible:

Easily Reproducible

Steps to Reproduce:

1. Install SCAP Security Guide.

       # yum install scap-security-guide

2. Run the SCAP remediation script.

       # chmod +x /usr/share/scap-security-guide/bash/ssg-rhel8-role-ospp.sh
       # /usr/share/scap-security-guide/bash/ssg-rhel8-role-ospp.sh

3. Check the SELinux configuration file here:

       # less /etc/selinux/config

Actual results:

File: /etc/selinux/config

    ###BEGIN FILE###
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    # enforcing - SELinux security policy is enforced.
    # permissive - SELinux prints warnings instead of enforcing.
    # disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of these three values:
    # targeted - Targeted processes are protected,
    # minimum - Modification of targeted policy. Only selected processes are protected.
    # mls - Multi Level Security protection.
    SELINUXTYPE=targeted
    # Per CCE-CCE-80868-3: Set SELINUXTYPE=targeted in /etc/sysconfig/selinux
    SELINUXTYPE=targeted
    # Per CCE-CCE-80869-1: Set SELINUX=enforcing in /etc/sysconfig/selinux
    SELINUX=enforcing
    ###END FILE###

Note: It appends two duplicate entries to the file after the script is run.

    SELINUXTYPE=targeted
    SELINUX=enforcing

Expected results:

Script should not be adding additional SELINUX entries [ SELINUXTYPE=targeted , SELINUX=enforcing ] into the selinux configuration file.

Additional info:
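
The failure mode discussed in this bug (a remediation that appends a key that is already present) next to an idempotent alternative, as an added example that is not part of the bug report, the SSG script, or the upstream fix. The function names `naive_set`, `set_config_value` and `count_key` are hypothetical, and the sample file is constructed in a temporary location.

```shell
#!/bin/bash
# Added example. Function names and sample content are constructed,
# not taken from the SSG remediation script.

# Naive remediation: appends unconditionally, producing the duplicates in the report.
naive_set() {            # usage: naive_set FILE KEY VALUE
    printf '%s=%s\n' "$2" "$3" >> "$1"
}

# Idempotent remediation: rewrite the first active KEY= line, drop later
# duplicates, and append only when no active line exists.
# Assumes KEY is a plain identifier (no regex metacharacters).
set_config_value() {     # usage: set_config_value FILE KEY VALUE
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    # Requiring "=" right after KEY keeps SELINUX from matching SELINUXTYPE,
    # and the ^ anchor skips "# SELINUX=" comment lines.
    awk -v k="$key" -v v="$value" '
        $0 ~ "^[ \t]*" k "[ \t]*=" {
            if (!seen) { print k "=" v; seen = 1 }
            next
        }
        { print }
        END { if (!seen) print k "=" v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner, mode and SELinux label
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Count active (uncommented) KEY= lines.
count_key() {            # usage: count_key FILE KEY
    grep -c -E "^[[:space:]]*$2[[:space:]]*=" "$1" || true
}

# Demo on a constructed file with the stock layout; never touches /etc.
demo_file=$(mktemp)
printf '%s\n' '# SELINUX= can take one of these three values:' \
    'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$demo_file"
naive_set "$demo_file" SELINUX enforcing
echo "after naive append:   $(count_key "$demo_file" SELINUX) active SELINUX lines"
set_config_value "$demo_file" SELINUX enforcing
echo "after idempotent set: $(count_key "$demo_file" SELINUX) active SELINUX line"
rm -f "$demo_file"
```

`count_key` also works as a post-remediation check: any value above 1 for a key means a script has appended instead of updating.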