Bug 1935097
Summary: | Rule dir_perms_world_writable_root_owned fails after installing RHEL7 (Server with GUI) with ANSSI profile | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Matus Marhefka <mmarhefk>
Component: | scap-security-guide | Assignee: | Vojtech Polasek <vpolasek>
Status: | CLOSED WORKSFORME | QA Contact: | BaseOS QE Security Team <qe-baseos-security>
Severity: | medium | Docs Contact: |
Priority: | unspecified | |
Version: | 7.9 | CC: | ggasparb, mhaicman, vpolasek, wsato
Target Milestone: | rc | Keywords: | Triaged
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | No Doc Update
Doc Text: | | Story Points: | ---
Clone Of: | | |
: | 1973639 | Environment: |
Last Closed: | 2021-10-07 09:17:27 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 1973639 | |
Attachments: | | |
Description
Matus Marhefka
2021-03-04 12:01:37 UTC
Created attachment 1760670
HTML report from remediation during installation

Created attachment 1760671
HTML report from scan after installation

I can confirm that the issue is caused by the `accounts_polyinstantiated_tmp` rule; when this rule is unselected from the profile, the issue does not occur. This is caused by the directory '/tmp/tmp-inst' (created by remediation of 'accounts_polyinstantiated_tmp') not persisting after install, very likely because the installation occurs in a 'chroot'ed environment. The workaround for this is to re-apply the remediation for 'accounts_polyinstantiated_tmp':

```
$ oscap xccdf eval --remediate --profile anssi_nt28_intermediary --rule xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
```

When trying to learn more about polyinstantiation (also in our docs), I have stumbled upon this blog by Huzaifa: https://access.redhat.com/blogs/766093/posts/3169121 and some other materials. All of them say the `tmp-inst` should be a root directory, not a subdirectory of `/tmp/`. Are you sure the rule works as expected, Vojto?
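As an added post-install check (example code written for this page, not part of the bug report or of scap-security-guide), the script below lists the condition the failing rule flags and tests whether the /tmp instance directory from the remediation survived the install. It assumes the rule's condition is "world-writable directory whose owner is not uid 0" and that the remediation registers the instance prefix for /tmp in /etc/security/namespace.conf; the function names are the example's own.

```shell
#!/bin/sh
# Added example; not from the bug report or from scap-security-guide.
# Assumptions: the rule flags world-writable directories whose owner is not
# uid 0, and the remediation registers the /tmp instance directory in
# /etc/security/namespace.conf (fields: polydir instance_prefix method uids).

# Read "uid mode path" records on stdin (see scan_dirs) and print the paths of
# world-writable directories not owned by root. The last octal digit of the
# mode holds the "other" bits; write is bit 2, so digits 2, 3, 6 and 7 match.
flag_world_writable_non_root() {
    awk '$1 != 0 && substr($2, length($2), 1) ~ /[2367]/ { print $3 }'
}

# Emit one "uid mode path" record per directory under $1 (GNU find -printf).
scan_dirs() {
    find "$1" -xdev -type d -printf '%U %m %p\n' 2>/dev/null
}

# Print the instance prefix configured for /tmp in the namespace.conf given as
# $1 (comment and blank lines never match); print nothing if none is set.
polyinst_prefix_for_tmp() {
    awk '$1 == "/tmp" { print $2; exit }' "$1"
}

# Succeed only if the instance prefix configured for /tmp exists as a
# directory; failure is the post-install state the bug report describes.
polyinst_dir_present() {
    prefix=$(polyinst_prefix_for_tmp "$1")
    [ -n "$prefix" ] && [ -d "${prefix%/}" ]
}

# Live check of the installed system; run as: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "World-writable directories not owned by root:"
    scan_dirs / | flag_world_writable_non_root
    if ! polyinst_dir_present /etc/security/namespace.conf; then
        echo "/tmp instance directory missing: re-apply accounts_polyinstantiated_tmp"
    fi
fi
```

Run with `--run` on the installed system after the first boot; an empty first list and no "missing" line means both conditions from the report hold.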