Bug 1935097

Summary: Rule dir_perms_world_writable_root_owned fails after installing RHEL7 (Server with GUI) with ANSSI profile
Product: Red Hat Enterprise Linux 7
Reporter: Matus Marhefka <mmarhefk>
Component: scap-security-guide
Assignee: Vojtech Polasek <vpolasek>
Status: CLOSED WORKSFORME
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: unspecified
Version: 7.9
CC: ggasparb, mhaicman, vpolasek, wsato
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Story Points: ---
Clones: 1973639
Last Closed: 2021-10-07 09:17:27 UTC
Type: Bug
Regression: ---
Bug Blocks: 1973639
Attachments:
- HTML report from remediation during installation (flags: none)
- HTML report from scan after installation (flags: none)

Description Matus Marhefka 2021-03-04 12:01:37 UTC
Description of problem:
Rule `dir_perms_world_writable_root_owned` fails after installing RHEL7 (Server with GUI) with ANSSI profile. The finding is caused by the directory `/tmp/.ICE-unix/` which is not owned by root but by a user (with UID 1000). Normal installation (without ANSSI security profile) is not affected and the directory is correctly owned by the root user, so the ANSSI profile remediations must be causing this.


Version-Release number of selected component (if applicable):
scap-security-guide-0.1.54-3.el7_9


How reproducible:
always


Steps to Reproduce:
1. Install RHEL-7.9 Server with GUI variant and select ANSSI security policy.
2. Scan system with openscap after installation.
3. Rule dir_perms_world_writable_root_owned is reported as fail.


Actual results:
Rule `dir_perms_world_writable_root_owned` fails after installing RHEL-7.9 with the ANSSI profile.


Expected results:
Rule `dir_perms_world_writable_root_owned` passes after installing RHEL-7.9 with the ANSSI profile.


Additional info:

Comment 2 Matus Marhefka 2021-03-04 12:03:05 UTC
Created attachment 1760670 [details]
HTML report from remediation during installation

Comment 3 Matus Marhefka 2021-03-04 12:03:44 UTC
Created attachment 1760671 [details]
HTML report from scan after installation

Comment 4 Matus Marhefka 2021-03-04 15:59:45 UTC
I can confirm that the issue is caused by the `accounts_polyinstantiated_tmp` rule, when this rule is unselected from the profile the issue does not occur.

Comment 5 Watson Yuuma Sato 2021-03-10 12:32:42 UTC
This is caused by directory '/tmp/tmp-inst' (created by remediation of 'accounts_polyinstantiated_tmp') not persisting after install, very likely because the installation occurs in a 'chroot'ed environment.

The workaround for this is to re-apply remediation for 'accounts_polyinstantiated_tmp':
$ oscap xccdf eval --remediate --profile anssi_nt28_intermediary --rule xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
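
The check behind the rule and the post-remediation state described in Comment 5, as an added example that is not part of the bug report or of scap-security-guide: a POSIX shell script that lists world-writable directories not owned by a given UID (the condition `dir_perms_world_writable_root_owned` flags, with `/tmp/.ICE-unix` as the finding in this report), prints their owner and mode, and checks whether the polyinstantiation instance parent directory is present. The trusted UID is a parameter (0 on a real host) because a non-root run cannot chown fixture directories to root; the constructed fixture tree, the UID 99999 used as "some other owner", and the expected mode 000 on `tmp-inst` are assumptions of this example, not statements from the bug.

```shell
#!/bin/sh
# Added example; not from the bug report or from scap-security-guide.
# Reproduces the world-writable/root-owned check and the tmp-inst presence
# check against a constructed directory tree so it runs offline as any user.

# World-writable directories under $1 whose owner is not UID $2.
# This is the condition the rule reports; on a real host $2 is 0 (root).
world_writable_not_owned_by() {
    find "$1" -xdev -type d -perm -0002 ! -uid "$2" 2>/dev/null | sort
}

# Same check as a count, convenient for "must be zero" assertions.
count_findings() {
    world_writable_not_owned_by "$1" "$2" | wc -l | tr -d ' '
}

# Human-readable report: numeric owner, group and mode of each finding.
report_findings() {
    world_writable_not_owned_by "$1" "$2" | while IFS= read -r d; do
        ls -ldn "$d"
    done
}

# Does the polyinstantiation instance parent $1 look the way the remediation
# leaves it: present, owned by UID $2 and mode 000? (Assumption of this
# example; the report only says the directory did not persist after install.)
instance_parent_ok() {
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -prune -uid "$2" -perm 0000 -print)" ]
}

# Constructed fixture mirroring the report: a world-writable, sticky
# tmp/.ICE-unix (owned by UID 1000 rather than root on the reporter's host,
# here simply by whoever runs the script) beside a non-world-writable tmp/ok.
# tmp/tmp-inst is created only when $1 is "with-inst".
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/tmp/.ICE-unix" "$root/tmp/ok" "$root/var"
    chmod 1777 "$root/tmp/.ICE-unix"
    chmod 755 "$root/tmp/ok" "$root/var"
    if [ "${1:-}" = "with-inst" ]; then
        mkdir "$root/tmp/tmp-inst"
        chmod 000 "$root/tmp/tmp-inst"
    fi
    echo "$root"
}

# Remove a fixture, restoring permissions first so the 000 directory goes too.
drop_fixture() {
    chmod -R u+rwx "$1" && rm -rf "$1"
}

# Stand-alone demonstration (set DEMO=0 to only define the functions).
if [ "${DEMO:-1}" = 1 ]; then
    root=$(build_fixture with-inst)
    echo "findings when the running user ($(id -u)) is the trusted owner:"
    report_findings "$root" "$(id -u)"   # nothing: every directory is ours
    echo "findings when UID 99999 is the trusted owner:"
    report_findings "$root" 99999        # tmp/.ICE-unix is reported
    if instance_parent_ok "$root/tmp/tmp-inst" "$(id -u)"; then
        echo "tmp-inst present with mode 000"
    fi
    drop_fixture "$root"
fi
```

On a real host the scan-equivalent call is `world_writable_not_owned_by / 0`; anything it prints is what the rule would flag, and `instance_parent_ok /tmp/tmp-inst 0` tells you whether the polyinstantiation remediation survived the install before you re-run the `oscap` workaround above.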

Comment 7 Marek Haicman 2021-09-17 22:08:13 UTC
When trying to learn more about the polyinstantiation (also in our docs), I have stumbled upon this blog by Huzaifa: https://access.redhat.com/blogs/766093/posts/3169121 and some other materials. All of them say the `tmp-inst` should be a root directory, not a subdirectory of `/tmp/`. Are you sure the rule works as expected, Vojto?