Bug 2013159

Summary: rsyslog_encrypt_offload_* rules fail after ansible remediation
Product: Red Hat Enterprise Linux 8
Reporter: Milan Lysonek <mlysonek>
Component: scap-security-guide
Assignee: Vojtech Polasek <vpolasek>
Status: CLOSED ERRATA
QA Contact: Milan Lysonek <mlysonek>
Severity: unspecified
Priority: unspecified
Version: 8.5
CC: ggasparb, mhaicman, wsato
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: scap-security-guide-0.1.59-1.el8
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2022-05-10 14:15:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Milan Lysonek 2021-10-12 09:18:07 UTC
Description of problem:
The rsyslog_encrypt_offload_* Ansible remediations set an incorrect option in the rsyslog configuration file.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.57-5.el8.noarch

How reproducible:
always

Steps to Reproduce:
1. ansible-playbook -t rsyslog_encrypt_offload_actionsendstreamdrivermode -i "localhost," /usr/share/scap-security-guide/ansible/rhel8-playbook-stig.yml
2. oscap xccdf eval --profile stig --rule xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Actual results:
Scan result is fail

Expected results:
Scan result is pass

Additional info:
Content project has 3 rsyslog_encrypt_offload_* rules:
- rsyslog_encrypt_offload_actionsendstreamdriverauthmode
- rsyslog_encrypt_offload_actionsendstreamdrivermode
- rsyslog_encrypt_offload_defaultnetstreamdriver

As an example, I will describe the rsyslog_encrypt_offload_defaultnetstreamdriver rule:
The rsyslog option has a $ prefix; in this case the option is $DefaultNetstreamDriver. But after the Ansible remediation is applied, the configuration file has this content:
\$DefaultNetstreamDriver gtls

The option is wrong in the Ansible playbook; the dollar sign should not be escaped.

Comment 1 Vojtech Polasek 2021-10-14 09:58:33 UTC
Analysis:
The Ansible playbook contains \$ where there should be only $. This occurs at the beginning of the configuration line.
This has been fixed upstream:
https://github.com/ComplianceAsCode/content/pull/7570
But I am not moving it into the POST state, as I think that the fix might not be ideal. It drops the backslash from the $ sign. But the line is used both as a regex and as a line to be inserted. By dropping the backslash, the regex becomes wrong. I will try to suggest a fix.
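
The concern in Comment 1, that one string cannot serve both as the matching regex and as the inserted line, shown as an added example (not code from this bug report or from the ComplianceAsCode project). `ensure_line` is a hypothetical, simplified model of a replace-or-append task using Python regular expressions, and the sample configuration lines are constructed.

```python
import re

def ensure_line(lines, regexp, line):
    """Replace the last line matching regexp with `line`, else append `line`.

    Simplified model of a replace-or-append remediation task (an assumption
    for illustration, not the playbook's actual implementation).
    """
    pattern = re.compile(regexp)
    hits = [i for i, cur in enumerate(lines) if pattern.search(cur)]
    out = list(lines)
    if hits:
        out[hits[-1]] = line
    else:
        out.append(line)
    return out

# Constructed sample: an rsyslog config with a non-compliant driver value.
EXISTING = ["$ModLoad imuxsock", "$DefaultNetstreamDriver ptcp"]
OPTION = "$DefaultNetstreamDriver"
VALUE = "gtls"

def escaped_for_both(lines=EXISTING):
    # One escaped string used as regex AND as inserted text: the regex
    # matches, but a literal backslash is written to the file.
    s = r"\$DefaultNetstreamDriver"
    return ensure_line(lines, "^" + s, s + " " + VALUE)

def unescaped_for_both(lines=EXISTING):
    # One unescaped string for both: "$" is an end-of-line anchor in the
    # regex, so the old setting is never matched and stays in place.
    return ensure_line(lines, "^" + OPTION, OPTION + " " + VALUE)

def separate_regex_and_line(lines=EXISTING):
    # Escape only the regex; insert the literal option name.
    return ensure_line(lines, "^" + re.escape(OPTION), OPTION + " " + VALUE)

if __name__ == "__main__":
    for fn in (escaped_for_both, unescaped_for_both, separate_regex_and_line):
        print(fn.__name__, fn())
```

Only the last variant both replaces the old value and leaves the file unchanged on a second run, which is what a scanner checking for `$DefaultNetstreamDriver gtls` needs.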

Comment 2 Watson Yuuma Sato 2021-12-01 13:27:52 UTC
This patch follows up on Vojtech's concerns:
https://github.com/ComplianceAsCode/content/pull/7755

Comment 15 errata-xmlrpc 2022-05-10 14:15:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1900