Bug 2020626

Summary: The sshd_enable_warning_banner rule creates bogus file /etc/ssh/sshd_config.d/hardening
Product: Red Hat Enterprise Linux 9
Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: scap-security-guide
Assignee: Watson Yuuma Sato <wsato>
Status: CLOSED ERRATA
QA Contact: Milan Lysonek <mlysonek>
Severity: unspecified
Priority: unspecified
Version: 9.0
CC: ggasparb, jpazdziora, matyc, mhaicman, mlysonek, vpolasek
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: scap-security-guide-0.1.60-1.el9
Doc Type: No Doc Update
Last Closed: 2022-05-17 13:53:40 UTC
Type: Bug

Description Jan Pazdziora (Red Hat) 2021-11-05 12:40:26 UTC
Description of problem:

When remediating with the sshd_enable_warning_banner rule in the OSPP profile, file /etc/ssh/sshd_config.d/hardening gets created which does affect the configuration because /etc/ssh/sshd_config states

  Include /etc/ssh/sshd_config.d/*.conf

so it only processes files with .conf extension.

Polluting the filesystem with unnecessary empty files is not nice.

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.57-5.el9

How reproducible:

Deterministic.

Steps to Reproduce:
1. Check content of /etc/ssh/sshd_config.d with
   ls -la /etc/ssh/sshd_config.d
2. Remediate the sshd_enable_warning_banner rule:
   oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_ospp --rule xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
3. Check content of /etc/ssh/sshd_config.d again with
   ls -la /etc/ssh/sshd_config.d

Actual results:

total 8
drwx------. 2 root root   28 Nov  5 07:33 .
drwxr-xr-x. 4 root root 4096 Nov  5 07:35 ..
-rw-------. 1 root root  719 Oct 25 05:46 50-redhat.conf

WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml file which is referenced from XCCDF content
Title	Enable SSH Warning Banner
Rule	xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
Ident	CCE-90807-9
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml file which is referenced from XCCDF content
Result	fail
 --- Starting Remediation ---
Title	Enable SSH Warning Banner
Rule	xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
Ident	CCE-90807-9
Result	fixed

total 12
drwx------. 2 root root   87 Nov  5 07:36 .
drwxr-xr-x. 4 root root 4096 Nov  5 07:36 ..
-rw-r--r--. 1 root root   18 Nov  5 07:36 00-complianceascode-hardening.conf
-rw-------. 1 root root  719 Nov  5 07:36 50-redhat.conf
-rw-r--r--. 1 root root    0 Nov  5 07:36 hardening

Expected results:

total 8
drwx------. 2 root root   28 Nov  5 07:33 .
drwxr-xr-x. 4 root root 4096 Nov  5 07:35 ..
-rw-------. 1 root root  719 Oct 25 05:46 50-redhat.conf

WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml file which is referenced from XCCDF content
Title	Enable SSH Warning Banner
Rule	xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
Ident	CCE-90807-9
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml file which is referenced from XCCDF content
Result	fail
 --- Starting Remediation ---
Title	Enable SSH Warning Banner
Rule	xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
Ident	CCE-90807-9
Result	fixed

total 10
drwx------. 2 root root   87 Nov  5 07:36 .
drwxr-xr-x. 4 root root 4096 Nov  5 07:36 ..
-rw-r--r--. 1 root root   18 Nov  5 07:36 00-complianceascode-hardening.conf
-rw-------. 1 root root  719 Nov  5 07:36 50-redhat.conf

-- the hardening file is not present.

Additional info:
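As an added illustration (not part of the bug report and not scap-security-guide code), a POSIX sh script that expands the Include globs of an sshd_config the way sshd does and lists which drop-in files are picked up and which are silently ignored. The /etc/ssh-like tree under a temp directory is constructed here and mirrors the "Actual results" listing above; only plain "Include <glob>" lines are handled.

```shell
#!/bin/sh
# Added example, not from the bug report or from scap-security-guide.
# Expand the Include globs of an sshd_config to see which drop-in files sshd
# will actually read, and flag files in the drop-in directory that no glob
# covers (sshd ignores them, like the extension-less "hardening" file above).

# Constructed sample tree standing in for /etc/ssh on the reporter's system.
SSH_ROOT="$(mktemp -d)"
trap 'rm -rf "$SSH_ROOT"' EXIT
mkdir -p "$SSH_ROOT/sshd_config.d"
printf 'Include %s/sshd_config.d/*.conf\nPermitRootLogin no\n' \
    "$SSH_ROOT" > "$SSH_ROOT/sshd_config"
printf 'Banner /etc/issue\n' > "$SSH_ROOT/sshd_config.d/00-complianceascode-hardening.conf"
printf 'Subsystem sftp /usr/libexec/openssh/sftp-server\n' > "$SSH_ROOT/sshd_config.d/50-redhat.conf"
: > "$SSH_ROOT/sshd_config.d/hardening"   # the bogus empty file, no .conf suffix

# Print the glob argument of every Include line (keyword is case-insensitive).
include_globs() {
    awk 'tolower($1) == "include" { print $2 }' "$1"
}

# Files sshd will actually read: expand each Include glob, keep regular files.
included_files() {
    set -f                                   # keep the glob literal until expanded
    for g in $(include_globs "$1"); do
        set +f
        for m in $g; do
            if [ -f "$m" ]; then printf '%s\n' "$m"; fi
        done
        set -f
    done
    set +f
}

# Files in the drop-in directory that no Include glob of the config covers.
stray_dropins() {
    for f in "$2"/*; do
        if [ -f "$f" ] && ! included_files "$1" | grep -qxF "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

echo "Read by sshd:";    included_files "$SSH_ROOT/sshd_config"
echo "Ignored by sshd:"; stray_dropins "$SSH_ROOT/sshd_config" "$SSH_ROOT/sshd_config.d"
```

On a real host, `sshd -T | grep -i banner` prints the effective value and is the quickest confirmation that a drop-in was actually read.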

Comment 4 Matěj Týč 2021-12-15 10:52:43 UTC
Fixed by a rebase in 0.1.58

Comment 18 errata-xmlrpc 2022-05-17 13:53:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: scap-security-guide), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2610