Bug 2023569

Summary: Remediations for scan with xccdf_org.ssgproject.content_profile_ism_o do not actually remediate failed test results
Product: Red Hat Enterprise Linux 8 Reporter: kmoriguc
Component: scap-security-guideAssignee: Gabriel Gaspar Becker <ggasparb>
Status: CLOSED ERRATA QA Contact: Milan Lysonek <mlysonek>
Severity: medium Docs Contact: Jan Fiala <jafiala>
Priority: medium    
Version: 8.4CC: ggasparb, jafiala, matyc, mhaicman, mlysonek, wsato
Target Milestone: rcKeywords: AutoVerified, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.60-1.el8 Doc Type: Bug Fix
Doc Text:
.Descriptions for `restorecon` and `seunshare` SSG rules fixed Previously, descriptions for rules "Record Any Attempts to Run restorecon" (CCE-80699-2) and "Record Any Attempts to Run seunshare" (CCE-80933-5) were incorrect. With this update, the descriptions of these rules are aligned with the automated OVAL check. As a result, applying the fix recommended in the description now correctly fixes these rules.
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-10 14:15:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
A samle test result against RHEL 8.4 server none

Description kmoriguc 2021-11-16 03:53:45 UTC
Created attachment 1841934 [details]
A samle test result against RHEL 8.4 server

Description of problem:
Remediations for scan with xccdf_org.ssgproject.content_profile_ism_o do not actually remediate failed test results

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.57-5.el8.noarch.rpm

How reproducible:
100%

Steps to Reproduce:
1. Run evaluation with:
Profile ID	xccdf_org.ssgproject.content_profile_ism_o 
Benchmark ID	xccdf_org.ssgproject.content_benchmark_RHEL-8

2. The test report includes failed results for 
- Record Any Attempts to Run restorecon
- Record Any Attempts to Run seunshare
Respective remediation is to add audit rules:
-a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged

3. Re-run of the evaluation will not remediate these two errors.
The actual audit rules required to remediate failed results are respectively:
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Actual results:
"Description" in the test report do not remediate failed results.

Expected results:
"Description" in the test report remediates failed results.

Additional info:

Comment 2 Gabriel Gaspar Becker 2021-11-16 12:29:08 UTC
Fix proposed upstream: https://github.com/ComplianceAsCode/content/pull/7885

Comment 20 errata-xmlrpc 2022-05-10 14:15:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1900