Bug 2032403

Summary: openscap cis_server_level1 benchmark list mount option requirement for /var/tmp but does not require separate /var/tmp
Product: Red Hat Enterprise Linux 8
Reporter: Ameya Patil <amepatil>
Component: scap-security-guide
Assignee: Matěj Týč <matyc>
Status: CLOSED ERRATA
QA Contact: Matus Marhefka <mmarhefk>
Severity: medium
Docs Contact: Jan Fiala <jafiala>
Priority: unspecified
Version: 8.5
CC: ggasparb, jafiala, matyc, mhaicman, mjahoda, mlysonek, vpolasek, wsato
Target Milestone: rc
Keywords: AutoVerified, Triaged, ZStream
Target Release: ---
Hardware: All
OS: All
Whiteboard:
Fixed In Version: scap-security-guide-0.1.63-3.el8
Doc Type: Enhancement
Doc Text:
.SSG rules for mount options no longer fail incorrectly if the `/tmp` and `/var/tmp` partitions do not exist

Previously, the SCAP Security Guide (SSG) rules for mount options of `/tmp` and `/var/tmp` partitions were incorrectly reporting the `fail` result if such partitions did not exist on the system. This enhancement makes those rules not applicable instead of failing. Now, the rules fail only when the partition exists and the system does not have correct mount options. If these mount options are essential for a particular policy, a rule that prescribes the existence of such partitions should be present in the profile, and that one rule should fail.
Story Points: ---
Clone Of:
Clones: 2117510, 2117511
Environment:
Last Closed: 2022-11-08 09:39:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2117510, 2117511

Description Ameya Patil 2021-12-14 12:41:17 UTC
Description of problem:

The new RHEL 8.5 security guide has the updated CIS profiles, which include Level 1 and Level 2 for servers for RHEL 7:

~~~
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml  | grep -i cis
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL7.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml' file which is referenced from datastream
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml' file which is referenced from datastream
			Title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server
				Id: xccdf_org.ssgproject.content_profile_cis
			Title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server
				Id: xccdf_org.ssgproject.content_profile_cis_server_l1
			Title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation
				Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1
			Title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation
				Id: xccdf_org.ssgproject.content_profile_cis_workstation_l2
~~~

While performing a SCAP scan from a RHEL 8.5 system against a RHEL 7.9 system using oscap-ssh, the issue is that the Level 1 server profile has entries for a separate /tmp partition but not for a separate /var/tmp.
However, the Level 1 server profile also has rules requiring /var/tmp to have the nosuid, noexec and nodev mount options.
Since a separate partition is not a requirement, /var/tmp should not require mount options like these.



Version-Release number of selected component (if applicable):
scap-security-guide-0.1.57-5.el8.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Perform an oscap scan from a RHEL 8.5 system with the new version of scap-security-guide against a RHEL 7.9 system; you can use the oscap-ssh command for this.

2. We see in the scan result that the requirement is that /tmp should be located on a separate partition, while /var/tmp is not.
  However, the mount options are being checked even against /var/tmp.

~~~
# oscap-ssh root@rhel7 <PORT> xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_server_l1  /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml


...[output skipped]...


Title   Ensure /tmp Located On Separate Partition
Rule    xccdf_org.ssgproject.content_rule_partition_for_tmp
Ident   CCE-82053-0
Result  fail


...[output skipped]...


Title   Add nodev Option to /tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
Ident   CCE-80149-8
Result  fail


Title   Add noexec Option to /tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec
Ident   CCE-80150-6
Result  fail


Title   Add nosuid Option to /tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid
Ident   CCE-80151-4
Result  fail


Title   Add nodev Option to /var/tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev
Ident   CCE-81052-3
Result  fail


Title   Add noexec Option to /var/tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec
Ident   CCE-82150-4
Result  fail


Title   Add nosuid Option to /var/tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid
Ident   CCE-82153-8
Result  fail


...[output skipped]...


~~~


Actual results:
The oscap rules for the /var/tmp mount options fail, since /var/tmp is not a required partition for this policy and hence was not created.

Expected results:
The policy should either also check that /var/tmp is located on a separate partition, or not have mount option requirements for it.

Additional info:
CIS Server L2 requires /var/tmp to be on a separate partition.

Comment 2 Vojtech Polasek 2021-12-16 10:11:15 UTC
Hello Ameya,
the rule should stay in the profile, the CIS benchmark says so. Although the requirement for /var/tmp partition is in Level 2 profile, possible mount options are already in Level 1 profile.
But the rule should be smart and check if the partition actually exists. If it does not, it will show as "not applicable". This is not happening now and I think we can implement that.
Is this acceptable for the customer?
Here is an excerpt from the CIS RHEL7 benchmark:
###
1.1.12 Ensure /var/tmp partition includes the noexec option (Automated)
Profile Applicability:
  Level 1 - Server
  Level 1 - Workstation
Description:
The noexec mount option specifies that the filesystem cannot contain executable binaries.
Rationale:
Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp.
Audit:
If a /var/tmp partition exists, run the following command to verify that the noexec option is set:
# findmnt -n /var/tmp | grep -Ev '\bnoexec\b'

Nothing should be returned
Remediation:
For existing /var/tmp partitions, edit the /etc/fstab file and add noexec to the fourth field (mounting options) of the /var/tmp entry. See the fstab(5) manual page for more information.
Run the following command to remount /var/tmp :
# mount -o remount,noexec /var/tmp
###
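As an added example (not code from the bug report, the CIS benchmark or the scap-security-guide project), the following POSIX shell script shows the evaluation logic described in the comment above and in the Doc Text: a mount-option rule that reports "notapplicable" when the directory is not its own mount point, and only "pass" or "fail" when it is. The `findmnt -n -o TARGET,OPTIONS` invocation is a real util-linux option set; the function names, the constructed sample outputs and the `--demo`/`--live` flags are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the bug report or of scap-security-guide):
# evaluate a /var/tmp mount-option rule the way the fix describes.
# Result vocabulary follows XCCDF: pass / fail / notapplicable.

# Pure function so it can be exercised offline: takes the text that
# `findmnt -n -o TARGET,OPTIONS <dir>` would print (empty when <dir>
# is not a mount point) and the required option (nodev/noexec/nosuid).
evaluate_mount_option() {
    findmnt_output=$1
    option=$2

    # No dedicated mount point for the directory: the rule does not apply.
    # This is the behaviour the fix introduces instead of reporting "fail".
    if [ -z "$findmnt_output" ]; then
        echo notapplicable
        return 0
    fi

    # OPTIONS is the second whitespace-separated field, e.g. rw,nosuid,nodev.
    options=$(printf '%s\n' "$findmnt_output" | awk '{print $2}')

    # Surround the option list with commas so only a whole token matches
    # (same intent as the benchmark's grep -E '\bnoexec\b'; "nodevfoo"
    # must not satisfy a "nodev" requirement).
    case ",$options," in
        *",$option,"*) echo pass ;;
        *)             echo fail ;;
    esac
}

# Live check against the running system (assumed helper; needs util-linux findmnt).
check_live() {
    dir=$1
    option=$2
    # findmnt exits non-zero and prints nothing when $dir is not a mount point.
    out=$(findmnt -n -o TARGET,OPTIONS "$dir" 2>/dev/null || true)
    evaluate_mount_option "$out" "$option"
}

# Constructed sample outputs mimicking findmnt (not captured from a real host).
SAMPLE_HARDENED='/var/tmp rw,nosuid,nodev,noexec,relatime'
SAMPLE_MISSING_OPT='/var/tmp rw,relatime'
SAMPLE_NOT_MOUNTED=''

if [ "${1:-}" = "--demo" ]; then
    for opt in nodev noexec nosuid; do
        printf 'hardened   %-6s %s\n' "$opt" "$(evaluate_mount_option "$SAMPLE_HARDENED" "$opt")"
        printf 'bare       %-6s %s\n' "$opt" "$(evaluate_mount_option "$SAMPLE_MISSING_OPT" "$opt")"
        printf 'no-mount   %-6s %s\n' "$opt" "$(evaluate_mount_option "$SAMPLE_NOT_MOUNTED" "$opt")"
    done
elif [ "${1:-}" = "--live" ]; then
    for opt in nodev noexec nosuid; do
        printf '/var/tmp %-6s %s\n' "$opt" "$(check_live /var/tmp "$opt")"
    done
fi
```

Run with `--demo` to see the three outcomes on the constructed samples, or with `--live` to evaluate the real /var/tmp of the current host. Note that a separate "partition exists" rule (like `partition_for_var_tmp` in the Level 2 profile) is still needed if a policy wants the absence of the mount point itself to count as a failure; this script deliberately does not fold that requirement into the mount-option check.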

Comment 11 Matěj Týč 2022-08-10 14:02:19 UTC
There are now more PRs that address this BZ:

https://github.com/ComplianceAsCode/content/pull/9204
https://github.com/ComplianceAsCode/content/pull/9324

Comment 21 Watson Yuuma Sato 2022-08-17 15:16:00 UTC
This PR was also required: https://github.com/ComplianceAsCode/content/pull/9339

Comment 27 errata-xmlrpc 2022-11-08 09:39:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7563