Bug 2162803

Summary: Two CIS Level 2 Benchmarks are listed in scap-security-guide under CIS Level 1 Profile
Product: Red Hat Enterprise Linux 8 Reporter: ckrell
Component: scap-security-guide Assignee: Vojtech Polasek <vpolasek>
Status: CLOSED ERRATA QA Contact: Jiri Jaburek <jjaburek>
Severity: high Docs Contact: Jan Fiala <jafiala>
Priority: high    
Version: 8.7CC: abjoshi, ggasparb, jafiala, jjaburek, mhaicman, mlysonek, vpolasek, wsato
Target Milestone: rc Keywords: AutoVerified, Triaged, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.66-1.el8 Doc Type: Bug Fix
Doc Text:
.Rules for CIS profiles in `scap-security-guide` are better aligned

Previously, some rules were incorrectly assigned to certain Center for Internet Security (CIS) profiles (`cis`, `cis_server_l1`, `cis_workstation_l1`, and `cis_workstation_l2`). As a consequence, scanning according to some CIS profiles could skip rules from the CIS benchmark or check for unnecessary rules. The following rules were assigned to incorrect profiles:

* Rules `kernel_module_udf_disabled`, `sudo_require_authentication` and `kernel_module_squashfs_disabled` were incorrectly placed in CIS Server Level 1 and CIS Workstation Level 1.
* Rules `package_libselinux_installed`, `grub2_enable_selinux`, `selinux_policytype`, `selinux_confinement_of_daemons`, `rsyslog_nolisten`, `service_systemd-journald_enabled` were missing from the CIS Server Level 1 and CIS Workstation Level 1 profiles.
* Rules `package_setroubleshoot_removed` and `package_mcstrans_removed` were missing from the CIS Server Level 1 profile.

This update assigns the misaligned rules to the correct CIS profiles, but does not introduce new rules or remove any rules entirely. As a result, SCAP CIS profiles are better aligned with the original CIS benchmark.
Story Points: ---
Clone Of:
Clones: 2168072, 2168073, 2168074 Environment:
Last Closed: 2023-05-16 08:39:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2168072, 2168073, 2168074    

Description ckrell 2023-01-21 00:20:46 UTC
Description of problem:
The following two benchmarks show under the CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server; however, CIS Red Hat Enterprise Linux 8 Benchmark v2.0.0 - 02-23-2022 lists these as Level 2 benchmarks:

~~~
Title   Ensure Users Re-Authenticate for Privilege Escalation - sudo
Rule    xccdf_org.ssgproject.content_rule_sudo_require_authentication
Ident   CCE-82279-1
--
Title   Disable Mounting of squashfs
Rule    xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled
Ident   CCE-83498-6
~~~

From "CIS Red Hat Enterprise Linux 8 Benchmark v2.0.0 - 02-23-2022" at cisecurity.org

~~~
1.1.1.2 Ensure mounting of squashfs filesystems is disabled (Automated)
Profile Applicability:
• Level 2 - Server
• Level 2 - Workstation

5.3.4 Ensure users must provide password for escalation (Automated)
Profile Applicability:
• Level 2 - Server
• Level 2 - Workstation
~~~

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.63-4.el8.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Install scap-security-guide-0.1.63-4.el8.noarch
2. View the benchmarks under CIS server Level 1 with: 
# sed -n -e '/xccdf-1.2:Profile id=\"xccdf_org.ssgproject.content_profile_cis_server_l1\"/,/<\/xccdf-1.2:Profile>/ p' /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml &> /tmp/CIS_Level_1_benchmarks.out
3. Grep for the specific rules:
# grep xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled /tmp/CIS_Level_1_benchmarks.out
# grep xccdf_org.ssgproject.content_rule_sudo_require_authentication /tmp/CIS_Level_1_benchmarks.out

Actual results:

Rules appear with selected="true" under CIS Level 1 profiles for workstation and server

Expected results:
Rules only with selected="true" under CIS Level 2 profiles

Additional Info:

I searched the ComplianceAsCode github repository and didn't see any open issues for these two rules:
kernel_module_squashfs_disabled
sudo_require_authentication
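
The sed/grep steps above can be done more robustly by parsing the datastream's XCCDF profiles directly. The script below is an added example, not part of this report or of scap-security-guide; it embeds a constructed, cut-down datastream that reproduces the misassignment (the real file is `/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml`), lists the rules each profile selects with `selected="true"`, and flags any of the two Level 2-only rules from this report that a Level 1 profile selects. It does not merge profiles that use `extends`.

```python
"""List the rules a SCAP profile selects and flag CIS Level 2-only rules in it."""
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
RULE = "xccdf_org.ssgproject.content_rule_"
PROFILE = "xccdf_org.ssgproject.content_profile_"

# Rules the CIS RHEL 8 Benchmark v2.0.0 marks Level 2 only (from this report).
CIS_LEVEL2_ONLY = {RULE + "kernel_module_squashfs_disabled",
                   RULE + "sudo_require_authentication"}

# Constructed sample mimicking the Profile/select layout of ssg-rhel8-ds.xml,
# with the two Level 2 rules wrongly selected in cis_server_l1 (the bug).
SAMPLE_DS = f"""<ds:data-stream-collection
  xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xccdf-1.2="{XCCDF}">
 <ds:component><xccdf-1.2:Benchmark>
  <xccdf-1.2:Profile id="{PROFILE}cis_server_l1">
   <xccdf-1.2:select idref="{RULE}sudo_require_authentication" selected="true"/>
   <xccdf-1.2:select idref="{RULE}kernel_module_squashfs_disabled" selected="true"/>
   <xccdf-1.2:select idref="{RULE}package_aide_installed" selected="true"/>
  </xccdf-1.2:Profile>
  <xccdf-1.2:Profile id="{PROFILE}cis">
   <xccdf-1.2:select idref="{RULE}sudo_require_authentication" selected="true"/>
   <xccdf-1.2:select idref="{RULE}kernel_module_squashfs_disabled" selected="true"/>
   <xccdf-1.2:select idref="{RULE}package_aide_installed" selected="true"/>
  </xccdf-1.2:Profile>
 </xccdf-1.2:Benchmark></ds:component>
</ds:data-stream-collection>"""


def selected_rules(xml_text, profile_id):
    """Return the rule ids a profile selects (selected="true").
    Profiles are found anywhere in the tree, so the ds: wrapper does not matter."""
    root = ET.fromstring(xml_text)
    for profile in root.iter(f"{{{XCCDF}}}Profile"):
        if profile.get("id") == profile_id:
            return {s.get("idref") for s in profile.findall(f"{{{XCCDF}}}select")
                    if s.get("selected") == "true"}
    raise KeyError(f"profile {profile_id} not found")


def level2_rules_in_profile(xml_text, profile_id, level2_only=CIS_LEVEL2_ONLY):
    """Level 2-only rules selected by profile_id; expected empty for L1 profiles."""
    return sorted(selected_rules(xml_text, profile_id) & level2_only)


if __name__ == "__main__":
    for short in ("cis_server_l1", "cis"):
        print(short, level2_rules_in_profile(SAMPLE_DS, PROFILE + short))
```

Pass the contents of the real datastream file instead of `SAMPLE_DS` to check an installed package; an empty list for `cis_server_l1` and `cis_workstation_l1` is the fixed state.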

Comment 2 Vojtech Polasek 2023-01-23 11:23:57 UTC
Fixed upstream: https://github.com/ComplianceAsCode/content/pull/10109

Comment 9 Vojtech Polasek 2023-02-02 08:16:09 UTC
Additional fixes relevant to this BZ are in upstream: https://github.com/ComplianceAsCode/content/pull/10155

Comment 32 errata-xmlrpc 2023-05-16 08:39:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2869