.Rules related to journald configuration are fixed
Rules journald_compress, journald_forward_to_syslog and journald_storage previously contained a bug in the remediation script which caused extra quotes to be added to the respective configuration options within `/etc/systemd/journald.conf`. Consequently, `journald` failed to parse the quoted configuration options and ignored them, so the options were not effective. Because the OVAL checks looked for the same quoted form, the scan still reported a pass for a setting that was not in effect, producing false pass results in the OpenSCAP results.
The rules and remediation scripts have been fixed so that they no longer add the extra quotes and therefore produce a valid configuration for journald.
Description of problem:
Applying the fix provided by openscap to ensure journald is configured to write log files to persistent disk causes systemd-journald to be unable to parse the configuration.
For example, to enable persistent journal, the fix modifies /etc/systemd/journald.conf to have the following value:
# grep Storage /etc/systemd/journald.conf
Storage='persistent'
#Storage=auto
systemd-journald does not recognize quotes in the /etc/systemd/journald.conf file; it ignores them.
How reproducible:
Install openscap-scanner scap-security-guide
Steps to Reproduce:
1. Ensure the server is not using a persistent journal
# grep -i storage /etc/systemd/journald.conf
#Storage=auto
2. Generate remediation shell script or ansible playbook
Bash script:
# oscap xccdf generate fix --fix-type bash --output ScriptToRemediate.sh --result-id "" scan_results.xml
-------
Ansible Playbook:
# oscap xccdf generate fix --fix-type ansible --output PlaybookToRemediate.yml --result-id "" scan_results.xml
3. Apply fix
# ./ScriptToRemediate.sh
Or
# ansible-playbook PlaybookToRemediate.yml
4. Restart the systemd-journald service to pick up the new configuration
Actual results:
systemd-journald unable to parse 'Storage' value due to quotes:
# grep Storage /etc/systemd/journald.conf
Storage='persistent'
#Storage=auto
# service systemd-journald status
systemd-journald[30231]: /etc/systemd/journald.conf:18: Failed to parse storage setting, ignori>
systemd-journald[30231]: Journal started
systemd-journald[30231]: Runtime Journal (/run/log/journal/b1e89bbf159b4603839b0dd4b439d941) is 3.1M, max 25.3M, 22.1M free.
Expected results:
# grep Storage /etc/systemd/journald.conf
Storage=persistent
#Storage=auto
Additional info:
snippet of the shell script:
~~~
if [ -z "$line_number" ]; then
    # There was no match of '^#\s*Storage', insert at
    # the end of the file.
    printf '%s\n' "Storage='persistent'" >> "/etc/systemd/journald.conf"   # <= quoted value
else
    head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf"
    printf '%s\n' "Storage='persistent'" >> "/etc/systemd/journald.conf"   # <= quoted value
    tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf"
fi
~~~
This same issue is observed on RHEL 9; let me know if a bugzilla needs to be filed for it. I noticed that on RHEL 9 the CIS benchmark is noted as experimental:
# oscap info --profile xccdf_org.ssgproject.content_profile_cis_server_l1 /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Description: This is a draft profile based on its RHEL8 version for experimental purposes. It is not based on the CIS benchmark for RHEL9, because this one was not available at time of the release.
analysis:
The issue is reproducible with scap-security-guide-0.1.63-5.el8.noarch and is also present in current upstream as of 2023-02-20 (HEAD 9a2ca6d9d4c41c5c5b6fe9a20a276271b0eb3db2).
The problem is excess quotes in OVAL, Bash and Ansible in rule journald_storage.
A possible fix can be to set "no_quotes: true" in the rule.yml in rule journald_storage.
Switching from openscap to correct component.
There is a similar BZ for RHEL 8 with a broader scope https://bugzilla.redhat.com/show_bug.cgi?id=2193169. When fixing, you will need to examine all other similar rules that configure journald and/or use the shell_lineinfile template.
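The following script is an added example and is not scap-security-guide, openscap or systemd code. It models the lineinfile-style edit the remediation performs on journald.conf in both the old quoted form and the corrected bare form, and adds the check a practitioner wants after this bug: an audit that finds active options whose value is wrapped in quotes, which is exactly what journald rejects with "Failed to parse ... setting". The function names (`set_journald_option`, `check_journald_option`, `find_quoted_options`, `demo`) and the sample configuration are assumptions made for illustration; it edits a temporary file, never the real /etc/systemd/journald.conf.

```shell
#!/usr/bin/env bash
# Added example (not scap-security-guide or systemd code). Demonstrates the
# quoted vs bare remediation of journald.conf options and a check that spots
# quoted values journald would ignore. Names and sample config are assumptions.

set -u

# Constructed stand-in for a stock /etc/systemd/journald.conf (relevant lines only).
make_sample_conf() {
    local f
    f="$(mktemp)"
    cat > "$f" <<'EOF'
[Journal]
#Storage=auto
#Compress=yes
#ForwardToSyslog=no
EOF
    printf '%s\n' "$f"
}

# Set KEY=VALUE in CONF: replace the first commented or active KEY= line,
# otherwise append (same strategy as the shell_lineinfile snippet above).
# MODE "quoted" reproduces the old bug; the default writes a bare value.
set_journald_option() {
    local conf="$1" key="$2" value="$3" mode="${4:-bare}"
    local line tmp
    if [ "$mode" = quoted ]; then
        line="${key}='${value}'"
    else
        line="${key}=${value}"
    fi
    tmp="$(mktemp)"
    awk -v key="$key" -v line="$line" '
        !done && $0 ~ ("^[[:space:]]*#?[[:space:]]*" key "=") { print line; done = 1; next }
        { print }
        END { if (!done) print line }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the value journald would read for KEY: the last active KEY= line,
# taken verbatim (journald does not strip quotes), or nothing if unset.
effective_value() {
    local conf="$1" key="$2"
    grep -E "^[[:space:]]*${key}=" "$conf" | tail -n 1 | sed -E "s/^[[:space:]]*${key}=//"
}

# Exit status: 0 value matches EXPECTED, 1 active but different value,
# 2 no active line, 3 value is quoted (journald logs a parse error and keeps
# its default, so the setting is visibly present yet not in effect).
check_journald_option() {
    local conf="$1" key="$2" expected="$3" v
    v="$(effective_value "$conf" "$key")"
    if [ -z "$v" ]; then
        return 2
    fi
    case "$v" in
        "'"*|'"'*) return 3 ;;
    esac
    if [ "$v" = "$expected" ]; then
        return 0
    fi
    return 1
}

# List every active option in CONF whose value starts with a quote, space
# separated; the audit to run after any lineinfile-based remediation.
find_quoted_options() {
    grep -E "^[[:space:]]*[A-Za-z]+=['\"]" "$1" | cut -d= -f1 | paste -sd' ' -
}

# Walk through the bug and the fix; prints one '|'-separated record.
demo() {
    local conf buggy fixed rc_buggy rc_fixed quoted_before quoted_after
    conf="$(make_sample_conf)"

    set_journald_option "$conf" Storage persistent quoted     # old behaviour
    set_journald_option "$conf" Compress yes quoted
    buggy="$(grep -E '^Storage=' "$conf")"                    # Storage='persistent'
    if check_journald_option "$conf" Storage persistent; then rc_buggy=0; else rc_buggy=$?; fi
    quoted_before="$(find_quoted_options "$conf")"            # Storage Compress

    set_journald_option "$conf" Storage persistent            # corrected remediation
    set_journald_option "$conf" Compress yes
    fixed="$(grep -E '^Storage=' "$conf")"                    # Storage=persistent
    if check_journald_option "$conf" Storage persistent; then rc_fixed=0; else rc_fixed=$?; fi
    quoted_after="$(find_quoted_options "$conf")"             # empty

    rm -f "$conf"
    printf '%s|%s|%s|%s|%s|%s\n' "$buggy" "$rc_buggy" "$quoted_before" "$fixed" "$rc_fixed" "$quoted_after"
}

demo
```

Exit status 3 from `check_journald_option` is the state this bug created: a plain `grep Storage` shows the option and a check that expects the quoted form passes, while journald has discarded it. Running `find_quoted_options` against the real file after applying a generated remediation, and restarting systemd-journald and reading its log for "Failed to parse", is the cheap way to confirm the corrected content before trusting the scan result.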