.SCAP `journald` rules no longer remediate to invalid configuration
Previously, the SCAP Security Guide rules `journald_compress`, `journald_forward_to_syslog`, and `journald_storage` contained a bug in the remediation script which added extra quotes to the respective options within the `/etc/systemd/journald.conf` configuration file. Consequently, the `journald` service failed to parse the configuration options and ignored them. Therefore, the configuration options were not effective and OpenSCAP reported false pass results. With this update, the rules and remediations scripts have been fixed to not add the extra quotes. The rule now create a valid configuration for `journald`.
Description of problem:
Applying fix provided by openscap to ensure journald is configured to write log files to persistent disk, causes systemd-journald to unable parse configuration.
For example, to enable persistent journal, the fix modifies /etc/systemd/journald.conf to have the following value:
# grep Storage /etc/systemd/journald.conf
Storage='persistent'
#Storage=auto
systemd-journald does not recognize quotes on /etc/systemd/journald.conf file, it ignores it
How reproducible:
Install openscap-scanner scap-security-guide
Steps to Reproduce:
1. Ensure server is not using with persistent journal
# grep -i storage /etc/systemd/journald.conf
#Storage=auto
2. Generate remediation shell script or ansible playbook
Bash script:
# oscap xccdf generate fix --fix-type bash --output ScriptToRemediate.sh --result-id "" scan_results.xml
-------
Ansible Playbook:
# oscap xccdf generate fix --fix-type ansible --output PlaybookToRemediate.yml --result-id "" scan_results.xml
3. Apply fix
# ./ScriptToRemediate.sh
Or
# ansible-playbook PlaybookToRemediate.yml
4- restart systemd-journald service to pick up new configuration
Actual results:
systemd-journald unable to parse 'Storage' value due to quotes:
# grep Storage /etc/systemd/journald.conf
Storage='persistent'
#Storage=auto
# service systemd-journald status
systemd-journald[30231]: /etc/systemd/journald.conf:18: Failed to parse storage setting, ignori>
systemd-journald[30231]: Journal started
systemd-journald[30231]: Runtime Journal \(/run/log/journal/b1e89bbf159b4603839b0dd4b439d941) is 3.1M, max 25.3M, 22.1M free.
Expected results:
# grep Storage /etc/systemd/journald.conf
Storage=persistent
#Storage=auto
Additional info:
snippet of SHELL scrip:
~~~
if [ -z "$line_number" ]; then
# There was no match of '^#\s*Storage', insert at
# the end of the file.
printf '%s\n' "Storage='persistent'" >> "/etc/systemd/journald.conf" <=
else
head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf"
printf '%s\n' "Storage='persistent'" >> "/etc/systemd/journald.conf" <=
tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf"
fi
~~~
This same issue is observed on RHEL 9, let me know if bugzilla needed to be file for it. I noticed on RHEL 9, CIS benchmark is noted as experimental:
# oscap info --profile xccdf_org.ssgproject.content_profile_cis_server_l1 /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Description: This is a draft profile based on its RHEL8 version for experimental purposes. It is not based on the CIS benchmark for RHEL9, because this one was not available at time of the release.
analysis:
The issue is reproducible with scap-security-guide-0.1.63-5.el8.noarch and is also present in current upstream as of 2023-02-20 as of HEAD 9a2ca6d9d4c41c5c5b6fe9a20a276271b0eb3db2.
The problem is excess quotes in OVAL, Bash and Ansible in rule journald_storage.
A possible fix can be to set "no_quotes: true" in the rule.yml in rule journald_storage.
Switching from openscap to correct component.
There is a similar BZ for RHEL 8 with a broader scope https://bugzilla.redhat.com/show_bug.cgi?id=2193169. When fixing, you will need to examine all other similar rules that configure journald and/or use the shell_lineinfile template.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (scap-security-guide bug fix update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:7056
Description of problem: Applying fix provided by openscap to ensure journald is configured to write log files to persistent disk, causes systemd-journald to unable parse configuration. For example, to enable persistent journal, the fix modifies /etc/systemd/journald.conf to have the following value: # grep Storage /etc/systemd/journald.conf Storage='persistent' #Storage=auto systemd-journald does not recognize quotes on /etc/systemd/journald.conf file, it ignores it How reproducible: Install openscap-scanner scap-security-guide Steps to Reproduce: 1. Ensure server is not using with persistent journal # grep -i storage /etc/systemd/journald.conf #Storage=auto 2. Generate remediation shell script or ansible playbook Bash script: # oscap xccdf generate fix --fix-type bash --output ScriptToRemediate.sh --result-id "" scan_results.xml ------- Ansible Playbook: # oscap xccdf generate fix --fix-type ansible --output PlaybookToRemediate.yml --result-id "" scan_results.xml 3. Apply fix # ./ScriptToRemediate.sh Or # ansible-playbook PlaybookToRemediate.yml 4- restart systemd-journald service to pick up new configuration Actual results: systemd-journald unable to parse 'Storage' value due to quotes: # grep Storage /etc/systemd/journald.conf Storage='persistent' #Storage=auto # service systemd-journald status systemd-journald[30231]: /etc/systemd/journald.conf:18: Failed to parse storage setting, ignori> systemd-journald[30231]: Journal started systemd-journald[30231]: Runtime Journal \(/run/log/journal/b1e89bbf159b4603839b0dd4b439d941) is 3.1M, max 25.3M, 22.1M free. Expected results: # grep Storage /etc/systemd/journald.conf Storage=persistent #Storage=auto Additional info: snippet of SHELL scrip: ~~~ if [ -z "$line_number" ]; then # There was no match of '^#\s*Storage', insert at # the end of the file. printf '%s\n' "Storage='persistent'" >> "/etc/systemd/journald.conf" <= else head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf" printf '%s\n' "Storage='persistent'" >> "/etc/systemd/journald.conf" <= tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf" fi ~~~ This same issue is observed on RHEL 9, let me know if bugzilla needed to be file for it. I noticed on RHEL 9, CIS benchmark is noted as experimental: # oscap info --profile xccdf_org.ssgproject.content_profile_cis_server_l1 /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml Description: This is a draft profile based on its RHEL8 version for experimental purposes. It is not based on the CIS benchmark for RHEL9, because this one was not available at time of the release.