Bug 2193169

Summary: journald config parameters not set up correctly after oscap remediation
Product: Red Hat Enterprise Linux 9 Reporter: Julia Schindler <juschind>
Component: scap-security-guideAssignee: Jan Černý <jcerny>
Status: VERIFIED --- QA Contact: Milan Lysonek <mlysonek>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.1CC: ekolesni, ggasparb, jcerny, jjaburek, mhaicman, mlysonek, mmarhefk, myllynen, openscap-maint, vpolasek
Target Milestone: rcKeywords: AutoVerified, Triaged, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.69-1.el9 Doc Type: Bug Fix
Doc Text:
.Rules related to journald configuration are fixed Rules journald_compress, journald_forward_to_syslog and journald_storage previously contained a bug in the remediation script which caused that extra quotes were added to the respective configuration options within `/etc/systemd/journald.conf`. Consequently, this caused that the `journald` failed to parse the configuration options and ignored them. Therefore, the configuration options were not effective. That caused false pass results in the OpenSCAP results. The rules and remediations scripts have been fixed to not add the extra quotes and therefore produce a valid configuration for the journald.
 Story Points: ---
Clone Of:
: 2228439 2228440 (view as bug list) Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2228439, 2228440    

Description Julia Schindler 2023-05-04 14:29:37 UTC 
Description of problem:

When doing a scap remediation with the CIS L2 server profile, the two rules "Ensure journald is configured to compress large log files" and "Ensure journald is configured to write log files to persistent disk" set up the following 2 entries in /etc/systemd/journald.conf:
Storage='persistent'
Compress='yes'

logs show
... systemd-journald[767]:/etc/systemd/journald.conf:18:Failed to parse storage setting, ignoring: 'persistent'
...  systemd-journald[767]:/etc/systemd/journald.conf:20:Failed to parse Compress= value, ignoring: 'yes'

journals are not stored persistently.


Version-Release number of selected component (if applicable):
RHEL9.1

How reproducible: always

Steps to Reproduce:
1. run a oscap xccdf eval --remediate with CIS L2 server profile when the mentioned settings are not already configured

Actual results:

/etc/systemd/journald.conf contains
Storage='persistent'
Compress='yes'

and journals are not stored persistently.

Expected results:

/etc/systemd/journald.conf contains
Storage=persistent
Compress=yes

and journals are stored persistently.
Comment 1 Jan Černý 2023-05-05 09:51:22 UTC 
analysis:
Problem is present also in current upstream as of 2023-05-05 as of head 68e93c73061f4abdcbdc1f870d1b608d23239b9b.

The problem is excess quotes in OVAL, Bash and Ansible in rules journald_storage and journald_compress.

This BZ is related to https://bugzilla.redhat.com/show_bug.cgi?id=2169857 which is the same problem but only in rule journald_storage and is for RHEL 9.

A possible fix can be to set "no_quotes: true" in the rule.yml in rules journald_storage and journald_compress. We need to examine all other similar rules that configure journald and/or use the shell_lineinfile template.

Switching from openscap to correct component.
Comment 2 Jan Černý 2023-07-11 07:32:36 UTC 
There exists an already merged PR https://github.com/ComplianceAsCode/content/pull/10790 which implements the proposed solution.
A test for rule journald_storage has been submitted to upstream for a review in https://github.com/ComplianceAsCode/content/pull/10817.
A test for rule journald_compress has been submitted to upstream for a review in https://github.com/ComplianceAsCode/content/pull/10818.
Comment 3 Jan Černý 2023-07-11 15:08:12 UTC 
PRs https://github.com/ComplianceAsCode/content/pull/10790, https://github.com/ComplianceAsCode/content/pull/10817, and  https://github.com/ComplianceAsCode/content/pull/10818 have been merged upstream.