Bug 2223471
| Field | Value |
|---|---|
| Summary | incorrect remediation description for xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading in xccdf_org.ssgproject.content_profile_ism_o |
| Product | Red Hat Enterprise Linux 9 |
| Reporter | Daniel Reynolds <dareynol> |
| Component | scap-security-guide |
| Assignee | Watson Yuuma Sato <wsato> |
| Status | NEW --- |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 9.2 |
| CC | ggasparb, matyc, mhaicman, mlysonek, openscap-maint, vpolasek |
| Target Milestone | rc |
| Keywords | MigratedToJIRA, Triaged |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
Created attachment 1976292 [details]
oscap html report

Description of problem:

In the ISM openscap benchmark xccdf_org.ssgproject.content_profile_ism_o, the rule "Ensure auditd Collects Information on Kernel Module Loading and Unloading" (xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading) describes the remediation as:

~~~
-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules
~~~

This is incorrect; the actual remediation is:

~~~
-a always,exit -F arch=b32 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules
-a always,exit -F arch=b64 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules
~~~

Note: the --remediate option correctly implements the fix. The error is in the generated report.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.66-1.el9_1

How reproducible:
Always.

Steps to Reproduce:

1. Run a security scan:

~~~
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ism_o --report ~/scan-report.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
~~~

2. Open 'scan-report.html' and click on the link 'Record Information on Kernel Modules Loading and Unloading 1x fail'.

Actual results:

~~~
Description
To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules

The place to add the lines depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the lines to file /etc/audit/audit.rules.
~~~

Expected results:

Something similar to:

~~~
Description
To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=b32 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules
-a always,exit -F arch=b64 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules

The place to add the lines depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the lines to file /etc/audit/audit.rules.
~~~
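As an added check, not part of this bug report or of scap-security-guide, the script below parses auditctl-style rule lines and reports what each architecture's kernel-module rule still lacks, ignoring the order of -S syscalls and -F filters (which differs between the described and actual lines above). The sample rules are the ones quoted in this report; the filter matching is literal string comparison, which is an assumption of this example rather than auditctl's own semantics.

```python
import shlex

# Constructed samples, copied from the bug report above: the rules the remediation
# actually writes, and the single ARCH-placeholder line the report description shows.
ACTUAL_RULES = """
-a always,exit -F arch=b32 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules
-a always,exit -F arch=b64 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules
"""
DESCRIBED_RULES = """
-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules
"""

REQUIRED_SYSCALLS = frozenset({"init_module", "finit_module", "delete_module"})
REQUIRED_FILTERS = frozenset({"auid>=1000", "auid!=-1", "key=modules"})


def parse_rule(line):
    """Turn one auditctl-style syscall rule into sets, so the order in which
    -S names and -F filters appear (it differs between the two texts) is ignored."""
    toks = shlex.split(line)
    rule = {"action": None, "syscalls": set(), "filters": set()}
    i = 0
    while i < len(toks):
        opt, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else "")
        if opt == "-a":
            rule["action"] = arg
        elif opt == "-S":
            rule["syscalls"].update(arg.split(","))
        elif opt == "-F":
            rule["filters"].add(arg)
        i += 2 if opt in ("-a", "-S", "-F") else 1  # -w, -p, -k etc. are not modelled here
    return rule


def missing_for_arch(rules, arch):
    """What a complete kernel-module rule for `arch` still lacks ([] = compliant).
    Filters are matched literally; e.g. 'auid!=unset' is not equated with 'auid!=-1'."""
    candidates = [r for r in rules if r["action"] == "always,exit" and f"arch={arch}" in r["filters"]]
    if not candidates:
        return [f"arch={arch}"]
    gaps = [sorted((REQUIRED_SYSCALLS - r["syscalls"]) | (REQUIRED_FILTERS - r["filters"]))
            for r in candidates]
    return min(gaps, key=len)  # report against the closest matching rule


def check_module_rules(text, archs=("b32", "b64")):
    """Map each arch that is not fully covered to its missing pieces ({} = both rules present)."""
    rules = [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return {a: m for a in archs for m in [missing_for_arch(rules, a)] if m}
```

Running `check_module_rules` over the actual remediation returns `{}`, while the description's single ARCH line yields a missing arch=b32 and arch=b64 rule, which is the gap this report is about.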