Bug 2227808

Summary: Unexpected changes of variable values in generated remediations in customized profiles
Product: Red Hat Enterprise Linux 9
Reporter: Jan Černý <jcerny>
Component: scap-workbench
Assignee: Matěj Týč <matyc>
Status: NEW
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 9.3
CC: mhaicman, mmarhefk, wsato
Target Milestone: rc
Keywords: MigratedToJIRA, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Type: Bug

Description Jan Černý 2023-07-31 14:48:56 UTC
Description of problem:

The Ansible Playbook generated from the shipped profile and Ansible Playbook generated
from customized profile differ in more values than were actually customized.

Version-Release number of selected component (if applicable):

scap-workbench-1.2.1-13.el9.x86_64
openscap-1.3.8-1.el9.x86_64
scap-security-guide-0.1.66-1.el9_1.noarch

How reproducible:

deterministically

Steps to reproduce:

1. Run scap-workbench from the terminal.
2. On the "Open SCAP Security Guide" screen, select RHEL 9 and click on Load Content.
3. Choose "CIS RHEL 9 Benchmark for Level 2 - Server" profile in the Profile dropdown.
4. Click on "Generate Remediation Role", generate an Ansible playbook and save it to a file, e.g. "cis.yml".
5. Click on Customize, choose custom profile ID, change the value of var_accounts_tmout value and confirm "OK".
6. Click on "Generate Remediation Role", generate an Ansible playbook and save it to a file, e.g. "cis_customized.yml".
7. Run a diff of the 2 playbooks in the terminal: diff -u cis.yml cis_customized.yml

Actual results:

A lot of values differ in the generated Playbook. But only a single value was changed in the Customization Window.

8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---

[test@kvm-06-guest39 ~]$ diff -u cis.yml cis_customized.yml 
--- cis.yml	2023-07-31 10:36:00.955711462 -0400
+++ cis_customized.yml	2023-07-31 10:36:41.509035586 -0400
@@ -1,7 +1,7 @@
 ---
 ###############################################################################
 #
-# Ansible Playbook for CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
+# Ansible Playbook for CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server [CUSTOMIZED]
 #
 # Profile Description:
 # This profile defines a baseline that aligns to the "Level 2 - Server"
@@ -10,13 +10,13 @@
 # This profile includes Center for Internet Security®
 # Red Hat Enterprise Linux 9 CIS Benchmarks™ content.
 #
-# Profile ID:  xccdf_org.ssgproject.content_profile_cis
+# Profile ID:  xccdf_org.ssgproject.content_profile_cis_customized
 # Benchmark ID:  xccdf_org.ssgproject.content_benchmark_RHEL-9
 # Benchmark Version:  0.1.66
 # XCCDF Version:  1.2
 #
 # This file was generated by OpenSCAP 1.3.8 using:
-# $ oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_cis --fix-type ansible xccdf-file.xml
+# $ oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_cis_customized --fix-type ansible xccdf-file.xml
 #
 # This Ansible Playbook is generated from an OpenSCAP profile without preliminary evaluation.
 # It attempts to fix every selected rule, even if the system is already compliant.
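Review bot: the generator command recorded in the customized header (`+# $ oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_cis_customized --fix-type ansible xccdf-file.xml`) names the tailored profile ID but passes no --tailoring-file, so it is worth checking whether the tailoring is actually being applied when the playbook is produced or whether the customized profile is resolved in some other way; the title and Profile ID changes in this hunk are the expected effect of customizing and are not the defect.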
@@ -33,28 +33,28 @@
   vars:
     var_system_crypto_policy: !!str DEFAULT
     inactivity_timeout_value: !!str 900
-    var_screensaver_lock_delay: !!str 5
+    var_screensaver_lock_delay: !!str 0
     var_sudo_logfile: !!str /var/log/sudo.log
     var_sudo_timestamp_timeout: !!str 5
-    var_authselect_profile: !!str sssd
-    login_banner_text: !!str ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
+    var_authselect_profile: !!str minimal
+    login_banner_text: !!str ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
     var_password_pam_remember: !!str 5
-    var_password_pam_remember_control_flag: !!str requisite,required
+    var_password_pam_remember_control_flag: !!str requisite
     var_accounts_passwords_pam_faillock_deny: !!str 3
-    var_accounts_passwords_pam_faillock_unlock_time: !!str 900
-    var_password_pam_minclass: !!str 4
-    var_password_pam_minlen: !!str 14
+    var_accounts_passwords_pam_faillock_unlock_time: !!str 0
+    var_password_pam_minclass: !!str 3
+    var_password_pam_minlen: !!str 15
     var_password_pam_retry: !!str 3
-    var_account_disable_post_pw_expiration: !!str 30
-    var_accounts_maximum_age_login_defs: !!str 365
-    var_accounts_minimum_age_login_defs: !!str 1
+    var_account_disable_post_pw_expiration: !!str 35
+    var_accounts_maximum_age_login_defs: !!str 60
+    var_accounts_minimum_age_login_defs: !!str 7
     var_accounts_password_warn_age_login_defs: !!str 7
-    var_accounts_tmout: !!str 900
+    var_accounts_tmout: !!str 1800
     var_accounts_user_umask: !!str 027
     var_auditd_action_mail_acct: !!str root
-    var_auditd_admin_space_left_action: !!str halt
+    var_auditd_admin_space_left_action: !!str single
     var_auditd_max_log_file: !!str 6
-    var_auditd_max_log_file_action: !!str keep_logs
+    var_auditd_max_log_file_action: !!str rotate
     var_auditd_space_left_action: !!str email
     sysctl_net_ipv6_conf_all_accept_ra_value: !!str 0
     sysctl_net_ipv6_conf_all_accept_redirects_value: !!str 0
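Review bot: step 5 changes only var_accounts_tmout, yet this hunk also changes var_screensaver_lock_delay, var_authselect_profile, login_banner_text, var_password_pam_remember_control_flag, var_accounts_passwords_pam_faillock_unlock_time, var_password_pam_minclass, var_password_pam_minlen, var_account_disable_post_pw_expiration, var_accounts_maximum_age_login_defs, var_accounts_minimum_age_login_defs, var_auditd_admin_space_left_action and var_auditd_max_log_file_action. Several of the `+` values are weaker than the shipped profile's (faillock unlock_time 900 → 0, screensaver lock delay 5 → 0, password-history control flag requisite,required → requisite), so a playbook generated this way would silently relax CIS settings on the remediated host; a fix should be verified by asserting that only the tailored variable differs between the two playbooks.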
@@ -79,13 +79,13 @@
     var_selinux_policy_name: !!str targeted
     var_selinux_state: !!str enforcing
     var_postfix_inet_interfaces: !!str loopback-only
-    var_multiple_time_servers: !!str 0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org
+    var_multiple_time_servers: !!str 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
     var_sshd_set_keepalive: !!str 0
-    sshd_idle_timeout_value: !!str 900
+    sshd_idle_timeout_value: !!str 300
     var_sshd_set_login_grace_time: !!str 60
     sshd_max_auth_tries_value: !!str 4
     var_sshd_max_sessions: !!str 10
-    var_sshd_set_maxstartups: !!str 10:30:60
+    var_sshd_set_maxstartups: !!str 10:30:100
   tasks:
     - name: Ensure aide is installed
       package:
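Review bot: none of the variables in this hunk was tailored either, and the values move in both directions (sshd_idle_timeout_value 900 → 300 is stricter, var_sshd_set_maxstartups 10:30:60 → 10:30:100 is looser, var_multiple_time_servers switches from the rhel pool to the generic pool), which is consistent with the customized playbook picking up a different set of value defaults rather than the profile's selections plus the one override; the same only-the-tailored-variable-differs check applies here.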

8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---


Expected results:

The Playbooks will differ only in the variable value that has been changed in the Customization UI and other values stay the same.

Additional info:

This bug is also reproducible on Fedora 38 with these RPM versions:
scap-workbench-1.2.1-12.fc37.x86_64
openscap-1.3.8-1.fc38.x86_64
scap-security-guide-0.1.68-1.fc38.noarch

Comment 1 Jan Černý 2023-08-01 10:48:27 UTC
Besides RHEL 9.3 and Fedora 38, I have also successfully reproduced this bug on RHEL 9.2, RHEL 8.8 and RHEL 8.4. I have used these versions of packages:

RHEL 9.2:
scap-workbench-1.2.1-13.el9.x86_64
scap-security-guide-0.1.66-1.el9_1.noarch
openscap-1.3.7-1.el9.x86_64

RHEL 8.8:
scap-workbench-1.2.0-8.el8.x86_64
scap-security-guide-0.1.66-2.el8.noarch
openscap-1.3.7-1.el8.x86_64

RHEL 8.4:
scap-workbench-1.2.0-8.el8.x86_64
scap-security-guide-0.1.54-5.el8.noarch
openscap-1.3.4-5.el8.x86_64

Therefore I think that this bug is a longstanding problem.

Comment 2 Jan Černý 2023-08-03 14:02:19 UTC
The bug can be worked around by generating the Playbooks on the command line using the `oscap` tool instead of SCAP Workbench.
First, save the tailoring file to a file and then run:
oscap xccdf generate fix --fix-type ansible --profile cis_customized --tailoring-file tailoring.xml /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml > custom.yml
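An added check for the discrepancy described in this report (it is not part of the report, of scap-workbench or of oscap): it parses the vars: block of two generated playbooks and lists the variables that differ although they were not tailored, so the output of the command-line workaround can be verified to differ from the shipped playbook only in the intended value. The two playbook excerpts are constructed for the example and only echo a few of the variables from the diff above.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed excerpts of the two playbooks' "vars:" sections, modelled on the
# diff in the bug description (not copied from real generated files).
SHIPPED = """\
  vars:
    var_accounts_tmout: !!str 900
    var_password_pam_minlen: !!str 14
    var_auditd_max_log_file_action: !!str keep_logs
    var_sshd_set_maxstartups: !!str 10:30:60
  tasks:
    - name: Ensure aide is installed
"""
CUSTOMIZED = """\
  vars:
    var_accounts_tmout: !!str 1800
    var_password_pam_minlen: !!str 15
    var_auditd_max_log_file_action: !!str rotate
    var_sshd_set_maxstartups: !!str 10:30:60
  tasks:
    - name: Ensure aide is installed
"""

# One variable line of the vars: block, e.g. "    var_accounts_tmout: !!str 900".
VAR_LINE = re.compile(r"^\s+(\w+):\s*!!str\s*(.*?)\s*$")


def parse_playbook_vars(text: str) -> Dict[str, str]:
    """Return {variable: value} from the playbook's vars: block (stops at tasks:)."""
    values: Dict[str, str] = {}
    in_vars = False
    for line in text.splitlines():
        key = line.strip()
        if key == "vars:":
            in_vars = True
        elif key == "tasks:":
            break
        elif in_vars:
            m = VAR_LINE.match(line)
            if m:
                values[m.group(1)] = m.group(2)
    return values


def unexpected_changes(shipped: str, customized: str,
                       tailored: Set[str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Variables that differ between the two playbooks but were not tailored."""
    before, after = parse_playbook_vars(shipped), parse_playbook_vars(customized)
    return {name: (before.get(name), after.get(name))
            for name in sorted(set(before) | set(after))
            if before.get(name) != after.get(name) and name not in tailored}


if __name__ == "__main__":
    for name, (old, new) in unexpected_changes(SHIPPED, CUSTOMIZED, {"var_accounts_tmout"}).items():
        print(f"unexpected: {name}: {old} -> {new}")
```

An empty result means the tailored playbook differs only in the variables you changed; anything listed is the defect this bug describes.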

Comment 3 RHEL Program Management 2023-08-17 14:26:34 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.