RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1223865 - openscap correct way to disable bluetooth
Summary: openscap correct way to disable bluetooth
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: scap-security-guide
Version: 6.6
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Jan Lieskovsky
QA Contact: Marek Haicman
URL:
Whiteboard:
Depends On:
Blocks: 1172231 1271982
TreeView+ depends on / blocked
 
Reported: 2015-05-21 14:59 UTC by Stuart Auchterlonie
Modified: 2020-02-14 17:30 UTC (History)
4 users (show)

Fixed In Version: scap-security-guide-0.1.27-2.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-10 21:39:47 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:0846 0 normal SHIPPED_LIVE scap-security-guide bug fix update 2016-05-10 22:42:59 UTC

Description Stuart Auchterlonie 2015-05-21 14:59:25 UTC 
Description of problem:

The openscap security guide for RHEL 5/6/7 now recommends
either disabling the bluetooth module or the net-pf-31 module
as a result of https://github.com/OpenSCAP/scap-security-guide/issues/319

I've been doing some testing across RHEL5/6/7 with varying results
(see below) and am keen to get some clarification on what is the
correct way of doing this, and if there is a change needed in
the security guide

My findings are that disabling net-pf-31 module only prohibits the
bluetooth service from starting, but does not prevent an explicit
modprobe of the bluetooth module.

Disabling the bluetooth module, but not the net-pf-31 module,
prevents both the service from starting and explicit module
loads on RHEL6 and RHEL7, however under RHEL5 the service can
be started if the net-pf-31 module is not disabled.



Version-Release number of selected component (if applicable):


How reproducible: 100%


Steps to Reproduce: (RHEL 5)
* net-pf-31 module disabled, bluetooth module enabled
- service bluetooth start (fails to start due to not being able to load net-pf-31)
- modprobe bluetooth (succeeds)

* net-pf-31 module enabled, bluetooth module disabled
- service bluetooth start (succeeds)
- modprobe bluetooth (fails to load)

* net-pf-31 module disabled, bluetooth module disabled
- service bluetooth start (fails)
- modprobe bluetooth (fails)

So RHEL5 appears to need both lines

Steps to Reproduce: (RHEL6 & RHEL7)
(For RHEL7 substitute the relevant systemctl cmd)

* net-pf-31 module disabled, bluetooth module enabled
- service bluetooth start (fails)
- modprobe bluetooth (succeeds)

* net-pf-31 module enabled, bluetooth module disabled
- service bluetooth start (fails)
- modprobe bluetooth fails

Additional info:
Comment 1 Jan Lieskovsky 2015-05-21 15:48:54 UTC 
Thank you for the report, Stuart.

Changing component to the appropriate one (scap-security-guide).
Comment 3 Jan Lieskovsky 2015-12-15 10:23:36 UTC 
(In reply to Stuart Auchterlonie from comment #0)

Hello Stuart,

  thank you for your report. Couple of things need to be clarified WRT to this request. Please see below.

> Description of problem:
> 

> My findings are that disabling net-pf-31 module only prohibits the
> bluetooth service from starting, but does not prevent an explicit
> modprobe of the bluetooth module.

The current form of "kernel_module_bluetooth_disabled" rule for RHEL/6 and RHEL/7 products recommends solely the "bluetooth" module to be disabled:

* https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/xccdf/system/network/wireless.xml#L95 (RHEL/6 case)
* https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/xccdf/system/network/wireless.xml#L91 (RHEL/7 case)

But this report is correct in the sense former versions of the OVAL check for this rule allowed the OS system feature check to pass when (at least one of) either 'net-pf-31' module, or 'bluetooth' kernel module have been disabled.

Since as clarified in the following paragraph only in the case 'bluetooth' module is explicitly disabled on RHEL/6 and RHEL/7 products both conditions / requirements are satisfied (the bluetooth service fails to start and it's not possible to load bluetooth kernel module even by explicit call of e.g. 'modprobe bluetooth' command), the former version of the underlying OVAL check has been modified (for both RHEL/6 and RHEL-7 products) to explicitly require "install bluetooth /bin/true" option to be present in some of the "/etc/modprobe.d" configuration files. The corresponding upstream patch performing this change is the following:

  [1] https://github.com/OpenSCAP/scap-security-guide/commit/4ac1337d8bbe341cf1e81fdcfaa2bfb0f92cdc16

> 
> Disabling the bluetooth module, but not the net-pf-31 module,
> prevents both the service from starting and explicit module
> loads on RHEL6 and RHEL7, however under RHEL5 the service can
> be started if the net-pf-31 module is not disabled.

The Red Hat Enterprise Linux 5 system is NOT supported by the benchmarks (security checklists) provided by the scap-security-package (provided SSG benchmarks for RHEL-6 and RHEL-7 would not even work on Red Hat Enterprise Linux 5 system). Therefore as of right now there is no plan to modify existing RHEL-6 and RHEL-7 benchmarks in SSG to clarify / support the 'kernel module bluetooth' behaviour / situation on Red Hat Enterprise Linux 5 system (just wanted this to be explicitly stated).

Finally, FWIW regarding the:
* 'install bluetooth /bin/false', vs
* 'install bluetooth /bin/true'

recommendation (former confusion which of the '/bin/false' vs '/bin/true' executables is better to be recommended for disabling the kernel modules in RHEL/6 and RHEL/7 products), the upstream consensus has been made that '/bin/true' is better to be used. Particular upstream change performing this modification are the following:

  [2] https://github.com/OpenSCAP/scap-security-guide/pull/541
  [3] https://github.com/OpenSCAP/scap-security-guide/commit/0053409c311056f5bc4d8430cc752fe4de5fac2c

To summary the current expected situation regarding to kernel modules loading on both RHEL/6 and RHEL/7 system is as follows:
* the XCCDF (the prose) will recommend '/bin/true' binary to be used for disabling,
* the underlying / corresponding OVAL checks will allow both executables ('/bin/true' and '/bin/false' to be specified. Since '/bin/false' is equivalent setting to the '/bin/true' case just has a side effect of printing a warning message that attempt to load particular kernel module failed. This option is kept supported / honoured for compatibility reasons), and finally
* the corrective (remediation) scripts (if particular OS system feature not configured at all) will prefer the '/bin/true' executable when performing the correction (so newly remediated system would have the new agreed approach configured).
  

> 
> 
> 
> Version-Release number of selected component (if applicable):
> 
> 
> How reproducible: 100%
> 
> 
> Steps to Reproduce: (RHEL 5)
> * net-pf-31 module disabled, bluetooth module enabled
> - service bluetooth start (fails to start due to not being able to load
> net-pf-31)
> - modprobe bluetooth (succeeds)
> 
> * net-pf-31 module enabled, bluetooth module disabled
> - service bluetooth start (succeeds)
> - modprobe bluetooth (fails to load)
> 
> * net-pf-31 module disabled, bluetooth module disabled
> - service bluetooth start (fails)
> - modprobe bluetooth (fails)
> 
> So RHEL5 appears to need both lines
> 
> Steps to Reproduce: (RHEL6 & RHEL7)
> (For RHEL7 substitute the relevant systemctl cmd)
> 
> * net-pf-31 module disabled, bluetooth module enabled
> - service bluetooth start (fails)
> - modprobe bluetooth (succeeds)
> 
> * net-pf-31 module enabled, bluetooth module disabled
> - service bluetooth start (fails)
> - modprobe bluetooth fails
> 
> Additional info:

Hope the above being helpful.

Regards, Jan.
Comment 5 Marek Haicman 2016-03-04 17:04:07 UTC 
Verified that above-mentioned approach in handling bluetooth disablement is present in scap-security-guide-0.1.28-2.el6
Comment 7 errata-xmlrpc 2016-05-10 21:39:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0846.html
Note You need to log in before you can comment on or make changes to this bug.