Bug 1309037 - oscap remediation scripts for /etc/security/pwquality.conf have logic holes.
Summary: oscap remediation scripts for /etc/security/pwquality.conf have logic holes.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.3
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: Jan Lieskovsky
QA Contact: Marek Haicman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-02-16 17:50 UTC by Chinmay Paradkar
Modified: 2019-12-16 05:24 UTC (History)

Fixed In Version: scap-security-guide-0.1.30-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 07:33:23 UTC
Target Upstream Version:
Embargoed:
Links
Red Hat Product Errata RHBA-2016:2483 (priority normal, status SHIPPED_LIVE): scap-security-guide bug fix and enhancement update; last updated 2016-11-03 14:09:28 UTC

Description Chinmay Paradkar 2016-02-16 17:50:49 UTC
Description of problem:
The file /etc/security/pwquality.conf is not remediated as expected in all cases. The oscap implementation logic only works if something like the original default RHEL pwquality.conf file exists, not for any general file.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.25-3.el7

How reproducible:
Always

Steps to Reproduce:
On RHEL 7.x (any version) where /etc/security/pwquality.conf has been replaced. For example, if the file contains only the single line "dcredit = -1" and we specify in the tailoring file that we want "ucredit = -1", remediation will fail. This is because all of the pwquality.conf remediation scripts handle the case where the target variable is defined ("ucredit = 2") or where the target variable appears in a comment ("# ucredit = 1"), but no test is made for the case where the variable does not appear at all -- in this case, the script logic falls through without doing anything, instead of appending to the file.

Additional info:
The easiest way to reproduce this is to get oscap to generate a fix script so we can more easily see what it's trying to do:

# d=`date +%m%d%H%M`
# oscap xccdf generate fix \
    --template urn:xccdf:fix:script:sh \
    --profile stig-rhel7-server-upstream_hpes \
    --tailoring-file ssg-rhel7-tailoring-hpe-v03.xml \
    --output remediate.$d.sh \
    ssg-rhel7-xccdf.xml \
    |& tee makefix.$d.log

Let's pick on ucredit here but everything having to do with pwquality
has exactly the same problem. The generated code in the remediate.*.sh script
looks like this:

var_password_pam_ucredit="-1"
# Case 1: an active "ucredit = N" line exists; rewrite it in place.
if egrep -q '^ucredit[[:space:]]*=[[:space:]]*[-]?[[:digit:]]+' /etc/security/pwquality.conf; then
        sed -i "s/^\(ucredit *= *\).*/\1$var_password_pam_ucredit/" /etc/security/pwquality.conf
else
        # Otherwise append the directive after a line mentioning ucredit
        # (assumed to be a comment); no such line means nothing happens.
        sed -i "/\(ucredit *= *\).*/a ucredit = $var_password_pam_ucredit" /etc/security/pwquality.conf
fi

Following is what the above will do.

1. The desired setting of ucredit is -1
2. pwquality is checked to see if it contains an explicit setting for ucredit
3. If it does, the existing definition is completely replaced by the new
definition
4. If it does not, a new definition is added to the file

The problem is step 4. The actual logic above is "find a line mentioning
ucredit (with the expectation it is a comment), and then add the definition
immediately following that line."

Red Hat ships a default /etc/security/pwquality.conf that contains a boatload
of comments, including descriptions of all possible variables and their
default values. When run against this file, the remediation works as expected.
For example, the sequence of lines:

# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
# ucredit = 1
#

is transformed into:

# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
# ucredit = 1
ucredit = -1
#

The problem is that there is no requirement anywhere that pwquality.conf
contain any particular information. If for example, we completely replace
pwquality.conf with a new file containing only the single line:

minlen=12

Then the oscap remediation will fail. This occurs because there is no instance
of "ucredit" anywhere in the file, so step 4's sed pattern never matches and
the append command is never executed.

To address the situation, the remediation code should look like this:

var_password_pam_ucredit="-1"
# Case 1: an active "ucredit = N" line exists; rewrite it in place.
if egrep -q '^ucredit[[:space:]]*=[[:space:]]*[-]?[[:digit:]]+' /etc/security/pwquality.conf; then
        sed -i "s/^\(ucredit *= *\).*/\1$var_password_pam_ucredit/" /etc/security/pwquality.conf
# Case 2: only a commented example exists; append the directive after it.
elif egrep -q 'ucredit[[:space:]]*=[[:space:]]' /etc/security/pwquality.conf; then
        sed -i "/\(ucredit *= *\).*/a ucredit = $var_password_pam_ucredit" /etc/security/pwquality.conf
# Case 3: ucredit is not mentioned at all; append the directive to the file.
else
        echo "ucredit = $var_password_pam_ucredit" >> /etc/security/pwquality.conf
fi

Here, the append attempt is guarded by a check to ensure the target pattern
actually appears in the file. If it does not, the required directive is
appended to the file.
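The three-way logic above, turned into a reusable function and exercised against the three file shapes the report describes (explicit setting, commented example, key absent). This is an added example, not code from the bug report or from scap-security-guide; it assumes GNU sed (for `-i` and the one-line `a` command) and uses constructed temporary files instead of the live /etc/security/pwquality.conf.

```shell
#!/bin/sh
# set_pwquality_directive KEY VALUE FILE: set or append "KEY = VALUE".
# FILE is normally /etc/security/pwquality.conf; tests pass a temp file.
set_pwquality_directive() {
    key=$1; value=$2; conf=$3
    if grep -Eq "^${key}[[:space:]]*=[[:space:]]*-?[[:digit:]]+" "$conf"; then
        # Case 1: an active directive exists; rewrite it in place.
        sed -i "s/^\(${key} *= *\).*/\1${value}/" "$conf"
    elif grep -Eq "${key}[[:space:]]*=[[:space:]]" "$conf"; then
        # Case 2: only a commented example exists; append right after it.
        sed -i "/\(${key} *= *\).*/a ${key} = ${value}" "$conf"
    else
        # Case 3: the key is absent; the original generated script did
        # nothing here, which is the hole the report describes.
        echo "${key} = ${value}" >> "$conf"
    fi
}

# get_pwquality_directive KEY FILE: print the active (uncommented) value
# of KEY, last occurrence wins; prints nothing if KEY is not set.
get_pwquality_directive() {
    sed -nE "s/^$1[[:space:]]*=[[:space:]]*(-?[0-9]+).*/\1/p" "$2" | tail -n 1
}

# Self-check over the three cases from the report, using constructed files.
# Returns 0 only if ucredit ends up as -1 in every case.
demo_three_cases() {
    tmp=$(mktemp -d); rc=0
    # Case 1: explicit setting present.
    printf 'ucredit = 2\n' > "$tmp/explicit.conf"
    # Case 2: Red Hat default style, only a commented example.
    printf '# ucredit = 1\n#\n' > "$tmp/commented.conf"
    # Case 3: replaced file that never mentions ucredit (the failing case).
    printf 'minlen=12\n' > "$tmp/absent.conf"
    for f in explicit commented absent; do
        set_pwquality_directive ucredit -1 "$tmp/$f.conf"
        got=$(get_pwquality_directive ucredit "$tmp/$f.conf")
        echo "$f: ucredit=${got:-unset}"
        [ "$got" = "-1" ] || rc=1
    done
    rm -rf "$tmp"
    return $rc
}
```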

Comment 2 Jan Lieskovsky 2016-03-17 15:50:01 UTC
Reported upstream as:
  https://github.com/OpenSCAP/scap-security-guide/issues/1085

Comment 3 Jan Lieskovsky 2016-04-19 17:37:05 UTC
Specific upstream change correcting the problem:
  https://github.com/OpenSCAP/scap-security-guide/pull/1219

Comment 8 Marek Haicman 2016-07-07 14:54:01 UTC
Confirmed fix in version scap-security-guide-0.1.30-1.el7

Old version scap-security-guide-0.1.25-3.el7 threw an error when it tried to remediate an empty file; the fixed version works.

Common scenario [value is already present] passed as well.

Comment 10 errata-xmlrpc 2016-11-04 07:33:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2483.html

