1403905 – OpenSCAP false positives citing nonexistent removable media

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1403905 - OpenSCAP false positives citing nonexistent removable media

Summary: OpenSCAP false positives citing nonexistent removable media

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	scap-security-guide
Sub Component:
Version:	7.2
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	7.4
Assignee:	Jan Černý
QA Contact:	Marek Haicman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1420851
TreeView+	depends on / blocked

Reported:	2016-12-12 15:35 UTC by Rick Dixon
Modified:	2020-09-10 10:02 UTC (History)
CC List:	13 users (show)
Fixed In Version:	scap-security-guide-0.1.33-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 12:23:38 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2064	0	normal	SHIPPED_LIVE	scap-security-guide bug fix and enhancement update	2017-08-01 16:05:50 UTC

Comment 7 Šimon Lukašík 2016-12-15 15:34:19 UTC

Rick, please provide public summary for fedora bugs. Thanks!

Comment 8 Rick Dixon 2016-12-15 15:39:31 UTC

Description of problem:

We are failing the tests

Add noexec Option to Removable Media Partitions 
Add nosuid Option to Removable Media Partitions 
Add nodev Option to Removable Media Partitions 

However, we don't have mount points for removable media with any of the above options.


Version-Release number of selected component (if applicable):

openscap-1.2.9-5.el7_2.x86_64
openscap-engine-sce-1.2.9-5.el7_2.x86_64 
openscap-scanner-1.2.9-5.el7_2.x86_64 
rubygem-foreman_scap_client-0.1.2-1.el7sat.noarch


How reproducible:

Always, in customer environment.


Actual results:

Add noexec Option to Removable Media Partitions 
Add nosuid Option to Removable Media Partitions 
Add nodev Option to Removable Media Partitions 


Expected results:

As no removable media has been mounted, this result should not occur.

Additional info:

sosreport attached in private comment.

Comment 9 Martin Preisler 2016-12-15 19:42:59 UTC

I think this is most probably an issue in SCAP Security Guide.

Comment 10 Jan Černý 2017-03-27 13:14:55 UTC

My opinion is that this is a bug in OVAL definitions in SCAP Security Guide. The OVAL definition for rules mentioned above assumes that if a machine has a CD drive, the CD drive is configured for automatic mounting in /etc/fstab.

Firstly, it checks if a file "/dev/cdrom" exists, and if yes, it requires a line in both /etc/fstab and /etc/mtab saying that "/dev/cdrom" is configured with noexec, nosuid, nodev options. That's wrong approach, because there doesn't have to be any entry about "/dev/cdrom" at all. From what I understand, that is the situation that you are facing. 

I think that the fix would be to improve the definitions in SCAP security guide in a way that it will accept also a system where a CD drive exists but isn't configured to automount. I will investigate how to implement the fix.

Comment 11 Martin Preisler 2017-03-30 07:15:35 UTC

A fix for this bz has been merged upstream: https://github.com/OpenSCAP/scap-security-guide/pull/1776

This didn't make it to the SCAP Security Guide 0.1.32 release.

Comment 12 Jan Černý 2017-03-30 08:35:07 UTC

The fix in https://github.com/OpenSCAP/scap-security-guide/pull/1776 fixes the false positives reported on CD drives. However there might be other kinds of removable media that are not covered by the patch. We might need to investigate if there is a way how to handle all the kinds of removable media.

Comment 16 Marek Haicman 2017-06-22 23:32:32 UTC

Verified for version scap-security-guide-0.1.33-5.el7.noarch
Verification performed using SSG Test Suite

OLD:
scap-security-guide-0.1.30-3.el7.noarch
INFO - xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions
INFO - Script no_partitions.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S
ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial
ERROR - Rule result should have been "pass", but is "fail"!
WARNING - Skipping to the next scenario
INFO - xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions
INFO - Script no_partitions.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S
ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial
ERROR - Rule result should have been "pass", but is "fail"!
WARNING - Skipping to the next scenario
INFO - xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions
INFO - Script no_partitions.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S
ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial
ERROR - Rule result should have been "pass", but is "fail"!
WARNING - Skipping to the next scenario
INFO - All snapshots reverted successfully


NEW:
INFO - xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions
INFO - Script no_partitions.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S
INFO - xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions
INFO - Script no_partitions.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S
INFO - xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions
INFO - Script no_partitions.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S
INFO - All snapshots reverted successfully

Comment 17 errata-xmlrpc 2017-08-01 12:23:38 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2064

Note You need to log in before you can comment on or make changes to this bug.