Bug 1403905 - OpenSCAP false positives citing nonexistent removable media
Summary: OpenSCAP false positives citing nonexistent removable media
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.2
Hardware: x86_64
OS: Linux
low
low
Target Milestone: rc
: 7.4
Assignee: Jan Černý
QA Contact: Marek Haicman
URL:
Whiteboard:
Depends On:
Blocks: 1420851
TreeView+ depends on / blocked
 
Reported: 2016-12-12 15:35 UTC by Rick Dixon
Modified: 2020-09-10 10:02 UTC (History)
13 users (show)

Fixed In Version: scap-security-guide-0.1.33-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 12:23:38 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2064 0 normal SHIPPED_LIVE scap-security-guide bug fix and enhancement update 2017-08-01 16:05:50 UTC

Comment 7 Šimon Lukašík 2016-12-15 15:34:19 UTC 
Rick, please provide public summary for fedora bugs. Thanks!
Comment 8 Rick Dixon 2016-12-15 15:39:31 UTC 
Description of problem:

We are failing the tests

Add noexec Option to Removable Media Partitions 
Add nosuid Option to Removable Media Partitions 
Add nodev Option to Removable Media Partitions 

However, we don't have mount points for removable media with any of the above options.


Version-Release number of selected component (if applicable):

openscap-1.2.9-5.el7_2.x86_64
openscap-engine-sce-1.2.9-5.el7_2.x86_64 
openscap-scanner-1.2.9-5.el7_2.x86_64 
rubygem-foreman_scap_client-0.1.2-1.el7sat.noarch


How reproducible:

Always, in customer environment.


Actual results:

Add noexec Option to Removable Media Partitions 
Add nosuid Option to Removable Media Partitions 
Add nodev Option to Removable Media Partitions 


Expected results:

As no removable media has been mounted, this result should not occur.

Additional info:

sosreport attached in private comment.
Comment 9 Martin Preisler 2016-12-15 19:42:59 UTC 
I think this is most probably an issue in SCAP Security Guide.
Comment 10 Jan Černý 2017-03-27 13:14:55 UTC 
My opinion is that this is a bug in OVAL definitions in SCAP Security Guide. The OVAL definition for rules mentioned above assumes that if a machine has a CD drive, the CD drive is configured for automatic mounting in /etc/fstab.

Firstly, it checks if a file "/dev/cdrom" exists, and if yes, it requires a line in both /etc/fstab and /etc/mtab saying that "/dev/cdrom" is configured with noexec, nosuid, nodev options. That's wrong approach, because there doesn't have to be any entry about "/dev/cdrom" at all. From what I understand, that is the situation that you are facing. 

I think that the fix would be to improve the definitions in SCAP security guide in a way that it will accept also a system where a CD drive exists but isn't configured to automount. I will investigate how to implement the fix.
Comment 11 Martin Preisler 2017-03-30 07:15:35 UTC 
A fix for this bz has been merged upstream: https://github.com/OpenSCAP/scap-security-guide/pull/1776

This didn't make it to the SCAP Security Guide 0.1.32 release.
Comment 12 Jan Černý 2017-03-30 08:35:07 UTC 
The fix in https://github.com/OpenSCAP/scap-security-guide/pull/1776 fixes the false positives reported on CD drives. However there might be other kinds of removable media that are not covered by the patch. We might need to investigate if there is a way how to handle all the kinds of removable media.
Comment 16 Marek Haicman 2017-06-22 23:32:32 UTC 
Verified for version scap-security-guide-0.1.33-5.el7.noarch
Verification performed using SSG Test Suite

OLD:
scap-security-guide-0.1.30-3.el7.noarch
INFO - xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions
INFO - Script no_partitions.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S
ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial
ERROR - Rule result should have been "pass", but is "fail"!
WARNING - Skipping to the next scenario
INFO - xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions
INFO - Script no_partitions.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S
ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial
ERROR - Rule result should have been "pass", but is "fail"!
WARNING - Skipping to the next scenario
INFO - xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions
INFO - Script no_partitions.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S
ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial
ERROR - Rule result should have been "pass", but is "fail"!
WARNING - Skipping to the next scenario
INFO - All snapshots reverted successfully


NEW:
INFO - xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions
INFO - Script no_partitions.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S
INFO - xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions
INFO - Script no_partitions.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S
INFO - xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions
INFO - Script no_partitions.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S
INFO - All snapshots reverted successfully
Comment 17 errata-xmlrpc 2017-08-01 12:23:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2064
Note You need to log in before you can comment on or make changes to this bug.