Bug 1404381 - remediation script for rule_rsyslog_files_permissions breaks rpm -V systemd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Raphael Sanchez Prudencio
QA Contact: Matus Marhefka
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-12-13 17:14 UTC by Marek Haicman
Modified: 2017-08-01 12:24 UTC (History)

Fixed In Version: scap-security-guide-0.1.32-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 12:24:43 UTC
Target Upstream Version:


Links:
- Red Hat Bugzilla 1403347 (private; priority, status and summary not visible), last updated 2021-01-20 06:05:38 UTC
- Red Hat Product Errata RHBA-2017:2064, priority normal, status SHIPPED_LIVE, "scap-security-guide bug fix and enhancement update", last updated 2017-08-01 16:05:50 UTC

Internal Links: 1403347

Description Marek Haicman 2016-12-13 17:14:11 UTC
Description of problem:
The remediation script for rule_rsyslog_files_permissions alters /etc/rc.local. On RHEL7, this file is there for legacy reasons, is provided by systemd, and is not configured to be altered, so any update manifests as rpm -V systemd failing.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.30-3.el7.noarch

How reproducible:
reliably

Steps to Reproduce:
1. run remediation script of rule_rsyslog_files_permissions rule
2. rpm -Va


Actual results:
Failure as /etc/rc.local is altered.

Expected results:
Success - only files which are allowed to be changed are changed.

Additional info:

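The failure the report describes shows up as an attribute line in `rpm -V` output: a file whose mode, owner or group no longer matches the RPM database, and which the package did not mark as %config (the "c" type flag), so rpm does not tolerate the local change. The following POSIX shell filter is an added example, not code from this bug report or from scap-security-guide; the function name `permission_drift` and the sample `rpm -Va` lines are constructed for illustration and were not captured from any real host. It pulls out exactly the kind of drift that trips a permissions-verification check after a remediation chmods a non-config file such as /etc/rc.d/rc.local.

```shell
# Added example; not from the bug report or scap-security-guide.
# Parses `rpm -Va` output and lists files whose mode, owner or group differ
# from what the RPM database recorded, skipping files the package marked
# %config (type flag 'c'). A non-config file in this list is what makes
# `rpm -V <package>` fail after a remediation touches it.

# Constructed sample of `rpm -Va` output, not captured from any real host.
# Columns: 9-char attribute string (S M 5 D L U G T P), optional type flag, path.
SAMPLE_RPM_VA='.M.......    /etc/rc.d/rc.local
S.5....T.  c /etc/rsyslog.conf
.M....G..  c /etc/logrotate.d/syslog
.....UG..    /usr/sbin/rsyslogd
missing     /usr/lib/systemd/system/rc-local.service'

# permission_drift: read rpm -V lines on stdin, print paths with M/U/G drift
# that are not %config files. Hypothetical helper name.
permission_drift() {
    awk '
        $1 == "missing" { next }           # a missing file is a different problem
        {
            attrs = $1
            # With three fields, field 2 is the type flag (c, d, g, l, r);
            # with two fields there is no flag and field 2 is the path.
            type = (NF >= 3) ? $2 : ""
            path = $NF
            mode  = substr(attrs, 2, 1) == "M"   # position 2: file mode differs
            owner = substr(attrs, 6, 1) == "U"   # position 6: owner differs
            group = substr(attrs, 7, 1) == "G"   # position 7: group differs
            if ((mode || owner || group) && type != "c") print path
        }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_RPM_VA" | permission_drift
```

Against the sample this prints /etc/rc.d/rc.local and /usr/sbin/rsyslogd; /etc/logrotate.d/syslog has the same mode drift but is a %config file, so rpm tolerates it and so does the filter. On a real RHEL7 host run `rpm -Va --nofiledigest | permission_drift`. Before a remediation script changes the mode of a file, `rpm -qf <file>` tells you which package owns it and `rpm -qc <package>` lists that package's %config files; if the file is not among them, the change will surface in `rpm -V`, and `rpm --setperms <package>` is the way to put the recorded modes back.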
Comment 2 Marek Haicman 2017-03-09 15:50:51 UTC
The description has a few typos / maybe is not clear enough, so here is a short [hopefully correct :)] description of the problem [the original in the "See Also" ticket is OK]:

Remediation of rule_rsyslog_files_permissions updates the file /etc/rc.d/rc.local and also changes its file permissions. Because of this change, the rule rpm_verify_permissions starts failing.

Comment 3 Raphael Sanchez Prudencio 2017-03-14 09:58:51 UTC
Proposed PR at https://github.com/OpenSCAP/scap-security-guide/pull/1756

Comment 5 Marek Haicman 2017-04-24 17:53:29 UTC
If I am not mistaken, the PR linked in this bug actually introduced a regression. /var/log/boot.log needs special handling in RHEL7, as it retains 644 after reboot, the same way it does on RHEL6. Only the workaround [using the rc.local file] is not available on RHEL7.

Moving back to assigned.

Comment 7 Raphael Sanchez Prudencio 2017-05-10 09:14:43 UTC
Looks like Plymouth was changed in 7.4 so it won't truncate/touch /var/log/boot.log anymore; maybe this helps us get rid of the workaround that was removed by accident.

Comment 8 Raphael Sanchez Prudencio 2017-05-15 13:28:56 UTC
Ray Strode fixed the issue in plymouth-0.8.9-0.28.20140113.el7.x86_64; it was enforcing mode 0644.

The remediation should be enough now and work properly.

Comment 10 Matus Marhefka 2017-06-20 13:57:57 UTC
VERIFIED manually for scap-security-guide-0.1.33-5.el7.noarch


OLD: scap-security-guide-0.1.30-3.el7.noarch
1. Evaluate rule_rpm_verify_permissions - PASS
2. Remediate failing rule_rsyslog_files_permissions - FIXED
3. Evaluate the rule_rpm_verify_permissions once again - FAILS


NEW: scap-security-guide-0.1.33-5.el7.noarch
1. Evaluate rule_rpm_verify_permissions - PASS
2. Remediate failing rule_rsyslog_files_permissions - FIXED
3. Evaluate the rule_rpm_verify_permissions once again - PASS

Comment 11 errata-xmlrpc 2017-08-01 12:24:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2064