Bug 1465686 - multiple ssg rules missing / failing remediations
Summary: multiple ssg rules missing / failing remediations
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.4
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Watson Yuuma Sato
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-06-27 23:53 UTC by Marek Haicman
Modified: 2019-09-12 13:40 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Marek Haicman 2017-06-27 23:53:22 UTC
Description of problem:
Multiple rules shipped in SSG have either missing remediations, or remediations that fails when applied on freshly installed system. These rules are (to help with development, it's grouped by example of profile where these are enabled):

(STIG profile)
xccdf_org.ssgproject.content_rule_ntp_set_maxpoll (missing)
xccdf_org.ssgproject.content_rule_sssd_enable_pam_services (missing)
xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost (failing)
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root (failing)
xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode (failing)

(PCI-DSS profile)
xccdf_org.ssgproject.content_rule_ensure_logrotate_activated (missing)

(OSPP profile)
xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions (missing)
xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding (missing)
xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route (missing)
xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc (missing)
xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable (missing)
xccdf_org.ssgproject.content_rule_aide_scan_notification (failing)

(C2S profile)
xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info (missing)
xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec (missing)
xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions (missing)


Version-Release number of selected component (if applicable):
scap-security-guide-0.1.33-5.el7.noarch

How reproducible:
reliably

Steps to Reproduce:
1. install fresh RHEL7.4 machine
2. perform profile based remediations for aforementioned profiles



Actual results:
2. rules listed  in description are still failing after remediation

Expected results:
2. rules listed in description are passing after remediation

Additional info:

Comment 1 Martin Preisler 2017-08-01 18:04:52 UTC
Upstream patch related to this: https://github.com/OpenSCAP/scap-security-guide/pull/2171
Please note that this patch is not fixing everything in this BZ.

Comment 2 Watson Yuuma Sato 2017-11-16 14:04:46 UTC
Some more fixes:

For Rule xccdf_org.ssgproject.content_rule_ntp_set_maxpoll, which I believe actually is xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll:
https://github.com/OpenSCAP/scap-security-guide/pull/2429
https://github.com/OpenSCAP/scap-security-guide/pull/2432

For Rule xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost (failing):
https://github.com/OpenSCAP/scap-security-guide/pull/2176

Comment 3 Watson Yuuma Sato 2018-07-18 13:12:53 UTC
These rules were fixed in https://bugzilla.redhat.com/show_bug.cgi?id=1570802

(STIG profile)
xccdf_org.ssgproject.content_rule_sssd_enable_pam_services (missing)

(PCI-DSS profile)
xccdf_org.ssgproject.content_rule_ensure_logrotate_activated (missing)

(OSPP profile)
xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions (missing)
xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc (missing)
xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable (missing)

xccdf_org.ssgproject.content_rule_aide_scan_notification (failing) was fixed in https://bugzilla.redhat.com/show_bug.cgi?id=1540505


Rules for which I did not patches, so I assume they still are failing or missing fixes:

(C2S profile)
xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info (missing)
xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec (missing)
xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions (missing)

xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root (failing)
xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode (failing)

xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding (missing)
xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route (missing)

Comment 4 Watson Yuuma Sato 2018-11-26 16:01:48 UTC
In RHEL7.6,

the following rules is still failing:
xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info (fail)

This rule returns error:
xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec (error)
"The mount point '/dev/shm' is not even in /etc/fstab, so we can't set up mount options
Not remediating, because there is no record of /dev/shm in /etc/fstab"

The following rules are passing:
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode

xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route

This rule was removed:
xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions 

And this rules started to fail/error:

C2S profile
xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries (fail)
xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6 (error)
xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading (error)
xccdf_org.ssgproject.content_rule_audit_rules_login_events (error)

OSPP profile
xccdf_org.ssgproject.content_rule_package_dracut-fips_installed (fail)
xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key (error)
xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key (error)
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands (error)

Comment 6 Watson Yuuma Sato 2019-05-07 11:59:21 UTC
Changes to RHEL 7.7

This rule reports error, but then passes, in subsequent scan:
xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6 (error)

Following rule are passing now:
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands (fixed in C2S profile) 
xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading (fixed)
xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key (fixed)
xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key (fixed)


xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands (fails in OSPP profile, due to installation of screen package)
(audit_rules_privileged_commands is remedied, screen is installed, and becuase screen is a privileged command, final result of rule audit_rules_privileged_commands is fail)

Other rules not mentioned here are still failing.


Note You need to log in before you can comment on or make changes to this bug.