Hide Forgot
Description of problem: Multiple rules shipped in SSG have either missing remediations, or remediations that fails when applied on freshly installed system. These rules are (to help with development, it's grouped by example of profile where these are enabled): (STIG profile) xccdf_org.ssgproject.content_rule_ntp_set_maxpoll (missing) xccdf_org.ssgproject.content_rule_sssd_enable_pam_services (missing) xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost (failing) xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root (failing) xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode (failing) (PCI-DSS profile) xccdf_org.ssgproject.content_rule_ensure_logrotate_activated (missing) (OSPP profile) xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions (missing) xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding (missing) xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route (missing) xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc (missing) xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable (missing) xccdf_org.ssgproject.content_rule_aide_scan_notification (failing) (C2S profile) xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info (missing) xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec (missing) xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions (missing) Version-Release number of selected component (if applicable): scap-security-guide-0.1.33-5.el7.noarch How reproducible: reliably Steps to Reproduce: 1. install fresh RHEL7.4 machine 2. perform profile based remediations for aforementioned profiles Actual results: 2. rules listed in description are still failing after remediation Expected results: 2. rules listed in description are passing after remediation Additional info:
Upstream patch related to this: https://github.com/OpenSCAP/scap-security-guide/pull/2171 Please note that this patch is not fixing everything in this BZ.
Some more fixes: For Rule xccdf_org.ssgproject.content_rule_ntp_set_maxpoll, which I believe actually is xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll: https://github.com/OpenSCAP/scap-security-guide/pull/2429 https://github.com/OpenSCAP/scap-security-guide/pull/2432 For Rule xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost (failing): https://github.com/OpenSCAP/scap-security-guide/pull/2176
These rules were fixed in https://bugzilla.redhat.com/show_bug.cgi?id=1570802 (STIG profile) xccdf_org.ssgproject.content_rule_sssd_enable_pam_services (missing) (PCI-DSS profile) xccdf_org.ssgproject.content_rule_ensure_logrotate_activated (missing) (OSPP profile) xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions (missing) xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc (missing) xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable (missing) xccdf_org.ssgproject.content_rule_aide_scan_notification (failing) was fixed in https://bugzilla.redhat.com/show_bug.cgi?id=1540505 Rules for which I did not patches, so I assume they still are failing or missing fixes: (C2S profile) xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info (missing) xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec (missing) xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions (missing) xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root (failing) xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode (failing) xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding (missing) xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route (missing)
In RHEL7.6, the following rules is still failing: xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info (fail) This rule returns error: xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec (error) "The mount point '/dev/shm' is not even in /etc/fstab, so we can't set up mount options Not remediating, because there is no record of /dev/shm in /etc/fstab" The following rules are passing: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route This rule was removed: xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions And this rules started to fail/error: C2S profile xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries (fail) xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6 (error) xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading (error) xccdf_org.ssgproject.content_rule_audit_rules_login_events (error) OSPP profile xccdf_org.ssgproject.content_rule_package_dracut-fips_installed (fail) xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key (error) xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key (error) xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands (error)
Changes to RHEL 7.7 This rule reports error, but then passes, in subsequent scan: xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6 (error) Following rule are passing now: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands (fixed in C2S profile) xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading (fixed) xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key (fixed) xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key (fixed) xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands (fails in OSPP profile, due to installation of screen package) (audit_rules_privileged_commands is remedied, screen is installed, and becuase screen is a privileged command, final result of rule audit_rules_privileged_commands is fail) Other rules not mentioned here are still failing.