Bug 1490792 - OpenScap Rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' incorrectly fails the check if secure 'sandbox' option is used on a RHEL7 system.
Summary: OpenScap Rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' in...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: pre-dev-freeze
: ---
Assignee: Watson Yuuma Sato
QA Contact: Marek Haicman
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-09-12 09:05 UTC by Jayant Bhatia
Modified: 2020-12-14 09:59 UTC (History)
5 users (show)

Fixed In Version: scap-security-guide-0.1.35-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 12:21:26 UTC
Target Upstream Version:


Attachments (Terms of Use)
Error Message (22.24 KB, image/png)
2017-09-12 09:05 UTC, Jayant Bhatia
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0761 0 None None None 2018-04-10 12:21:55 UTC

Description Jayant Bhatia 2017-09-12 09:05:35 UTC
Created attachment 1324772 [details]
Error Message

Description of problem:

As per below 'sshd_config' man page, 'sandbox' can be used as a secure option under 'UsePrivilegeSeparation' in '/etc/ssh/sshd_config' file:

UsePrivilegeSeparation
 Specifies whether sshd(8) separates privileges by creating an unprivileged child process to deal with incoming network traffic.  After successful authentication, another process will be created that has the privilege
 of the authenticated user.  The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes.  The default is “yes”.  If UsePrivilegeSeparation is set
 to “sandbox” then the pre-authentication unprivileged process is subject to additional restrictions.

When the 'UsePrivilegeSeparation' is set as 'sandbox', the openscap rule incorrectly fails with below error message.

" Enable Use of Privilege Separation

Description: When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH, add or correct the following line in the /etc/ssh/sshd_config file: UsePrivilegeSeparation yes

Rationale: SSH daemon privilege separation causes the SSH process to drop root privileges when not needed which would decrease the impact of software vulnerabilities in the unprivileged section.

References: AC-6, 366, SRG-OS-000480-GPOS-00227, RHEL-07-040460, 3.1.12 "

How reproducible:


Steps to Reproduce:

1) Create a OpenScap compliance policy with 'SCAP content' as 'Red Hat rhel7 default content' and 'XCCDF Profile' as 'DISA STIG for Red Hat Enterprise Linux 7'.

2) Assign this policy to a RHEL-7 client host in which 'UsePrivilegeSeparation' is set as sandbox under '/etc/ssh/sshd_config' file.

3) Generate the OpenScap report for the RHEL-7 client.


Actual results:

The OpenScap rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' incorrectly fails this check.

Expected results:

The OpenScap rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' should not fail this check.

Comment 1 Marek Hulan 2017-09-12 11:58:49 UTC
Could you please check whether you get the same result when you run oscap scanner with the same profile directly? This seems more like an issue of scap security guide, if that's the case, please move the BZ to the the SCAP project.

Comment 2 Jayant Bhatia 2017-09-15 01:50:00 UTC
The same results are being observed while directly running the oscap scanner.

Comment 4 Martin Preisler 2017-09-20 18:45:06 UTC
Thanks for reporting this issue!

Upstream patch has been merged: https://github.com/OpenSCAP/scap-security-guide/pull/2162

Comment 6 Marek Haicman 2018-01-22 22:17:47 UTC
Verified that fix is present in scap-security-guide-0.1.36-7.el7.noarch using SSG Test Suite.

OLD (scap-security-guide-0.1.33-6.el7.noarch):
[dahaic@machine]$ sudo ./test_suite.py rule --hypervisor 'qemu:///system' --domain ssg-test-suite --datastream ./ssg-0.1.33-6-ds.xml --benchmark xccdf_org.ssgproject.content_benchmark_RHEL-7 rule_sshd_use_priv_separation
[sudo] password for dahaic: 
Setting console output to log level INFO
INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-01-22-2250/test_suite.log
libvirt: QEMU Driver error : Guest agent is not responding: QEMU guest agent is not connected
INFO - xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
INFO - Script line_not_there.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script nothing.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
ERROR - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 found issue:
ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation'.
INFO - Script comment.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script wrong_value_no.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
ERROR - Script wrong_value_yes.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 found issue:
ERROR - Scan has exited with return code 0, instead of expected 2 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation'.
INFO - All snapshots reverted successfully



NEW (scap-security-guide-0.1.36-7.el7.noarch):
[dahaic@machine]$ sudo ./test_suite.py rule --hypervisor 'qemu:///system' --domain ssg-test-suite --datastream ./ssg-0.1.36-7-ds.xml --benchmark xccdf_org.ssgproject.content_benchmark_RHEL-7 rule_sshd_use_priv_separation
[sudo] password for dahaic: 
Setting console output to log level INFO
INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-01-22-2256/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
INFO - Script line_not_there.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script nothing.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script comment.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script wrong_value_no.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script wrong_value_yes.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - All snapshots reverted successfully


Pull Request with updated test coverage: https://github.com/OpenSCAP/scap-security-guide/pull/2565

Comment 9 errata-xmlrpc 2018-04-10 12:21:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0761


Note You need to log in before you can comment on or make changes to this bug.