1490792 – OpenScap Rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' incorrectly fails the check if secure 'sandbox' option is used on a RHEL7 system.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1490792 - OpenScap Rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' incorrectly fails the check if secure 'sandbox' option is used on a RHEL7 system.

Summary: OpenScap Rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' in...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	scap-security-guide
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	pre-dev-freeze
Target Release:	---
Assignee:	Watson Yuuma Sato
QA Contact:	Marek Haicman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-09-12 09:05 UTC by Jayant Bhatia
Modified:	2020-12-14 09:59 UTC (History)
CC List:	5 users (show)
Fixed In Version:	scap-security-guide-0.1.35-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-10 12:21:26 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Error Message (22.24 KB, image/png) 2017-09-12 09:05 UTC, Jayant Bhatia	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0761	0	None	None	None	2018-04-10 12:21:55 UTC

Description Jayant Bhatia 2017-09-12 09:05:35 UTC

Created attachment 1324772 [details]
Error Message

Description of problem:

As per below 'sshd_config' man page, 'sandbox' can be used as a secure option under 'UsePrivilegeSeparation' in '/etc/ssh/sshd_config' file:

UsePrivilegeSeparation
 Specifies whether sshd(8) separates privileges by creating an unprivileged child process to deal with incoming network traffic.  After successful authentication, another process will be created that has the privilege
 of the authenticated user.  The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes.  The default is “yes”.  If UsePrivilegeSeparation is set
 to “sandbox” then the pre-authentication unprivileged process is subject to additional restrictions.

When the 'UsePrivilegeSeparation' is set as 'sandbox', the openscap rule incorrectly fails with below error message.

" Enable Use of Privilege Separation

Description: When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH, add or correct the following line in the /etc/ssh/sshd_config file: UsePrivilegeSeparation yes

Rationale: SSH daemon privilege separation causes the SSH process to drop root privileges when not needed which would decrease the impact of software vulnerabilities in the unprivileged section.

References: AC-6, 366, SRG-OS-000480-GPOS-00227, RHEL-07-040460, 3.1.12 "

How reproducible:


Steps to Reproduce:

1) Create a OpenScap compliance policy with 'SCAP content' as 'Red Hat rhel7 default content' and 'XCCDF Profile' as 'DISA STIG for Red Hat Enterprise Linux 7'.

2) Assign this policy to a RHEL-7 client host in which 'UsePrivilegeSeparation' is set as sandbox under '/etc/ssh/sshd_config' file.

3) Generate the OpenScap report for the RHEL-7 client.


Actual results:

The OpenScap rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' incorrectly fails this check.

Expected results:

The OpenScap rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' should not fail this check.

Comment 1 Marek Hulan 2017-09-12 11:58:49 UTC

Could you please check whether you get the same result when you run oscap scanner with the same profile directly? This seems more like an issue of scap security guide, if that's the case, please move the BZ to the the SCAP project.

Comment 2 Jayant Bhatia 2017-09-15 01:50:00 UTC

The same results are being observed while directly running the oscap scanner.

Comment 4 Martin Preisler 2017-09-20 18:45:06 UTC

Thanks for reporting this issue!

Upstream patch has been merged: https://github.com/OpenSCAP/scap-security-guide/pull/2162

Comment 6 Marek Haicman 2018-01-22 22:17:47 UTC

Verified that fix is present in scap-security-guide-0.1.36-7.el7.noarch using SSG Test Suite.

OLD (scap-security-guide-0.1.33-6.el7.noarch):
[dahaic@machine]$ sudo ./test_suite.py rule --hypervisor 'qemu:///system' --domain ssg-test-suite --datastream ./ssg-0.1.33-6-ds.xml --benchmark xccdf_org.ssgproject.content_benchmark_RHEL-7 rule_sshd_use_priv_separation
[sudo] password for dahaic: 
Setting console output to log level INFO
INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-01-22-2250/test_suite.log
libvirt: QEMU Driver error : Guest agent is not responding: QEMU guest agent is not connected
INFO - xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
INFO - Script line_not_there.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script nothing.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
ERROR - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 found issue:
ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation'.
INFO - Script comment.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script wrong_value_no.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
ERROR - Script wrong_value_yes.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 found issue:
ERROR - Scan has exited with return code 0, instead of expected 2 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation'.
INFO - All snapshots reverted successfully



NEW (scap-security-guide-0.1.36-7.el7.noarch):
[dahaic@machine]$ sudo ./test_suite.py rule --hypervisor 'qemu:///system' --domain ssg-test-suite --datastream ./ssg-0.1.36-7-ds.xml --benchmark xccdf_org.ssgproject.content_benchmark_RHEL-7 rule_sshd_use_priv_separation
[sudo] password for dahaic: 
Setting console output to log level INFO
INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-01-22-2256/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
INFO - Script line_not_there.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script nothing.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script comment.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script wrong_value_no.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - Script wrong_value_yes.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 OK
INFO - All snapshots reverted successfully


Pull Request with updated test coverage: https://github.com/OpenSCAP/scap-security-guide/pull/2565

Comment 9 errata-xmlrpc 2018-04-10 12:21:26 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0761

Note You need to log in before you can comment on or make changes to this bug.