1556988 – rpminfo, rpmverify and rpmverifyfile probes do not fully support offline mode

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1556988 - rpminfo, rpmverify and rpmverifyfile probes do not fully support offline mode

Summary: rpminfo, rpmverify and rpmverifyfile probes do not fully support offline mode

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	openscap
Sub Component:
Version:	7.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Preisler
QA Contact:	Matus Marhefka
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:	1569150
TreeView+	depends on / blocked

Reported:	2018-03-15 17:00 UTC by Matus Marhefka
Modified:	2018-10-30 11:45 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	OpenSCAP RPM verification rules no longer work incorrectly with VM and container file systems Previously, the `rpminfo`, `rpmverify`, and `rpmverifyfile` probes did not fully support offline mode. As a consequence, OpenSCAP RPM verification rules did not work correctly when scanning virtual machine (VM) and container file systems in offline mode. With this update, support for offline mode has been fixed, and results of scanning VM and container file systems in offline mode no longer contain false negatives.
Clone Of:
Clones:	1569150 (view as bug list)
Environment:
Last Closed:	2018-10-30 11:44:40 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
patch to use chroot for rpm probes (1.91 KB, application/mbox) 2018-04-18 16:06 UTC, Martin Preisler	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:3302	0	None	None	None	2018-10-30 11:44:59 UTC

Description Matus Marhefka 2018-03-15 17:00:08 UTC

Description of problem:
First remediate the rhel7 base image:
# atomic scan --remediate --scan_type configuration_compliance --scanner_args profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa registry.access.stage.redhat.com/rhel7:latest

[...]
Successfully built remediated image 08ec9b3c2929 from 738c5a2d67834010f86019fe17d6c8d0ff20e4f9aef4d141c09eaeaebecc9e90.

Now scan the remediated image using atomic scan and oscap-docker and check the result of the "Verify and Correct File Permissions with RPM" rule:
# atomic scan --scan_type configuration_compliance --scanner_args profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa 08ec9b3c2929 &>atomic.log
# grep "Verify and Correct File Permissions with RPM" atomic.log -A2
     Verify and Correct File Permissions with RPM
     Severity: Important
       XCCDF result: fail
# oscap-docker image 08ec9b3c2929 xccdf eval --rule xccdf_org.ssgproject.content_rule_rpm_verify_permissions --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa ssg-rhel7-ds.xml
(NOTE: ssg-rhel7-ds.xml is a datastream file from the openscap-docker image and is from scap-security-guide-0.1.36-7.el7.noarch)
Title   Verify and Correct File Permissions with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Ident   CCE-27209-6
Result  pass

The results are the same when also scanning original (non-remediated) image. In case of oscap-docker (so oscap-chroot) it looks like the probe itself is looking on the host FS instead of the image one:
# chmod 0777 /
# oscap-docker image 08ec9b3c2929 xccdf eval --rule xccdf_org.ssgproject.content_rule_rpm_verify_permissions --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa ssg-rhel7-ds.xml
Title   Verify and Correct File Permissions with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Ident   CCE-27209-6
Result  fail


Version-Release number of selected component (if applicable):
openscap-docker-7.5.0-3
openscap-1.2.16-6.el7
scap-security-guide-0.1.36-7.el7


How reproducible:
always

Comment 4 Matus Marhefka 2018-03-23 10:07:20 UTC

The original description is only a consequence of the issue.

Each of the probes rpminfo, rpmverify and rpmverifyfile use their own chroot mode and utilize the rpm file iterator library. When a probe does initialization it calls rpmfiNew() function which should set chroot directory for file iterations. Unfortunately this is not supported in the rpm file iterator library itself. This means that all the file iterations are performed on the host system instead of the chroot-ed directory.

The consequence is that scanning in offline mode does not work for all the rules which utilize these probes for checking RPM package files in chroot-ed directories. Therefore, all the "RPM.*verify" rules are not working correctly when scanning VM or container filesystems and report incorrect results.


Version-Release number of selected component (if applicable):
openscap-docker-7.5.0-3
openscap-1.2.16-6.el7

Comment 5 Matus Marhefka 2018-03-23 12:47:23 UTC

Confirmed rules which are affected by this:

* Verify and Correct File Permissions with RPM (xccdf_org.ssgproject.content_rule_rpm_verify_permissions)
* Verify and Correct Ownership with RPM (xccdf_org.ssgproject.content_rule_rpm_verify_ownership)
* Verify File Hashes with RPM (xccdf_org.ssgproject.content_rule_rpm_verify_hashes)

Comment 8 Matus Marhefka 2018-04-10 09:26:24 UTC

We need to revert the following commit:
https://github.com/OpenSCAP/openscap/commit/f540c055e9bda6b6168746df2017ee7e2b871323

Comment 9 Martin Preisler 2018-04-18 15:45:47 UTC

Upstream fix posted: https://github.com/OpenSCAP/openscap/pull/1002

Because the fix is extensive for the purposes of the zstream fix we will revert back to using chroot for textfilecontent probe. Therefore only the first commit of the posted upstream fix will be used.

Comment 10 Martin Preisler 2018-04-18 15:53:42 UTC

(In reply to Martin Preisler from comment #9)
> Upstream fix posted: https://github.com/OpenSCAP/openscap/pull/1002
> 
> Because the fix is extensive for the purposes of the zstream fix we will
> revert back to using chroot for textfilecontent probe. Therefore only the
> first commit of the posted upstream fix will be used.

I got confused and this is a related fix but not a fix to this BZ. This BZ still needs an upstream fix posted.

Comment 11 Martin Preisler 2018-04-18 16:06:30 UTC

Created attachment 1423654 [details]
patch to use chroot for rpm probes

Comment 12 Martin Preisler 2018-04-18 16:14:37 UTC

Since the upstream code is a bit different I have created a slightly different patch for upstream to make sure this is fixed in future upstream versions of the project. See https://github.com/OpenSCAP/openscap/pull/1013

Comment 19 errata-xmlrpc 2018-10-30 11:44:40 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3302

Note You need to log in before you can comment on or make changes to this bug.