Bug 1570802 - Some rules in PCI-DSS, DISA STIG and USGCB Profile fail to remediate
Summary: Some rules in PCI-DSS, DISA STIG and USGCB Profile fail to remediate
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.5
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
Assignee: Watson Yuuma Sato
QA Contact: Marek Haicman
URL:
Whiteboard:
Depends On:
Blocks: 1571312
 
Reported: 2018-04-23 12:22 UTC by Watson Yuuma Sato
Modified: 2018-10-30 11:47 UTC (History)

Fixed In Version: scap-security-guide-0.1.39-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1571312 (view as bug list)
Environment:
Last Closed: 2018-10-30 11:46:47 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3308 None None None 2018-10-30 11:47:23 UTC

Description Watson Yuuma Sato 2018-04-23 12:22:20 UTC
Description of problem:
Following rules fail to remediate in a fresh RHEL 7.5 install.

- xccdf_org.ssgproject.content_rule_partition_for_tmp
- xccdf_org.ssgproject.content_rule_partition_for_var
- xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
- xccdf_org.ssgproject.content_rule_partition_for_home
- xccdf_org.ssgproject.content_rule_aide_scan_notification
- xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
- xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable
- xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc
- xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions
- xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
- xccdf_org.ssgproject.content_rule_audit_rules_login_events
- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading
- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete
- xccdf_org.ssgproject.content_rule_service_kdump_disabled
- xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
- xccdf_org.ssgproject.content_rule_ldap_client_start_tls
- xccdf_org.ssgproject.content_rule_ensure_logrotate_activated

Version-Release number of selected component (if applicable):
SSG in RHEL 7.5 is 0.1.36-7

How reproducible:
always

Steps to Reproduce:
1. Install RHEL 7.5
2. Scan and remediate system using PCI-DSS, DISA STIG or USGCB profile.

Actual results:
Rules listed above fail to remediate.

Expected results:
Rules listed can remediate the system.

Additional info:
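
The list above is the kind of output one gets by reading the XCCDF results file back after a remediating scan. The following is an added example, not code from this report or from the scap-security-guide project: it parses a (constructed) XCCDF 1.2 results document of the shape `oscap xccdf eval --remediate --results` writes and reports which rules are still failing. The rule ids in the sample are taken from this bug; the per-rule results are invented.

```python
"""Added example, not code from this report or from scap-security-guide:
pick out the rules that did not remediate from an XCCDF 1.2 results file
such as the one `oscap xccdf eval --remediate --results <file>` writes."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# After `--remediate`, a rule whose fix ran and re-checked clean is reported as
# "fixed"; one whose fix ran but still fails stays "fail"; one whose fix script
# itself failed is "error".  The last two are what this report is about.
NOT_REMEDIATED = {"fail", "error"}

# Constructed sample results document (rule ids from the report; results invented).
SAMPLE_RESULTS = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_SAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_sample">
    <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" time="2018-04-23T12:00:00">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" time="2018-04-23T12:00:01">
      <result>error</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_kdump_disabled" time="2018-04-23T12:00:02">
      <result>fixed</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" time="2018-04-23T12:00:03">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_ldap_client_start_tls" time="2018-04-23T12:00:04">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def rule_results(xml_text):
    """Yield (rule id, result) for every rule-result element in the document."""
    root = ET.fromstring(xml_text)
    for rr in root.iterfind(".//x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="", namespaces=XCCDF_NS)
        yield rr.get("idref"), result.strip()


def result_counts(xml_text):
    """How many rules ended in each result state (pass, fixed, fail, error, ...)."""
    return Counter(result for _rule, result in rule_results(xml_text))


def unremediated_rules(xml_text):
    """Rule ids still failing (or erroring) after remediation, sorted for a stable report."""
    return sorted(rule for rule, result in rule_results(xml_text)
                  if result in NOT_REMEDIATED)


if __name__ == "__main__":
    print("result counts:", dict(result_counts(SAMPLE_RESULTS)))
    print("rules that failed to remediate:")
    for rule in unremediated_rules(SAMPLE_RESULTS):
        print("- " + rule)
```

Treating "error" alongside "fail" matters: a remediation script that exits non-zero shows up as error, not fail, and a report that filters on fail alone would miss it.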

Comment 2 Watson Yuuma Sato 2018-04-23 12:37:19 UTC
Fixes for the rules

- https://github.com/OpenSCAP/scap-security-guide/pull/2679 
  - xccdf_org.ssgproject.content_rule_partition_for_tmp
  - xccdf_org.ssgproject.content_rule_partition_for_var
  - xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
  - xccdf_org.ssgproject.content_rule_partition_for_home

- https://github.com/OpenSCAP/scap-security-guide/pull/2696
  - xccdf_org.ssgproject.content_rule_mount_option_home_nosuid

- https://github.com/OpenSCAP/scap-security-guide/pull/2673
  - xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable

- https://github.com/OpenSCAP/scap-security-guide/pull/2671
  - xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc
  - xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions

- https://github.com/OpenSCAP/scap-security-guide/pull/2554 and
- https://github.com/OpenSCAP/scap-security-guide/pull/2667 
  - xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action

- https://github.com/OpenSCAP/scap-security-guide/pull/2607
  - xccdf_org.ssgproject.content_rule_audit_rules_login_events

- https://github.com/OpenSCAP/scap-security-guide/pull/2667
  - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands

- https://github.com/OpenSCAP/scap-security-guide/pull/2532
  - xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
  - xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete

- https://github.com/OpenSCAP/scap-security-guide/pull/2698
  - xccdf_org.ssgproject.content_rule_service_kdump_disabled

- https://github.com/OpenSCAP/scap-security-guide/pull/2688
  - xccdf_org.ssgproject.content_rule_sssd_enable_pam_services

- https://github.com/OpenSCAP/scap-security-guide/pull/2685
  - xccdf_org.ssgproject.content_rule_ldap_client_start_tls

- https://github.com/OpenSCAP/scap-security-guide/pull/2664
  - xccdf_org.ssgproject.content_rule_ensure_logrotate_activated

Rule xccdf_org.ssgproject.content_rule_aide_scan_notification is handled in https://bugzilla.redhat.com/show_bug.cgi?id=1540505
Rule xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading is handled in https://bugzilla.redhat.com/show_bug.cgi?id=1547694

Comment 4 Mark Thacker 2018-04-24 13:03:59 UTC
Agreed and approved

Comment 6 Watson Yuuma Sato 2018-04-26 14:45:23 UTC
For rule xccdf_org.ssgproject.content_rule_audit_rules_login_events, the PR is actually https://github.com/OpenSCAP/scap-security-guide/pull/2628.
And https://github.com/OpenSCAP/scap-security-guide/pull/2733 also needs to be considered.

Comment 8 Marek Haicman 2018-09-25 23:11:54 UTC
Verified for version scap-security-guide-0.1.40-12.el7.noarch

Out of the rules listed in description of the bug, there are two that are persisting:

* xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
  * problem stems from different OVAL and remediation approach. OVAL expects to have rule even for `sudoedit`, even though it is just a symlink to `sudo`. Remediation creates only `sudo` rule. This failure is safe.

* xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading

The rest of the listed rules are fixed. There are new rules without remediation or failing for newest 0.1.40-12. These will be tracked in separate bugzillas.
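
The check-versus-fix mismatch described in Comment 8 (the OVAL expects an audit rule for `sudoedit`, a symlink to `sudo`, while the remediation only emits rules for the setuid binaries it finds) can be reproduced on a small sample tree. The following is an added example and is not scap-security-guide's remediation script or its OVAL; the auditd rule form and the key name `privileged` are assumptions modelled on common practice, and the sample tree (a setuid `sudo`, a `sudoedit` symlink to it, and a plain `cat`) is constructed in a temporary directory.

```python
"""Added example (not scap-security-guide's own remediation or OVAL code):
generate auditd rules for privileged (setuid/setgid) commands and show the
gap Comment 8 describes, where a symlink such as sudoedit -> sudo gets no
rule of its own unless symlinks to privileged binaries are enumerated too."""
import os
import stat
import tempfile

AUDIT_KEY = "privileged"  # assumed key name; use whatever key your content expects


def audit_rule(path):
    """One auditd rule watching execution of `path` by real (logged-in) users.
    auid!=4294967295 excludes processes with no login uid (daemons, boot)."""
    return (f"-a always,exit -F path={path} -F perm=x "
            f"-F auid>=1000 -F auid!=4294967295 -k {AUDIT_KEY}")


def walk_files(root):
    """Every non-directory entry under root (symlinks to files included)."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            yield os.path.join(dirpath, name)


def privileged_binaries(root):
    """Regular files with setuid or setgid set, as `find -perm -4000 -o -perm -2000` lists."""
    hits = []
    for path in walk_files(root):
        st = os.lstat(path)  # lstat: a symlink is never itself a privileged binary
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            hits.append(path)
    return sorted(hits)


def symlinks_to(root, targets):
    """Symlinks under root whose final target is one of `targets` (e.g. sudoedit -> sudo)."""
    resolved = {os.path.realpath(t) for t in targets}
    return sorted(p for p in walk_files(root)
                  if os.path.islink(p) and os.path.realpath(p) in resolved)


def generate_rules(root, include_symlinks):
    """Rules for every privileged binary, optionally also for symlinks that point at one."""
    paths = privileged_binaries(root)
    if include_symlinks:
        paths = sorted(set(paths) | set(symlinks_to(root, paths)))
    return [audit_rule(p) for p in paths]


def missing_rules(expected_paths, rules):
    """Paths the check expects a rule for that no generated rule watches.
    Paths are parsed back out of the rule text; paths with spaces are not handled."""
    watched = {r.split(" -F path=")[1].split(" ")[0] for r in rules}
    return sorted(p for p in expected_paths if p not in watched)


def build_sample_tree(root):
    """Constructed sample: a setuid sudo, a sudoedit symlink to it, and an ordinary cat."""
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    sudo, cat = os.path.join(bindir, "sudo"), os.path.join(bindir, "cat")
    for p in (sudo, cat):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
    os.chmod(sudo, 0o4755)  # setuid root in real life; here just the bit
    os.chmod(cat, 0o755)
    sudoedit = os.path.join(bindir, "sudoedit")
    os.symlink("sudo", sudoedit)
    return sudo, sudoedit, cat


def run_demo():
    """Compare the two enumeration strategies against what a symlink-aware check expects."""
    with tempfile.TemporaryDirectory() as root:
        sudo, sudoedit, _cat = build_sample_tree(root)
        expected = [sudo, sudoedit]  # what a check that also lists symlinks would expect
        without = generate_rules(root, include_symlinks=False)
        with_links = generate_rules(root, include_symlinks=True)
        return {
            "rules_without_symlinks": len(without),
            "missing_without_symlinks": [os.path.basename(p)
                                         for p in missing_rules(expected, without)],
            "rules_with_symlinks": len(with_links),
            "missing_with_symlinks": missing_rules(expected, with_links),
        }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Enumerating only setuid/setgid files produces one rule and leaves `sudoedit` unwatched, which is exactly the state the OVAL flags; enumerating symlinks to those binaries as well closes the gap. As Comment 8 notes, the unwatched symlink is safe in practice, because executing `sudoedit` runs the same `sudo` inode that the existing rule already watches.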

Comment 13 errata-xmlrpc 2018-10-30 11:46:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3308

