Bug 1576874 - Satellite 6.3: Scap client scan for RHEL7 system installed with 'grub-efi' (System firmware UEFI) always shows results 'fails' for "/boot/grub2/grub.cfg"
Summary: Satellite 6.3: Scap client scan for RHEL7 system installed with 'grub-efi' (...
Keywords:
Status: CLOSED DUPLICATE of bug 1495308
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SCAP Plugin
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-10 15:30 UTC by vijsingh
Modified: 2019-08-12 14:36 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-22 12:26:35 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1569425 0 unspecified CLOSED False positive rule violation when bootloader password is set for C2S for Red Hat Enterprise Linux 7 profile 2021-02-22 00:41:40 UTC
Red Hat Knowledge Base (Article) 3440311 0 None None None 2018-05-11 04:40:15 UTC

Internal Links: 1569425

Description vijsingh 2018-05-10 15:30:20 UTC
Description of problem:

Openscap client scan using "Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)" profile policy for RHEL7 system 'grub-efi'(installed with firmware UEFI) shows results fails for "/boot/grub2/grub.cfg" (Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg).

Version-Release number of selected component (if applicable):

Satellite 6.3.1
openscap-1.2.14-2.el7.x86_64

How reproducible:
Always

Steps to Reproduce:

1. Install a RHEL7 system using firmware UEFI with 'grub2-efi':
   - Configure system as puppet agent.
   - Apply classes 'foreman_scap_client','foreman_scap_client::params' to preconfigure system ready as scap client.

2. On Satellite create policy as below:
  

   Hosts => Policy => 'New Compliance Policy' => Give Name i.e. "Test UEFI"(or any other name) => Now select 'SCAP Content = Red Hat rhel7 default content' and 'XCCDF Profile = Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' => Set 'schedule/Location/Organizations' as per system.


3. Assign the 'Test UEFI' to RHEL7 system:

   Hosts => Check mark on host RHEL7 host => Select action => 'Assign Compliance Policy' to 'Test UEFI'

4. On client system:

     # puppet agent -t        <== to apply the changes 
     # /usr/bin/foreman_scap_client < policy_id >              <== to scan system manually 

5. Check system RHEL7 report at below path:

  Hosts => Policy => "Test UEFI" => Check "Verify /boot/grub2/grub.cfg Permissions" result

Actual results:

 Status always shows as fail because scan check for '/boot/grub2/grub.cfg should be set to 600' however 'grub-efi'(UEFI) installed system does not contain the file at this path
  

Expected results:

If system is 'grub-efi'(UEFI) installed system either it should be skip(notapplicable) or check for '/boot/efi/EFI/redhat/grub.cfg' file.

Additional info:


Rule ID: 'xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg'  check the same.

Comment 1 Ondřej Pražák 2018-05-15 06:30:28 UTC
This seems to me like what was reported in #1569425, so I will close as a duplicate. Feel free to reopen if I misunderstood.

*** This bug has been marked as a duplicate of bug 1569425 ***

Comment 5 Koen Diels 2018-05-18 10:36:32 UTC
It's not a duplicate, please reopen.

Comment 6 vijsingh 2018-05-18 10:39:45 UTC
Thank Koen, This Bug has reopened already and in 'Status:NEW' now.

Thanks

Comment 8 Watson Yuuma Sato 2018-05-18 12:04:54 UTC
This is very likely a problem in content, so moving component to scap-security-guide.

Can you provide which version of scap-security-guide is being used?
Is remediation performed? If yes, what is the result?

Comment 9 Watson Yuuma Sato 2018-05-18 12:11:52 UTC
As of scap-security-guide-0.1.36-7, both non-EFI and EFI locations of grub.cfg are checked.

Check of EFI location is done by extended definition in check "file_permissions_grub2_cfg".

But remediation of EFI location is very likely not performed correctly, as fix for it is in "file_permissions_efi_grub2_cfg.sh", and rule ID is "file_permissions_grub2_cfg".


A workaround is for CU to fix permission manually:
$ chmod 700 /boot/efi/EFI/redhat/grub.cfg

Can you try applying workaround and scanning again?

Thanks.

Comment 10 Koen Diels 2018-05-18 12:40:47 UTC
(In reply to Watson Yuuma Sato from comment #8)
> This is very likely a problem in content, so moving component to
> scap-security-guide.
> 
> Can you provide which version of scap-security-guide is being used?
> Is remediation performed? If yes, what is the result?

scap-security-guide-0.1.36-7.el7.noarch
Remediation of what?

Comment 11 Koen Diels 2018-05-18 12:42:52 UTC
(In reply to Watson Yuuma Sato from comment #9)
> As of scap-security-guide-0.1.36-7, both non-EFI and EFI locations of
> grub.cfg are checked.
> 
> Check of EFI location is done by extended definition in check
> "file_permissions_grub2_cfg".
> 
> But remediation of EFI location is very likely not performed correctly, as
> fix for it is in "file_permissions_efi_grub2_cfg.sh", and rule ID is
> "file_permissions_grub2_cfg".
> 
> 
> A workaround is for CU to fix permission manually:
> $ chmod 700 /boot/efi/EFI/redhat/grub.cfg
> 
> Can you try applying workaround and scanning again?
> 
> Thanks.

That shell script is nowhere to be found. Changing the chmod to 700 still makes the test fail. I don't know if you can find a needle in this pile of code but I can't find file_permissions_grub2_cfg either. Just a lot of .xml files that give the same text as you would see in the rapport, but no hint on what is tested and how.

Comment 12 Watson Yuuma Sato 2018-05-18 15:36:41 UTC
If changing permissions of "/boot/efi/EFI/redhat/grub.cfg" to 700 didn't work we will need more info.

Can you run the scan with option "--verbose DEVEL", and provide output?

Comment 14 Koen Diels 2018-05-18 15:52:33 UTC
Title   Verify /boot/grub2/grub.cfg Permissions
Rule    xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
Ident   CCE-27054-6
I: oscap: Evaluating definition 'oval:org.open-scap.cpe.rhel:def:7': Red Hat Enterprise Linux 7. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:152:oval_result_definition_eval]
I: oscap: Definition 'oval:org.open-scap.cpe.rhel:def:7' evaluated as true. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:163:oval_result_definition_eval]
I: oscap: Evaluating definition 'oval:ssg-installed_OS_is_rhel7:def:1': Red Hat Enterprise Linux 7. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:152:oval_result_definition_eval]
I: oscap: Definition 'oval:ssg-installed_OS_is_rhel7:def:1' evaluated as true. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:163:oval_result_definition_eval]
I: oscap: Evaluating definition 'oval:ssg-installed_OS_is_rhel7:def:1': Red Hat Enterprise Linux 7. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:152:oval_result_definition_eval]
I: oscap: Definition 'oval:ssg-installed_OS_is_rhel7:def:1' evaluated as true. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:163:oval_result_definition_eval]
I: oscap: Evaluating definition 'oval:ssg-installed_OS_is_rhel7:def:1': Red Hat Enterprise Linux 7. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:152:oval_result_definition_eval]
I: oscap: Definition 'oval:ssg-installed_OS_is_rhel7:def:1' evaluated as true. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:163:oval_result_definition_eval]
I: oscap: Evaluating definition 'oval:ssg-installed_env_is_a_machine:def:1': Check if the scan target is a machine. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:152:oval_result_definition_eval]
I: oscap: Definition 'oval:ssg-installed_env_is_a_machine:def:1' evaluated as true. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:163:oval_result_definition_eval]
I: oscap: Evaluating definition 'oval:ssg-file_permissions_grub2_cfg:def:1': File grub.cfg Permissions. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:152:oval_result_definition_eval]
I: oscap:   Evaluating file test 'oval:ssg-test_file_permissions_grub2_cfg:tst:1': Testing file permissions. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:1054:oval_result_test_eval]
I: oscap:     Querying file object 'oval:ssg-object_file_permissions_grub2_cfg:obj:1', flags: 0. [oscap(31664):oscap(7ffad609c840):oval_probe.c:246:oval_probe_query_object]
I: oscap:     Creating new syschar for file_object 'oval:ssg-object_file_permissions_grub2_cfg:obj:1'. [oscap(31664):oscap(7ffad609c840):oval_probe.c:269:oval_probe_query_object]
D: oscap:     Sending message. [oscap(31664):oscap(7ffad609c840):oval_probe_ext.c:493:oval_probe_comm]
D: oscap:     MSG -> SEXP [oscap(31664):oscap(7ffad609c840):seap-packet.c:261:SEAP_packet_msg2sexp]
D: oscap: ("seap.msg" ":id" 23 (("file_object" ":id" "oval:ssg-object_file_permissions_grub2_cfg:obj:1" ":oval_version" "5.11" ) (("filepath" ":operation" 5 ":var_check" 1 ) "/boot/grub2/grub.cfg" ) ) ) [oscap(31664):oscap(7ffad609c840):seap-packet.c:262:SEAP_packet_msg2sexp]
D: oscap:     packet size: 1003 [oscap(31664):oscap(7ffad609c840):seap-packet.c:263:SEAP_packet_msg2sexp]
D: oscap:     total I/O vectors = 1 [oscap(31664):oscap(7ffad609c840):strbuf.c:294:strbuf_write]
D: oscap:     iot (1) < IOV_MAX (1024) [oscap(31664):oscap(7ffad609c840):strbuf.c:305:strbuf_write]
D: oscap:     ioc = 1 [oscap(31664):oscap(7ffad609c840):strbuf.c:321:strbuf_write]
D: oscap:     total bytes written: 208 [oscap(31664):oscap(7ffad609c840):strbuf.c:338:strbuf_write]D: probe_file:
return from selectD: oscap:  [probe_file(31772):input_handler(7f3d421cb700):seap-packet.c:637:SEAP_packet_recv]
  Waiting for reply. [oscap(31664):oscap(7ffad609c840):oval_probe_ext.c:552:oval_probe_comm]
D: probe_file: Received packet [probe_file(31772):input_handler(7f3d421cb700):seap-packet.c:902:SEAP_packet_recv]
D: probe_file: ("seap.msg" ":id" 23 (("file_object" ":id" "oval:ssg-object_file_permissions_grub2_cfg:obj:1" ":oval_version" "5.11" ) (("filepath" ":operation" 5 ":var_check" 1 ) "/boot/grub2/grub.cfg" ) ) ) [probe_file(31772):input_handler(7f3d421cb700):seap-packet.c:903:SEAP_packet_recv]
D: probe_file: packet size: 886 [probe_file(31772):input_handler(7f3d421cb700):seap-packet.c:904:SEAP_packet_recv]
D: probe_file: offline_mode=00000000 [probe_file(31772):input_handler(7f3d421cb700):input_handler.c:116:probe_input_handler]
D: probe_file: offline_mode_supported=00000001 [probe_file(31772):input_handler(7f3d421cb700):input_handler.c:117:probe_input_handler]
D: probe_file: handling SEAP message ID 23 [probe_file(31772):probe_worker(7f3d419ca700):worker.c:53:probe_worker_runfn]
I: probe_file: Opening file '/boot/grub2/grub.cfg'. [probe_file(31772):probe_worker(7f3d419ca700):oval_fts.c:825:oval_fts_open]
D: probe_file: NOP [probe_file(31772):probe_worker(7f3d419ca700):icache.c:404:probe_icache_nop]
D: probe_file: Signaling `notempty' [probe_file(31772):probe_worker(7f3d419ca700):icache.c:429:probe_icache_nop]
D: probe_file: Waiting for icache worker to handle the NOP [probe_file(31772):probe_worker(7f3d419ca700):icache.c:439:probe_icache_nop]
I: probe_file: Extracting item from the cache queue: cnt=2, beg=37 [probe_file(31772):icache_worker(7f3d431cd700):icache.c:198:probe_icache_worker]
D: probe_file: Signaling `notfull' [probe_file(31772):icache_worker(7f3d431cd700):icache.c:217:probe_icache_worker]
D: probe_file: Handling cache request [probe_file(31772):icache_worker(7f3d431cd700):icache.c:248:probe_icache_worker]
D: probe_file: pair address: 139901095693728 [probe_file(31772):icache_worker(7f3d431cd700):icache.c:253:probe_icache_worker]
D: probe_file: item address: 139900842186208 [probe_file(31772):icache_worker(7f3d431cd700):icache.c:254:probe_icache_worker]
D: probe_file: item ID=7347347703611728081 [probe_file(31772):icache_worker(7f3d431cd700):icache.c:256:probe_icache_worker]
I: probe_file: cache HIT #1 [probe_file(31772):icache_worker(7f3d431cd700):icache.c:99:icache_lookup]
I: probe_file: cache HIT #2 -> real HIT [probe_file(31772):icache_worker(7f3d431cd700):icache.c:134:icache_lookup]
I: probe_file: Extracting item from the cache queue: cnt=1, beg=38 [probe_file(31772):icache_worker(7f3d431cd700):icache.c:198:probe_icache_worker]
D: probe_file: Signaling `notfull' [probe_file(31772):icache_worker(7f3d431cd700):icache.c:217:probe_icache_worker]
D: probe_file: Handling NOP [probe_file(31772):icache_worker(7f3d431cd700):icache.c:239:probe_icache_worker]
D: probe_file: Sync [probe_file(31772):probe_worker(7f3d419ca700):icache.c:447:probe_icache_nop]
D: probe_file: old flag: 0, new flag: 2. [probe_file(31772):probe_worker(7f3d419ca700):probe-api.c:689:probe_cobj_set_flag]
D: probe_file: handler result = 0x7f3d3400a8f0, return code = 0 [probe_file(31772):probe_worker(7f3d419ca700):worker.c:58:probe_worker_runfn]
D: probe_file: probe thread deleted [probe_file(31772):probe_worker(7f3d419ca700):worker.c:77:probe_worker_runfn]
D: probe_file: Sorting blocks & building iterator array [probe_file(31772):probe_worker(7f3d419ca700):sexp-manip.c:1402:SEXP_list_sort]
D: probe_file: Iterator count = 1 [probe_file(31772):probe_worker(7f3d419ca700):sexp-manip.c:1429:SEXP_list_sort]
D: probe_file: cnt = 0 [probe_file(31772):probe_worker(7f3d419ca700):seap-message.c:138:SEAP_msgattr_exists]
D: probe_file: no-reply not set: sending full reply [probe_file(31772):probe_worker(7f3d419ca700):seap.c:480:SEAP_reply]
D: probe_file: MSG -> SEXP [probe_file(31772):probe_worker(7f3d419ca700):seap-packet.c:261:SEAP_packet_msg2sexp]
D: probe_file: ("seap.msg" ":id" 23 ":reply-id" 23 (2 () ((("file_item" ":id" "1317725" ) ("filepath" "/boot/grub2/grub.cfg" ) ("path" "/boot/grub2" ) ("filename" "grub.cfg" ) ("type" "regular" ) ("group_id" 0 ) ("user_id" 0 ) ("a_time" 1526641188 ) ("c_time" 1523887666 ) ("m_time" 1523887666 ) ("size" 6511 ) ("suid" #F ) ("sgid" #F ) ("sticky" #F ) ("uread" #T ) ("uwrite" #T ) ("uexec" #F ) ("gread" #T ) ("gwrite" #F ) ("gexec" #F ) ("oread" #T ) ("owrite" #F ) ("oexec" #F ) ("has_extended_acl" #F ) ) ) () ) ) [probe_file(31772):probe_worker(7f3d419ca700):seap-packet.c:262:SEAP_packet_msg2sexp]
D: probe_file: packet size: 3595 [probe_file(31772):probe_worker(7f3d419ca700):seap-packet.c:263:SEAP_packet_msg2sexp]
D: probe_file: total I/O vectors = 1 [probe_file(31772):probe_worker(7f3d419ca700):strbuf.c:294:strbuf_write]
D: probe_file: iot (1) < IOV_MAX (1024) [probe_file(31772):probe_worker(7f3d419ca700):strbuf.c:305:strbuf_write]
D: probe_file: ioc = 1 [probe_file(31772):probe_worker(7f3d419ca700):strbuf.c:321:strbuf_write]
D: probe_file: total bytes written: 504 [probe_file(31772):probe_worker(7f3d419ca700):strbuf.c:338:strbuf_write]
D: oscap: D: probe_file:   name=reply-id, value=0x7f3d34005d60   [probe_file(31772):probe_worker(7f3d419ca700):seap-message.c:76:SEAP_msg_free]return from select
 [oscap(31664):oscap(7ffad609c840):seap-packet.c:637:SEAP_packet_recv]
D: oscap:     Received packet [oscap(31664):oscap(7ffad609c840):seap-packet.c:902:SEAP_packet_recv]
D: oscap: ("seap.msg" ":id" 23 ":reply-id" 23 (2 () ((("file_item" ":id" "1317725" ) ("filepath" "/boot/grub2/grub.cfg" ) ("path" "/boot/grub2" ) ("filename" "grub.cfg" ) ("type" "regular" ) ("group_id" 0 ) ("user_id" 0 ) ("a_time" 1526641188 ) ("c_time" 1523887666 ) ("m_time" 1523887666 ) ("size" 6511 ) ("suid" #F ) ("sgid" #F ) ("sticky" #F ) ("uread" #T ) ("uwrite" #T ) ("uexec" #F ) ("gread" #T ) ("gwrite" #F ) ("gexec" #F ) ("oread" #T ) ("owrite" #F ) ("oexec" #F ) ("has_extended_acl" #F ) ) ) () ) ) [oscap(31664):oscap(7ffad609c840):seap-packet.c:903:SEAP_packet_recv]
D: oscap:     packet size: 3558 [oscap(31664):oscap(7ffad609c840):seap-packet.c:904:SEAP_packet_recv]
D: oscap:     Message received. [oscap(31664):oscap(7ffad609c840):oval_probe_ext.c:586:oval_probe_comm]
D: oscap:     name=(null), value=0x55fe1ac9b990 [oscap(31664):oscap(7ffad609c840):seap-message.c:76:SEAP_msg_free]
I: oscap:     Test 'oval:ssg-test_file_permissions_grub2_cfg:tst:1' requires that every object defined by 'oval:ssg-object_file_permissions_grub2_cfg:obj:1' exists on the system. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:813:_oval_result_test_evaluate_items]
I: oscap:     1 objects defined by 'oval:ssg-object_file_permissions_grub2_cfg:obj:1' exist on the system. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:831:_oval_result_test_evaluate_items]
I: oscap:     All items matching object 'oval:ssg-object_file_permissions_grub2_cfg:obj:1' were collected. (flag=complete) [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:876:_oval_result_test_evaluate_items]
I: oscap:     In test 'oval:ssg-test_file_permissions_grub2_cfg:tst:1' all of the collected items must satisfy these states: 'oval:ssg-state_file_permissions_grub2_cfg:ste:1'. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:640:eval_check_state]
I: oscap:     Entity 'uexec'='false' of item '1317725' matches corresponding entity in state 'oval:ssg-state_file_permissions_grub2_cfg:ste:1'. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:565:eval_item]
I: oscap:     Entity 'gwrite'='false' of item '1317725' matches corresponding entity in state 'oval:ssg-state_file_permissions_grub2_cfg:ste:1'. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:565:eval_item]
I: oscap:     Entity 'gexec'='false' of item '1317725' matches corresponding entity in state 'oval:ssg-state_file_permissions_grub2_cfg:ste:1'. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:565:eval_item]
I: oscap:     Entity 'owrite'='false' of item '1317725' matches corresponding entity in state 'oval:ssg-state_file_permissions_grub2_cfg:ste:1'. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:565:eval_item]
I: oscap:     Entity 'oexec'='false' of item '1317725' matches corresponding entity in state 'oval:ssg-state_file_permissions_grub2_cfg:ste:1'. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:565:eval_item]
I: oscap:     Item '1317725' compared to state 'oval:ssg-state_file_permissions_grub2_cfg:ste:1' with result false. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:597:eval_item]
I: oscap:   Test 'oval:ssg-test_file_permissions_grub2_cfg:tst:1' evaluated as false. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:1073:oval_result_test_eval]
I: oscap:   Evaluating file test 'oval:ssg-test_file_permissions_efi_grub2_cfg:tst:1': /boot/efi/EFI/redhat/grub.cfg owned by root. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:1054:oval_result_test_eval]
I: oscap:     Querying file object 'oval:ssg-object_file_permissions_efi_grub2_cfg:obj:1', flags: 0. [oscap(31664):oscap(7ffad609c840):oval_probe.c:246:oval_probe_query_object]
I: oscap:     Creating new syschar for file_object 'oval:ssg-object_file_permissions_efi_grub2_cfg:obj:1'. [oscap(31664):oscap(7ffad609c840):oval_probe.c:269:oval_probe_query_object]
D: oscap:     Sending message. [oscap(31664):oscap(7ffad609c840):oval_probe_ext.c:493:oval_probe_comm]
D: oscap:     MSG -> SEXP [oscap(31664):oscap(7ffad609c840):seap-packet.c:261:SEAP_packet_msg2sexp]
D: oscap: ("seap.msg" ":id" 24 (("file_object" ":id" "oval:ssg-object_file_permissions_efi_grub2_cfg:obj:1" ":oval_version" "5.11" ) (("filepath" ":operation" 5 ":var_check" 1 ) "/boot/efi/EFI/redhat/grub.cfg" ) ) ) [oscap(31664):oscap(7ffad609c840):seap-packet.c:262:SEAP_packet_msg2sexp]
D: oscap:     packet size: 1016 [oscap(31664):oscap(7ffad609c840):seap-packet.c:263:SEAP_packet_msg2sexp]
D: oscap:     total I/O vectors = 1 [oscap(31664):oscap(7ffad609c840):strbuf.c:294:strbuf_write]
D: oscap:     iot (1) < IOV_MAX (1024) [oscap(31664):oscap(7ffad609c840):strbuf.c:305:strbuf_write]
D: oscap:     ioc = 1 [oscap(31664):oscap(7ffad609c840):strbuf.c:321:strbuf_write]
D: oscap:     total bytes written: 221 [oscap(31664):oscap(7ffad609c840):strbuf.c:338:strbuf_write]
D: oscap:     Waiting for reply.D: probe_file:  [oscap(31664):oscap(7ffad609c840):oval_probe_ext.c:552:oval_probe_comm]return from select
 [probe_file(31772):input_handler(7f3d421cb700):seap-packet.c:637:SEAP_packet_recv]
D: probe_file: Received packet [probe_file(31772):input_handler(7f3d421cb700):seap-packet.c:902:SEAP_packet_recv]
D: probe_file: ("seap.msg" ":id" 24 (("file_object" ":id" "oval:ssg-object_file_permissions_efi_grub2_cfg:obj:1" ":oval_version" "5.11" ) (("filepath" ":operation" 5 ":var_check" 1 ) "/boot/efi/EFI/redhat/grub.cfg" ) ) ) [probe_file(31772):input_handler(7f3d421cb700):seap-packet.c:903:SEAP_packet_recv]
D: probe_file: packet size: 899 [probe_file(31772):input_handler(7f3d421cb700):seap-packet.c:904:SEAP_packet_recv]
D: probe_file: offline_mode=00000000 [probe_file(31772):input_handler(7f3d421cb700):input_handler.c:116:probe_input_handler]
D: probe_file: offline_mode_supported=00000001 [probe_file(31772):input_handler(7f3d421cb700):input_handler.c:117:probe_input_handler]
D: probe_file: handling SEAP message ID 24 [probe_file(31772):probe_worker(7f3d419ca700):worker.c:53:probe_worker_runfn]
D: probe_file: lstat() failed: errno: 2, 'No such file or directory'. [probe_file(31772):probe_worker(7f3d419ca700):oval_fts.c:819:oval_fts_open]
D: probe_file: NOP [probe_file(31772):probe_worker(7f3d419ca700):icache.c:404:probe_icache_nop]
D: probe_file: Signaling `notempty' [probe_file(31772):probe_worker(7f3d419ca700):icache.c:429:probe_icache_nop]
D: probe_file: Waiting for icache worker to handle the NOP [probe_file(31772):probe_worker(7f3d419ca700):icache.c:439:probe_icache_nop]
I: probe_file: Extracting item from the cache queue: cnt=1, beg=39 [probe_file(31772):icache_worker(7f3d431cd700):icache.c:198:probe_icache_worker]
D: probe_file: Signaling `notfull' [probe_file(31772):icache_worker(7f3d431cd700):icache.c:217:probe_icache_worker]
D: probe_file: Handling NOP [probe_file(31772):icache_worker(7f3d431cd700):icache.c:239:probe_icache_worker]
D: probe_file: Sync [probe_file(31772):probe_worker(7f3d419ca700):icache.c:447:probe_icache_nop]
D: probe_file: old flag: 0, new flag: 4. [probe_file(31772):probe_worker(7f3d419ca700):probe-api.c:689:probe_cobj_set_flag]
D: probe_file: handler result = 0x7f3d34007dd0, return code = 0 [probe_file(31772):probe_worker(7f3d419ca700):worker.c:58:probe_worker_runfn]
D: probe_file: probe thread deleted [probe_file(31772):probe_worker(7f3d419ca700):worker.c:77:probe_worker_runfn]
D: probe_file: Sorting blocks & building iterator array [probe_file(31772):probe_worker(7f3d419ca700):sexp-manip.c:1402:SEXP_list_sort]
D: probe_file: Iterator count = 0 [probe_file(31772):probe_worker(7f3d419ca700):sexp-manip.c:1429:SEXP_list_sort]
D: probe_file: cnt = 0 [probe_file(31772):probe_worker(7f3d419ca700):seap-message.c:138:SEAP_msgattr_exists]
D: probe_file: no-reply not set: sending full reply [probe_file(31772):probe_worker(7f3d419ca700):seap.c:480:SEAP_reply]
D: probe_file: MSG -> SEXP [probe_file(31772):probe_worker(7f3d419ca700):seap-packet.c:261:SEAP_packet_msg2sexp]
D: probe_file: ("seap.msg" ":id" 24 ":reply-id" 24 (4 () () () ) ) [probe_file(31772):probe_worker(7f3d419ca700):seap-packet.c:262:SEAP_packet_msg2sexp]
D: probe_file: packet size: 525 [probe_file(31772):probe_worker(7f3d419ca700):seap-packet.c:263:SEAP_packet_msg2sexp]
D: probe_file: total I/O vectors = 1 [probe_file(31772):probe_worker(7f3d419ca700):strbuf.c:294:strbuf_write]
D: probe_file: iot (1) < IOV_MAX (1024) [probe_file(31772):probe_worker(7f3d419ca700):strbuf.c:305:strbuf_write]
D: probe_file: ioc = 1 [probe_file(31772):probe_worker(7f3d419ca700):strbuf.c:321:strbuf_write]
D: probe_file: total bytes written: 53 [probe_file(31772):probe_worker(7f3d419ca700):strbuf.c:338:strbuf_write]
D: probe_file: name=reply-id, value=0x7f3d3400ab70 [probe_file(31772):probe_worker(7f3d419ca700):seap-message.c:76:SEAP_msg_free]
D: oscap:     return from select [oscap(31664):oscap(7ffad609c840):seap-packet.c:637:SEAP_packet_recv]
D: oscap:     Received packet [oscap(31664):oscap(7ffad609c840):seap-packet.c:902:SEAP_packet_recv]
D: oscap: ("seap.msg" ":id" 24 ":reply-id" 24 (4 () () () ) ) [oscap(31664):oscap(7ffad609c840):seap-packet.c:903:SEAP_packet_recv]
D: oscap:     packet size: 464 [oscap(31664):oscap(7ffad609c840):seap-packet.c:904:SEAP_packet_recv]
D: oscap:     Message received. [oscap(31664):oscap(7ffad609c840):oval_probe_ext.c:586:oval_probe_comm]
D: oscap:     name=(null), value=0x55fe1ac9c420 [oscap(31664):oscap(7ffad609c840):seap-message.c:76:SEAP_msg_free]
I: oscap:     Test 'oval:ssg-test_file_permissions_efi_grub2_cfg:tst:1' requires that every object defined by 'oval:ssg-object_file_permissions_efi_grub2_cfg:obj:1' exists on the system. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:813:_oval_result_test_evaluate_items]
I: oscap:     0 objects defined by 'oval:ssg-object_file_permissions_efi_grub2_cfg:obj:1' exist on the system. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:831:_oval_result_test_evaluate_items]
I: oscap:     No item matching object 'oval:ssg-object_file_permissions_efi_grub2_cfg:obj:1' was found on the system. (flag=does not exist) [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:867:_oval_result_test_evaluate_items]
I: oscap:   Test 'oval:ssg-test_file_permissions_efi_grub2_cfg:tst:1' evaluated as false. [oscap(31664):oscap(7ffad609c840):oval_resultTest.c:1073:oval_result_test_eval]
I: oscap: Definition 'oval:ssg-file_permissions_grub2_cfg:def:1' evaluated as false. [oscap(31664):oscap(7ffad609c840):oval_resultDefinition.c:163:oval_result_definition_eval]
I: oscap: Evaluating XCCDF rule 'xccdf_org.ssgproject.content_rule_bootloader_password'. [oscap(31664):oscap(7ffad609c840):xccdf_policy.c:1111:xccdf_policy_item_evaluate]
Result  fail

Comment 15 Watson Yuuma Sato 2018-05-18 16:16:17 UTC
Thank you for the output, Koen Diels.

Two questions,

It looks like file "/boot/grub2/grub.cfg exists, and has permissions 644, while it should be 600. However, in description it is stated that this file doesn't exist, is this the file created while testing and debugging?

Also, I can see that while checking for file "/boot/efi/EFI/redhat/grub.cfg", the log states that it is owned by root and it could not be found.
Please make sure that you are running the scan as root user.

Comment 17 Watson Yuuma Sato 2018-05-18 16:41:44 UTC
Looking into it with more attention, "/boot/grub2/grub.cfg" is owned by root and oscap can access it.

So access to "/boot/efi/EFI/redhat/grub.cfg" should not be a problem.
Can you confirm that "/boot/efi/EFI/redhat/grub.cfg" exists?

If it really exists, we have a bug regarding access to this file.

Comment 18 vijsingh 2018-05-18 16:58:42 UTC
(In reply to Watson Yuuma Sato from comment #17)
> Looking into it with more attention, "/boot/grub2/grub.cfg" is owned by root
> and oscap can access it.
> 
> So access to "/boot/efi/EFI/redhat/grub.cfg" should not be a problem.
> Can you confirm that "/boot/efi/EFI/redhat/grub.cfg" exists?
> 
> If it really exists, we have a bug regarding access to this file.

If create the file manually and provide '600' permission to it it's showing the result "Pass" however on 'grub-efi system this file does not exists by default.

Also by default the permission on "/boot/efi/EFI/redhat/grub.cfg" is "700" .


When check the client system report it always shows below in Description for rule ID "xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg"

~~~~~~~~~~~~~~~~~
File permissions for /boot/grub2/grub.cfg should be set to 600. To properly set the permissions of /boot/grub2/grub.cfg, run the command:

$ sudo chmod 600 /boot/grub2/grub.cfg
~~~~~~~~~~~~~~~~~

As it's 'grub-efi system so should not ask for permission change on "/boot/grub2/grub.cfg" ...

Comment 19 Koen Diels 2018-05-22 09:13:48 UTC
Did actually anyone use this profiles before releasing them? I'm now trying to remediate the password requirements and although I followed the remediation guide the check keeps failing with no apparent reason.

Comment 20 Koen Diels 2018-05-22 12:56:43 UTC
(In reply to Koen Diels from comment #19)
> Did actually anyone use this profiles before releasing them? I'm now trying
> to remediate the password requirements and although I followed the
> remediation guide the check keeps failing with no apparent reason.

using the script from generate fix works. So the only check that I have to get around now tot get all green is the grub.cfg permissions one.

Comment 22 Watson Yuuma Sato 2018-05-24 08:30:20 UTC
Hello,

I have checked the provided logs, and run tests and I don't understand how rule xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg is failing.

I have checked the definitions, and it looks into both locations, "/boot/grub2/grub.cfg" and "/boot/efi/EFI/redhat/grub.cfg", if any of them exists and has the correct permissions, it will pass. For the former, permission 600 is required, and for the latter, 700 is enough.


Another alternative is to tailor, or edit the datastream, and swap rule xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg for xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg, which will check only the EFI location.

Note: I have noticed that there is a typo in prose of Rule file_permissions_efi_grub2_cfg, it will mention permission 600 but it actually checks for permission 700 or stronger.

Comment 23 Koen Diels 2018-05-24 08:48:15 UTC
700 doesn't work either. And we are in a mixed BIOS/UEFI environment so just dropping BIOS test is not a good work around.

Comment 25 Watson Yuuma Sato 2018-05-28 16:48:39 UTC
Hello Koen,

If profile is to scan both BIOS and UEFI systems rule xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg should be the appropriate for your, as it can handle config file for both systems.

But I still cannot reproduce your issue.
Can you provide scan with verbose DEVEL for both systems (BIOS and UEFI)? And also SOS report for both systems?

Thank you.

Comment 26 vijsingh 2018-05-29 13:26:01 UTC
Hello  Watson Yuuma Sato ,

SOS report has been upload over the case, Could you please check the same.

Comment 27 Watson Yuuma Sato 2018-05-29 14:48:40 UTC
Thank you for the information provided, they were really helpful.

From verbose output content used looks old, from previous version of scap-security-guide.

I see that on BIOS system, permission for "/boot/grub2/grub.cfg" is 644, when it should be 600 for the rule to pass.

On the UEFI system, "/boot/efi/EFI/redhat/grub.cfg" file exists, and has correct permissions, 700. But as content used for scan is old, the rule requires permission 600, thus failing the rule. 

Please, fix the permission for file "/boot/grub2/grub.cfg" in BIOS systems. Clean any cached openscap content, as suggested by Vijay. And scan again.

Comment 28 Koen Diels 2018-05-30 06:57:36 UTC
So how do I get my freshly installed Satellite 6.3 to use a recent openscap security guide? Because this one is just the one RedHat provided...

Comment 30 Ondřej Pražák 2018-06-01 08:21:34 UTC
Steps for updating the scap content:

1) update scap-security-guide package
2) upload new scap content into Sat6 from /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
3) Create a completely new policy and apply it to a host using the uploaded scap content.
4) run puppet on client, it will make changes in /etc/foreman_scap_client/config.yaml. It will add a new policy entry and the :content_path: /var/lib/openscap/content/$digest.xml should have a different $digest when comparing the old and new policy.
5) try generating new report
6) delete the old policy and scap content if the new ones work as expected

Comment 31 Koen Diels 2018-06-01 08:34:59 UTC
Is there a reason why the default policies of Satellite aren't aligned with the system package? And now one test issue is solved and the next is introduced (a check that worked fine with the previous policy)

Enable SSH Server firewalld Firewall exception fails for absolutely no reason.

https://github.com/OpenSCAP/scap-security-guide/issues/2586

Comment 32 Marek Hulan 2018-06-01 09:06:49 UTC
The scap security guide and Satellite are not connected at all. We tell users they can use policies from ssg if they fit their needs, but they could use any other, such as their own or 3rd party ones. It's up to user to keep policies up to date.

For reporting issues on ssg, please use RHEL product in Bugzilla, ssg is not part of Satellite.

Comment 33 Watson Yuuma Sato 2018-06-01 11:54:26 UTC
Hello Koen,

> Enable SSH Server firewalld Firewall exception fails for absolutely no reason.
> https://github.com/OpenSCAP/scap-security-guide/issues/2586

Rule "set_firewalld_default_zone" will set default zone to be drop, so any network interface not explicitly assigned to a zone will have all its packages dropped, see https://bugzilla.redhat.com/show_bug.cgi?id=1478414 for more info.

To avoid that, Rule "firewalld_sshd_port_enabled" was added to profiles that set default zone of firewalld to drop.

Unfortunately, generic and reliable fix for rule "firewalld_sshd_port_enabled" is tricky to write.
Actually, the fix is as easy as assigning a network interface to a firewalld zone:

# firewall-cmd --zone=FIREWALLD_SSHD_ZONE --add-interface=NETWORK_INTERFACE
# firewall-cmd --reload

But hard part is to determine appropriate values for FIREWALLD_SSHD_ZONE and FIREWALLD_SSHD_ZONE, as configuration can vary from system to system.

FIREWALLD_SSHD_ZONE is the firewalld zone in wich ssh service is allowed,
NETWORK_INTERFACE is the interface from ssh connections shall be received.


Note You need to log in before you can comment on or make changes to this bug.