Bug 1643148 - All SCAP rules not applied after upgrading to RHEL 7.6
Summary: All SCAP rules not applied after upgrading to RHEL 7.6
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.9.5
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: GA
: 5.10.0
Assignee: Nick Carboni
QA Contact: Satyajit Bulage
Red Hat CloudForms Documentation
URL:
Whiteboard: upgrade:black
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-10-25 15:24 UTC by luke couzens
Modified: 2019-02-07 23:04 UTC (History)
8 users (show)

Fixed In Version: 5.10.0.24
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-07 23:03:55 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0212 None None None 2019-02-07 23:04:00 UTC

Comment 5 Nick Carboni 2018-11-09 21:35:44 UTC
It looks like the check might be flawed in this case.

The rule "Ensure auditd Collects Information on Kernel Module Loading and Unloading" seems to be satisfied even though the report shows it is not:

[root@localhost audit]# cat audit.rules  | grep module
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
[root@localhost audit]# cat rules.d/modules.rules 
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules

The rule "Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)" is also satisfied despite the report:

[root@localhost audit]# cat audit.rules  | grep creat
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
[root@localhost audit]# cat rules.d/access.rules 
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

Also, as per https://github.com/ComplianceAsCode/content/pull/971 the RDS and TIPC modules are no longer included in the rhel7 kernel so I'll create a PR to remove those rules.

Comment 12 Nick Carboni 2018-12-19 15:13:55 UTC
Satyajit,

I'm not sure what you're asking. I looked at the appliance you provided and the bugs look fixed on that appliance based on the output I posted.
I am aware that the report is incorrect, but that is irrelevant. Is there something that you think still requires fixing?

Nick

Comment 13 Satyajit Bulage 2019-01-14 16:39:33 UTC
After enabling SCAP on appliance, I can see the files in the appliance, as per comment 10

Verified Version: 5.10.0.31.20190108221820_a0968c8

Comment 14 errata-xmlrpc 2019-02-07 23:03:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0212


Note You need to log in before you can comment on or make changes to this bug.