Dammit. Hit the <RETURN> key mid-stream and it submitted the bug prematurely. At any rate:


Description of problem:

When one runs the `oscap` utility using the `C2S` profile, it declares a finding for the `sshd_set_loglevel_info` which, arguably, shouldn't even be in that profile

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.40-12

How reproducible:

Install the latest oscap utilities and scap-security-guide packages and run a scan/remediation with the "C2S" profile selected


Actual results:

The `sshd_set_loglevel_info`, even though the requested value is the sshd service's default.

Expected results:

Since test is only prescribed via CIS Benchmark ID 5.2.3 rather than anything in the EL7 STIGS hosted on the IASE site, test probably should be removed from the C2S profile. Failing that:
If sshd_config left at default, the test should succeed.
If sshd_config value is set to a higher level (say, "VERBOSE") test should continue to succeed


Additional info:

The `sshd_set_loglevel_info` presence in the C2S profile predates the release of either the non-beta or the latest-and-greatest STIG for EL7 (January 2019 release). Since it's not prescribed and the C2S profile *should* be aligning to the STIGs rather than CIS, it should only implement STIG guidance. STIG omits this CIS benchmark, presumably because it's the vendor's default setting in RHEL 7.

The U.S. Government Commercial Cloud Services (C2S) baseline is not based off of the STIG and is only based off of the CIS benchmarks. This is by design. So, really the OVAL just needs to be updated.

(In reply to ralford from comment #4)
> The U.S. Government Commercial Cloud Services (C2S) baseline is not based
> off of the STIG and is only based off of the CIS benchmarks. This is by
> design. So, really the OVAL just needs to be updated.

More specifically, the C2S profile aligns with the US Government's Commercial Cloud Services (C2S) environment. The CIA controls those requirements, and at the time of profile creation, used the Center for Internet Security as inspiration for their Linux baseline. We can double check with the CIA if they've refreshed their requirements either to a newer version of CIS, or switched over to DoD STIG.

In the mean time, if the current OVAL is giving a false finding for when the system exceeds the required security setting, this appears to be a valid bug in the content which should be addressed immediately.

With https://github.com/ComplianceAsCode/content/pull/4624 the check for `sshd_set_loglevel_info` is aware that "LogLevel INFO" is default and passes when it is not in the config file.

Note, the fix doesn't address super compliant setting, i.e. the rule will does not pass when loglevel is VERBOSE.

Verified for scap-security-guide-0.1.46-1.el7.noarch.
Tested with C2S profile on RHEL 7.8 and it's passing when LogLevel is set to INFO or LogLevel is missing (default value is used).

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1019