
Bug 1723994

Summary: Audit checks produce false positive on some rules
Product: Red Hat Enterprise Linux 7
Reporter: Basil Wallace <bwallace>
Component: scap-security-guide
Assignee: Vojtech Polasek <vpolasek>
Status: CLOSED CURRENTRELEASE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.6
CC: ggasparb, matyc, mhaicman, openscap-maint, thgardne, wsato
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-01 10:23:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
tailoring file for this oscap command (flags: none)

Description Basil Wallace 2019-06-26 00:44:30 UTC
Created attachment 1584527 [details]
tailoring file for this oscap command

Description of problem:
False negatives are produced for the following rules:
xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading
xccdf_org.ssgproject.content_rule_audit_rules_login_events
CCE-27129-6
CCE-27204-7

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.40-13

How reproducible:
Easily

Steps to Reproduce:
1. Add rules to /etc/audit/rules.d/*.rules as needed per CCE. Restart machine to take effect

2. Run oscap against the tailoring file provided in the attachments as follows:
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_C2S --tailoring-file ./ssg-rhel7-ds-tailoring_SE.xml --results results_file.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml  > oscap-out.log

Actual results:
grep -A 1 -B 2 -E "CCE-27204-7|CCE-27129-6" oscap-out.log
Title   Ensure auditd Collects Information on Kernel Module Loading and Unloading
Rule    xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading
Ident   CCE-27129-6
Result  fail
--
Title   Record Attempts to Alter Logon and Logout Events
Rule    xccdf_org.ssgproject.content_rule_audit_rules_login_events
Ident   CCE-27204-7
Result  fail



Expected results:
Title   Ensure auditd Collects Information on Kernel Module Loading and Unloading
Rule    xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading
Ident   CCE-27129-6
Result  pass
--
Title   Record Attempts to Alter Logon and Logout Events
Rule    xccdf_org.ssgproject.content_rule_audit_rules_login_events
Ident   CCE-27204-7
Result  pass


Additional info:
CCE-27204-7 seems to be an error with the documented remediation for this CCE.
Title   Record Attempts to Alter Logon and Logout Events
Rule    xccdf_org.ssgproject.content_rule_audit_rules_login_events
Ident   CCE-27204-7


The following audit rules are the documented resolution and will fail the scan:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins


The following audit rules will pass the scan:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins



CCE-27129-6 appears to be a problem with the fix_audit_syscall_rule function.
The function will return a 0 or 1 which determines the pass/fail of the CCE, and this function does not enter a case to change $retval to 1 if the rule exists.
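The report above says the login-events rule fails when the faillock watch is written with a trailing slash, and that the kernel-module rule fails even with the syscall rules in place. As an added example (not code from scap-security-guide, oscap, or anyone on this thread), the script below parses a constructed /etc/audit/rules.d fragment and compares the two ways a checker might match watch paths: a literal string comparison, which reports the trailing-slash spelling as missing, and a comparison after path normalization, which does not. It also checks that the kernel-module syscall rules cover all four syscalls for both architectures. The sample rules, the required-path and syscall sets, and the `b32`/`b64` arch spelling (auditctl's own syntax, rather than the `32`/`64` written in the comments) are assumptions made for this example, not content taken from the SCAP check itself.

```python
"""Toy audit-rule checker illustrating the false positive in this bug.

Added example, not scap-security-guide code. It shows how a literal
path comparison flags "/var/run/faillock/" as missing while a
normalized comparison accepts it, and verifies syscall coverage for
the kernel-module rule on both architectures.
"""
import shlex

# Constructed sample of /etc/audit/rules.d/*.rules content (not from the page).
SAMPLE_RULES = """
# login events, with the trailing slash from the documented remediation
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
# kernel module loading and unloading
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -S create_module -F key=modules
-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -S create_module -F key=modules
"""

# Assumed requirement sets for this example.
LOGIN_PATHS = {"/var/log/tallylog", "/var/run/faillock", "/var/log/lastlog"}
MODULE_SYSCALLS = {"init_module", "delete_module", "finit_module", "create_module"}
ARCHES = ("b32", "b64")


def parse_rules(text):
    """Return (watches, syscalls).

    watches:  path -> (perms, key) for each -w rule
    syscalls: arch -> set of syscall names from -a rules keyed "modules"
    """
    watches, syscalls = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        if argv[0] == "-w":
            perms = argv[argv.index("-p") + 1] if "-p" in argv else ""
            key = argv[argv.index("-k") + 1] if "-k" in argv else ""
            watches[argv[1]] = (perms, key)
        elif argv[0] == "-a":
            arch, names, key = None, set(), None
            i = 1
            while i < len(argv):
                if argv[i] == "-F" and i + 1 < len(argv):
                    field = argv[i + 1]
                    if field.startswith("arch="):
                        arch = field[len("arch="):]
                    elif field.startswith("key="):
                        key = field[len("key="):]
                    i += 2
                elif argv[i] in ("-S", "-k") and i + 1 < len(argv):
                    if argv[i] == "-S":
                        names.add(argv[i + 1])
                    else:
                        key = argv[i + 1]
                    i += 2
                else:
                    i += 1  # e.g. the "always,exit" action,list token
            if arch and key == "modules":
                syscalls.setdefault(arch, set()).update(names)
    return watches, syscalls


def normalize(path):
    """Collapse duplicate and trailing slashes: both spellings of the
    faillock directory name the same filesystem object."""
    return "/" + "/".join(part for part in path.split("/") if part)


def missing_login_watches(watches, literal):
    """Required login watch paths not satisfied by a 'wa' watch keyed 'logins'.

    literal=True compares path strings verbatim (the behaviour that produces
    the reported false positive); literal=False compares after normalize().
    """
    seen = set()
    for path, (perms, key) in watches.items():
        if set("wa") <= set(perms) and key == "logins":
            seen.add(path if literal else normalize(path))
    return {p for p in LOGIN_PATHS if p not in seen}


def missing_module_syscalls(syscalls):
    """Map each arch to the required kernel-module syscalls it does not cover."""
    return {arch: MODULE_SYSCALLS - syscalls.get(arch, set()) for arch in ARCHES}


if __name__ == "__main__":
    w, s = parse_rules(SAMPLE_RULES)
    print("literal match, missing login watches:   ", missing_login_watches(w, True))
    print("normalized match, missing login watches:", missing_login_watches(w, False))
    print("uncovered module syscalls per arch:     ", missing_module_syscalls(s))
```

Run as-is, the literal comparison reports `/var/run/faillock` as missing because the watch was written as `/var/run/faillock/`, while the normalized comparison reports nothing missing; the syscall check reports full coverage. Dropping the `arch=b64` line from the sample shows the syscall check reporting all four syscalls uncovered for `b64`.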

Comment 2 Watson Yuuma Sato 2019-06-27 14:02:42 UTC
Hello Basil,

Are you remediating the system manually? Or using the fix scripts provided by scap-security-guide?

There is a BZ tracking an issue for rule audit_rules_kernel_module_loading: https://bugzilla.redhat.com/show_bug.cgi?id=1658136
In summary, the rule description is incorrect. The rule will be fixed in the next release; as a workaround, the following audit rules can be added:

-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=32 -S init_module -S delete_module -S finit_module -S create_module -F key=modules
-a always,exit -F arch=64 -S init_module -S delete_module -S finit_module -S create_module -F key=modules

Could you please check if rule passes with above audit rules?


Regarding rule audit_rules_login_events, https://bugzilla.redhat.com/show_bug.cgi?id=1574586 is tracking a similar issue, but is not fixed yet.
Thank you for the note on the "fix_audit_syscall_rule" function; I'll add the same note to the mentioned BZ.

Comment 3 Basil Wallace 2019-06-27 23:41:51 UTC
Hi Watson,

Can confirm:

-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=32 -S init_module -S delete_module -S finit_module -S create_module -F key=modules
-a always,exit -F arch=64 -S init_module -S delete_module -S finit_module -S create_module -F key=modules

Added into either:
/etc/audit/audit.rules
/etc/audit/rules.d/*.rules

Does not result in the desired outcome for CCE-27129-6


Title   Ensure auditd Collects Information on Kernel Module Loading and Unloading
Rule    xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading
Ident   CCE-27129-6
Result  fail

Comment 4 Basil Wallace 2019-06-27 23:56:39 UTC
Hi Watson,

I should add:
Customer is running the security audit, then remediating the systems manually later during patch window.

Comment 6 Matěj Týč 2019-08-22 09:52:17 UTC
Just to get it straight, what this issue describes is a false positive - although the system is compliant, the scanner erroneously finds out that it isn't.

Comment 9 Watson Yuuma Sato 2020-02-19 16:02:30 UTC
Vojta, when you have free cycles can you check this BZ as well?
It may be the case that this is fixed in latest upstream.

Comment 11 Vojtech Polasek 2020-04-01 10:23:15 UTC
As 7.8 went GA today, I am closing this bug.