Bug 1723994 - Audit checks produce false positive on some rules
Summary: Audit checks produce false positive on some rules
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.6
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Vojtech Polasek
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-06-26 00:44 UTC by Basil Wallace
Modified: 2023-03-24 14:59 UTC
CC: 6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-01 10:23:15 UTC
Target Upstream Version:
Embargoed:


Attachments
tailoring file for this oscap command (46.22 KB, application/xml), 2019-06-26 00:44 UTC, Basil Wallace

Description Basil Wallace 2019-06-26 00:44:30 UTC
Created attachment 1584527 [details]
tailoring file for this oscap command

Description of problem:
False negatives are produced for the following rules:
xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading
xccdf_org.ssgproject.content_rule_audit_rules_login_events
CCE-27129-6
CCE-27204-7

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.40-13

How reproducible:
Easily

Steps to Reproduce:
1. Add rules to /etc/audit/rules.d/*.rules as needed per CCE. Restart machine to take effect

2. Run oscap against the tailoring file provided in the attachments as follows:
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_C2S --tailoring-file ./ssg-rhel7-ds-tailoring_SE.xml --results results_file.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml  > oscap-out.log

Actual results:
grep -A 1 -B 2 -E "CCE-27204-7|CCE-27129-6" oscap-out.log
Title   Ensure auditd Collects Information on Kernel Module Loading and Unloading
Rule    xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading
Ident   CCE-27129-6
Result  fail
--
Title   Record Attempts to Alter Logon and Logout Events
Rule    xccdf_org.ssgproject.content_rule_audit_rules_login_events
Ident   CCE-27204-7
Result  fail



Expected results:
Title   Ensure auditd Collects Information on Kernel Module Loading and Unloading
Rule    xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading
Ident   CCE-27129-6
Result  pass
--
Title   Record Attempts to Alter Logon and Logout Events
Rule    xccdf_org.ssgproject.content_rule_audit_rules_login_events
Ident   CCE-27204-7
Result  pass


Additional info:
CCE-27204-7 seems to be an error with the documented remediation for this CCE.
Title   Record Attempts to Alter Logon and Logout Events
Rule    xccdf_org.ssgproject.content_rule_audit_rules_login_events
Ident   CCE-27204-7


The following audit rules are the documented resolution and will fail the scan:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins


The following audit rules will pass the scan:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins



CCE-27129-6 appears to be a problem with the fix_audit_syscall_rule function.
The function will return a 0 or 1 which determines the pass/fail of the CCE, and this function does not enter a case to change $retval to 1 if the rule exists.

Comment 2 Watson Yuuma Sato 2019-06-27 14:02:42 UTC
Hello Basil,

Are you remediating the system manually? Or using the fix scripts provided by scap-security-guide?

There is a BZ tracking an issue for rule audit_rules_kernel_module_loading: https://bugzilla.redhat.com/show_bug.cgi?id=1658136
In summary, the rule description is incorrect. The rule will be fixed in the next release; as a workaround, the following audit rules can be added:

-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -S create_module -F key=modules
-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -S create_module -F key=modules

Could you please check if rule passes with above audit rules?


Regarding rule audit_rules_login_events, https://bugzilla.redhat.com/show_bug.cgi?id=1574586 is tracking a similar issue, but is not fixed yet.
Thank you for the note on the fix_audit_syscall_rule function; I'll add the same note to the mentioned BZ.

Comment 3 Basil Wallace 2019-06-27 23:41:51 UTC
Hi Watson,

Can confirm:

-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -S create_module -F key=modules
-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -S create_module -F key=modules

Added into either:
/etc/audit/audit.rules
/etc/audit/rules.d/*.rules

Does not result in the desired outcome for CCE-27129-6


Title   Ensure auditd Collects Information on Kernel Module Loading and Unloading
Rule    xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading
Ident   CCE-27129-6
Result  fail
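
Added example (not part of this bug report, and not scap-security-guide's own check code): a POSIX shell script that re-implements the two checks this ticket is about against a constructed rules file embedded in the script. It compares -w watch paths with any trailing slash stripped, so the "/var/run/faillock/" form from the documented CCE-27204-7 remediation matches the same as "/var/run/faillock", and for CCE-27129-6 it requires both the execute watches on insmod/rmmod/modprobe and an always,exit syscall rule for each of arch b32 and b64. The rule paths and keys are the ones quoted in the description and in comment 2; the function names (has_watch, has_syscall_rule, check_login_events, check_module_loading, run_demo) are this example's own assumptions, not SSG identifiers.

```shell
#!/bin/sh
# Added example: not part of this bug report and not scap-security-guide's
# own check. It re-implements, in plain shell, the two checks the ticket
# discusses, against a constructed rules file:
#   - CCE-27204-7 (login events): watch paths are compared with any trailing
#     slash stripped, so "/var/run/faillock/" no longer causes a spurious fail;
#   - CCE-27129-6 (kernel module loading): execute watches on the module tools
#     plus an "always,exit" syscall rule for each of arch b32 and b64.
# Function names are this example's own, not SSG identifiers.

# Constructed stand-in for /etc/audit/rules.d/*.rules; the login watches keep
# the trailing slash from the documented remediation on purpose.
make_sample_rules() {
  cat <<'EOF'
# login events (documented remediation, trailing slash on faillock)
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
# kernel module loading and unloading
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -F key=modules
-a always,exit -F arch=b64 -S init_module,delete_module,finit_module -k modules
EOF
}

# has_watch FILE PATH PERMS KEY
# Exit 0 if FILE holds "-w PATH -p PERMS" with key KEY (given as "-k KEY" or
# "-F key=KEY"). Trailing slashes are stripped from both sides before comparing.
has_watch() {
  awk -v want="$2" -v perms="$3" -v key="$4" '
    function strip(p) { sub(/\/+$/, "", p); return p }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
    $1 == "-w" {
      path = strip($2); p = ""; k = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-p") p = $(i + 1)
        else if ($i == "-k") k = $(i + 1)
        else if ($i == "-F" && index($(i + 1), "key=") == 1) k = substr($(i + 1), 5)
      }
      if (path == strip(want) && p == perms && k == key) found = 1
    }
    END { exit found ? 0 : 1 }' "$1"
}

# has_syscall_rule FILE ARCH SYSCALL KEY
# Exit 0 if FILE holds an "-a always,exit" rule for ARCH whose -S list
# (repeated "-S x" or "-S x,y") contains SYSCALL and which carries key KEY.
has_syscall_rule() {
  awk -v arch="$2" -v sc="$3" -v key="$4" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    $1 == "-a" && ($2 == "always,exit" || $2 == "exit,always") {
      a = ""; k = ""; hit = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-F" && index($(i + 1), "arch=") == 1) a = substr($(i + 1), 6)
        else if ($i == "-F" && index($(i + 1), "key=") == 1) k = substr($(i + 1), 5)
        else if ($i == "-k") k = $(i + 1)
        else if ($i == "-S") {
          n = split($(i + 1), parts, ",")
          for (j = 1; j <= n; j++) if (parts[j] == sc) hit = 1
        }
      }
      if (a == arch && k == key && hit) found = 1
    }
    END { exit found ? 0 : 1 }' "$1"
}

# CCE-27204-7: all three login-event watches, trailing slash or not.
check_login_events() {
  has_watch "$1" /var/log/tallylog wa logins &&
  has_watch "$1" /var/run/faillock wa logins &&
  has_watch "$1" /var/log/lastlog wa logins
}

# CCE-27129-6: execute watches on the module tools and the syscall rules for
# both architectures; a check that only looks at one arch is incomplete.
check_module_loading() {
  for tool in insmod rmmod modprobe; do
    has_watch "$1" "/usr/sbin/$tool" x modules || return 1
  done
  for arch in b32 b64; do
    for sc in init_module delete_module finit_module; do
      has_syscall_rule "$1" "$arch" "$sc" modules || return 1
    done
  done
}

# Run both checks on the sample file; exit status 0 means both pass.
run_demo() {
  tmp=$(mktemp) || return 1
  make_sample_rules > "$tmp"
  rc=0
  for chk in check_login_events check_module_loading; do
    if "$chk" "$tmp"; then echo "$chk: pass"; else echo "$chk: fail"; rc=1; fi
  done
  rm -f "$tmp"
  return "$rc"
}

run_demo
```

Running it prints one pass/fail line per check and exits non-zero on any failure; to try it on a real host, point check_login_events and check_module_loading at a concatenation of /etc/audit/rules.d/*.rules instead of the sample file. It inspects rule files only, not the rules auditd has actually loaded, which `auditctl -l` shows.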

Comment 4 Basil Wallace 2019-06-27 23:56:39 UTC
Hi Watson,

I should add:
Customer is running the security audit, then remediating the systems manually later during patch window.

Comment 6 Matěj Týč 2019-08-22 09:52:17 UTC
Just to get it straight, what this issue describes is a false positive - although the system is compliant, the scanner erroneously finds out that it isn't.

Comment 9 Watson Yuuma Sato 2020-02-19 16:02:30 UTC
Vojta, when you have free cycles can you check this BZ as well?
It may be the case that this is fixed in latest upstream.

Comment 11 Vojtech Polasek 2020-04-01 10:23:15 UTC
As 7.8 went GA today, I am closing this bug.

