Bug 1739242 - False positives for audit rules after remediation
Summary: False positives for audit rules after remediation
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: ---
Hardware: x86_64
OS: Linux
Target Milestone: rc
: 8.1
Assignee: Matěj Týč
QA Contact: Matus Marhefka
Depends On:
Reported: 2019-08-08 20:14 UTC by Kwan Lowe
Modified: 2020-11-14 05:46 UTC (History)

Fixed In Version: scap-security-guide-0.1.46-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-11-05 21:17:09 UTC
Type: Bug
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3453 0 None None None 2019-11-05 21:17:16 UTC

Description Kwan Lowe 2019-08-08 20:14:42 UTC
Description of problem:
Similar to (https://bugzilla.redhat.com/show_bug.cgi?id=1723994) but regarding audit rules for DAC controls.

From SCAP-Workbench, I ran the "OSPP - Protection Profile for General Purpose Operating Systems (187)" against a default AWS RHEL8 image. It had many failures, including the audit rules in the original entry. From this, I generated an Ansible remediation script and applied it. I manually added the lines from Watson Sato from the above Bugzilla to my /etc/audit/rules.d/mycompany.rules. I also manually restarted the audit service and verified that the new rulesets appeared in /etc/audit/audit.rules.

On rerunning the SCAP scan, none of the errors relating to audit show as remediated. However, the remediation script appears to have worked.

Version-Release number of selected component (if applicable):

How reproducible:
Always reproducible after running the scan.

Steps to Reproduce:
1. Install SCAP-Workbench and SCAP Security Guide.
2. From SCAP-Workbench, load the RHEL8 profile.
3. Choose the OSPP - Protection Profile for General Purpose Operating Systems
4. Add the remote system
5. Press Scan
6. Save the remediation file (remediation.yml)
7. Apply remediation (ansible-playbook remediation.yml)
8. Rerun the scan

Actual results:

Audit results still show that failures are unremediated.

Expected results:
Results should show that the failures are remediated. From a spot check of several rules for the auditd daemon, the remediation script does appear to be working, but SCAP-Workbench is showing false positives.

Additional info:

Comment 1 Kwan Lowe 2019-08-08 20:15:43 UTC
On manual check, I confirmed that the audit rule is working by tailing /var/log/audit.log then creating a file and chmod'ing (touch foo; chmod 650 foo).

type=SYSCALL msg=audit(1565293919.182:48514): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55a39281f670 a2=1b5 a3=fff items=1 ppid=10210 pid=10254 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000
egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=60 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="perm_mod"ARCH=x86_64 SYSCALL=fchmodat AUID="ec2-user" UID="ec2-user" GID="ec2-user" EUID="ec2-user" SUID="ec2-user" FSUID="ec2-user" EGID="ec2-user" SGID="ec2-user" FSGID="ec2-user"
type=CWD msg=audit(1565293919.182:48514): cwd="/home/ec2-user"

Comment 2 Kwan Lowe 2019-08-19 16:09:33 UTC
Looks like the same as this:


Comment 3 Matěj Týč 2019-08-20 09:15:03 UTC
I have changed the category - scap-workbench is just a GUI for the OpenSCAP scanner, and the problem comes from a wrong combination of check and remediation in the content, so it is a scap-security-guide issue.

The link from your previous comment is supposed to be fixed in RHEL8 as it is based on a later upstream issue, so this one is something else.

You have not explicitly mentioned whether the system in question is a freshly installed one, or whether it already has some configuration changes; could you please clarify that?
And finally, if you are a RHEL subscriber, could you please reach out to customer support and open a case that could be attached to this Bugzilla?

Comment 4 Kwan Lowe 2019-08-20 14:35:25 UTC
Matěj:  Thank you for the response.

The remediation was run on a freshly installed RHEL8 from Amazon AWS Marketplace. I believe that this image is Red Hat maintained. No other configurations were added except to install the scanner.

I will open a case through the Portal.

Thank you!

Comment 5 Kwan Lowe 2019-08-20 14:47:08 UTC
Support Case https://access.redhat.com/support/cases/#/case/02452733 added.

Comment 7 Matěj Týč 2019-09-11 14:48:08 UTC
This has been addressed by https://bugzilla.redhat.com/show_bug.cgi?id=1723466 where the audit rules have been drastically simplified.

Comment 11 errata-xmlrpc 2019-11-05 21:17:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

