Bug 1739242 - False positives for audit rules after remediation
Summary: False positives for audit rules after remediation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: ---
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.1
Assignee: Matěj Týč
QA Contact: Matus Marhefka
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-08-08 20:14 UTC by Kwan Lowe
Modified: 2020-11-14 05:46 UTC
CC List: 3 users

Fixed In Version: scap-security-guide-0.1.46-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 21:17:09 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata | ID: RHBA-2019:3453 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2019-11-05 21:17:16 UTC

Description Kwan Lowe 2019-08-08 20:14:42 UTC
Description of problem:
Similar to (https://bugzilla.redhat.com/show_bug.cgi?id=1723994) but regarding audit rules for DAC controls.

From SCAP-Workbench, I ran the "OSPP - Protection Profile for General Purpose Operating Systems (187)" against a default AWS RHEL8 image. It had many failures, including the audit rules in the original entry. From this, I generated an Ansible remediation script and applied it. I manually added the lines from Watson Sato from the above Bugzilla to my /etc/audit/rules.d/mycompany.rules. I also manually restarted the audit service and verified that the new rulesets appeared in /etc/audit/audit.rules.

On rerunning the SCAP scan, none of the errors relating to audit show as remediated. However, the remediation script appears to have worked.

Version-Release number of selected component (if applicable):


How reproducible:
Always reproducible after running scan.

Steps to Reproduce:
1. Install SCAP-Workbench and SCAP Security Guide.
2. From SCAP-Workbench, load the RHEL8 profile.
3. Choose the OSPP - Protection Profile for General Purpose Operating Systems
4. Add the remote system
5. Press Scan
6. Save the remediation file (remediation.yml)
7. Apply remediation (ansible-playbook remediation.yml)
8. Rerun the scan

Actual results:

Audit results still show that failures are unremediated.

Expected results:
Results should show that the failures are remediated. From a spot check of several rules for the auditd daemon, the remediation script does appear to be working but the SCAP-Workbench is showing false positives.

Additional info:

Comment 1 Kwan Lowe 2019-08-08 20:15:43 UTC
On manual check, I confirmed that the audit rule is working by tailing /var/log/audit.log then creating a file and chmod'ing (touch foo; chmod 650 foo).

type=SYSCALL msg=audit(1565293919.182:48514): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55a39281f670 a2=1b5 a3=fff items=1 ppid=10210 pid=10254 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000
egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=60 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="perm_mod"ARCH=x86_64 SYSCALL=fchmodat AUID="ec2-user" UID="ec2-user" GID="ec2-user" EUID="ec2-user" SUID="ec2-user" FSUID="ec2-user" EGID="ec2-user" SGID="ec2-user" FSGID="ec2-user"
type=CWD msg=audit(1565293919.182:48514): cwd="/home/ec2-user"

Comment 2 Kwan Lowe 2019-08-19 16:09:33 UTC
Looks like same as this:

https://bugzilla.redhat.com/show_bug.cgi?id=1465675

Comment 3 Matěj Týč 2019-08-20 09:15:03 UTC
I have changed the category - scap-workbench is just a GUI for the OpenSCAP scanner, and the problem comes from a wrong combination of check and remediation in the content, so it is a scap-security-guide issue.

The link from your previous comment is supposed to be fixed in RHEL8 as it is based on a later upstream issue, so this one is something else.

You have not explicitly mentioned whether the system in question is a freshly installed one, or whether it already has some configuration changes; could you please clarify that?
And finally, if you are a RHEL subscriber, could you please reach out to customer support and open a case that could be attached to this Bugzilla?

Comment 4 Kwan Lowe 2019-08-20 14:35:25 UTC
Matěj: Thank you for the response.

The remediation was run on a freshly installed RHEL8 from Amazon AWS Marketplace. I believe that this image is Red Hat maintained. No other configurations were added except to install the scanner.

I will open a case through the Portal.

Thank you!

Comment 5 Kwan Lowe 2019-08-20 14:47:08 UTC
Support Case https://access.redhat.com/support/cases/#/case/02452733 added.

Comment 7 Matěj Týč 2019-09-11 14:48:08 UTC
This has been addressed by https://bugzilla.redhat.com/show_bug.cgi?id=1723466 where the audit rules have been drastically simplified.
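The maintainer's diagnosis is that the check and the remediation disagreed on the form of the rules, which is why a working remediation still scanned as failed. The following added example (not SSG's own check logic) shows the general shape of that failure mode: a line-oriented check rejects a rule set written in a different but equivalent form, while a check that normalises each `-a always,exit` rule into (arch, syscall, filters, key) tuples accepts both. The two rule files are constructed for the example; the equivalences it applies are real auditctl ones (`-k` versus `-F key=`, comma-joined versus one-per-line syscalls, `auid!=unset` versus `auid!=4294967295`).

```python
"""Semantic versus textual coverage check for auditd syscall rules.

Added example, not the check used by scap-security-guide: normalises
'-a always,exit' rules so that the same policy written in different textual
forms compares equal, then contrasts that with an exact-line check.
"""
import shlex
from dataclasses import dataclass

# Constructed rule files: same policy, two spellings.
COMBINED = """
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
"""
SPLIT = """
# one syscall per line on b64, legacy -k and numeric unset auid
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
"""


@dataclass(frozen=True)
class SyscallRule:
    arch: str
    syscall: str
    filters: frozenset  # e.g. {"auid>=1000", "auid!=unset"}
    key: str


def _norm_filter(f):
    """auditctl accepts unset, -1 and 4294967295 for the unset auid."""
    for tail in ("=4294967295", "=-1"):
        if f.endswith(tail):
            return f[: -len(tail)] + "=unset"
    return f


def parse_rules(text):
    """Expand each '-a always,exit' rule into one SyscallRule per syscall."""
    rules = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("-a "):
            continue  # comments, blanks, -w watches, -D/-b control lines
        args = shlex.split(line)
        action, arch, key, syscalls, filters = None, None, None, [], []
        for opt, val in zip(args[::2], args[1::2]):
            if opt == "-a":
                action = frozenset(val.split(","))
            elif opt == "-S":
                syscalls.extend(val.split(","))
            elif opt == "-k":
                key = val
            elif opt == "-F":
                if val.startswith("arch="):
                    arch = val[len("arch="):]
                elif val.startswith("key="):
                    key = val[len("key="):]
                else:
                    filters.append(_norm_filter(val))
        if action != frozenset({"always", "exit"}):
            continue
        for sc in syscalls:
            rules.add(SyscallRule(arch, sc, frozenset(filters), key))
    return rules


def missing_coverage(rules, arch, required_syscalls, required_filters, key):
    """Syscalls from required_syscalls that no rule covers on this arch with these filters and key."""
    covered = {
        r.syscall for r in rules
        if r.arch == arch and r.key == key and set(required_filters) <= r.filters
    }
    return set(required_syscalls) - covered


def naive_line_check(text, expected_line):
    """The fragile alternative: require the exact line to be present."""
    return any(l.strip() == expected_line.strip() for l in text.splitlines())


if __name__ == "__main__":
    need = {"chmod", "fchmod", "fchmodat"}
    filt = {"auid>=1000", "auid!=unset"}
    for name, text in (("combined", COMBINED), ("split", SPLIT)):
        missing = {a: missing_coverage(parse_rules(text), a, need, filt, "perm_mod") for a in ("b32", "b64")}
        print(name, "semantic check missing:", missing)
    line = "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
    print("naive check, split form:", naive_line_check(SPLIT, line))
```

The same normalisation is what makes a check robust to remediation content that is later simplified or rewritten: as long as every required (arch, syscall, filter, key) combination is present, the textual layout of the rules file no longer matters.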

Comment 11 errata-xmlrpc 2019-11-05 21:17:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3453

