Description of problem:
Similar to (https://bugzilla.redhat.com/show_bug.cgi?id=1723994) but regarding audit rules for DAC controls.
From SCAP-Workbench, I ran the "OSPP - Protection Profile for General Purpose Operating Systems (187)" against a default AWS RHEL8 image. It had many failures, including the audit rules in the original entry. From this, I generated an Ansible remediation script and applied it. I manually added the lines from Watson Sato from the above Bugzilla to my /etc/audit/rules.d/mycompany.rules. I also manually restarted the audit service and verified that the new rulesets appeared in /etc/audit/audit.rules.
On rerunning the SCAP scan, none of the errors relating to audit show as remediated. However, the remediation script appears to have worked.
Version-Release number of selected component (if applicable):
How reproducible:
Always reproducible after running scan.
Steps to Reproduce:
1. Install SCAP-Workbench and SCAP Security Guide.
2. From SCAP-Workbench, load the RHEL8 profile.
3. Choose the OSPP - Protection Profile for General Purpose Operating Systems
4. Add the remote system
5. Press Scan
6. Save the remediation file (remediation.yml)
7. Apply remediation (ansible-playbook remediation.yml)
8. Rerun the scan
Actual results:
Audit results still show that failures are unremediated.
Expected results:
Results should show that the failures are remediated. From a spot check of several rules for the auditd daemon, the remediation script does appear to be working but the SCAP-Workbench is showing false positives.
On manual check, I confirmed that the audit rule is working by tailing /var/log/audit.log then creating a file and chmod'ing (touch foo; chmod 650 foo).
type=SYSCALL msg=audit(1565293919.182:48514): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55a39281f670 a2=1b5 a3=fff items=1 ppid=10210 pid=10254 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=60 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="perm_mod"ARCH=x86_64 SYSCALL=fchmodat AUID="ec2-user" UID="ec2-user" GID="ec2-user" EUID="ec2-user" SUID="ec2-user" FSUID="ec2-user" EGID="ec2-user" SGID="ec2-user" FSGID="ec2-user"
type=CWD msg=audit(1565293919.182:48514): cwd="/home/ec2-user"
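Added example (not code from the bug report, SCAP-Workbench or the SSG project): a small parser for audit records like the ones quoted above that reports, for a given audit key, which DAC-modification syscalls actually produced an event. It checks the remediated rules from the log itself rather than trusting the scanner's verdict. The DAC syscall list and the third (fchownat) record are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed input: the SYSCALL/CWD records quoted in the report plus one made-up
# fchownat record. auditd puts a 0x1d separator before the enriched upper-case fields;
# it is restored in the first record and left out of the third (the bug text shows it
# stripped, as in key="perm_mod"ARCH=...). The parser accepts both forms.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1565293919.182:48514): arch=c000003e syscall=268 '
    'success=yes exit=0 a0=ffffff9c a1=55a39281f670 a2=1b5 a3=fff items=1 ppid=10210 '
    'pid=10254 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 '
    'sgid=1000 fsgid=1000 tty=pts0 ses=60 comm="chmod" exe="/usr/bin/chmod" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="perm_mod"'
    '\x1dARCH=x86_64 SYSCALL=fchmodat AUID="ec2-user" UID="ec2-user"',
    'type=CWD msg=audit(1565293919.182:48514): cwd="/home/ec2-user"',
    'type=SYSCALL msg=audit(1565293920.001:48520): arch=c000003e syscall=260 '
    'success=yes exit=0 auid=1000 uid=1000 comm="chown" exe="/usr/bin/chown" '
    'key="perm_mod"ARCH=x86_64 SYSCALL=fchownat AUID="ec2-user"',
]

FIELD_RE = re.compile(r'([A-Za-z0-9_-]+)=("[^"]*"|[^\s\x1d]+)')  # name=value pairs
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')             # timestamp:serial

def parse_record(line):
    """Return one record as a dict (quotes stripped), with 'time' and 'serial' split out."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        rec['time'], rec['serial'] = float(m.group(1)), int(m.group(2))
    rec.pop('msg', None)
    return rec

def keyed_syscall_events(lines, key='perm_mod'):
    """Map (audit user, syscall name) -> serials of SYSCALL records tagged with key."""
    events = defaultdict(list)
    for rec in map(parse_record, lines):
        if rec.get('type') == 'SYSCALL' and rec.get('key') == key:
            # Prefer the enriched name; fall back to the raw number if log_format=RAW.
            name = rec.get('SYSCALL', rec.get('syscall'))
            events[(rec.get('AUID', rec.get('auid')), name)].append(rec['serial'])
    return events

# Assumption: the DAC-modification syscalls the OSPP rule family watches on x86_64;
# this list is the example's own and is not taken from the bug report.
DAC_SYSCALLS = {'chmod', 'fchmod', 'fchmodat', 'chown', 'fchown', 'fchownat', 'lchown'}

def uncovered_syscalls(lines, key='perm_mod', expected=DAC_SYSCALLS):
    """After exercising each syscall, report the ones that produced no keyed event."""
    seen = {name for _, name in keyed_syscall_events(lines, key)}
    return expected - seen
```

Feed it the output of `ausearch -k perm_mod --raw` after running chmod/chown on a scratch file; an empty set from `uncovered_syscalls` means every expected rule fired, whatever the scanner reports.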
Looks like the same as this:
I have changed the category - scap-workbench is just a GUI for OpenSCAP scanner, and the problem comes from wrong combination of check and remediation in the content, so it is a scap-security-guide issue.
The link from your previous comment is supposed to be fixed in RHEL8 as it is based on a later upstream issue, so this one is something else.
You have not explicitly mentioned whether the system in question is a freshly installed one, or whether it already has some configuration changes, could you please clarify that?
And finally, if you are a RHEL subscriber, could you please reach out to customer support and open a case that could be attached to this Bugzilla?
Matěj: Thank you for the response.
The remediation was run on a freshly installed RHEL8 from Amazon AWS Marketplace. I believe that this image is Red Hat maintained. No other configurations were added except to install the scanner.
I will open a case through the Portal.
Support Case https://access.redhat.com/support/cases/#/case/02452733 added.
This has been addressed by https://bugzilla.redhat.com/show_bug.cgi?id=1723466 where the audit rules have been drastically simplified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.