1823576 – OpenSCAP ssh rules content_rule_sshd_do_not_permit_user_env content_rule_sshd_allow_only_protocol2 failing after upgrade

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1823576 - OpenSCAP ssh rules content_rule_sshd_do_not_permit_user_env content_rule_sshd_allow_only_protocol2 failing after upgrade

Summary: OpenSCAP ssh rules content_rule_sshd_do_not_permit_user_env content_rule_sshd...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	scap-security-guide
Sub Component:
Version:	7.8
Hardware:	Unspecified
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Vojtech Polasek
QA Contact:	Matus Marhefka
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-04-13 22:53 UTC by Elana Hashman
Modified:	2020-09-29 19:53 UTC (History)
CC List:	7 users (show)
Fixed In Version:	scap-security-guide-0.1.49-5.el7
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-09-29 19:52:42 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:3909	0	None	None	None	2020-09-29 19:53:00 UTC

Description Elana Hashman 2020-04-13 22:53:26 UTC

Description of problem:

Since upgrading openscap-scanner from 1.2.17-4.el7 to 1.2.17-9.el7, the following rules are now failing in an OpenSCAP scan:

xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2

However, I have verified that neither rule should be failing: user environments are not permitted, and since we run RHEL 7 with openssh-server 7.4+ (7.4p1-21.el7 to be precise), the latter test is not applicable.

[ehashman@ehashman-test-vm ~]$ grep Protocol /etc/ssh/sshd_config 
[ehashman@ehashman-test-vm ~]$ grep 'PermitUser' /etc/ssh/sshd_config 
PermitUserEnvironment no


Version-Release number of selected component (if applicable): 1.2.17-9.el7


Expected results:

VM sshd settings are unchanged between versions of OpenSCAP and comply with benchmarks, hence rules should not be failing.


Additional info:

CI artifact with passing checks: https://storage.googleapis.com/origin-ci-test/logs/periodic-ci-azure-vmimage-validate-osa311-latest/194/artifacts/scap_report.html

SCAP version used to generate passing report: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/periodic-ci-azure-vmimage-validate-osa311-latest/194#1:build-log.txt%3A49

CI artifact with failing checks: https://storage.googleapis.com/origin-ci-test/logs/periodic-ci-azure-vmimage-validate-osa311-latest/200/artifacts/scap_report.html

SCAP version used to generate failing report: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/periodic-ci-azure-vmimage-validate-osa311-latest/200#1:build-log.txt%3A49

Comment 2 Vojtech Polasek 2020-04-14 09:31:53 UTC

Hello,
from your logs I can see that during the task when the checks were still passing, you installed:
 openscap-scanner       x86_64    1.2.17-4.el7      rhel-7-server-rpms     62 k
and
 scap-security-guide    noarch    0.1.43-13.el7     rhel-7-server-rpms    3.3 M
Whereas during the task when checks are failing you installed
 openscap-scanner       x86_64    1.2.17-9.el7      rhel-7-server-rpms     62 k
and
 scap-security-guide    noarch    0.1.46-11.el7     rhel-7-server-rpms    7.4 M
That means that not only the version of Openscap is different but also the version of scap-security-guide has changed.
Could you please use updated Openscap (1.2.17-9) with older content (0.1.43-13)? Maybe the problem is in content and not in scanner.
Thank you.

Comment 3 Jan Černý 2020-04-14 12:43:50 UTC

From the attached logs I can see that openscap was updated from 1.2.17-4.el7 to 1.2.17-9.el7 and scap-security-guide was updated from 0.1.43-13.el7 to 0.1.46-11.el7. That's an upgrade from RHEL 7.7 to RHEL 7.8. The changelog between openscap 1.2.17-4.el7 and 1.2.17-9.el7 doesn't contain anything related. However, the scap-security-guide package changed a lot between the 2 versions. The changes include rebase to new upstream release. I compared the 2 rules and their implementation in scap-security-guide 0.1.43-13.el7 and 0.1.46-11.el7.

Rule xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env has changed the OVAL implementation in upstream and due to rebase also in RHEL. It started to use Jinja macros in 117db277282f527561ca0ee09a91e0d0c21e90ff and later started to use templates in fc8099b33af6bacb26ec09e7f12da0aa68345148. There was a mistake during the conversion. The check in 0.1.46-11.el7 wrongly checks for `PermitUserEnvironment yes` instead of `PermitUserEnvironment no`. The swapped value probably causes the false positive result in this case. This problem has already been fixed in upstream by f4c3281f797757b07b5e101be7b61e48272a9ece (introduced by https://github.com/ComplianceAsCode/content/pull/5087).

Rule xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2 is a similar bug. The implementation has been converted to Jinja and then to templates by the same two upstream commits as the previous rule. In the old version, a part of the check used to be a test if openssh-server package is version 7.4 or newer. This check was removed during the conversion, which was probably an omission. It seems it shouldn't be removed. As the warning in the rule description says, the OpenSSH 7.4 and newer don't support older protocol, it supports only protocol version 2. It isn't needed to configure the protocol version explicitly in the sshd configuration file. The man page even doesn't contain the protocol version. But, the check in the new version of scap-security-guide explicitly check for presence of "Protocol 2" in sshd configuration file. That's a misalignment with the rule description. We have discussed this briefly and we think that the rule shouldn't have been converted to templates. We think that a fix should be reverting the OVAL for this rule to the old form.

Switching the BZ to the correct component.

Comment 4 Elana Hashman 2020-04-14 15:23:35 UTC

Thanks Jan and Vojtech for your help with targeting the correct component here. I will disable these rules in the interim until this gets fixed. Appreciate your assistance!

Comment 5 Jan Černý 2020-04-16 07:53:35 UTC

Fixed upstream by:
- xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env: https://github.com/ComplianceAsCode/content/pull/5087
- xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2: https://github.com/ComplianceAsCode/content/pull/5582

Comment 12 errata-xmlrpc 2020-09-29 19:52:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3909

Note You need to log in before you can comment on or make changes to this bug.