Bug 1858866 - Rule Id xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd not matching the CIS 6.1.6 requirement
Summary: Rule Id xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd ...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.2
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: 8.0
Assignee: Vojtech Polasek
QA Contact: BaseOS QE Security Team
Docs Contact: Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks:

Reported: 2020-07-20 15:54 UTC by jtougne
Modified: 2021-04-08 19:46 UTC (History)
CC List: 7 users

Fixed In Version:
Doc Type: Known Issue
Doc Text:
File permissions of `/etc/passwd-` are not aligned with the CIS RHEL 8 Benchmark 1.0.0

Because of an issue with the CIS Benchmark, the remediation of the SCAP rule that ensures permissions on the `/etc/passwd-` backup file configures permissions to `0644`. However, the `CIS Red Hat Enterprise Linux 8 Benchmark 1.0.0` requires file permissions `0600` for that file. As a consequence, the file permissions of `/etc/passwd-` are not aligned with the benchmark after remediation.
Clone Of:
Environment:
Last Closed: 2020-08-03 08:49:21 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
CIS rule for /etc/passwd- (203.33 KB, image/png), 2020-07-20 15:54 UTC, jtougne

Description jtougne 2020-07-20 15:54:45 UTC
Created attachment 1701783: CIS rule for /etc/passwd-

Description of problem:

Hi,
I loaded the CIS rules for RHEL8 without any tailoring. Looking at this one: xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd

The description says:
To properly set the permissions of /etc/passwd-, run the command: $ sudo chmod 0644 /etc/passwd-


Looking at the CIS benchmark for RHEL8 V1.0.0, the rule actually says:
6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)


# chown root:root /etc/passwd-
# chmod u-x,go-rwx /etc/passwd-
(it's a chmod 0600).


Version-Release number of selected component (if applicable):
scap-security-guide.noarch   0.1.50-7.el8

How reproducible:
Load the CIS rule, remediate using Ansible, then run another auditing tool such as Tripwire that checks compliance with CIS 1.0.0 for RHEL8. It will fail because /etc/passwd- (the backup file) has mode 0644 and not 0600.

Steps to Reproduce:
1.
2.
3.

Actual results:
/etc/passwd- is 0644

Expected results:
CIS says in 6.1.6 it should be 0600.

Additional info:
We have no variable we can modify to manually change it to 0600 instead of 0640.
Since I loaded only the rules for CIS for RHEL8, it should be matching. If that rule is required by another standard, then it should have a variable allowing the user to fix it for CIS.

Comment 1 Gabriel Gaspar Becker 2020-07-20 16:59:07 UTC
This is a known issue in the CIS benchmarks for RHEL8. If you look at the same equivalent requirement for RHEL7, you will see permissions 0644 or stricter there. We have already opened a ticket in the CIS system to track this issue.

The issue here is that the package responsible for creating the backup file /etc/passwd- always creates it with 0644, which is the same permissions as the actual configuration file /etc/passwd.

Comment 2 Vojtech Polasek 2020-08-03 08:49:21 UTC
I am closing this as won't fix, as this is an issue of the CIS benchmark.

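The mode comparison this bug turns on, as an added example that is not part of the bug report or of scap-security-guide: the SSG rule accepts `0644` or stricter (no permission bit set beyond `0644`), whereas CIS 6.1.6 in the RHEL 8 Benchmark 1.0.0, as read in this report, wants `0600`. The script below checks a file against both expectations so that a post-remediation audit can tell the two apart. It walks a constructed temporary stand-in for `/etc/passwd-` through the states described above rather than touching the real file, and it assumes GNU `stat` (`-c %a`) as shipped on RHEL 8.

```shell
#!/bin/sh
# Added example, not code from the bug report or from scap-security-guide.
# Assumes GNU stat (coreutils) for 'stat -c %a'.

# mode_at_most FILE MAX: succeed if FILE's mode is MAX or stricter, i.e. it
# sets no permission bit that MAX does not allow (actual & ~max == 0).
mode_at_most() {
    actual=$(stat -c %a "$1") || return 2
    # The leading 0 makes the shell read both values as octal.
    extra=$(( 0$actual & ~0$2 & 07777 ))
    [ "$extra" -eq 0 ]
}

# verdict FILE: print one line, "ssg=<pass|fail> cis=<pass|fail>", where
#   ssg = what the SSG rule/remediation produces and accepts (0644 or stricter)
#   cis = what CIS RHEL 8 Benchmark 1.0.0, 6.1.6 asks for (0600; treated here
#         as "no bits beyond 0600", so 0400 also passes)
verdict() {
    if mode_at_most "$1" 644; then ssg=pass; else ssg=fail; fi
    if mode_at_most "$1" 600; then cis=pass; else cis=fail; fi
    printf 'ssg=%s cis=%s\n' "$ssg" "$cis"
}

# demo: a constructed stand-in for /etc/passwd-, taken through the two states
# the bug describes, with the verdict shown after each.
demo() {
    tmp=$(mktemp -d) || return 1
    f="$tmp/passwd-"
    : > "$f"

    chmod 0644 "$f"          # as left by the backup logic and the SSG remediation
    printf '%s after chmod 0644: %s\n' "$f" "$(verdict "$f")"

    chmod u-x,go-rwx "$f"    # the CIS 6.1.6 remediation, i.e. 0600
    printf '%s after CIS 6.1.6 remediation: %s\n' "$f" "$(verdict "$f")"

    rm -rf "$tmp"
}

demo
```

Running `verdict /etc/passwd-` on a host remediated with the CIS profile from scap-security-guide 0.1.50 shows `ssg=pass cis=fail`, which is exactly the mismatch a second auditor aligned to CIS 1.0.0 reports; after `chmod u-x,go-rwx /etc/passwd-` both checks pass.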
