Bug 1884687 - Openscap protection profile rules for rhel 8 are always notchecked.
Summary: Openscap protection profile rules for rhel 8 are always notchecked.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: ---
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: rc
Assignee: Marcus Burghardt
QA Contact: Milan Lysonek
Docs Contact: Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-10-02 16:29 UTC by Jaskaran Singh Narula
Modified: 2022-05-10 14:42 UTC (History)

Fixed In Version: scap-security-guide-0.1.59-1.el8
Doc Type: Enhancement
Doc Text:
SSG now scans and remediates rules for home directories and interactive users

OVAL content to check and remediate all existing rules related to home directories used by interactive users was added to the SCAP Security Guide (SSG) suite. Many benchmarks require verification of properties and content usually found within home directories of interactive users. Because the existence and the number of interactive users in a system may vary, there was previously no robust solution to cover this gap using the OVAL language. This update adds OVAL checks and remediations that detect local interactive users in a system and their respective home directories. As a result, SSG can safely check and remediate all related benchmark requirements.
Clone Of:
Environment:
Last Closed: 2022-05-10 14:14:34 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2022:1900 (last updated 2022-05-10 14:14:44 UTC)

Description Jaskaran Singh Narula 2020-10-02 16:29:51 UTC
Description of problem:
For RHEL 8 SCAP content under the profile "Protection Profile for General Purpose Operating System", the rules below are always notchecked/not scanned.

While using a tailoring file, the rules are also notchecked by the scanner. Even if these rules are specifically selected in the tailoring file, they are still not checked.

Even when the profile is scanned through Satellite or SCAP Workbench, the results are the same.

Profile Name: Protection Profile for General Purpose Operating System
Rules:
------------
All Interactive Users Home Directories Must Exist                               medium   notchecked
All Interactive User Home Directories Must Be Group-Owned By The Primary User   medium   notchecked
All Interactive User Home Directories Must Be Owned By The Primary User         medium   notchecked
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive    medium   notchecked
--------------

Version-Release number of selected component (if applicable):
satellite-6.7.0-7.el7sat.noarch
scap-security-guide-0.1.46-11.el7.noarch
tfm-rubygem-foreman_openscap-2.0.2-1.el7sat.noarch
openscap-scanner-1.2.17-9.el7.x86_64
ansiblerole-foreman_scap_client-0.0.3-1.el7sat.noarch
puppet-foreman_scap_client-0.3.21-1.el7sat.noarch
openscap-1.2.17-9.el7.x86_64
rubygem-smart_proxy_openscap-0.7.2-1.el7sat.noarch
tfm-rubygem-hammer_cli_foreman_openscap-0.1.8-1.el7sat.noarch


How reproducible:
100% 

Steps to Reproduce:

Actual results:
Rules are not checked.

Expected results:
Rules need to be checked and either result in pass or fail.  

Additional info:

Comment 1 Ondřej Pražák 2020-10-07 08:22:14 UTC
Since Satellite has no control over how rules are evaluated during scan and the same results are achieved via workbench, I am moving this out of Satellite.

Comment 3 Jan Černý 2020-10-12 06:59:29 UTC
All the rules mentioned in the attached customer case don't have any OVAL implemented.

Comment 4 Marek Haicman 2020-11-26 23:06:32 UTC
Hello, as Jan already wrote in Comment 3, the `notchecked` means there was no automated check available to scan the machine state against the rule.

I'll just add a bit of clarity to the bug report. These rules are not part of the profile; they were selected on top of the profile. The OVAL language, in which the checks are written, is notoriously tricky. So quite a few rules in the upstream project have only the textual parts, with the check missing. Due to the sheer amount of rules that exist in the project for RHEL7 and RHEL8, it was not possible for us to cover all rules with checks. We were facing a dilemma: remove those rules without a check altogether, or keep them in the "unfinished" state. Our decision was to keep them, so users can at least have guidance in a human-readable format.

I am writing this to explain that unfortunately this type of omission is not an oversight, but a deliberate decision regarding the resources available. Thus it is a bit lower priority for us than, let's say, outdated or missing profiles. I won't close the BZ just yet, just don't hold your breath waiting for the fix.

Comment 6 Matěj Týč 2021-08-30 13:05:24 UTC
Rules that are mentioned are:

accounts_user_interactive_home_directory_exists
file_ownership_home_directories
accounts_users_home_files_permissions
accounts_users_home_files_groupownership
file_permissions_home_directories
accounts_user_interactive_home_directory_defined
file_groupownership_home_directories
accounts_user_dot_user_ownership
accounts_umask_interactive_users

It is noteworthy that all of those rules are related to home directories, and many systems that use e.g. LDAP to store user data don't expose home directories names in a way that would be accessible to any implementation of the OVAL password test (see https://oval.mitre.org/language/version5.6/ovaldefinition/documentation/unix-definitions-schema.html), so it is difficult to automate checks for such rules.
Also keep in mind that user home directories may be located somewhere else than in the /home directory.
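
As an added example (not code from scap-security-guide, Red Hat, or any of the commenters), the following bash script performs the four checks the reporter listed (home exists, owned by the user, group-owned by the user's primary group, mode 0750 or stricter) against the population Matěj's comment describes as checkable: local interactive users read from a passwd-format file, with the home directory taken from the passwd entry rather than assumed to live under /home, and remote (e.g. LDAP) users out of scope. Assumptions: GNU coreutils stat(1) and GNU find(1); the passwd path and the UID floor are parameters (normally /etc/passwd and UID_MIN from /etc/login.defs) so the script can also run against constructed data; the nobody UID 65534 and nologin/false shells are treated as non-interactive.

```shell
#!/usr/bin/env bash
# Added example, not SSG's own check or remediation code.
# Assumes GNU stat(1) and GNU find(1) (-perm /mode).

# Print "user:uid:gid:home" for each local interactive user in a
# passwd-format file. Interactive here means uid >= uid_min, not the
# nobody uid (65534), and a login shell other than nologin/false.
interactive_users() {
    local passwd_file="$1" uid_min="${2:-1000}"
    awk -F: -v min="$uid_min" '
        $3 >= min && $3 != 65534 && $7 !~ /(nologin|false)$/ {
            print $1 ":" $3 ":" $4 ":" $6
        }' "$passwd_file"
}

# Check one home directory against the four rules. Prints one FAIL line
# per finding and returns the number of findings (0 = passes everything).
check_home() {
    local user="$1" uid="$2" gid="$3" home="$4" findings=0
    if [ ! -d "$home" ]; then
        echo "FAIL $user: home directory $home does not exist"
        return 1
    fi
    local owner group mode
    owner=$(stat -c %u "$home")
    group=$(stat -c %g "$home")
    mode=$(stat -c %a "$home")
    if [ "$owner" != "$uid" ]; then
        echo "FAIL $user: $home is owned by uid $owner, expected $uid"
        findings=$((findings + 1))
    fi
    if [ "$group" != "$gid" ]; then
        echo "FAIL $user: $home is group-owned by gid $group, expected $gid"
        findings=$((findings + 1))
    fi
    # "0750 or less permissive" = no group-write bit and no bits for others,
    # i.e. none of the bits in 027 may be set. find -perm /027 prints the
    # path when any of those bits is present.
    if [ -n "$(find "$home" -maxdepth 0 -perm /027)" ]; then
        echo "FAIL $user: $home has mode $mode, expected 0750 or stricter"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Audit every interactive user; prints the FAIL lines and exits non-zero
# if any finding was recorded.
# Usage on a real host:
#   audit_homes /etc/passwd "$(awk '/^UID_MIN/ {print $2}' /etc/login.defs)"
audit_homes() {
    interactive_users "$1" "${2:-1000}" | {
        total=0
        while IFS=: read -r user uid gid home; do
            check_home "$user" "$uid" "$gid" "$home" || total=$((total + 1))
        done
        [ "$total" -eq 0 ]
    }
}
```

Each FAIL line maps to one of the four rules in the report. The script only ever sees what is in the passwd file it is given, which is exactly the limitation described above: directory-service users whose entries are resolved through NSS but are not present in /etc/passwd are not audited, and a site with such users still needs an out-of-band check.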

Comment 9 Marcus Burghardt 2021-11-12 14:58:16 UTC
There are 4 PRs already merged into Upstream that together cover the aforementioned rules and some others also related to interactive user home directories:

https://github.com/ComplianceAsCode/content/pull/7770
file_groupownership_home_directories
file_ownership_home_directories
file_permissions_home_directories

https://github.com/ComplianceAsCode/content/pull/7790
accounts_user_interactive_home_directory_defined
accounts_user_interactive_home_directory_exists

https://github.com/ComplianceAsCode/content/pull/7824
accounts_users_home_files_groupownership
accounts_users_home_files_ownership
accounts_users_home_files_permissions

https://github.com/ComplianceAsCode/content/pull/7837
accounts_user_dot_user_ownership
accounts_user_dot_group_ownership
accounts_user_dot_no_world_writable_programs
accounts_umask_interactive_users

14 new rules covered in total.

Comment 23 errata-xmlrpc 2022-05-10 14:14:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1900

