RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Description of problem:
Rule `dir_perms_world_writable_root_owned` fails after installing RHEL7 (Server with GUI) with ANSSI profile. The finding is caused by the directory `/tmp/.ICE-unix/` which is not owned by root but by a user (with UID 1000). Normal installation (without ANSSI security profile) is not affected and the directory is correctly owned by the root user, so the ANSSI profile remediations must be causing this.


Version-Release number of selected component (if applicable):
scap-security-guide-0.1.54-3.el7_9


How reproducible:
always


Steps to Reproduce:
1. Install RHEL-7.9 Server with GUI variant and select ANSSI security policy.
2. Scan system with openscap after installation.
3. Rule dir_perms_world_writable_root_owned is reported as fail.


Actual results:
Rule `dir_perms_world_writable_root_owned` fails after installing RHEL-7.9 with the ANSSI profile.


Expected results:
Rule `dir_perms_world_writable_root_owned` passes after installing RHEL-7.9 with the ANSSI profile.


Additional info:

Created attachment 1760670 [details]
HTML report from remediation during installation

Created attachment 1760671 [details]
HTML report from scan after installation

I can confirm that the issue is caused by the `accounts_polyinstantiated_tmp` rule, when this rule is unselected from the profile the issue does not occur.

This is caused by directory '/tmp/tmp-inst' (created by remediation of 'accounts_polyinstantiated_tmp') not persisting after install. Very likely because the installation occurs in a 'chroot'ed environment.

The workaround for this is to re-apply remediation for 'accounts_polyinstantiated_tmp':
$ oscap xccdf eval --remediate --profile anssi_nt28_intermediary --rule xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

When trying to learn more about the polyinstantiation (also in our docs), I have stumbled upon this blog by Huzaifa: https://access.redhat.com/blogs/766093/posts/3169121 and some other materials. All of them say the `tmp-inst` should be a root directory, not subdirectory of `/tmp/`. Are you sure the rule works as expected, Vojto?