Bug 2023569 - Remediations for scan with xccdf_org.ssgproject.content_profile_ism_o do not actually remediate failed test results
Summary: Remediations for scan with xccdf_org.ssgproject.content_profile_ism_o do not ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.4
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Gabriel Gaspar Becker
QA Contact: Milan Lysonek
Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-11-16 03:53 UTC by kmoriguc
Modified: 2022-05-10 14:43 UTC (History)
6 users (show)

Fixed In Version: scap-security-guide-0.1.60-1.el8
Doc Type: Bug Fix
Doc Text:
.Descriptions for `restorecon` and `seunshare` SSG rules fixed Previously, descriptions for rules "Record Any Attempts to Run restorecon" (CCE-80699-2) and "Record Any Attempts to Run seunshare" (CCE-80933-5) were incorrect. With this update, the descriptions of these rules are aligned with the automated OVAL check. As a result, applying the fix recommended in the description now correctly fixes these rules.
Clone Of:
Environment:
Last Closed: 2022-05-10 14:15:29 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)
A samle test result against RHEL 8.4 server (2.30 MB, text/html)
2021-11-16 03:53 UTC, kmoriguc 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-102881 0 None None None 2021-11-16 03:54:07 UTC
Red Hat Product Errata RHBA-2022:1900 0 None None None 2022-05-10 14:15:52 UTC

Description kmoriguc 2021-11-16 03:53:45 UTC 
Created attachment 1841934 [details]
A samle test result against RHEL 8.4 server

Description of problem:
Remediations for scan with xccdf_org.ssgproject.content_profile_ism_o do not actually remediate failed test results

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.57-5.el8.noarch.rpm

How reproducible:
100%

Steps to Reproduce:
1. Run evaluation with:
Profile ID	xccdf_org.ssgproject.content_profile_ism_o 
Benchmark ID	xccdf_org.ssgproject.content_benchmark_RHEL-8

2. The test report includes failed results for 
- Record Any Attempts to Run restorecon
- Record Any Attempts to Run seunshare
Respective remediation is to add audit rules:
-a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged

3. Re-run of the evaluation will not remediate these two errors.
The actual audit rules required to remediate failed results are respectively:
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Actual results:
"Description" in the test report do not remediate failed results.

Expected results:
"Description" in the test report remediates failed results.

Additional info:
Comment 2 Gabriel Gaspar Becker 2021-11-16 12:29:08 UTC 
Fix proposed upstream: https://github.com/ComplianceAsCode/content/pull/7885
Comment 20 errata-xmlrpc 2022-05-10 14:15:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1900
Note You need to log in before you can comment on or make changes to this bug.