Description of problem:
The new RHEL 8.5 security guide has the updated CIS profile, which includes Level 1 and Level 2 for servers for RHEL 7:
~~~
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml | grep -i cis
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL7.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml' file which is referenced from datastream
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml' file which is referenced from datastream
        Title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server
                Id: xccdf_org.ssgproject.content_profile_cis
        Title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server
                Id: xccdf_org.ssgproject.content_profile_cis_server_l1
        Title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation
                Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1
        Title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation
                Id: xccdf_org.ssgproject.content_profile_cis_workstation_l2
~~~

While performing a SCAP scan from a RHEL 8.5 system against a RHEL 7.9 system using oscap-ssh, the issue is that the Level 1 server profile has entries for a separate /tmp partition but not for a separate /var/tmp. However, the Level 1 server profile also has rules requiring /var/tmp to have the mount options nosuid, noexec and nodev. Since a separate partition is not a requirement, /var/tmp should not be required to have mount options like these.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.57-5.el8.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Perform an oscap scan from a RHEL 8.5 system with the new version of scap-security-guide against a RHEL 7.9 system; you can use the oscap-ssh command for this.
2. We see in the scan result that the requirement is for /tmp to be located on a separate partition, but not /var/tmp. However, the mount options are being checked even against /var/tmp:
~~~
# oscap-ssh root@rhel7 <PORT> xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_server_l1 /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
...[output skipped]...
Title   Ensure /tmp Located On Separate Partition
Rule    xccdf_org.ssgproject.content_rule_partition_for_tmp
Ident   CCE-82053-0
Result  fail
...[output skipped]...
Title   Add nodev Option to /tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
Ident   CCE-80149-8
Result  fail

Title   Add noexec Option to /tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec
Ident   CCE-80150-6
Result  fail

Title   Add nosuid Option to /tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid
Ident   CCE-80151-4
Result  fail

Title   Add nodev Option to /var/tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev
Ident   CCE-81052-3
Result  fail

Title   Add noexec Option to /var/tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec
Ident   CCE-82150-4
Result  fail

Title   Add nosuid Option to /var/tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid
Ident   CCE-82153-8
Result  fail
...[output skipped]...
~~~

Actual results:
The oscap rules for the /var/tmp mount options fail, since /var/tmp is not a necessary partition for this policy and hence was not created.

Expected results:
The policy should either also check that /var/tmp is located on a separate partition, or not have a mount option requirement for it.

Additional info:
CIS Server L2 requires /var/tmp to be on a separate partition.
Hello Ameya, the rule should stay in the profile, the CIS benchmark says so. Although the requirement for a /var/tmp partition is in the Level 2 profile, the possible mount options are already in the Level 1 profile. But the rule should be smart and check if the partition actually exists. If it does not, it will show as "not applicable". This is not happening now and I think we can implement that. Is this acceptable for the customer?

Here is an excerpt from the CIS RHEL7 benchmark:
###
1.1.12 Ensure /var/tmp partition includes the noexec option (Automated)

Profile Applicability:
Level 1 - Server
Level 1 - Workstation

Description:
The noexec mount option specifies that the filesystem cannot contain executable binaries.

Rationale:
Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp.

Audit:
If a /var/tmp partition exists, run the following command to verify that the noexec option is set:
# findmnt -n /var/tmp | grep -Ev '\bnoexec\b'
Nothing should be returned

Remediation:
For existing /var/tmp partitions, edit the /etc/fstab file and add noexec to the fourth field (mounting options) of the /var/tmp entry. See the fstab(5) manual page for more information.
Run the following command to remount /var/tmp:
# mount -o remount,noexec /var/tmp
###
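As an added example (not code from the bug report or from the ComplianceAsCode project), here is a bash model of the behaviour requested in the comment above: a mount-option check that returns "notapplicable" when the mount point is not a separate filesystem, rather than failing. The mount table is a constructed findmnt-style sample, not output from a real host.

```bash
#!/usr/bin/env bash
# Added example, not code from the bug report or from ComplianceAsCode: models the
# behaviour the comment asks for. A mount-option rule should return "notapplicable"
# when the mount point is not a separate filesystem, "pass" when the option is set
# and "fail" when it is missing. Only the exact mount point counts; a parent mount
# such as /var does not satisfy "if a /var/tmp partition exists".

# Constructed sample in `findmnt -n --raw` style (TARGET SOURCE FSTYPE OPTIONS);
# not captured from a real host. /tmp is separate but lacks the CIS options and
# /var/tmp is not a separate filesystem, matching the scan in the report.
SAMPLE_MOUNTS='/ /dev/mapper/rhel-root xfs rw,relatime,attr2,inode64,noquota
/boot /dev/sda1 xfs rw,relatime,attr2,inode64,noquota
/tmp /dev/mapper/rhel-tmp xfs rw,relatime,attr2,inode64,noquota
/var /dev/mapper/rhel-var xfs rw,nosuid,nodev,relatime,attr2,inode64,noquota'

# mount_option_check MOUNTPOINT OPTION [MOUNT_TABLE]
# Prints notapplicable, pass or fail. On a live system pass "$(findmnt -n --raw)".
mount_option_check() {
    local target="$1" option="$2" table="${3:-$SAMPLE_MOUNTS}"
    local line
    line=$(printf '%s\n' "$table" | awk -v t="$target" '$1 == t { print; exit }')
    if [ -z "$line" ]; then
        echo notapplicable
        return 0
    fi
    # Fourth field is the option list; match whole options so "dev" never matches "nodev".
    if printf '%s\n' "$line" | awk '{ print $4 }' | tr ',' '\n' | grep -qx -- "$option"; then
        echo pass
    else
        echo fail
    fi
}

# Evaluate the three Level 1 options for both mount points, as the scan did.
report() {
    local mp opt
    for mp in /tmp /var/tmp; do
        for opt in nodev noexec nosuid; do
            printf '%-9s %-7s %s\n' "$mp" "$opt" "$(mount_option_check "$mp" "$opt")"
        done
    done
}

report
```

With the sample table the /tmp rules report fail (the partition exists without the options) while the /var/tmp rules report notapplicable instead of fail.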
https://github.com/ComplianceAsCode/content/pull/9204
There are now more PRs that address this BZ: https://github.com/ComplianceAsCode/content/pull/9204 https://github.com/ComplianceAsCode/content/pull/9324
This PR was also required: https://github.com/ComplianceAsCode/content/pull/9339
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:7563