Bug 2032403 - openscap cis_server_level1 benchmark list mount option requirement for /var/tmp but does not require separate /var/tmp
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.5
Hardware: All
OS: All
Target Milestone: rc
Assignee: Matěj Týč
QA Contact: Matus Marhefka
Jan Fiala
Depends On:
Blocks: 2117510 2117511
Reported: 2021-12-14 12:41 UTC by Ameya Patil
Modified: 2022-11-08 10:33 UTC

Fixed In Version: scap-security-guide-0.1.63-3.el8
Doc Type: Enhancement
Doc Text:
.SSG rules for mount options no longer fail incorrectly if the `/tmp` and `/var/tmp` partitions do not exist
Previously, the SCAP Security Guide (SSG) rules for mount options of `/tmp` and `/var/tmp` partitions were incorrectly reporting the `fail` result if such partitions did not exist on the system. This enhancement makes those rules not applicable instead of failing. Now, the rules fail only when the partition exists and the system does not have correct mount options. If these mount options are essential for a particular policy, a rule that prescribes the existence of such partitions should be present in the profile, and that one rule should fail.
Clone Of:
: 2117510 2117511
Last Closed: 2022-11-08 09:39:56 UTC
Type: Bug
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-105742 0 None None None 2021-12-14 12:44:13 UTC
Red Hat Product Errata RHBA-2022:7563 0 None None None 2022-11-08 09:40:30 UTC

Description Ameya Patil 2021-12-14 12:41:17 UTC
Description of problem:

The new RHEL 8.5 security guide has the updated CIS profile, which includes Level 1 and Level 2 for servers for RHEL 7.

# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml  | grep -i cis
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL7.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml' file which is referenced from datastream
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml' file which is referenced from datastream
			Title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server
				Id: xccdf_org.ssgproject.content_profile_cis
			Title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server
				Id: xccdf_org.ssgproject.content_profile_cis_server_l1
			Title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation
				Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1
			Title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation
				Id: xccdf_org.ssgproject.content_profile_cis_workstation_l2

Observed while performing a SCAP scan from a RHEL 8.5 system against a RHEL 7.9 system using oscap-ssh.

The issue is that the Level 1 server profile has an entry for a separate /tmp partition but not for a separate /var/tmp partition.
But the Level 1 server profile also has rules that /var/tmp should have the mount options nosuid, noexec and nodev.
Since a separate partition is not a requirement, /var/tmp should not require mount options like these.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Perform an oscap scan from a RHEL 8.5 system with the new version of scap-security-guide against a RHEL 7.9 system; you can use the oscap-ssh command for this.

2. We see in the scan result that the requirement is for /tmp to be located on a separate partition, but not /var/tmp.
   However, the mount options are being checked even against /var/tmp.

# oscap-ssh root@rhel7 <PORT> xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_server_l1  /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

...[output skipped]...

Title   Ensure /tmp Located On Separate Partition
Rule    xccdf_org.ssgproject.content_rule_partition_for_tmp
Ident   CCE-82053-0
Result  fail

...[output skipped]...

Title   Add nodev Option to /tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
Ident   CCE-80149-8
Result  fail

Title   Add noexec Option to /tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec
Ident   CCE-80150-6
Result  fail

Title   Add nosuid Option to /tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid
Ident   CCE-80151-4
Result  fail

Title   Add nodev Option to /var/tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev
Ident   CCE-81052-3
Result  fail

Title   Add noexec Option to /var/tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec
Ident   CCE-82150-4
Result  fail

Title   Add nosuid Option to /var/tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid
Ident   CCE-82153-8
Result  fail

...[output skipped]...


Actual results:
The oscap rules fail for the /var/tmp mount options, since /var/tmp is not a necessary partition for this policy and hence was not created.

Expected results:
The policy should either also check that /var/tmp is located on a separate partition, or not have a mount option requirement for it.

Additional info:
CIS Server L2 requires /var/tmp to be on a separate partition.

Comment 2 Vojtech Polasek 2021-12-16 10:11:15 UTC
Hello Ameya,
the rule should stay in the profile; the CIS benchmark says so. Although the requirement for a /var/tmp partition is in the Level 2 profile, the possible mount options are already in the Level 1 profile.
But the rule should be smart and check whether the partition actually exists. If it does not, the rule will show as "not applicable". This is not happening now, and I think we can implement that.
Is this acceptable for the customer?
Here is an excerpt from the CIS RHEL7 benchmark:
1.1.12 Ensure /var/tmp partition includes the noexec option (Automated)
Profile Applicability:
  Level 1 - Server
  Level 1 - Workstation
The noexec mount option specifies that the filesystem cannot contain executable binaries.
Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp.
If a /var/tmp partition exists, run the following command to verify that the noexec option is set:
# findmnt -n /var/tmp | grep -Ev '\bnoexec\b'

Nothing should be returned
For existing /var/tmp partitions, edit the /etc/fstab file and add noexec to the fourth field (mounting options) of the /var/tmp entry. See the fstab(5) manual page for more information.
Run the following command to remount /var/tmp :
# mount -o remount,noexec /var/tmp
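
The behaviour asked for in comment 2 (and implied by the report's expected results) can be sketched as a small POSIX shell check: a mount-option rule is "not applicable" when the target is not a separate mount, "fail" when it is mounted without the option, and "pass" otherwise. This is an added example, not scap-security-guide's or OpenSCAP's own rule code. The function `check_mount_option`, the helper `evaluate_target` and the `SAMPLE_MOUNTS` data are hypothetical; the sample is constructed in the format of `findmnt -rn -o TARGET,OPTIONS` and models the reporter's RHEL 7 system, where /tmp is a separate mount but /var/tmp is not.

```shell
#!/bin/sh
# Added example (not scap-security-guide's own check): evaluate an
# "Add <option> Option to <target>" rule the way comment 2 asks for.
#   notapplicable  target is not a separate mount (e.g. /var/tmp lives on /)
#   fail           target is mounted, but without the required option
#   pass           target is mounted with the option
# Mount data is read from stdin in the format of `findmnt -rn -o TARGET,OPTIONS`
# so the logic can be exercised on constructed input instead of the live system.

# Constructed sample (hypothetical): /tmp is a separate mount carrying nosuid
# and nodev but not noexec; /var/tmp is not a separate mount at all.
SAMPLE_MOUNTS='/ rw,relatime,seclabel
/tmp rw,nosuid,nodev,relatime,seclabel
/boot rw,relatime,seclabel'

# check_mount_option TARGET OPTION  (reads findmnt-style lines from stdin)
# Prints the verdict; exit status 0 = pass, 1 = fail, 2 = notapplicable.
check_mount_option() {
    target=$1
    option=$2
    # First field is the mount target; take the first matching line only.
    mount_line=$(awk -v t="$target" '$1 == t { print; exit }')
    if [ -z "$mount_line" ]; then
        echo notapplicable
        return 2
    fi
    opts=$(printf '%s\n' "$mount_line" | awk '{ print $2 }')
    # Wrap the option list in commas so the match is against a whole field:
    # "nodev" must not be satisfied by a longer option that merely contains it.
    case ",$opts," in
        *,"$option",*) echo pass; return 0 ;;
        *)             echo fail; return 1 ;;
    esac
}

# evaluate_target TARGET: run the three CIS mount-option rules for one
# target and print them in the layout of the oscap output in the report.
evaluate_target() {
    for opt in nodev noexec nosuid; do
        verdict=$(printf '%s\n' "$SAMPLE_MOUNTS" | check_mount_option "$1" "$opt") || true
        printf 'Title   Add %s Option to %s\nResult  %s\n\n' "$opt" "$1" "$verdict"
    done
}

evaluate_target /tmp
evaluate_target /var/tmp
```

Against the sample, /tmp yields pass/fail/pass for nodev/noexec/nosuid and /var/tmp yields notapplicable for all three, which is the outcome the reporter expected instead of three failures. On a live system the same function can be fed `findmnt -rn -o TARGET,OPTIONS | check_mount_option /var/tmp noexec`; note that a bind mount of /var/tmp appears in findmnt as its own entry and is therefore evaluated, which matches the CIS wording "if a /var/tmp partition exists".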

Comment 11 Matěj Týč 2022-08-10 14:02:19 UTC
There are now more PRs that address this BZ:


Comment 21 Watson Yuuma Sato 2022-08-17 15:16:00 UTC
This PR was also required: https://github.com/ComplianceAsCode/content/pull/9339

Comment 27 errata-xmlrpc 2022-11-08 09:39:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

