Bug 2083109 - issues with xccdf_org.ssgproject.content_rule_sudo_custom_logfile rule and remediation
Summary: issues with xccdf_org.ssgproject.content_rule_sudo_custom_logfile rule and re...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.5
Hardware: All
OS: All
unspecified
medium
Target Milestone: rc
: ---
Assignee: Jan Černý
QA Contact: Milan Lysonek
Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-05-09 10:19 UTC by Welterlen Benoit
Modified: 2022-11-08 10:33 UTC (History)
7 users (show)

Fixed In Version: scap-security-guide-0.1.63-2.el8
Doc Type: Bug Fix
Doc Text:
.Remediation of `sudo_custom_logfile` works for custom `sudo` log files Previously, remediation of the SCAP Security Guide rule `xccdf_org.ssgproject.content_sudo_custom_logfile` did not work for custom `sudo` log files with a different path than `/var/log/sudo.log`. With this update, the rule is fixed so that it can properly remediate if the system has a custom `sudo` log file that does not match the expected path.
Clone Of:
Environment:
Last Closed: 2022-11-08 09:40:01 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-121403 0 None None None 2022-05-09 10:29:46 UTC
Red Hat Product Errata RHBA-2022:7563 0 None None None 2022-11-08 09:40:17 UTC

Description Welterlen Benoit 2022-05-09 10:19:27 UTC
Description of problem:

Multiple issues:

- when /etc/sudoers file contains already a line with "Defaults logfile=" but not the default logfile=/var/log/sudo.log, the test fails 
=> then when the remediation is applied and a new line with default value is added:

~~~
Defaults logfile=/var/log/sudofile.log
Defaults logfile=/var/log/sudo.log
~~~

=> and then the test still fails, because only one entry is expected


- The test to check the validity of the line is broken, because "Defaults_fake logfile=/var/log/sudo.log" will pass


Version-Release number of selected component (if applicable):
scap-security-guide-0.1.57-5.el8.noarch

How reproducible:
always

Steps to Reproduce:
1. scap xccdf eval --verbose DEVEL  --verbose-log-file oval.log --rule xccdf_org.ssgproject.content_rule_sudo_custom_logfile --profile xccdf_org.ssgproject.content_profile_cis  --results scan_resultsAfterRemediation.xml --report scan_reportAfterRemediation.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
2. ansible-playbook -b -k -K --become-user root   --become-method 'sudo' -i localhost, PlaybookToRemediatesudo.yml |& tee PlaybookToRemediate.output
3.

Actual results:
- Fault positive test
- Wrond remediation which leads to fail test

Expected results:
- Good remediation
- Failed test if Defaults_fake is used

Additional info:
Thank you !

Comment 2 Jan Černý 2022-08-05 11:11:03 UTC
A pull request has been opened in upstream: https://github.com/ComplianceAsCode/content/pull/9299

Comment 3 Jan Černý 2022-08-05 13:50:03 UTC
https://github.com/ComplianceAsCode/content/pull/9299 has been merge to upstream

Comment 18 errata-xmlrpc 2022-11-08 09:40:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7563


Note You need to log in before you can comment on or make changes to this bug.