Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
DescriptionJan Pazdziora (Red Hat)
2022-07-25 09:38:38 UTC
Description of problem:
The OSPP SCAP profile has the following rules related to partitions and their mount options:
- partition_for_home
- mount_option_home_nodev
- mount_option_home_nosuid
- partition_for_var
- mount_option_var_nodev
- partition_for_var_log
- mount_option_var_log_nodev
- mount_option_var_log_nosuid
- mount_option_var_log_noexec
- partition_for_var_log_audit
- mount_option_var_log_audit_nodev
- mount_option_var_log_audit_nosuid
- mount_option_var_log_audit_noexec
- partition_for_var_tmp
- mount_option_var_tmp_nodev
- mount_option_var_tmp_noexec
- mount_option_var_tmp_nosuid
- no rule for /boot but
- mount_option_boot_nodev
- mount_option_boot_nosuid
- no rule for /tmp but
- mount_option_tmp_nodev
- mount_option_tmp_noexec
- mount_option_tmp_nosuid
- no rule for /dev/shm but
- mount_option_dev_shm_nodev
- mount_option_dev_shm_noexec
- mount_option_dev_shm_nosuid
- mount_option_nodev_nonroot_local_partitions
Except for partition_for_var_log_audit which references FMT_SMF_EXT.1 (for its Configure local audit storage capacity) there are no OSPP references in those rules.
Please drop any drop any partition_for_* and mount_option_* rules except for *_var_log_audit_* from the RHEL 9 OSPP SCAP profile. If mount_option_nodev_nonroot_local_partitions is now the preferred way of ensuring nodev in the profiles, it's OK to keep it instead of mount_option_var_log_audit_nodev.
Version-Release number of selected component (if applicable):
scap-security-guide-0.1.60-6.el9_0.noarch
How reproducible:
Deterministic.
Steps to Reproduce:
1. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml | grep -E 'partition_for_|mount_option_'
Actual results:
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2 file which is referenced from XCCDF content
Rule xccdf_org.ssgproject.content_rule_partition_for_home
Rule xccdf_org.ssgproject.content_rule_partition_for_var
Rule xccdf_org.ssgproject.content_rule_partition_for_var_log
Rule xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
Rule xccdf_org.ssgproject.content_rule_partition_for_var_tmp
Rule xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
Rule xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
Rule xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
Rule xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
Rule xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
Rule xccdf_org.ssgproject.content_rule_mount_option_home_nodev
Rule xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
Rule xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
Rule xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
Rule xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec
Rule xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid
Rule xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev
Rule xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec
Rule xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid
Rule xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev
Rule xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec
Rule xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid
Rule xccdf_org.ssgproject.content_rule_mount_option_var_nodev
Rule xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev
Rule xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec
Rule xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid
Expected results:
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2 file which is referenced from XCCDF content
Rule xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
Rule xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
[ or Rule xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev ]
Rule xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec
Rule xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid
There should be one of mount_option_nodev_nonroot_local_partitions, mount_option_var_log_audit_nodev.
Additional info:
Hello,
so Idecided to leave there only following rules:
- partition_for_var_log_audit
- mount_option_var_log_audit_nodev
- mount_option_var_log_audit_nosuid
- mount_option_var_log_audit_noexec
The mount_option rules are lacking ospp reference. Do you want also FMT_SMF_EXT.1 to be set as ospp reference for them?
Comment 2Jan Pazdziora (Red Hat)
2022-07-25 13:46:51 UTC
OK about mount_option_var_log_audit_nodev.
No, we don't need the FMT_SMF_EXT.1 reference there, we treat those mount options as reasonable security for that separate partition but we don't have them rooted in that (or other) specific SFR.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:8131