2130185 – Offline remediation of fstab permissions fails in Image Builder

Bug 2130185 - Offline remediation of fstab permissions fails in Image Builder

Summary: Offline remediation of fstab permissions fails in Image Builder

Keywords:
Status:	MODIFIED
Alias:	None
Deadline:	2023-08-28
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	scap-security-guide
Sub Component:
Version:	8.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Vojtech Polasek
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:	https://github.com/ComplianceAsCode/c...
Whiteboard:
Depends On:
Blocks:	2228448 2228476
TreeView+	depends on / blocked

Reported:	2022-09-27 12:38 UTC by Evgeny Kolesnikov
Modified:	2023-08-17 14:12 UTC (History)
CC List:	9 users (show)
Fixed In Version:	scap-security-guide-0.1.69-1.el8
Doc Type:	Bug Fix
Doc Text:	.Mount point options configuration in Image Builder Rules that configure mount point options have been reworked in a way that they now are effective also when they are used for hardening images when building an operating system image in Image Builder. As a result, users of Image Builder can now build images with partition configuration aligned with the security profile of their choice.
Clone Of:
Clones:	2228448 2228476 (view as bug list)
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-135016	0	None	None	None	2022-09-27 12:52:16 UTC

Description Evgeny Kolesnikov 2022-09-27 12:38:21 UTC

Description of problem:
When remediating any of the Restrict Partition Mount Options the remediation fails in offline mode i.e. xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec. The remediation script checks the /proc/mounts which is unavailable even if the fstab file has been created.

Version-Release number of selected component (if applicable):
0.1.63

How reproducible:

Steps to Reproduce:
1. Configure a blueprint with moutnpoint options and oscap configuration
2. Build image with osbuild-composer

Actual results:
Remediation does not run at all for this since the evaluation result is unknown.

Expected results:
Offline remediation of the /etc/fstab file

Additional info:

I: oscap: Evaluating definition 'oval:ssg-mount_option_home_nodev:def:1': Add nodev Option to /home.
I: oscap: Evaluating partition test 'oval:ssg-test_home_partition_nodev_optional_yes:tst:1': nodev on /home optional yes.
I: oscap: Querying partition object 'oval:ssg-object_home_partition_nodev_optional_yes:obj:1', flags: 0.
I: oscap: Creating new syschar for partition_object 'oval:ssg-object_home_partition_nodev_optional_yes:obj:1'.
I: oscap: I will run partition_probe_main:
E: oscap: Can't open /proc/mounts: errno=2, No such file or directory.
W: oscap: Can't receive message: 125, Operation canceled.
E: oscap: Recv: retry limit (0) reached.
I: oscap: Test 'oval:ssg-test_home_partition_nodev_optional_yes:tst:1' evaluated as (null).

Upstream issue: https://github.com/ComplianceAsCode/content/issues/9342

Comment 2 Evgeny Kolesnikov 2023-04-25 10:32:20 UTC

The way we evaluate and remediate mount point options in CaC content
has been changed to accommodate 'offline' systems. The content would
now properly detect mount point configuration and change it
accordingly in the IB pipeline environment.

https://github.com/ComplianceAsCode/content/pull/10200

Comment 3 Christophe Besson 2023-07-20 12:10:47 UTC

One of our customers is experiencing the issue while applying CIS Level 1 Server while using osbuild-composer for RHEL 8.8 as well as RHEL 9.2.
It also has to be fixed for RHEL 9.

Setting the severity as High as we have no workaround to suggest.

Note You need to log in before you can comment on or make changes to this bug.