Bug 2169857 - Applying CIS benchmark fix cause systemd-journald to unable to parse configuration file
Summary: Applying CIS benchmark fix cause systemd-journald to unable to parse configur...
Keywords:
Status: MODIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jan Černý
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 2228437 2228438
TreeView+ depends on / blocked
 
Reported: 2023-02-14 20:02 UTC by Adam Ibrahim
Modified: 2023-08-14 11:27 UTC (History)
11 users (show)

Fixed In Version: scap-security-guide-0.1.69-1.el8
Doc Type: Bug Fix
Doc Text:
.Rules related to journald configuration are fixed Rules journald_compress, journald_forward_to_syslog and journald_storage previously contained a bug in the remediation script which caused that extra quotes were added to the respective configuration options within `/etc/systemd/journald.conf`. Consequently, this caused that the `journald` failed to parse the configuration options and ignored them. Therefore, the configuration options were not effective. That caused false pass results in the OpenSCAP results. The rules and remediations scripts have been fixed to not add the extra quotes and therefore produce a valid configuration for the journald.
Clone Of:
: 2228437 2228438 (view as bug list)
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-148663 0 None None None 2023-02-14 20:05:55 UTC

Description Adam Ibrahim 2023-02-14 20:02:58 UTC 
Description of problem:
Applying fix provided by openscap to ensure journald is configured to write log files to persistent disk, causes systemd-journald to unable parse configuration. 

For example, to enable persistent journal, the fix modifies /etc/systemd/journald.conf to have the following value:

# grep Storage /etc/systemd/journald.conf 
Storage='persistent'
#Storage=auto

systemd-journald does not recognize quotes on /etc/systemd/journald.conf file, it ignores it

How reproducible:
Install openscap-scanner scap-security-guide

Steps to Reproduce:
1. Ensure server is not using with persistent journal 
 # grep -i storage /etc/systemd/journald.conf 
#Storage=auto

2. Generate remediation shell script or ansible playbook
Bash script:
 # oscap xccdf generate fix --fix-type bash --output ScriptToRemediate.sh --result-id "" scan_results.xml
-------
Ansible Playbook:
 # oscap xccdf generate fix --fix-type ansible --output PlaybookToRemediate.yml --result-id "" scan_results.xml

3. Apply fix 
 # ./ScriptToRemediate.sh

Or 
 # ansible-playbook PlaybookToRemediate.yml

4- restart systemd-journald service to pick up new configuration


Actual results:
systemd-journald unable to parse 'Storage' value due to quotes:

# grep Storage /etc/systemd/journald.conf 
Storage='persistent'
#Storage=auto

# service systemd-journald status
systemd-journald[30231]: /etc/systemd/journald.conf:18: Failed to parse storage setting, ignori>
systemd-journald[30231]: Journal started
systemd-journald[30231]: Runtime Journal \(/run/log/journal/b1e89bbf159b4603839b0dd4b439d941) is 3.1M, max 25.3M, 22.1M free.


Expected results:
# grep Storage /etc/systemd/journald.conf 
Storage=persistent
#Storage=auto

Additional info:
snippet of SHELL scrip:
~~~
if [ -z "$line_number" ]; then
    # There was no match of '^#\s*Storage', insert at
    # the end of the file.
    printf '%s\n' "Storage='persistent'" >> "/etc/systemd/journald.conf"   <=
else
    head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf"
    printf '%s\n' "Storage='persistent'" >> "/etc/systemd/journald.conf"     <=
    tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf"
fi
~~~

This same issue is observed on RHEL 9, let me know if bugzilla needed to be file for it. I noticed on RHEL 9, CIS benchmark is noted as experimental:

# oscap info --profile xccdf_org.ssgproject.content_profile_cis_server_l1 /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 

Description: This is a draft profile based on its RHEL8 version for experimental purposes. It is not based on the CIS benchmark for RHEL9, because this one was not available at time of the release.
Comment 1 Jan Černý 2023-02-20 15:47:30 UTC 
analysis:

The issue is reproducible with scap-security-guide-0.1.63-5.el8.noarch and is also present in current upstream as of 2023-02-20 as of HEAD 9a2ca6d9d4c41c5c5b6fe9a20a276271b0eb3db2.

The problem is excess quotes in OVAL, Bash and Ansible in rule journald_storage.

A possible fix can be to set "no_quotes: true" in the rule.yml in rule journald_storage.

Switching from openscap to correct component.
Comment 2 Jan Černý 2023-05-05 09:52:59 UTC 
There is a similar BZ for RHEL 8 with a broader scope https://bugzilla.redhat.com/show_bug.cgi?id=2193169. When fixing, you will need to examine all other similar rules that configure journald and/or use the shell_lineinfile template.
Comment 3 Jan Černý 2023-07-10 15:18:03 UTC 
There exists an already merged PR https://github.com/ComplianceAsCode/content/pull/10790 which implements the proposed solution.
Comment 4 Jan Černý 2023-07-11 07:11:30 UTC 
A test for this BZ has been submitted to upstream for a review in https://github.com/ComplianceAsCode/content/pull/10817.
Comment 5 Jan Černý 2023-07-11 15:10:52 UTC 
PRs https://github.com/ComplianceAsCode/content/pull/10790 and https://github.com/ComplianceAsCode/content/pull/10817 have been merged upstream.
Note You need to log in before you can comment on or make changes to this bug.