Bug 2169857 - Applying CIS benchmark fix cause systemd-journald to unable to parse configuration file
Summary: Applying CIS benchmark fix cause systemd-journald to unable to parse configur...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Jan Černý
QA Contact: Milan Lysonek
Docs Contact: Petr Hybl
URL:
Whiteboard:
Depends On:
Blocks: 2228437 2228438
 
Reported: 2023-02-14 20:02 UTC by Adam Ibrahim
Modified: 2023-11-14 17:09 UTC
CC: 12 users

Fixed In Version: scap-security-guide-0.1.69-1.el8
Doc Type: Bug Fix
Doc Text:
SCAP `journald` rules no longer remediate to invalid configuration

Previously, the SCAP Security Guide rules `journald_compress`, `journald_forward_to_syslog`, and `journald_storage` contained a bug in the remediation script which added extra quotes to the respective options within the `/etc/systemd/journald.conf` configuration file. Consequently, the `journald` service failed to parse the configuration options and ignored them. Therefore, the configuration options were not effective and OpenSCAP reported false pass results. With this update, the rules and remediation scripts have been fixed to not add the extra quotes. The rules now create a valid configuration for `journald`.
Clone Of:
Clones: 2228437 2228438
Environment:
Last Closed: 2023-11-14 15:36:38 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links:
Red Hat Issue Tracker RHELPLAN-148663 (last updated 2023-02-14 20:05:55 UTC)
Red Hat Product Errata RHBA-2023:7056 (last updated 2023-11-14 15:37:31 UTC)

Description Adam Ibrahim 2023-02-14 20:02:58 UTC
Description of problem:
Applying the fix provided by openscap to ensure journald is configured to write log files to persistent disk causes systemd-journald to be unable to parse its configuration.

For example, to enable persistent journal, the fix modifies /etc/systemd/journald.conf to have the following value:

# grep Storage /etc/systemd/journald.conf 
Storage='persistent'
#Storage=auto

systemd-journald does not recognize quotes in the /etc/systemd/journald.conf file; it ignores the setting.

How reproducible:
Install openscap-scanner scap-security-guide

Steps to Reproduce:
1. Ensure the server is not using a persistent journal
 # grep -i storage /etc/systemd/journald.conf 
#Storage=auto

2. Generate remediation shell script or ansible playbook
Bash script:
 # oscap xccdf generate fix --fix-type bash --output ScriptToRemediate.sh --result-id "" scan_results.xml
-------
Ansible Playbook:
 # oscap xccdf generate fix --fix-type ansible --output PlaybookToRemediate.yml --result-id "" scan_results.xml

3. Apply fix 
 # ./ScriptToRemediate.sh

Or 
 # ansible-playbook PlaybookToRemediate.yml

4. Restart the systemd-journald service to pick up the new configuration


Actual results:
systemd-journald unable to parse 'Storage' value due to quotes:

# grep Storage /etc/systemd/journald.conf 
Storage='persistent'
#Storage=auto

# service systemd-journald status
systemd-journald[30231]: /etc/systemd/journald.conf:18: Failed to parse storage setting, ignori>
systemd-journald[30231]: Journal started
systemd-journald[30231]: Runtime Journal (/run/log/journal/b1e89bbf159b4603839b0dd4b439d941) is 3.1M, max 25.3M, 22.1M free.


Expected results:
# grep Storage /etc/systemd/journald.conf 
Storage=persistent
#Storage=auto

Additional info:
Snippet of the generated shell script (the two lines marked with "extra quotes" are the problem):
~~~
if [ -z "$line_number" ]; then
    # There was no match of '^#\s*Storage', insert at
    # the end of the file.
    printf '%s\n' "Storage='persistent'" >> "/etc/systemd/journald.conf"   # <= extra quotes
else
    head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf"
    printf '%s\n' "Storage='persistent'" >> "/etc/systemd/journald.conf"     # <= extra quotes
    tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf"
fi
~~~

This same issue is observed on RHEL 9; let me know if a Bugzilla needs to be filed for it. I noticed that on RHEL 9 the CIS benchmark is noted as experimental:

# oscap info --profile xccdf_org.ssgproject.content_profile_cis_server_l1 /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 

Description: This is a draft profile based on its RHEL8 version for experimental purposes. It is not based on the CIS benchmark for RHEL9, because this one was not available at time of the release.
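The report above shows the generated remediation writing Storage='persistent', which journald rejects because systemd's config parser does not strip shell-style quotes from values such as Storage=, so the quoted line is ignored and a key-only grep reports a false pass. The following is an added example, not code from the original report or from scap-security-guide: a corrected set-option function in the same head/tail style that emits the bare value (replacing an active Key= line, or inserting above the commented default and keeping it, as the SSG script does), plus an audit that flags quoted values and an effective-value lookup that mirrors journald's last-assignment-wins parsing. The function names and the constructed sample file are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not the scap-security-guide remediation): quote-free
# remediation for journald-style Key=Value files plus a check for the
# false-pass condition described in the bug. Function names are assumed.

# Set KEY=VALUE in FILE without quotes. Mirrors the generated remediation's
# structure (backup, head, printf, tail) but writes the bare value.
set_journald_option() {
    local file="$1" key="$2" value="$3"
    local line_number keep_from
    cp -p "$file" "${file}.bak"
    # Prefer the first active "Key=" line; it is replaced outright so that a
    # later active assignment cannot override the value we set.
    line_number=$(grep -n -m 1 -E "^[[:space:]]*${key}[[:space:]]*=" "${file}.bak" | cut -d: -f1)
    if [ -n "$line_number" ]; then
        keep_from=$(( line_number + 1 ))   # drop the old active line
    else
        # Otherwise insert above the first commented "#Key=" line and keep the
        # comment as documentation of the default, as the SSG script does.
        line_number=$(grep -n -m 1 -E "^#[[:space:]]*${key}[[:space:]]*=" "${file}.bak" | cut -d: -f1)
        keep_from=$line_number
    fi
    if [ -z "$line_number" ]; then
        # No match at all: append at the end of the file.
        printf '%s=%s\n' "$key" "$value" >> "$file"
    else
        head -n "$(( line_number - 1 ))" "${file}.bak" > "$file"
        printf '%s=%s\n' "$key" "$value" >> "$file"          # bare value, no quotes
        tail -n "+${keep_from}" "${file}.bak" >> "$file"
    fi
}

# Audit: print every active setting whose value is wrapped in single or
# double quotes. journald fails to parse such lines and ignores them, so a
# compliance check that only greps for the key would report a false pass.
# Returns 1 if any quoted value was found, 0 otherwise.
find_quoted_values() {
    local file="$1" found
    found=$(grep -E "^[[:space:]]*[A-Za-z]+[[:space:]]*=[[:space:]]*(\"[^\"]*\"|'[^']*')[[:space:]]*$" "$file")
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Effective value of KEY as journald would see it: the last active assignment
# wins; an empty result means the built-in default applies. A quoted value is
# reported as invalid (nothing printed, return 1), matching the
# "Failed to parse storage setting" behaviour from the report.
effective_value() {
    local file="$1" key="$2" value
    value=$(grep -E "^[[:space:]]*${key}[[:space:]]*=" "$file" | tail -n 1 \
            | sed -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//; s/[[:space:]]*$//")
    case "$value" in
        \"*\"|\'*\') return 1 ;;
    esac
    printf '%s' "$value"
}

# Demo on a constructed stand-in for /etc/systemd/journald.conf (sample input
# made up for this example, not a real system file).
demo() {
    local tmp
    tmp=$(mktemp)
    printf '%s\n' '[Journal]' '#Storage=auto' '#Compress=yes' "ForwardToSyslog='yes'" > "$tmp"
    echo "Before remediation, quoted values journald would ignore:"
    find_quoted_values "$tmp" || true
    set_journald_option "$tmp" Storage persistent
    set_journald_option "$tmp" ForwardToSyslog yes
    echo "After remediation:"
    cat "$tmp"
    find_quoted_values "$tmp" >/dev/null && echo "no quoted values remain"
    echo "effective Storage=$(effective_value "$tmp" Storage)"
    rm -f "$tmp" "${tmp}.bak"
}

demo
```

Run it as a normal script; the demo writes only to a temporary file. To audit a real host, call find_quoted_values /etc/systemd/journald.conf, which exits non-zero exactly when a line like Storage='persistent' is present, independent of whether journald has been restarted yet.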

Comment 1 Jan Černý 2023-02-20 15:47:30 UTC
analysis:

The issue is reproducible with scap-security-guide-0.1.63-5.el8.noarch and is also present in current upstream as of 2023-02-20, HEAD 9a2ca6d9d4c41c5c5b6fe9a20a276271b0eb3db2.

The problem is excess quotes in OVAL, Bash and Ansible in rule journald_storage.

A possible fix can be to set "no_quotes: true" in the rule.yml in rule journald_storage.

Switching from openscap to correct component.

Comment 2 Jan Černý 2023-05-05 09:52:59 UTC
There is a similar BZ for RHEL 8 with a broader scope https://bugzilla.redhat.com/show_bug.cgi?id=2193169. When fixing, you will need to examine all other similar rules that configure journald and/or use the shell_lineinfile template.

Comment 3 Jan Černý 2023-07-10 15:18:03 UTC
There exists an already merged PR https://github.com/ComplianceAsCode/content/pull/10790 which implements the proposed solution.

Comment 4 Jan Černý 2023-07-11 07:11:30 UTC
A test for this BZ has been submitted to upstream for a review in https://github.com/ComplianceAsCode/content/pull/10817.

Comment 22 errata-xmlrpc 2023-11-14 15:36:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7056

