2193169 – journald config parameters not set up correctly after oscap remediation

Bug 2193169 - journald config parameters not set up correctly after oscap remediation

Summary: journald config parameters not set up correctly after oscap remediation

Keywords:
Status:	VERIFIED
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	scap-security-guide
Sub Component:
Version:	9.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Jan Černý
QA Contact:	Milan Lysonek
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2228439 2228440
TreeView+	depends on / blocked

Reported:	2023-05-04 14:29 UTC by Julia Schindler
Modified:	2023-08-16 08:23 UTC (History)
CC List:	10 users (show)
Fixed In Version:	scap-security-guide-0.1.69-1.el9
Doc Type:	Bug Fix
Doc Text:	.Rules related to journald configuration are fixed Rules journald_compress, journald_forward_to_syslog and journald_storage previously contained a bug in the remediation script which caused that extra quotes were added to the respective configuration options within `/etc/systemd/journald.conf`. Consequently, this caused that the `journald` failed to parse the configuration options and ignored them. Therefore, the configuration options were not effective. That caused false pass results in the OpenSCAP results. The rules and remediations scripts have been fixed to not add the extra quotes and therefore produce a valid configuration for the journald.
Clone Of:
Clones:	2228439 2228440 (view as bug list)
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-156429	0	None	None	None	2023-05-04 14:30:48 UTC

Description Julia Schindler 2023-05-04 14:29:37 UTC

Description of problem:

When doing a scap remediation with the CIS L2 server profile, the two rules "Ensure journald is configured to compress large log files" and "Ensure journald is configured to write log files to persistent disk" set up the following 2 entries in /etc/systemd/journald.conf:
Storage='persistent'
Compress='yes'

logs show
... systemd-journald[767]:/etc/systemd/journald.conf:18:Failed to parse storage setting, ignoring: 'persistent'
...  systemd-journald[767]:/etc/systemd/journald.conf:20:Failed to parse Compress= value, ignoring: 'yes'

journals are not stored persistently.


Version-Release number of selected component (if applicable):
RHEL9.1

How reproducible: always

Steps to Reproduce:
1. run a oscap xccdf eval --remediate with CIS L2 server profile when the mentioned settings are not already configured

Actual results:

/etc/systemd/journald.conf contains
Storage='persistent'
Compress='yes'

and journals are not stored persistently.

Expected results:

/etc/systemd/journald.conf contains
Storage=persistent
Compress=yes

and journals are stored persistently.

Comment 1 Jan Černý 2023-05-05 09:51:22 UTC

analysis:
Problem is present also in current upstream as of 2023-05-05 as of head 68e93c73061f4abdcbdc1f870d1b608d23239b9b.

The problem is excess quotes in OVAL, Bash and Ansible in rules journald_storage and journald_compress.

This BZ is related to https://bugzilla.redhat.com/show_bug.cgi?id=2169857 which is the same problem but only in rule journald_storage and is for RHEL 9.

A possible fix can be to set "no_quotes: true" in the rule.yml in rules journald_storage and journald_compress. We need to examine all other similar rules that configure journald and/or use the shell_lineinfile template.

Switching from openscap to correct component.

Comment 2 Jan Černý 2023-07-11 07:32:36 UTC

There exists an already merged PR https://github.com/ComplianceAsCode/content/pull/10790 which implements the proposed solution.
A test for rule journald_storage has been submitted to upstream for a review in https://github.com/ComplianceAsCode/content/pull/10817.
A test for rule journald_compress has been submitted to upstream for a review in https://github.com/ComplianceAsCode/content/pull/10818.

Comment 3 Jan Černý 2023-07-11 15:08:12 UTC

PRs https://github.com/ComplianceAsCode/content/pull/10790, https://github.com/ComplianceAsCode/content/pull/10817, and  https://github.com/ComplianceAsCode/content/pull/10818 have been merged upstream.

Note You need to log in before you can comment on or make changes to this bug.