Bug 2193169 - journald config parameters not set up correctly after oscap remediation
Summary: journald config parameters not set up correctly after oscap remediation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: scap-security-guide
Version: 9.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jan Černý
QA Contact: Milan Lysonek
Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks: 2228439 2228440
Reported: 2023-05-04 14:29 UTC by Julia Schindler
Modified: 2024-01-08 11:35 UTC (History)

Fixed In Version: scap-security-guide-0.1.69-1.el9
Doc Type: Bug Fix
Doc Text:
.Rules related to `journald` configuration no longer add extra quotes
Previously, the SCAP Security Guide rules `journald_compress`, `journald_forward_to_syslog`, and `journald_storage` contained a bug in the remediation script that added extra quotes to the configuration options in the `/etc/systemd/journald.conf` configuration file. Consequently, the `journald` system service failed to parse the configuration options and ignored them. Therefore, the configuration options were not effective. This caused false `pass` results in OpenSCAP scans. With this update, the rules and remediation scripts no longer add the extra quotes. As a result, these rules now produce a valid configuration for `journald`.
Clone Of:
: 2228439 2228440 (view as bug list)
Environment:
Last Closed: 2023-11-07 08:37:02 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+



Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-156429 0 None None None 2023-05-04 14:30:48 UTC
Red Hat Product Errata RHBA-2023:6552 0 None None None 2023-11-07 08:37:35 UTC

Description Julia Schindler 2023-05-04 14:29:37 UTC
Description of problem:

When doing a scap remediation with the CIS L2 server profile, the two rules "Ensure journald is configured to compress large log files" and "Ensure journald is configured to write log files to persistent disk" set up the following 2 entries in /etc/systemd/journald.conf:
Storage='persistent'
Compress='yes'

logs show
... systemd-journald[767]:/etc/systemd/journald.conf:18:Failed to parse storage setting, ignoring: 'persistent'
...  systemd-journald[767]:/etc/systemd/journald.conf:20:Failed to parse Compress= value, ignoring: 'yes'

journals are not stored persistently.


Version-Release number of selected component (if applicable):
RHEL9.1

How reproducible: always

Steps to Reproduce:
1. run an oscap xccdf eval --remediate with CIS L2 server profile when the mentioned settings are not already configured

Actual results:

/etc/systemd/journald.conf contains
Storage='persistent'
Compress='yes'

and journals are not stored persistently.

Expected results:

/etc/systemd/journald.conf contains
Storage=persistent
Compress=yes

and journals are stored persistently.

Comment 1 Jan Černý 2023-05-05 09:51:22 UTC
analysis:
Problem is present also in current upstream as of 2023-05-05 as of head 68e93c73061f4abdcbdc1f870d1b608d23239b9b.

The problem is excess quotes in OVAL, Bash and Ansible in rules journald_storage and journald_compress.

This BZ is related to https://bugzilla.redhat.com/show_bug.cgi?id=2169857 which is the same problem but only in rule journald_storage and is for RHEL 9.

A possible fix can be to set "no_quotes: true" in the rule.yml in rules journald_storage and journald_compress. We need to examine all other similar rules that configure journald and/or use the shell_lineinfile template.

Switching from openscap to correct component.
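
A check for the condition discussed in this report, as an added example that is not part of the bug report or of the scap-security-guide project: it flags `Storage`, `Compress` and `ForwardToSyslog` assignments in a journald.conf-style file whose value is wrapped in quotes, the form the logs above show journald ignoring. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report or the scap-security-guide project.

# find_quoted_journald_opts FILE
# Prints "LINE:KEY=VALUE" for every Storage, Compress or ForwardToSyslog
# assignment whose value begins or ends with a quote character.
# Exit status: 1 if at least one such line exists, 0 otherwise.
find_quoted_journald_opts() {
    awk -v sq="'" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*(Storage|Compress|ForwardToSyslog)[ \t]*=/ {
            key = $0; sub(/^[ \t]+/, "", key); sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            first = substr(val, 1, 1)
            last  = substr(val, length(val), 1)
            if (first == sq || first == "\"" || last == sq || last == "\"") {
                printf "%d:%s=%s\n", NR, key, val
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# write_sample_conf FILE
# Constructed sample that mirrors the quoted values shown in this report.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Journal]
#Storage=auto
Storage='persistent'
Compress='yes'
ForwardToSyslog=yes
EOF
}

# Demo run on the constructed sample.
sample=$(mktemp)
write_sample_conf "$sample"
find_quoted_journald_opts "$sample" || echo "quoted values present: journald ignores these settings"
rm -f "$sample"
```

Running the function against `/etc/systemd/journald.conf` after a remediation gives a result that does not depend on the scanner's own verdict for these rules.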

Comment 2 Jan Černý 2023-07-11 07:32:36 UTC
There exists an already merged PR https://github.com/ComplianceAsCode/content/pull/10790 which implements the proposed solution.
A test for rule journald_storage has been submitted to upstream for a review in https://github.com/ComplianceAsCode/content/pull/10817.
A test for rule journald_compress has been submitted to upstream for a review in https://github.com/ComplianceAsCode/content/pull/10818.

Comment 22 errata-xmlrpc 2023-11-07 08:37:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6552

