Bug 2223471 - incorrect remediation description for xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading in xccdf_org.ssgproject.content_profile_ism_o
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: scap-security-guide
Version: 9.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Watson Yuuma Sato
QA Contact: BaseOS QE Security Team
Reported: 2023-07-18 02:58 UTC by Daniel Reynolds
Modified: 2023-08-17 16:01 UTC

Doc Type: If docs needed, set a value
Type: Bug
Attachments
oscap html report (3.27 MB, text/html), 2023-07-18 02:58 UTC, Daniel Reynolds


Links
Red Hat Issue Tracker RHEL-1489 (last updated 2023-08-17 16:01:12 UTC)
Red Hat Issue Tracker RHELPLAN-162509 (last updated 2023-07-18 03:00:56 UTC)

Description Daniel Reynolds 2023-07-18 02:58:10 UTC
Created attachment 1976292: oscap html report

Description of problem:

In the ISM openscap benchmark xccdf_org.ssgproject.content_profile_ism_o, the rule "Ensure auditd Collects Information on Kernel Module Loading and Unloading" (xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading) describes the remediation as:

~~~
-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules
~~~

This is incorrect, the actual remediation is:

~~~
 -a always,exit -F arch=b32 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules
 -a always,exit -F arch=b64 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules
~~~

Note: the --remediate option correctly implements the fix. This is an error in the generated report.


Version-Release number of selected component (if applicable):
scap-security-guide-0.1.66-1.el9_1


How reproducible:
Always.

Steps to Reproduce:
1. Run a security scan
~~~
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ism_o --report ~/scan-report.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
~~~

2. Open up 'scan-report.html', click on the link 'Record Information on Kernel Modules Loading and Unloading 1x fail'

Actual results:

~~~
Description

To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
  -a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules

The place to add the lines depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the lines to file /etc/audit/audit.rules.
~~~

Expected results:

Something similar to,

~~~
Description

To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
  -a always,exit -F arch=b32 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules
  -a always,exit -F arch=b64 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules

The place to add the lines depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the lines to file /etc/audit/audit.rules.
~~~
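Since the report text and the applied remediation disagree, a useful local check is to confirm what the audit rules file actually contains. The script below is an added example, not part of the bug report or of scap-security-guide: it verifies that a rules file carries, for both b32 and b64, an always,exit rule covering init_module, finit_module and delete_module with the auid>=1000 and auid!=-1 filters that the --remediate run installs (auid!=unset and auid!=4294967295 are accepted as equivalent spellings). The sample rules file at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report or scap-security-guide).
# check_module_rules FILE... -> 0 if the files together cover b32 and b64
# with all three module syscalls and the auid filters, 1 otherwise.
# Real use: check_module_rules /etc/audit/rules.d/*.rules
check_module_rules() {
    rc=0
    for arch in b32 b64; do
        # Keep only active always,exit rules for this arch that carry both
        # auid filters, then collect their -S syscall lists into one set
        # (rules split across several lines are merged).
        syscalls=$(cat -- "$@" \
            | grep -E '^[[:space:]]*-a[[:space:]]+always,exit' \
            | grep -F -- "-F arch=$arch" \
            | grep -F -- 'auid>=1000' \
            | grep -E -- 'auid!=(-1|unset|4294967295)' \
            | sed -n 's/.*-S[[:space:]]*\([^[:space:]]*\).*/\1/p' \
            | tr '\n' ',')
        for sc in init_module finit_module delete_module; do
            case ",$syscalls," in
                *",$sc,"*) ;;
                *) echo "$arch: no filtered always,exit rule for $sc"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed sample: the two lines the remediation actually installs.
sample=$(mktemp)
printf '%s\n' \
  '-a always,exit -F arch=b32 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules' \
  '-a always,exit -F arch=b64 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules' \
  > "$sample"
check_module_rules "$sample" && echo "kernel module audit rules present"
rm -f "$sample"
```

Running it against a file containing only the report's placeholder line (arch=ARCH, no auid filters) reports every syscall as missing for both arches.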

