ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

USBGuard rules fail after remediation #10681

Open jan-cerny opened 1 year ago

jan-cerny commented 1 year ago

Description of problem:

Rules service_usbguard_enabled and usbguard_generate_policy fail in the Automatus profile mode in the STIG GUI profile when the Ansible remediations are used.

This problem has been discovered in the downstream test case /CoreOS/scap-security-guide/Sanity/test-profiles-ansible-remediation PCI-DSS, OSPP, STIG_GUI (GUI).

SCAP Security Guide Version:

Current upstream stabilization-v0.1.68 branch as of 2023-06-02 as of HEAD b630293.

Operating System Version:

RHEL 9.2.0

Steps to Reproduce:

  1. python3 /tmp/tmp.QYu1WHUudB/rpmbuild/BUILD/scap-security-guide-0.1.68/tests/test_suite.py profile --libvirt qemu:///system test_suite_vm --datastream /tmp/ssg-rhel9-ds.xml --xccdf-id scap_org.open-scap_cref_ssg-rhel9-xccdf.xml --mode online --remediate-using ansible xccdf_org.ssgproject.content_profile_stig_gui

Actual Results:

Rules not passing after remediation:
xccdf_org.ssgproject.content_rule_service_usbguard_enabled - fail
xccdf_org.ssgproject.content_rule_usbguard_generate_policy - fail

Expected Results:

All rules pass or the failure is waived.

Additional Information/Debugging Steps:

no

marcusburghardt commented 1 year ago

The usbguard_generate_policy rule is also failing in master branch as of 2023-05-03.

I found this error with the Ansible remediation

TASK [Create USBGuard Policy configuration] ************************************
fatal: [localhost]: FAILED! => {"changed": true, "cmd": ["usbguard", "generate-policy"], "delta": "0:00:00.006404", "end": "2023-06-03 05:38:29.547814", "msg": "non-zero return code", "rc": 127, "start": "2023-06-03 05:38:29.541410", "stderr": "usbguard: error while loading shared libraries: libusbguard.so.1: cannot open shared object file: Operation not permitted", "stderr_lines": ["usbguard: error while loading shared libraries: libusbguard.so.1: cannot open shared object file: Operation not permitted"], "stdout": "", "stdout_lines": []}

PLAY RECAP *********************************************************************
localhost                  : ok=3160 changed=510  unreachable=0    failed=1    skipped=1226 rescued=2    ignored=1

jan-cerny commented 1 year ago

In Marcus's case it's the /CoreOS/scap-security-guide/Sanity/ansible-machine-hardening STIG.

jan-cerny commented 1 year ago

In my case (the Automatus profile mode as described in the issue description), an error has happened in the Gather the package facts sub-task in the Enable service usbguard task block. The error is fatal, so the Ansible Playbook terminates prematurely. Therefore, it doesn't complete the USBGuard service enablement and it doesn't execute the subsequent tasks at all.

Below I paste a snippet from the log file xccdf_org.ssgproject.content_profile_stig_gui-remediation.verbose.log, but I feel confused by the error messages there.

TASK [Gather the package facts] ************************************************
task path: /tmp/tmp.QYu1WHUudB/logs/profile-custom-2023-06-02-2116/xccdf_org.ssgproject.content_profile_stig_gui.yml:49907
<192.168.122.81> ESTABLISH SSH CONNECTION FOR USER: root
<192.168.122.81> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentityFile=/root/.ssh/ssg_id_ecdsa -o 'ControlPath="/root/.ansible/cp/fa767bfe3a"' 192.168.122.81 '/bin/sh -c '"'"'echo ~root && sleep 0'"'"''
<192.168.122.81> (0, b'/root\n', b'flatpak: error while loading shared libraries: libappstream-glib.so.8: cannot open shared object file: Operation not permitted\n')
<192.168.122.81> ESTABLISH SSH CONNECTION FOR USER: root
<192.168.122.81> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentityFile=/root/.ssh/ssg_id_ecdsa -o 'ControlPath="/root/.ansible/cp/fa767bfe3a"' 192.168.122.81 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1685759938.8690522-84176-143614565046805 `" && echo ansible-tmp-1685759938.8690522-84176-143614565046805="` echo /root/.ansible/tmp/ansible-tmp-1685759938.8690522-84176-143614565046805 `" ) && sleep 0'"'"''
<192.168.122.81> (0, b'ansible-tmp-1685759938.8690522-84176-143614565046805=/root/.ansible/tmp/ansible-tmp-1685759938.8690522-84176-143614565046805\n', b'flatpak: error while loading shared libraries: libappstream-glib.so.8: cannot open shared object file: Operation not permitted\n')
Using module file /usr/lib/python3.11/site-packages/ansible/modules/package_facts.py
<192.168.122.81> PUT /root/.ansible/tmp/ansible-local-58027hl5ztvd9/tmpfyhxau1_ TO /root/.ansible/tmp/ansible-tmp-1685759938.8690522-84176-143614565046805/AnsiballZ_package_facts.py
<192.168.122.81> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentityFile=/root/.ssh/ssg_id_ecdsa -o 'ControlPath="/root/.ansible/cp/fa767bfe3a"' '[192.168.122.81]'
<192.168.122.81> (0, b'sftp> put /root/.ansible/tmp/ansible-local-58027hl5ztvd9/tmpfyhxau1_ /root/.ansible/tmp/ansible-tmp-1685759938.8690522-84176-143614565046805/AnsiballZ_package_facts.py\n', b'')
<192.168.122.81> ESTABLISH SSH CONNECTION FOR USER: root
<192.168.122.81> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentityFile=/root/.ssh/ssg_id_ecdsa -o 'ControlPath="/root/.ansible/cp/fa767bfe3a"' 192.168.122.81 '/bin/sh -c '"'"'chmod u+x /root/.ansible/tmp/ansible-tmp-1685759938.8690522-84176-143614565046805/ /root/.ansible/tmp/ansible-tmp-1685759938.8690522-84176-143614565046805/AnsiballZ_package_facts.py && sleep 0'"'"''
<192.168.122.81> (0, b'', b'flatpak: error while loading shared libraries: libappstream-glib.so.8: cannot open shared object file: Operation not permitted\n')
<192.168.122.81> ESTABLISH SSH CONNECTION FOR USER: root
<192.168.122.81> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentityFile=/root/.ssh/ssg_id_ecdsa -o 'ControlPath="/root/.ansible/cp/fa767bfe3a"' -tt 192.168.122.81 '/bin/sh -c '"'"'/usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1685759938.8690522-84176-143614565046805/AnsiballZ_package_facts.py && sleep 0'"'"''
<192.168.122.81> (127, b'flatpak: error while loading shared libraries: libappstream-glib.so.8: cannot open shared object file: Operation not permitted\r\n/usr/bin/python3: error while loading shared libraries: libpython3.9.so.1.0: cannot open shared object file: Operation not permitted\r\n', b'Shared connection to 192.168.122.81 closed.\r\n')
<192.168.122.81> Failed to connect to the host via ssh: Shared connection to 192.168.122.81 closed.
<192.168.122.81> ESTABLISH SSH CONNECTION FOR USER: root
<192.168.122.81> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentityFile=/root/.ssh/ssg_id_ecdsa -o 'ControlPath="/root/.ansible/cp/fa767bfe3a"' 192.168.122.81 '/bin/sh -c '"'"'rm -f -r /root/.ansible/tmp/ansible-tmp-1685759938.8690522-84176-143614565046805/ > /dev/null 2>&1 && sleep 0'"'"''
<192.168.122.81> (0, b'', b'flatpak: error while loading shared libraries: libappstream-glib.so.8: cannot open shared object file: Operation not permitted\n')
fatal: [192.168.122.81]: FAILED! => {
    "changed": false,
    "module_stderr": "Shared connection to 192.168.122.81 closed.\r\n",
    "module_stdout": "flatpak: error while loading shared libraries: libappstream-glib.so.8: cannot open shared object file: Operation not permitted\r\n/usr/bin/python3: error while loading shared libraries: libpython3.9.so.1.0: cannot open shared object file: Operation not permitted\r\n",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 127
}

PLAY RECAP *********************************************************************
192.168.122.81             : ok=3228 changed=542  unreachable=0    failed=1    skipped=1151 rescued=2    ignored=1

(it's from the very end of the log file)
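As an added triage helper, not code from this issue or from the ComplianceAsCode project, the script below parses an Ansible verbose log of the shape quoted above, groups the ld.so loader failures it finds by task, and flags fatal tasks where the remote Python interpreter itself could not load (the case in which the play stops before the service is ever enabled). The embedded log is a constructed excerpt condensed from the messages in this thread.

```python
import re

# ld.so loader failure as it appears in Ansible's captured stdout/stderr.
LOADER_RE = re.compile(
    r'''(?P<binary>[^\s:"']+): error while loading shared libraries: '''
    r'''(?P<library>\S+): cannot open shared object file: (?P<reason>[^"']+)'''
)
TASK_RE = re.compile(r"^TASK \[(?P<name>[^\]]+)\]")
ESCAPED_NL = re.compile(r"\\r\\n|\\n")  # literal escapes inside captured output


def loader_errors(line: str) -> list[dict[str, str]]:
    """Extract every loader failure from one verbose-log line."""
    found = []
    for segment in ESCAPED_NL.split(line):
        for m in LOADER_RE.finditer(segment):
            found.append({"binary": m["binary"], "library": m["library"],
                          "reason": m["reason"].strip()})
    return found


def triage(log: str) -> dict[str, dict]:
    """Group distinct loader failures by the TASK they occurred in; mark fatal tasks."""
    tasks, current = {}, None
    for line in log.splitlines():
        t = TASK_RE.match(line)
        if t:
            current = t["name"]
            tasks[current] = {"fatal": False, "errors": []}
        elif current is not None:
            if line.startswith("fatal:"):
                tasks[current]["fatal"] = True
            for rec in loader_errors(line):
                if rec not in tasks[current]["errors"]:
                    tasks[current]["errors"].append(rec)
    return tasks


def interpreter_blocked(tasks: dict[str, dict]) -> list[str]:
    """Fatal tasks where the remote Python interpreter itself failed to load: the
    play stops there, so later tasks (e.g. enabling usbguard) are never attempted."""
    return [name for name, t in tasks.items() if t["fatal"]
            and any(e["binary"].endswith("python3") for e in t["errors"])]


# Constructed excerpt condensed from the log messages quoted in this issue.
SAMPLE_LOG = r"""
TASK [Create USBGuard Policy configuration] ************************************
fatal: [localhost]: FAILED! => {"changed": true, "cmd": ["usbguard", "generate-policy"], "rc": 127, "stderr": "usbguard: error while loading shared libraries: libusbguard.so.1: cannot open shared object file: Operation not permitted", "stdout": ""}
TASK [Gather the package facts] ************************************************
<192.168.122.81> (0, b'/root\n', b'flatpak: error while loading shared libraries: libappstream-glib.so.8: cannot open shared object file: Operation not permitted\n')
<192.168.122.81> (127, b'flatpak: error while loading shared libraries: libappstream-glib.so.8: cannot open shared object file: Operation not permitted\r\n/usr/bin/python3: error while loading shared libraries: libpython3.9.so.1.0: cannot open shared object file: Operation not permitted\r\n', b'Shared connection to 192.168.122.81 closed.\r\n')
fatal: [192.168.122.81]: FAILED! => {"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 127}
"""
```

Running `triage(SAMPLE_LOG)` separates the rule's own failure (usbguard cannot load libusbguard.so.1) from the package_facts task, where the interpreter failure is what aborted the play.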

mildas commented 1 year ago

Are we touching permissions of shared libraries? But it's strange that it's not 100% reproducible: /CoreOS/scap-security-guide/Sanity/ansible-machine-hardening STIG ran twice; in one run it failed but in the other one it passed. It seems it's environment related.

jan-cerny commented 1 year ago

I have reported this as a bug https://bugzilla.redhat.com/show_bug.cgi?id=2215932

ggbecker commented 1 year ago

The bugzilla was closed with a comment. https://bugzilla.redhat.com/show_bug.cgi?id=2215932#c3

@jan-cerny can you check if the information provided is something relevant to this issue?

jan-cerny commented 1 year ago

Yes, the information provided nicely summarizes the problem.

marcusburghardt commented 1 year ago

So, I suggest closing this issue for now if it is no longer manifesting in the latest productization tests. Do you agree?

comps commented 6 months ago

@marcusburghardt Yes. :smile:

marcusburghardt commented 5 months ago

> @marcusburghardt Yes. 😄

Are you also fine to close it @jan-cerny ?