ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

mount_option_nodev_nonroot_local_partitions reported as failing after scan of IB created image #11996

Closed vojtapolasek closed 4 months ago

vojtapolasek commented 5 months ago

Description of problem:

When provisioning a system with Imagebuilder and hardening it with the CUI profile, the rule mount_option_nodev_nonroot_local_partitions is reported as failing in the final scan.

SCAP Security Guide Version:

master as of 7425c4e823d89eea873f522e6b0be93d991b5afd

Operating System Version:

RHEL 8

Steps to Reproduce:

Perform hardening of the system with Imagebuilder. Some of the steps can be found here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/composing_a_customized_rhel_system_image/assembly_creating-pre-hardened-images-with-image-builder-openscap-integration_composing-a-customized-rhel-system-image

Actual Results:

The rule is marked as "pass" during the initial scan. Then the remediation seems to be applied, and in the final scan the rule is reported as "fail". The mount point which causes the failure is /boot/efi.

Expected Results:

The rule is marked as "pass".

Additional Information/Debugging Steps:

Due to the problem being /boot/efi, it might be caused by Imagebuilder when composing the image.

mildas commented 5 months ago

@evgenyz Any updates? If you have done some investigation and reported a downstream issue on the IB side, that's enough. In that case, send me a link to the issue, I will update the waivers and then we can label this issue as blocked.

evgenyz commented 4 months ago

So, to add more context to the problem.

OVAL for rule mount_option_nodev_nonroot_local_partitions is not offline-aware.

The state of the guest system before remediation:

/etc/fstab
UUID=6abdfd03-0ebf-4b11-807d-a083897ba363   /   xfs defaults    0   0
UUID=c2ea016c-ccca-46c9-b0c2-dc4090ae4751   /boot   xfs defaults    0   0
UUID=66b79923-c687-4a97-8681-3cee2ea7b690   /home   xfs defaults    0   0
UUID=9fc1eba9-a899-439a-9853-284276bec59e   /var    xfs defaults    0   0
UUID=e45fb4ac-c4fd-4405-aa1a-4ee22210532e   /var/log    xfs defaults    0   0
UUID=5fbc6dc2-caf7-443c-a932-0ed822e35733   /var/log/audit  xfs defaults    0   0
UUID=1085cf7c-07c7-4760-bd5e-f0716b00ad7f   /var/tmp    xfs defaults    0   0
UUID=7B77-95E7  /boot/efi   vfat    defaults,uid=0,gid=0,umask=077,shortname=winnt  0   2
mount
tmpfs on / type tmpfs (rw,nosuid,nodev,relatime,seclabel)
/dev/mapper/rhel_rhel82-root on /boot type xfs (ro,nosuid,nodev,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rhel_rhel82-root on /usr type xfs (ro,nosuid,nodev,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
none on /dev type tmpfs (rw,nosuid,relatime,seclabel)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,relatime,seclabel,mode=755)
tmpfs on /run type tmpfs (rw,nosuid,nodev,relatime,seclabel,mode=755)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,seclabel,mode=755)
/dev/mapper/rhel_rhel82-root on /var type xfs (rw,nosuid,nodev,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/irq type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/bus type proc (ro,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime,seclabel)
securityfs on /sys/kernel/security type securityfs (ro,nosuid,nodev,noexec,relatime)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (ro,nosuid,nodev,noexec,relatime,seclabel,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/blkio type cgroup (ro,nosuid,nodev,noexec,relatime,seclabel,blkio)
...
pstore on /sys/fs/pstore type pstore (ro,nosuid,nodev,noexec,relatime,seclabel)
bpf on /sys/fs/bpf type bpf (ro,nosuid,nodev,noexec,relatime,mode=700)
none on /sys/kernel/tracing type tracefs (ro,nosuid,nodev,relatime,seclabel)
configfs on /sys/kernel/config type configfs (ro,nosuid,nodev,relatime)
selinuxfs on /sys/fs/selinux type selinuxfs (ro,nosuid,nodev,relatime)
debugfs on /sys/kernel/debug type debugfs (ro,nosuid,nodev,relatime,seclabel)
fusectl on /sys/fs/fuse/connections type fusectl (ro,nosuid,nodev,relatime)
selinuxfs on /sys/fs/selinux type selinuxfs (ro,nosuid,nodev,relatime)
/dev/mapper/rhel_rhel82-root on /etc/selinux/targeted/contexts type xfs
/dev/mapper/rhel_rhel82-root on /run/osbuild/api/arguments type xfs (ro,nosuid,nodev,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
...
tmpfs on /run/osbuild/api/osbuild type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
tmpfs on /run/osbuild/api/remoteloop type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
/dev/mapper/rhel_rhel82-root on /run/osbuild/runner/org.osbuild.rhel82 type xfs (ro,nosuid,nodev,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
none on /run/osbuild/tree/dev type tmpfs (rw,nosuid,relatime,seclabel)
tmpfs on /run/osbuild/tree/dev/shm type tmpfs (rw,nosuid,nodev,relatime,seclabel,mode=755)
proc on /run/osbuild/tree/proc type proc (rw,nosuid,nodev,noexec,relatime)
...
/dev/mapper/rhel_rhel82-root on /run/osbuild/tree/proc/cmdline type xfs (ro,nosuid,nodev,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)

After:

/etc/fstab
UUID=6abdfd03-0ebf-4b11-807d-a083897ba363   /   xfs defaults    0   0
UUID=c2ea016c-ccca-46c9-b0c2-dc4090ae4751   /boot   xfs defaults,nodev,nosuid   0   0
UUID=66b79923-c687-4a97-8681-3cee2ea7b690   /home   xfs defaults,nodev,nosuid   0   0
UUID=9fc1eba9-a899-439a-9853-284276bec59e   /var    xfs defaults,nodev  0   0
UUID=e45fb4ac-c4fd-4405-aa1a-4ee22210532e   /var/log    xfs defaults,nodev,noexec,nosuid    0   0
UUID=5fbc6dc2-caf7-443c-a932-0ed822e35733   /var/log/audit  xfs defaults,nodev,noexec,nosuid    0   0
UUID=1085cf7c-07c7-4760-bd5e-f0716b00ad7f   /var/tmp    xfs defaults,nodev,noexec,nosuid    0   0
UUID=7B77-95E7  /boot/efi   vfat    defaults,uid=0,gid=0,umask=077,shortname=winnt  0   2

All local filesystems are remediated BEFORE the rule is triggered (via other rules) and /boot/efi is not mounted (obviously).

This rule is the only one among the mount-option-related rules that relies solely on online mount information. We should modify it to be like the others, which can work with data from /etc/fstab. Possible resolution: make the rule offline-aware.
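As an added illustration (not code from the ComplianceAsCode project), the contrast evgenyz describes: the same nodev requirement evaluated over the live `mount` listing of the osbuild environment versus over /etc/fstab. The set of filesystem types treated as "local partitions" is my simplified assumption, and the sample data is constructed, trimmed from the state quoted above.

```python
import re

# Assumed scope for "local partition": persistent on-disk filesystem types.
# Pseudo filesystems (tmpfs, proc, sysfs, cgroup, ...) are deliberately excluded.
LOCAL_FS_TYPES = {"xfs", "ext2", "ext3", "ext4", "vfat", "btrfs"}

def parse_fstab(text):
    """Yield (mount_point, fstype, options) for every real /etc/fstab entry."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        yield fields[1], fields[2], set(fields[3].split(","))

MOUNT_RE = re.compile(r"^\S+ on (\S+) type (\S+) \(([^)]*)\)$")

def parse_mount(text):
    """Yield (mount_point, fstype, options) from lines printed by `mount`."""
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), set(m.group(3).split(","))

def missing_nodev(entries):
    """Mount points of non-root local partitions that lack the nodev option."""
    return sorted(mp for mp, fstype, opts in entries
                  if mp != "/" and fstype in LOCAL_FS_TYPES and "nodev" not in opts)

# Constructed samples, trimmed from the post-remediation state quoted in the issue.
FSTAB_AFTER = """\
UUID=6abdfd03-0ebf-4b11-807d-a083897ba363 / xfs defaults 0 0
UUID=c2ea016c-ccca-46c9-b0c2-dc4090ae4751 /boot xfs defaults,nodev,nosuid 0 0
UUID=9fc1eba9-a899-439a-9853-284276bec59e /var xfs defaults,nodev 0 0
UUID=7B77-95E7 /boot/efi vfat defaults,uid=0,gid=0,umask=077,shortname=winnt 0 2
"""
MOUNT_BUILD_ENV = """\
tmpfs on / type tmpfs (rw,nosuid,nodev,relatime,seclabel)
/dev/mapper/rhel_rhel82-root on /boot type xfs (ro,nosuid,nodev,relatime,seclabel)
/dev/mapper/rhel_rhel82-root on /var type xfs (rw,nosuid,nodev,relatime,seclabel)
none on /dev type tmpfs (rw,nosuid,relatime,seclabel)
"""

def online_result():
    """What a mounts-only check sees inside the image build: nothing to flag."""
    return missing_nodev(parse_mount(MOUNT_BUILD_ENV))

def offline_result():
    """What an /etc/fstab-based check sees: /boot/efi still lacks nodev."""
    return missing_nodev(parse_fstab(FSTAB_AFTER))

if __name__ == "__main__":
    print("online :", online_result())   # []
    print("offline:", offline_result())  # ['/boot/efi']
```

The mounts-only evaluation passes in the build environment because /boot/efi is simply not mounted there, while the fstab-based evaluation flags it, which is the discrepancy the final scan on the booted image exposes.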

evgenyz commented 4 months ago

https://issues.redhat.com/browse/RHEL-45018

mildas commented 4 months ago

Now that the RHEL issue exists, there is no need to keep the GitHub issue for tracking purposes. Closing this one so it is not tracked in two places.