ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

GNOME3 Screensaver Lock - Checks Error out #2631

Closed OnceUponALoop closed 6 years ago

OnceUponALoop commented 6 years ago

Description of problem:

The following checks produce an error (not a failure): dconf_gnome_screensaver_lock_enabled, dconf_gnome_screensaver_lock_delay

SCAP Security Guide Version:

Git master 02/27 (bb897175d0695dd6b6ec434e727f66fb6eb13eea)

Operating System Version:

RHEL 7.4

Steps to Reproduce:

  1. Fresh Installation
  2. Run USGCB Gnome checks with remediation
  3. Note results for both checks are 'error'

Actual Results:

[root@rh-test gnome]# oscap oval eval --id oval:ssg-dconf_gnome_screensaver_lock_delay:def:1 ssg-rhel7-ds.xml
Definition oval:ssg-dconf_gnome_screensaver_lock_delay:def:1: error
Evaluation done.

Expected Results:

Should pass or fail instead of error

Additional Information/Debugging Steps:

Contents of /etc/dconf/db/local.d/10-scap-security-guide (no other file in local.d or local profile)

[org/gnome/desktop/screensaver]
lock-enabled=true
lock-delay=uint32 0

I was able to narrow down the failure

dconf_gnome_screensaver_lock_delay
      ----> test_screensaver_lock_delay
      ----> test_prevent_user_lock_delay
      ----> test_screensaver_lock_delay_setting (FAILURE)

I spent a bunch of time looking into this but couldn't resolve it. The pattern match does actually pull in the correct value, but I think the issue is caused by the external variable var_screensaver_lock_delay; unfortunately oscap doesn't log that value or the success/failure of resolving it.

The var_screensaver_lock_delay doesn't get refined in the USGCB profile, but it should still revert to its default value defined in shared/xccdf/system/software/gnome.xml.

<Value id="var_screensaver_lock_delay" type="number" operator="equals">
<title>Screensaver Lock Delay</title>
<description>Choose allowed duration (in seconds) after a screensaver becomes active before displaying an authentication prompt</description>
<value>0</value>
<value selector="immediate">0</value>
<value selector="5_seconds">5</value>
<value selector="10_seconds">10</value>
</Value>

Not sure where to go from here so I'm passing the buck 😞

redhatrises commented 6 years ago

Odd.... Running without remediation, I get:

# oscap oval eval --id oval:ssg-dconf_gnome_screensaver_lock_delay:def:1 ssg-rhel7-ds.xml
Definition oval:ssg-dconf_gnome_screensaver_lock_delay:def:1: false
Evaluation done.

@OnceUponALoop do you get this regardless of whether you have remediated or not?

OnceUponALoop commented 6 years ago

@redhatrises if you haven't remediated then the check fails the test_screensaver_lock_delay which checks that lock-delay=uint32 [0-9]+ is defined.

Check Test Structure

dconf_gnome_screensaver_lock_delay
+
|
+----> test_screensaver_lock_delay
  +    Verify lock-delay=uint32 NUMBER is set, doesn't validate value yet
  |
  +----> test_prevent_user_lock_delay
    +    Verify that the setting is locked
    |
    +----> test_screensaver_lock_delay_setting (FAILURE)
           Verify value of lock delay

Not sure why the check is split over 3 tests like that; why wouldn't the first test verify the value as well? Unless something upstream (reporting?) depends on it.

Remediated dconf settings

Content of /etc/dconf/db/local.d/10-scap-security-guide

[org/gnome/desktop/screensaver]
lock-enabled=true
lock-delay=uint32 0

Content of /etc/dconf/db/local.d/locks/10-scap-security-guide

/org/gnome/desktop/screensaver/lock-delay

Test results without remediation

Deleting all the settings to ensure nothing is overriding.

[root@rh-test build]# rm -f /etc/dconf/db/local.d/locks/* /etc/dconf/db/local.d/*
rm: cannot remove ‘/etc/dconf/db/local.d/locks’: Is a directory
[root@rh-test build]# oscap oval eval --id oval:ssg-dconf_gnome_screensaver_lock_delay:def:1 ssg-rhel7-ds.xml
Definition oval:ssg-dconf_gnome_screensaver_lock_delay:def:1: false
Evaluation done.

Test results after remediation

[root@rh-test build]# cat /etc/dconf/db/local.d/10-scap-security-guide
[org/gnome/desktop/screensaver]
lock-enabled=true
lock-delay=uint32 0
[root@rh-test build]# cat /etc/dconf/db/local.d/locks/10-scap-security-guide
/org/gnome/desktop/screensaver/lock-delay
[root@rh-test build]# oscap oval eval --id oval:ssg-dconf_gnome_screensaver_lock_delay:def:1 ssg-rhel7-ds.xml
Definition oval:ssg-dconf_gnome_screensaver_lock_delay:def:1: error
Evaluation done.

Test results after remediation + variables file

I figured that if the issue was the external variable resolution then it should work if we provide it a variables file with var_screensaver_lock_delay set to 0.

variables.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_variables xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns="http://oval.mitre.org/XMLSchema/oval-variables-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-results-5 oval-results-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-variables-5 oval-variables-schema.xsd">
  <generator>
    <oval:product_name>cpe:/a:open-scap:oscap</oval:product_name>
    <oval:schema_version>5.11.1</oval:schema_version>
    <oval:timestamp>2018-02-27T20:16:57</oval:timestamp>
  </generator>
  <variables>
    <variable id="oval:ssg-var_screensaver_lock_delay:var:1" datatype="int" comment="Unknown">
      <value>0</value>
    </variable>
  </variables>
</oval_variables>

Sure enough, it passes.

[root@rh-test build]# oscap oval eval --variables variables.xml --id oval:ssg-dconf_gnome_screensaver_lock_delay:def:1 ssg-rhel7-ds.xml
Definition oval:ssg-dconf_gnome_screensaver_lock_delay:def:1: true
Evaluation done.
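
The variables file above was written by hand. As an added example (not openscap or ComplianceAsCode code), the following script produces a document of the same shape for `oscap oval eval --variables` and reads it back so the ids and values can be checked before a scan. The OVAL variable id and datatype are the ones from this thread; the `comment` attribute text is the script's own.

```python
"""Generate an OVAL external-variables document for `oscap oval eval --variables`.

Added example for this thread; it is not openscap or ComplianceAsCode code.
It emits the same shape as the hand-written variables.xml above (oval_variables
in the oval-variables-5 namespace, a generator block, one <variable> per id)
and can read such a file back so the result can be checked before a scan.
"""
import datetime
import xml.etree.ElementTree as ET

VAR_NS = "http://oval.mitre.org/XMLSchema/oval-variables-5"
COMMON_NS = "http://oval.mitre.org/XMLSchema/oval-common-5"

# Constructed input: the one variable this thread needed. Keys are OVAL variable
# ids, values are (datatype, list of values); multi-valued variables are allowed.
EXAMPLE_VARS = {"oval:ssg-var_screensaver_lock_delay:var:1": ("int", ["0"])}


def _q(ns, tag):
    """Clark-notation qualified name for ElementTree."""
    return f"{{{ns}}}{tag}"


def build_variables_doc(variables, product="cpe:/a:open-scap:oscap", schema_version="5.11.1"):
    """Return the serialized oval_variables document as a str."""
    ET.register_namespace("", VAR_NS)        # default namespace, as in oscap's own output
    ET.register_namespace("oval", COMMON_NS)  # generator children use the oval: prefix
    root = ET.Element(_q(VAR_NS, "oval_variables"))
    gen = ET.SubElement(root, _q(VAR_NS, "generator"))
    ET.SubElement(gen, _q(COMMON_NS, "product_name")).text = product
    ET.SubElement(gen, _q(COMMON_NS, "schema_version")).text = schema_version
    ET.SubElement(gen, _q(COMMON_NS, "timestamp")).text = datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    vars_el = ET.SubElement(root, _q(VAR_NS, "variables"))
    for var_id, (datatype, values) in variables.items():
        if not values:
            # An external variable with no value cannot be resolved by the evaluator.
            raise ValueError(f"{var_id}: an external variable needs at least one value")
        var = ET.SubElement(vars_el, _q(VAR_NS, "variable"), id=var_id, datatype=datatype,
                            comment="supplied by build_variables_doc")
        for val in values:
            ET.SubElement(var, _q(VAR_NS, "value")).text = str(val)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def read_variables(xml_text):
    """Parse an oval_variables document back into {id: (datatype, [values])}."""
    root = ET.fromstring(xml_text)
    if root.tag != _q(VAR_NS, "oval_variables"):
        raise ValueError(f"not an oval_variables document: {root.tag}")
    out = {}
    for var in root.iter(_q(VAR_NS, "variable")):
        values = [(val.text or "") for val in var.iter(_q(VAR_NS, "value"))]
        out[var.get("id")] = (var.get("datatype"), values)
    return out


def write_variables_file(path, variables):
    """Write the document to path and return its text."""
    doc = build_variables_doc(variables)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(doc)
    return doc


if __name__ == "__main__":
    print(write_variables_file("variables.xml", EXAMPLE_VARS))
```

Run it, then point oscap at the result exactly as in the thread: `oscap oval eval --variables variables.xml --id oval:ssg-dconf_gnome_screensaver_lock_delay:def:1 ssg-rhel7-ds.xml`. The round trip through `read_variables` is the cheap check that the id in the file is the `oval:ssg-...:var:1` id the OVAL state references, not the XCCDF `var_...` id.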

redhatrises commented 6 years ago

@OnceUponALoop this issue should be closed as this is expected behavior when scanning with OVAL. All variables have to be added with --variables when performing an OVAL scan.

OnceUponALoop commented 6 years ago

@redhatrises The error occurs when running it from scap-workbench against USGCB as well.

Relevant arf

<definition definition_id="oval:ssg-dconf_gnome_screensaver_lock_delay:def:1" result="error" version="2">
  <criteria operator="OR" result="error">
    <extend_definition definition_ref="oval:ssg-package_dconf_installed:def:1" version="1" result="false" negate="true"/>
    <criteria operator="AND" result="error">
      <extend_definition definition_ref="oval:ssg-enable_dconf_user_profile:def:1" version="1" result="true"/>
      <criterion test_ref="oval:ssg-test_screensaver_lock_delay:tst:1" version="1" result="true"/>
      <criterion test_ref="oval:ssg-test_prevent_user_lock_delay:tst:1" version="1" result="true"/>
      <criterion test_ref="oval:ssg-test_screensaver_lock_delay_setting:tst:1" version="1" result="error"/>
    </criteria>
  </criteria>
</definition>

<test test_id="oval:ssg-test_screensaver_lock_delay_setting:tst:1" version="1" check_existence="all_exist" check="all" result="error">
  <tested_item item_id="14159227" result="error"/>
</test>

<ns3:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock delay setting is correct" id="oval:ssg-test_screensaver_lock_delay_setting:tst:1" version="1">
  <ns3:object object_ref="oval:ssg-obj_screensaver_lock_delay_setting:obj:1"/>
  <ns3:state state_ref="oval:ssg-state_screensaver_lock_delay_setting:ste:1"/>
</ns3:textfilecontent54_test>

  <ind-sys:textfilecontent_item id="14159227" status="exists">
    <ind-sys:filepath>/etc/dconf/db/local.d/10-scap-security-guide</ind-sys:filepath>
    <ind-sys:path>/etc/dconf/db/local.d</ind-sys:path>
    <ind-sys:filename>10-scap-security-guide</ind-sys:filename>
    <ind-sys:pattern>^lock-delay[\s=]*uint32[\s]([^=\s]*)</ind-sys:pattern>
    <ind-sys:instance datatype="int">1</ind-sys:instance>
    <ind-sys:line>^lock-delay[\s=]*uint32[\s]([^=\s]*)</ind-sys:line>
    <ind-sys:text>lock-delay=uint32 0</ind-sys:text>
    <ind-sys:subexpression>0</ind-sys:subexpression>
  </ind-sys:textfilecontent_item>

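Reading the ARF by hand, as done above, is how the errored test and its tested item were found. As an added example (not openscap or ComplianceAsCode code), the script below automates that triage over an OVAL results document: it walks every definition with result="error" down the criteria tree to the criterion that errored, lists its tested items, then looks the test's state up in the embedded definitions and reports any `var_ref`, which is the external variable the evaluator could not resolve. The sample results document is constructed to mirror the excerpt above; the placement of `var_ref` on the state's `subexpression` is an assumption about the SSG content, not copied from it.

```python
"""Find which OVAL test errored, and which external variable it needs.

Added example for this thread; not openscap or ComplianceAsCode code. Given an
OVAL results document (or an ARF, which embeds one), it walks every definition
with result="error" down its criteria tree to the criterion that errored, lists
the tested items, and looks the test's state/object up in the embedded
<oval_definitions> to report any var_ref, i.e. the unresolved external variable.
"""
import xml.etree.ElementTree as ET

RES_NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5"}

# Constructed sample modelled on the ARF excerpt in this thread. The var_ref on
# the state's subexpression is an assumption about where SSG places it.
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
    xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <oval-def:oval_definitions>
    <oval-def:tests>
      <ind-def:textfilecontent54_test id="oval:ssg-test_screensaver_lock_delay_setting:tst:1"
          version="1" check="all" check_existence="all_exist" comment="screensaver lock delay setting is correct">
        <ind-def:object object_ref="oval:ssg-obj_screensaver_lock_delay_setting:obj:1"/>
        <ind-def:state state_ref="oval:ssg-state_screensaver_lock_delay_setting:ste:1"/>
      </ind-def:textfilecontent54_test>
    </oval-def:tests>
    <oval-def:states>
      <ind-def:textfilecontent54_state id="oval:ssg-state_screensaver_lock_delay_setting:ste:1" version="1">
        <ind-def:subexpression datatype="int" var_ref="oval:ssg-var_screensaver_lock_delay:var:1"/>
      </ind-def:textfilecontent54_state>
    </oval-def:states>
  </oval-def:oval_definitions>
  <results><system>
    <definitions>
      <definition definition_id="oval:ssg-dconf_gnome_screensaver_lock_delay:def:1" result="error" version="2">
        <criteria operator="OR" result="error">
          <extend_definition definition_ref="oval:ssg-package_dconf_installed:def:1" version="1" result="false" negate="true"/>
          <criteria operator="AND" result="error">
            <criterion test_ref="oval:ssg-test_screensaver_lock_delay:tst:1" version="1" result="true"/>
            <criterion test_ref="oval:ssg-test_prevent_user_lock_delay:tst:1" version="1" result="true"/>
            <criterion test_ref="oval:ssg-test_screensaver_lock_delay_setting:tst:1" version="1" result="error"/>
          </criteria>
        </criteria>
      </definition>
      <definition definition_id="oval:ssg-package_dconf_installed:def:1" result="true" version="1"/>
    </definitions>
    <tests>
      <test test_id="oval:ssg-test_screensaver_lock_delay_setting:tst:1" version="1" check="all" result="error">
        <tested_item item_id="14159227" result="error"/>
      </test>
    </tests>
  </system></results>
</oval_results>
"""


def _local(el):
    """Tag name without its namespace."""
    return el.tag.split("}")[-1]


def _error_criteria(node):
    """Yield <criterion> elements with result="error" beneath node, depth first."""
    for child in node:
        if child.get("result") != "error":
            continue
        if _local(child) == "criterion":
            yield child
        elif _local(child) == "criteria":
            yield from _error_criteria(child)
        # An errored extend_definition is reported under its own definition id.


def _by_id(root, oval_id):
    """First element anywhere in the document whose id attribute is oval_id."""
    for el in root.iter():
        if el.get("id") == oval_id:
            return el
    return None


def _var_refs_for_test(root, test_id):
    """OVAL variable ids referenced by the state(s) and object of test_id."""
    refs = []
    test = _by_id(root, test_id)
    if test is None:
        return refs
    for ref in test:
        target = _by_id(root, ref.get("state_ref") or ref.get("object_ref") or "")
        if target is None:
            continue
        for el in target.iter():
            var = el.get("var_ref")
            if var and var not in refs:
                refs.append(var)
    return refs


def triage(xml_text):
    """{definition_id: [(test_id, [item_ids], [var_refs]), ...]} for errored definitions."""
    root = ET.fromstring(xml_text)
    report = {}
    for d in root.iterfind(".//res:definitions/res:definition", RES_NS):
        if d.get("result") != "error":
            continue
        entries = []
        for crit in _error_criteria(d):
            test_id = crit.get("test_ref")
            items = [ti.get("item_id") for ti in root.iterfind(
                f".//res:tests/res:test[@test_id='{test_id}']/res:tested_item", RES_NS)]
            entries.append((test_id, items, _var_refs_for_test(root, test_id)))
        report[d.get("definition_id")] = entries
    return report


if __name__ == "__main__":
    for def_id, entries in triage(SAMPLE_RESULTS).items():
        for test_id, items, refs in entries:
            print(f"{def_id}\n  errored test: {test_id}\n  items: {items}\n  needs variables: {refs}")
```

Because every lookup is relative to the root, the same function works on the standalone results file written by `--oval-results` and on an ARF. An errored test whose state carries a `var_ref` that is absent from the variables file passed to `oscap oval eval --variables` is the situation this thread describes.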

redhatrises commented 6 years ago

@OnceUponALoop if you set the variable in the XCCDF, does it fix the issue with scap-workbench?

OnceUponALoop commented 6 years ago

@redhatrises I believe I tried that last night (with refine-value = immediate) and still produced the same result but it was late night work so anything goes.

So if I export the variables from the xccdf for the usgcb profile and feed it back into an oval eval of that check it fails. Shouldn't it be in there or am I missing something?

Test

# Export Variables for usgcb
[root@rh-test build]# oscap xccdf export-oval-variables --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_ospp-rhel7 ssg-rhel7-xccdf-1.2.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 ... ok

# Check with variable file
[root@rh-test build]# oscap oval eval --variables ssg-rhel7-oval.xml-0.variables-0.xml --id oval:ssg-dconf_gnome_screensaver_lock_delay:def:1 ssg-rhel7-ds.xml
Definition oval:ssg-dconf_gnome_screensaver_lock_delay:def:1: error
Evaluation done.

# Check existence of var_screensaver_lock_delay in variables file
[root@rh-test build]# grep lock_delay ssg-rhel7-oval.xml-0.variables-0.xml
[root@rh-test build]# 

Test after adding variable to profile

# Check the change is made
[root@rh-test build]# git diff ../rhel7/profiles/ospp-rhel7.xml
diff --git a/rhel7/profiles/ospp-rhel7.xml b/rhel7/profiles/ospp-rhel7.xml
index 3877c57..3084885 100644
--- a/rhel7/profiles/ospp-rhel7.xml
+++ b/rhel7/profiles/ospp-rhel7.xml
@@ -38,7 +38,7 @@ the consensus process.

 <refine-value idref="login_banner_text" selector="usgcb_default" />
 <refine-value idref="inactivity_timeout_value" selector="15_minutes" />
-
+<refine-value idref="var_screensaver_lock_delay" selector="immediate"/>

 <!-- configure minimum password length -->
 <refine-value idref="var_password_pam_minlen" selector="15" />

# Clean and build
[root@rh-test build]# make clean; make -j4 rhel7
<TRUNCATED-OUTPUT>
[100%] Built target generate-ssg-rhel7-guide-index.html
[100%] Built target rhel7-guides
[100%] Built target rhel7

# Export Variables
[root@rh-test build]# oscap xccdf export-oval-variables --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_ospp-rhel7 ssg-rhel7-xccdf-1.2.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 ... ok

# Check - still fails
[root@rh-test build]# oscap oval eval --variables ssg-rhel7-oval.xml-0.variables-0.xml --id oval:ssg-dconf_gnome_screensaver_lock_delay:def:1 ssg-rhel7-ds.xml
Definition oval:ssg-dconf_gnome_screensaver_lock_delay:def:1: error
Evaluation done.

# Check existence of var_screensaver_lock_delay in variables file
[root@rh-test build]# grep lock_delay ssg-rhel7-oval.xml-0.variables-0.xml
[root@rh-test build]#

redhatrises commented 6 years ago

That does seem odd. I would maybe open a ticket at https://github.com/openscap/openscap as that could be a bug with oscap.

OnceUponALoop commented 6 years ago

@redhatrises I'm pretty sure i found the problem. The rule is applicable to <platform idref="cpe:/a:machine" /> which doesn't exist in the latest repo openscap package (openscap-1.2.14-2.el7.x86_64).

Strange that the checks are processed though, shouldn't they be notchecked? I'm seeing the error when using oscap or scap-workbench.

Is CPE validation handled differently for variables vs oval checks?

We can probably close this issue but would really appreciate some clarification on the behavior for my own understanding.

OVAL Check without CPE

[root@rh-test build]# oscap xccdf eval --datastream-id scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf-1.2.xml --xccdf-id scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml --results xccdf-results.xml --profile xccdf_org.ssgproject.content_profile_ospp-rhel7 ssg-rhel7-ds.xml
<TRUNCATED-OUTPUT>
Title   Enable GNOME3 Screensaver Idle Activation
Rule    xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
Ident   CCE-80111-8
Result  pass

Title   Enable GNOME3 Screensaver Lock After Idle Period
Rule    xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
Ident   CCE-80112-6
Result  error

Title   Set GNOME3 Screensaver Lock Delay After Activation Period
Rule    xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
Ident   CCE-80370-0
Result  error

Variable export without CPE: variable isn't present

[root@rh-test build]# oscap xccdf export-oval-variables --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_ospp-rhel7  ssg-rhel7-xccdf-1.2.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 ... ok

[root@rh-test build]# grep lock_delay ssg-rhel7-oval.xml-0.variables-0.xml
[root@rh-test build]#

OVAL check with build CPE: still fails, I'm confused at this point

oscap xccdf eval --datastream-id scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf-1.2.xml --xccdf-id scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml --results xccdf-results.xml --profile xccdf_org.ssgproject.content_profile_ospp-rhel7 --cpe ssg-rhel7-cpe-dictionary.xml  ssg-rhel7-ds.xml
<TRUNCATED-OUTPUT>
Title   Enable GNOME3 Screensaver Idle Activation
Rule    xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
Ident   CCE-80111-8
Result  pass

Title   Enable GNOME3 Screensaver Lock After Idle Period
Rule    xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
Ident   CCE-80112-6
Result  error

Title   Set GNOME3 Screensaver Lock Delay After Activation Period
Rule    xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
Ident   CCE-80370-0
Result  error

Variable export with build CPE: variable is exported

[root@rh-test build]# oscap xccdf export-oval-variables --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_ospp-rhel7 --cpe ssg-rhel7-cpe-dictionary.xml ssg-rhel7-xccdf-1.2.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 ... ok

[root@rh-test build]# grep lock_delay ssg-rhel7-oval.xml-0.variables-0.xml
    <variable id="oval:ssg-var_screensaver_lock_delay:var:1" datatype="int" comment="Unknown">

redhatrises commented 6 years ago

@OnceUponALoop will you run the following off of the latest SSG master?

oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_ospp --report final.html --oval-results ssg-rhel7-ds.xml

redhatrises commented 6 years ago

A lot of these checks have been fixed in the latest content. Please reopen if this issue still persists.