RHEL9 failing rules per profile

matusmarhefka commented 3 years ago

Description of problem:

See the section per each RHEL9 profile which contains rules failing even after remediation.

SCAP Security Guide Version:

master (57fc344)

Operating System Version:

RHEL9 Beta

Steps to Reproduce:

Run installation of RHEL9 Beta with a profile kickstart file (from https://github.com/ComplianceAsCode/content/tree/master/products/rhel9/kickstart)
Scan the system after installation with the profile based on kickstart which was used to install the system.

OSPP, CUI

service_auditd_enabled (in SSGTS profile mode) no_tmux_in_shells (in SSGTS profile mode)

CIS Workstation Level 2 (GUI)

~dconf_gnome_login_banner_text~ ~selinux_confinement_of_daemons - no remediation, but finds many breakages~

HIPAA

rpm_verify_hashes - detects issue in systemd package (/usr/lib/systemd/system/rescue.service) ~auditd_audispd_syslog_plugin_activated~

HIPAA (GUI)

rpm_verify_hashes - detects issue in systemd package (/usr/lib/systemd/system/rescue.service) rpm_verify_permissions - detects issues in accountsservice, gdm and fprintd packages ~auditd_audispd_syslog_plugin_activated~

PCI-DSS

~configure_opensc_card_drivers - no Bash remediation~ ~force_opensc_card_drivers - no Bash remediation~

PCI-DSS (GUI)

rpm_verify_permissions - detects issues in accountsservice, gdm and fprintd packages ~auditd_audispd_syslog_plugin_activated~

STIG

no_tmux_in_shells (SSGTS profile mode) configure_firewalld_ports accounts_password_set_min_life_existing (SSGTS profile mode) sshd_set_idle_timeout

STIG_GUI (GUI)

no_tmux_in_shells (SSGTS profile mode) accounts_password_set_min_life_existing (SSGTS profile mode) configure_firewalld_ports sshd_set_idle_timeout

ANSSI BP-028 High (results for both, no GUI and GUI)

~accounts_polyinstantiated_tmp~ - fails only after kickstart installation, needs to be remediated once more ~accounts_polyinstantiated_var_tmp~ - fails only after kickstart installation, needs to be remediated once more ~file_permissions_sshd_private_key~ - fails only after kickstart installation, because SSH keys are generated after oscap remediations. Remediation should be run once more

ISM_O

rpm_verify_hashes - detects issue in systemd package (/usr/lib/systemd/system/rescue.service) network_nmcli_permissions (SSGTS profile mode) configure_firewalld_ports ~file_permissions_sshd_private_key~ - https://github.com/ComplianceAsCode/content/issues/7833

ISM_O (GUI)

rpm_verify_hashes - detects issue in systemd package(/usr/lib/systemd/system/rescue.service) rpm_verify_permissions - detects issues in accountsservice, gdm and fprintd packages network_nmcli_permissions (SSGTS profile mode) configure_firewalld_ports ~file_permissions_sshd_private_key~ - fails only after kickstart installation, because SSH keys are generated after oscap remediations. Remediation should be run once more

mildas commented 2 years ago

List has been updated.

It would be great if auditd_audispd_syslog_plugin_activated rule is fixed, because it's the only failing rule with remediation implemented in few profiles. Remediation output:

grep: /etc/audisp/plugins.d/syslog.conf: No such file or directory
/tmp/oscap.eoJiUI/fix-XXw6aNCb: line 32: /etc/audisp/plugins.d/syslog.conf: No such file or directory
/tmp/oscap.eoJiUI/fix-XXw6aNCb: line 33: /etc/audisp/plugins.d/syslog.conf: No such file or directory

ggbecker commented 2 years ago

List has been updated.

It would be great if auditd_audispd_syslog_plugin_activated rule is fixed, because it's the only failing rule with remediation implemented in few profiles. Remediation output:
grep: /etc/audisp/plugins.d/syslog.conf: No such file or directory
/tmp/oscap.eoJiUI/fix-XXw6aNCb: line 32: /etc/audisp/plugins.d/syslog.conf: No such file or directory
/tmp/oscap.eoJiUI/fix-XXw6aNCb: line 33: /etc/audisp/plugins.d/syslog.conf: No such file or directory

I think this #7971 should fix the issue

mildas commented 2 years ago

OVAL details after kickstart installation:

configure_firewalld_ports

ssh service is enabled in services oval:ssg-test_firewalld_service_sshd_enabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_firewalld_service_sshd_enabled:obj:1 of type xmlfilecontent_object

ssh port is enabled in services oval:ssg-test_firewalld_service_sshd_port_enabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_firewalld_service_sshd_port_enabled:obj:1 of type textfilecontent54_object

Following items have been found on the system:

ssh service is enabled in zones oval:ssg-test_nic_assigned_to_sshd_enabled_zone:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_zones_with_nics:obj:1 of type xmlfilecontent_object

ssh port is enabled in zones oval:ssg-test_firewalld_zone_sshd_port_enabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_firewalld_zone_sshd_port_enabled:obj:1 of type textfilecontent54_object

sshd_set_idle_timeout

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref | Value -- | -- oval:ssg-sshd_required:var:1 | 0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref | Value -- | -- oval:ssg-sshd_required:var:1 | 0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name -- | -- | -- | -- | -- | -- | -- | -- openssh-server | x86_64 | (none) | 5.el9 | 8.7p1 | 0:8.7p1-5.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-5.el9.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref | Value -- | -- oval:ssg-sshd_required:var:1 | 0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref | Value -- | -- oval:ssg-sshd_required:var:1 | 0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name -- | -- | -- | -- | -- | -- | -- | -- openssh-server | x86_64 | (none) | 5.el9 | 8.7p1 | 0:8.7p1-5.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-5.el9.x86_64

timeout is configured oval:ssg-test_sshd_idle_timeout:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_sshd_idle_timeout:obj:1 of type textfilecontent54_object

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref | Value -- | -- oval:ssg-sshd_required:var:1 | 0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref | Value -- | -- oval:ssg-sshd_required:var:1 | 0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name -- | -- | -- | -- | -- | -- | -- | -- openssh-server | x86_64 | (none) | 5.el9 | 8.7p1 | 0:8.7p1-5.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-5.el9.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref | Value -- | -- oval:ssg-sshd_required:var:1 | 0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref | Value -- | -- oval:ssg-sshd_required:var:1 | 0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name -- | -- | -- | -- | -- | -- | -- | -- openssh-server | x86_64 | (none) | 5.el9 | 8.7p1 | 0:8.7p1-5.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-5.el9.x86_64

Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_clientalivecountmax:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sshd_clientalivecountmax:obj:1 of type textfilecontent54_object

ggbecker commented 2 years ago

OVAL details after kickstart installation: sshd_set_idle_timeout

RHEL9 uses sshd distributed configuration so ssh parameters are put under /etc/ssh/sshd_config.d. Then this check fails: https://github.com/ComplianceAsCode/content/blob/0d5c0ea25bffe16984269b860dd405effe8b3baa/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml#L30

we need to extend the check or add a new one to allow configuration from .d directories as well.

vojtapolasek commented 2 years ago

I think the problem with the rule network_nmcli_permissions is that if the "polkit" package is not installed, the directory /etc/polkit-1 does not exist at all. So the check fails and the fix as well. Maybe we can later make the rule applicable only if polkit is installed?

mildas commented 2 years ago

Closing because most of the issues were already fixed. If we notice some of them still failing, we can open issue for the individual rule - it will be more clear.

ComplianceAsCode / content