OpenSCAP / openscap

NIST Certified SCAP 1.2 toolkit
https://www.open-scap.org/tools/openscap-base
GNU Lesser General Public License v2.1

Unable to find out cause for test failure #724

Closed siribg closed 7 years ago

siribg commented 7 years ago

I ran an OpenSCAP scanner report and one of the tests failed. I checked the oval-report.xml file and I see the following -

<definition definition_id="oval:ssg-audit_rules_privileged_commands:def:1" result="false" version="1">
  <criteria operator="OR" result="false">
    <criteria operator="AND" result="false">
      <criterion test_ref="oval:ssg-test_arpc_augenrules:tst:1" version="1" result="true"/>
      <criterion test_ref="oval:ssg-test_arpc_suid_sgid_augenrules:tst:1" version="1" result="true"/>
      <criterion test_ref="oval:ssg-test_arpc_bin_count_equals_rules_count_augenrules:tst:1" version="1" result="false"/>
    </criteria>
    <criteria operator="AND" result="false">
      <criterion test_ref="oval:ssg-test_arpc_auditctl:tst:1" version="1" result="false"/>
      <criterion test_ref="oval:ssg-test_arpc_suid_sgid_auditctl:tst:1" version="1" result="true"/>
      <criterion test_ref="oval:ssg-test_arpc_bin_count_equals_rules_count_auditctl:tst:1" version="1" result="false"/>
    </criteria>
  </criteria>
</definition>

How do I go about finding details about why the criteria are failing? I assume that they are failing because the result is false. How do I get more details about the same?

yuumasato commented 7 years ago

There should be a tag called test with an id equal to the criterion it refers to with more details about the evaluated objects and variables.

Something like

        <test test_id="oval:ssg-test_arpc_bin_count_equals_rules_count_augenrules:tst:1" version="1" check_existence="all_exist" check="all" result="false">
          <tested_item item_id="1018081" result="false"/>
          <tested_variable variable_id="oval:ssg-variable_count_of_privileged_commands_having_audit_definition_augenrules:var:1">25</tested_variable>
          <tested_variable variable_id="oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1">26</tested_variable>
        </test>

Consider taking a look at https://github.com/OpenSCAP/scap-security-guide/issues/379, the fail you get might be related to it.

jan-cerny commented 7 years ago

@siribg You can also check the HTML report with OVAL details. Add to your command-line --report report.html --oval-results.

shawndwells commented 7 years ago

tl;dr: To take a guess on resolving this, run the find command outlined in your HTML report: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null

It will generate a list of SUID/SGID binaries. Make sure there is an audit rule for each one of them.


From the results @siribg posted, we can tell the system is using augen rules:

.....
<criterion test_ref="oval:ssg-test_arpc_augenrules:tst:1" version="1" result="true"/>
<criterion test_ref="oval:ssg-test_arpc_suid_sgid_augenrules:tst:1" version="1" result="true"/>
<criterion test_ref="oval:ssg-test_arpc_bin_count_equals_rules_count_augenrules:tst:1" version="1" result="false"/>

Looking at the test_arpc_bin_count_equals_rules_count_augenrules from

https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/audit_rules_privileged_commands.xml#L91#L94

  <ind:variable_test check="all" check_existence="all_exist" id="test_arpc_bin_count_equals_rules_count_augenrules" comment="audit augenrules binaries count matches rules count" version="1">
    <ind:object object_ref="object_count_of_suid_sgid_binaries_on_system" />
    <ind:state state_ref="state_count_of_privileged_commands_having_audit_definition_augenrules" />
  </ind:variable_test>

And then checking out that object: https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/audit_rules_privileged_commands.xml#L60#L62

  <ind:variable_object id="object_count_of_suid_sgid_binaries_on_system" version="1">
    <ind:var_ref>variable_count_of_suid_sgid_binaries_on_system</ind:var_ref>
  </ind:variable_object>

Which points to variable_count_of_suid_sgid_binaries_on_system: https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/audit_rules_privileged_commands.xml#L54#L58

  <local_variable id="variable_count_of_suid_sgid_binaries_on_system" comment="count of suid / sgid binaries actually present on the system" datatype="int" version="1">
    <count>
      <object_component object_ref="object_system_privileged_commands" item_field="filepath" />
    </count>
  </local_variable>

And that variable is populated by object_system_privileged_commands

https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/audit_rules_privileged_commands.xml#L31#L39

  <!-- First define OVAL entities that can be reused across tests below -->
  <unix:file_object id="object_system_privileged_commands" comment="system files with setuid or setgid permission set" version="1">
    <unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="local" max_depth="-1" />
    <unix:path operation="equals">/</unix:path>
    <!-- [a-z]+ regex below is a workaround for OpenSCAP https://fedorahosted.org/openscap/ticket/457 bug -->
    <unix:filename operation="pattern match">[a-z]+</unix:filename>
    <filter action="include">state_setuid_or_setgid_set</filter>
    <filter action="exclude">state_dev_proc_sys_dirs</filter>
  </unix:file_object>

Which recursively searches the <unix:path> of / for files that match the state_setuid_or_setgid_set state, and excludes files from state_dev_proc_sys_dirs

.... aka this rule recursively gets all SUID and SGID files on the system and compares the count of files returned (object_count_of_suid_sgid_binaries_on_system) against how many augen rules match the predefined audit regex as defined in object_arpc_suid_sgid_augenrules

To take a guess on resolving this, run the find command outlined in your HTML report: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null

It will generate a list of SUID/SGID binaries. Make sure there is an audit rule for each one of them.
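The comparison behind that count test, done path by path instead of by count, as an added Python example that is not part of this issue or of the SCAP Security Guide. It takes the output of the find command above and the contents of an audit rules file (both constructed samples here), matches only rules in the full form the OVAL variable expects, and reports binaries with no rule as well as rules for paths that are not SUID/SGID files; the sample is built so that the two counts agree even though coverage is wrong, which a count comparison alone would not catch.

```python
"""Check that every SUID/SGID binary found by find has a privileged-command audit rule,
and that no rule points at a path that is not such a binary."""
import re

# Constructed sample: what the find command quoted in this thread might print on a small host.
SAMPLE_FIND_OUTPUT = """/usr/bin/sudo
/usr/bin/passwd
/usr/bin/cgclassify
/usr/sbin/pam_timestamp_check
/usr/libexec/utempter/utempter
"""

# Constructed sample of an audit rules file (e.g. /etc/audit/rules.d/privileged.rules).
# /usr/bin/staprun has a rule but is not in the find output; /usr/bin/passwd has no rule.
SAMPLE_RULES = """## Audit privileged commands
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
"""

# Full form of a privileged-command rule, exactly as the tested_variable values in this
# issue show it. Rules written in any other order or with another key are not counted,
# which mirrors the OVAL variable's strictness.
RULE_RE = re.compile(
    r"^-a\s+always,exit\s+-F\s+path=(\S+)\s+-F\s+perm=x\s+-F\s+auid>=1000"
    r"\s+-F\s+auid!=4294967295\s+-k\s+privileged$"
)


def parse_find_output(text):
    """One path per line, as printed by find; blank lines are ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def parse_privileged_rules(text):
    """Paths covered by rules in the full form above; comments and other lines are ignored."""
    covered = set()
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            covered.add(m.group(1))
    return covered


def coverage_report(binaries, covered):
    """Counts as the OVAL test sees them, plus the per-path differences it does not show."""
    return {
        "binaries": len(binaries),
        "rules": len(covered),
        "missing": sorted(binaries - covered),  # SUID/SGID files with no audit rule
        "stray": sorted(covered - binaries),    # rules for paths that are not SUID/SGID files
    }


def report_from_text(find_output, rules_text):
    return coverage_report(parse_find_output(find_output), parse_privileged_rules(rules_text))


if __name__ == "__main__":
    # On a real host feed in the find output and the concatenated /etc/audit/rules.d/*.rules.
    r = report_from_text(SAMPLE_FIND_OUTPUT, SAMPLE_RULES)
    print("binaries=%d rules=%d" % (r["binaries"], r["rules"]))
    for p in r["missing"]:
        print("no audit rule for:", p)
    for p in r["stray"]:
        print("rule for a path that is not SUID/SGID:", p)
```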

siribg commented 7 years ago

I did read up on auditctl, augen and the audit daemon. I saw the fix script generated by STIG and the command used there was -

find / -xdev -type f -perm -4000 -o -type f -perm -2000

The entries in the audit.rules and privileged.rules files were slightly different from the output of the above command. I removed the stray entries from those files and yet the test did not pass. Then I rechecked the oval-results.xml and I found the entire list of programs it was expecting the entries for -

<tested_variable variable_id="oval:ssg-variable_full_form_of_audit_rule:var:1">-a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged</tested_variable>
<tested_variable variable_id="oval:ssg-variable_full_form_of_audit_rule:var:1">-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged</tested_variable>
<tested_variable variable_id="oval:ssg-variable_full_form_of_audit_rule:var:1">-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged</tested_variable>
<tested_variable variable_id="oval:ssg-variable_full_form_of_audit_rule:var:1">-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged</tested_variable>
<tested_variable variable_id="oval:ssg-variable_full_form_of_audit_rule:var:1">-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged</tested_variable>
.....

and so on. I tallied the list of the paths with the output of the find command and found an extra entry in the test list. There is a difference between the way the test looks for the programs with SUID/SGID permissions and the way the fix looks for them. Also the extra entry was not a program, but it had the SUID permission set, because of which it was showing up in the list. I haven't been able to find out how the test looks for the list - what command it executes to get the list. Because of the difference, the test was failing. So, as mentioned by each of you, I had to look at the report, look at the variables suggested and also the output of the command in the fix script to find out why the test was failing. Reading on auditctl, augenrules and audit daemon helped me make sense of the oval report. Either removing the permissions on the file or adding an extra entry for the file in the audit.rules/privileged.rules will pass the test. Your hints helped me solve the problem. Thank you for the suggestions.

On Mon, Apr 24, 2017 at 9:43 AM, Shawn Wells notifications@github.com wrote:

tl;dr: To take a guess on resolving this, run the find command outlined in your HTML report: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null

It will generate a list of SUID/SGID binaries. Make sure there is an audit rule for each one of them.

WesleyCeraso commented 7 years ago

Closing the issue as @siribg seems to have solved it.

siribg commented 7 years ago

I see the rule for AIDE ACL verification failing. Given below is the rule description -

Configure AIDE to Verify Access Control Lists (ACLs)

Rule ID: xccdf_org.ssgproject.content_rule_aide_verify_acls
Result: fail
Time: 2017-06-14T15:14:18
Severity: medium

Identifiers and References

identifiers: CCE-80375-9

references: SI-7.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 021600

Description

By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in /etc/aide.conf:

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Rationale

ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.

Given below is my oval report generated for the rule -

<?xml version="1.0" encoding="UTF-8"?>
<oval_results xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns="http://oval.mitre.org/XMLSchema/oval-results-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-results-5 oval-results-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">

cpe:/a:open-scap:oscap 1.2.10 5.11 2017-06-14T17:24:32

python 2.7.12 5.11 2016-11-28T08:42:34

<definitions>
  <definition id="oval:ssg-aide_verify_acls:def:1" version="1" class="compliance">
    Configure AIDE to Verify Access Control Lists (ACLs) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 AIDE should be configured to verify Access Control Lists (ACLs).
    <criteria>
      <extend_definition definition_ref="oval:ssg-package_aide_installed:def:1" comment="Aide is installed"/>
      <criterion test_ref="oval:ssg-test_aide_verify_acls:tst:1" comment="acl is set in /etc/aide.conf"/>
    </criteria>
  </definition>

siribg commented 5 years ago

I am getting this error while trying to analyze why the following rule is failing -

openscap]# oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --results arf.xml --report report.html --rule xccdf_org.ssgproject.content_rule_service_firewalld_enabled --oval-results ssg-rhel7-ds.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 ... ok
Title   Verify firewalld Enabled
Rule    xccdf_org.ssgproject.content_rule_service_firewalld_enabled
Ident   CCE-27361-5
Result  fail
OpenSCAP Error: Probe with PID=13244 has been killed with signal 11 [sch_pipe.c:178]
Probe with PID=13244 has core dumped. [sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_firewalld_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_firewalld:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [oval_resultTest.c:914]
Probe with PID=13316 has been killed with signal 11 [sch_pipe.c:178]
Probe with PID=13316 has core dumped. [sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_firewalld_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_firewalld_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [oval_resultTest.c:914]

I am also getting similar errors for two other rules.

xccdf_org.ssgproject.content_rule_service_sshd_enabled

xccdf_org.ssgproject.content_rule_service_auditd_enabled

The only difference being that the result.html shows "error" instead of "fail".

Please note that the version of OSCAP is -

oscap -V
OpenSCAP command line tool (oscap) 1.2.16
Copyright 2009--2017 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
CVRF Version: 1.1

Please let me know if I have to provide further information.

Thank you,

Sirisha

siribg commented 5 years ago

I was able to generate an oval report after updating to the next version of OSCAP scanner. However, I fail to understand the following error reported in the oval report -

OVAL details

Test that the sshd service is running failed because of these items:
Unit          Property     Value
sshd.service  ActiveState  active
sshd.socket   ActiveState  inactive

systemd test failed because these items were missing:
Object oval:ssg-object_multi_user_target_for_sshd_enabled:obj:1 of type systemdunitdependency_object
  Unit: multi-user.target
State oval:ssg-state_systemd_sshd_on:ste:1 of type systemdunitdependency_state
  Dependency: sshd.service

systemd test failed because these items were missing:
Object oval:ssg-object_multi_user_target_for_sshd_socket_enabled:obj:1 of type systemdunitdependency_object
  Unit: multi-user.target
State oval:ssg-state_systemd_sshd_socket_on:ste:1 of type systemdunitdependency_state
  Dependency: sshd.socket

I checked the state of sshd service on my linux box and it looks fine to me. What is the implication of this error?

multi-user.target.wants]$ ls -l
total 0
lrwxrwxrwx 1 root root 41 Mar 13 13:07 abrt-ccpp.service -> /usr/lib/systemd/system/abrt-ccpp.service
lrwxrwxrwx 1 root root 37 Mar 13 13:07 abrtd.service -> /usr/lib/systemd/system/abrtd.service
lrwxrwxrwx 1 root root 41 Mar 13 13:07 abrt-oops.service -> /usr/lib/systemd/system/abrt-oops.service
lrwxrwxrwx 1 root root 43 Mar 13 13:07 abrt-vmcore.service -> /usr/lib/systemd/system/abrt-vmcore.service
lrwxrwxrwx 1 root root 41 Mar 13 13:07 abrt-xorg.service -> /usr/lib/systemd/system/abrt-xorg.service
lrwxrwxrwx. 1 root root 35 Mar 7 10:07 atd.service -> /usr/lib/systemd/system/atd.service
lrwxrwxrwx. 1 root root 38 Mar 7 10:07 auditd.service -> /usr/lib/systemd/system/auditd.service
lrwxrwxrwx. 1 root root 37 Mar 7 10:06 brandbot.path -> /usr/lib/systemd/system/brandbot.path
lrwxrwxrwx 1 root root 43 Mar 7 10:44 cert_backup.service -> /usr/lib/systemd/system/cert_backup.service
lrwxrwxrwx. 1 root root 39 Mar 7 10:07 chronyd.service -> /usr/lib/systemd/system/chronyd.service
lrwxrwxrwx. 1 root root 37 Mar 7 10:06 crond.service -> /usr/lib/systemd/system/crond.service
lrwxrwxrwx. 1 root root 45 Mar 7 10:06 epilogue-start.target -> /usr/lib/systemd/system/epilogue-start.target
lrwxrwxrwx 1 root root 41 Mar 13 15:46 firewalld.service -> /usr/lib/systemd/system/firewalld.service
lrwxrwxrwx 1 root root 37 Mar 7 10:44 hostagent.service -> /etc/systemd/system/hostagent.service
lrwxrwxrwx. 1 root root 42 Mar 7 10:07 irqbalance.service -> /usr/lib/systemd/system/irqbalance.service
lrwxrwxrwx. 1 root root 37 Mar 7 10:07 kdump.service -> /usr/lib/systemd/system/kdump.service
lrwxrwxrwx 1 root root 46 Mar 13 13:07 libstoragemgmt.service -> /usr/lib/systemd/system/libstoragemgmt.service
lrwxrwxrwx 1 root root 38 Mar 7 10:43 mcelog.service -> /usr/lib/systemd/system/mcelog.service
lrwxrwxrwx 1 root root 41 Mar 7 10:43 mdmonitor.service -> /usr/lib/systemd/system/mdmonitor.service
lrwxrwxrwx. 1 root root 46 Mar 7 10:06 NetworkManager.service -> /usr/lib/systemd/system/NetworkManager.service
lrwxrwxrwx. 1 root root 41 Mar 7 10:06 nfs-client.target -> /usr/lib/systemd/system/nfs-client.target
lrwxrwxrwx 1 root root 39 Mar 13 13:07 postfix.service -> /usr/lib/systemd/system/postfix.service
lrwxrwxrwx. 1 root root 40 Mar 7 10:06 remote-fs.target -> /usr/lib/systemd/system/remote-fs.target
lrwxrwxrwx. 1 root root 46 Mar 7 10:06 rhel-configure.service -> /usr/lib/systemd/system/rhel-configure.service
lrwxrwxrwx. 1 root root 41 Mar 7 10:06 rhsmcertd.service -> /usr/lib/systemd/system/rhsmcertd.service
lrwxrwxrwx 1 root root 36 Mar 13 13:07 rngd.service -> /usr/lib/systemd/system/rngd.service
lrwxrwxrwx. 1 root root 39 Mar 7 10:06 rpcbind.service -> /usr/lib/systemd/system/rpcbind.service
lrwxrwxrwx. 1 root root 39 Mar 7 10:06 rsyslog.service -> /usr/lib/systemd/system/rsyslog.service
lrwxrwxrwx. 1 root root 36 Mar 7 10:07 sshd.service -> /usr/lib/systemd/system/sshd.service
lrwxrwxrwx 1 root root 39 Mar 7 10:43 sysstat.service -> /usr/lib/systemd/system/sysstat.service
lrwxrwxrwx. 1 root root 37 Mar 7 10:06 tuned.service -> /usr/lib/systemd/system/tuned.service
lrwxrwxrwx 1 root root 35 Mar 13 13:07 vdo.service -> /usr/lib/systemd/system/vdo.service

[admin@appesx41-app4100v01 multi-user.target.wants]$ pwd
/etc/systemd/system/multi-user.target.wants

[admin@xyz.com multi-user.target.wants]$ service sshd.service status
Redirecting to /bin/systemctl status sshd.service
sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-03-13 13:54:09 PDT; 2 days ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 6500 (sshd)
   CGroup: /system.slice/sshd.service
           └─6500 /usr/sbin/sshd -D

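Walking from a false definition to its failing criteria, then to the tests and the items the probe collected, is what both questions in this thread come down to; the short script below does that walk over an OVAL results file. It is an added example, not OpenSCAP's own code, and the embedded XML is a constructed sample with placeholder ids that mirrors the sshd case above: `multi-user.target` was collected with a dependency list that does not contain `sshd.service`, so the systemdunitdependency state does not match.

```python
import xml.etree.ElementTree as ET

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace so lookups work with any prefix

def failed_refs(criteria):
    """Recursively collect test_refs of criterion elements that did not evaluate to 'true'."""
    refs = []
    for child in criteria:
        if local(child.tag) == "criterion" and child.get("result") != "true":
            refs.append(child.get("test_ref"))
        elif local(child.tag) == "criteria":
            refs.extend(failed_refs(child))
    return refs

def explain_failures(xml_text):
    """Map each false definition to its failing tests and the collected items those tests evaluated."""
    root = ET.fromstring(xml_text)
    tests = {t.get("test_id"): t for t in root.iter() if local(t.tag) == "test"}
    items = {i.get("id"): i for sd in root.iter() if local(sd.tag) == "system_data" for i in sd}
    defs = [d for d in root.iter() if local(d.tag) == "definition" and d.get("result") == "false"]
    report = {}
    for d in defs:
        for ref in failed_refs(d):
            entries = []  # stays empty when the probe collected nothing ("items were missing")
            for ti in (x for x in tests.get(ref, []) if local(x.tag) == "tested_item"):
                fields = {}
                for f in items.get(ti.get("item_id"), []):  # repeated elements (dependency) become lists
                    fields.setdefault(local(f.tag), []).append((f.text or "").strip())
                entries.append({"result": ti.get("result"), "fields": fields})
            report.setdefault(d.get("definition_id"), {})[ref] = entries
    return report

# Constructed sample modelled on the results quoted in this thread; ids are placeholders, not real SSG ids.
SAMPLE = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
 xmlns:sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"
 xmlns:lin="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux"><results><system>
<definitions><definition definition_id="oval:example-sshd_enabled:def:1" result="false" version="1">
 <criteria operator="AND" result="false"><criterion test_ref="oval:example-sshd_running:tst:1" result="true"/>
  <criterion test_ref="oval:example-multi_user_wants_sshd:tst:1" result="false"/></criteria>
</definition></definitions><tests>
 <test test_id="oval:example-sshd_running:tst:1" result="true"><tested_item item_id="1" result="true"/></test>
 <test test_id="oval:example-multi_user_wants_sshd:tst:1" result="false"><tested_item item_id="2" result="false"/></test>
</tests><sc:oval_system_characteristics><sc:system_data>
 <lin:systemdunitproperty_item id="1" status="exists"><lin:unit>sshd.service</lin:unit><lin:property>ActiveState</lin:property><lin:value>active</lin:value></lin:systemdunitproperty_item>
 <lin:systemdunitdependency_item id="2" status="exists"><lin:unit>multi-user.target</lin:unit>
  <lin:dependency>crond.service</lin:dependency><lin:dependency>rsyslog.service</lin:dependency>
 </lin:systemdunitdependency_item></sc:system_data></sc:oval_system_characteristics>
</system></results></oval_results>"""
```

Run `explain_failures` on the `--oval-results` file from a real scan and compare the `dependency` list it prints for `multi-user.target` with the symlinks in `multi-user.target.wants`; a unit present on disk but absent from the collected list points at the probe rather than at the system configuration.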