Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: rhel-8.10
Affects Version/s: rhel-8.8.0
Component/s: scap-security-guide
Labels:
- MigratedToJIRA
- Triaged

Severity:
Critical

Pool Team:

sst_security_compliance
Sub-System Group:

ssg_security

Internal Target Milestone:
26
Story Points:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
None

Git Pull Request:
https://github.com/ComplianceAsCode/content/pull/11441, https://github.com/ComplianceAsCode/content/pull/10463
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/128049
Test Coverage:
None

Release Note Type:
If docs needed, set a value

Experience:
Architecture:

Unspecified
Bugzilla Bug:
RHBZ: 2223984

PX Impact Score:
PX Priority Data:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Description of problem:
When system is scanned and remediated as per CIS Level 1 on RHEL 8.8, following checks/rules are not performed and hence not remediated.

5.1.8 Ensure cron is restricted to authorized users (Automated) ...
5.2.4 Ensure SSH access is limited (Automated)
5.2.20 Ensure SSH Idle Timeout Interval is configured (Automated)

As per definitions in CIS benchmarks v1 and v2, above rules should be checked/validated, but its not being done.

Required checks :

5.1.8 Ensure cron is restricted to authorized users (Automated) ...

No check for /etc/cron.allow exists or not. No remediation to create such a file.

5.2.4 Ensure SSH access is limited (Automated)

No checks for AllowUsers and AllowGroups parameters in /etc/ssh/sshd_config

5.2.20 Ensure SSH Idle Timeout Interval is configured (Automated)

Only ClientAliveCount Max is checked, but no such rule for ClientAliveInterval

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.66-2.el8_7.noarch

How reproducible:

Scan the system for cis level 1 profile and attempt to remediate

oscap xccdf eval --profile cis_server_l1 --remediate --results-arf /var/tmp/arf-post-level1.xml --report /var/tmp/post-level1-report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Steps to Reproduce:
1. Fresh install RHEL 8.8
2. Install openscap-utils and scap-security-guide packages
3. Scan system for CIS level 1 profile.

Actual results:

There are rules/checks corresponding to following checklist in benchmark

5.1.8 Ensure cron is restricted to authorized users (Automated) ...
5.2.4 Ensure SSH access is limited (Automated)
5.2.20 Ensure SSH Idle Timeout Interval is configured (Automated)

As rules are missing, remediation does not work properly.

Expected results:

Expect checks to be performed for these referred rules.
Additionally, once they are checked, then remediation should be attempted accordingly on these rules.

Additional info:

With above changes, expectation is to have following things checked/created