- Bug
- Resolution: Done-Errata
- rhel-8.8.0
- Critical
- sst_security_compliance
- ssg_security
Description of problem:
When the system is scanned and remediated as per CIS Level 1 on RHEL 8.8, the following checks/rules are not performed and hence not remediated:
5.1.8 Ensure cron is restricted to authorized users (Automated) ...
5.2.4 Ensure SSH access is limited (Automated)
5.2.20 Ensure SSH Idle Timeout Interval is configured (Automated)
As per the definitions in CIS benchmarks v1 and v2, the above rules should be checked/validated, but it's not being done.
Required checks :
5.1.8 Ensure cron is restricted to authorized users (Automated) ...
- No check for whether /etc/cron.allow exists or not. No remediation to create such a file.
5.2.4 Ensure SSH access is limited (Automated)
- No checks for AllowUsers and AllowGroups parameters in /etc/ssh/sshd_config
5.2.20 Ensure SSH Idle Timeout Interval is configured (Automated)
- Only ClientAliveCountMax is checked, but there is no such rule for ClientAliveInterval
Version-Release number of selected component (if applicable):
scap-security-guide-0.1.66-2.el8_7.noarch
How reproducible:
Scan the system for cis level 1 profile and attempt to remediate
- oscap xccdf eval --profile cis_server_l1 --remediate --results-arf /var/tmp/arf-post-level1.xml --report /var/tmp/post-level1-report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Steps to Reproduce:
1. Fresh install RHEL 8.8
2. Install openscap-utils and scap-security-guide packages
3. Scan system for CIS level 1 profile.
Actual results:
- There are rules/checks corresponding to following checklist in benchmark
5.1.8 Ensure cron is restricted to authorized users (Automated) ...
5.2.4 Ensure SSH access is limited (Automated)
5.2.20 Ensure SSH Idle Timeout Interval is configured (Automated)
- As rules are missing, remediation does not work properly.
Expected results:
- Expect checks to be performed for these referred rules.
- Additionally, once they are checked, then remediation should be attempted accordingly on these rules.
Additional info:
With the above changes, the expectation is to have the following things checked/created:
- /etc/cron.allow file
- AllowUsers and AllowGroups in /etc/ssh/sshd_config
- ClientAliveInterval in /etc/ssh/sshd_config
Links to: RHBA-2024:128049 scap-security-guide bug fix and enhancement update
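A read-only check for the three items listed under "Additional info", as an added example that is not part of the original report or of scap-security-guide. The function names are hypothetical, and it assumes that only the global section of a single sshd_config file counts (no Include handling, nothing inside Match blocks) and that ClientAliveInterval is written as a plain number of seconds.

```shell
#!/bin/sh
# Added example: read-only checks for the three items this report lists.
# Assumptions: only the given file is parsed (no Include handling), and only
# the global section before the first "Match" block counts.

# Print the first global value of an sshd_config keyword (case-insensitive,
# "Keyword value" or "Keyword=value"); sshd uses the first occurrence.
sshd_value() {  # usage: sshd_value KEYWORD FILE
    awk -v key="$1" -F'[ \t=]+' '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, "") }              # drop indentation, re-split fields
        /^#/ || NF == 0 { next }            # skip comments and blank lines
        tolower($1) == "match" { exit }     # conditional blocks are not global
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$2"
}

check_cron_allow() {  # 5.1.8: the allow-list file exists
    [ -f "${1:-/etc/cron.allow}" ]
}

check_ssh_access() {  # 5.2.4: AllowUsers or AllowGroups is set
    f="${1:-/etc/ssh/sshd_config}"
    [ -n "$(sshd_value AllowUsers "$f")" ] || [ -n "$(sshd_value AllowGroups "$f")" ]
}

check_alive_interval() {  # 5.2.20: ClientAliveInterval is a positive number
    v="$(sshd_value ClientAliveInterval "${1:-/etc/ssh/sshd_config}")"
    case "$v" in ''|*[!0-9]*) return 1 ;; esac
    [ "$v" -gt 0 ]
}

# Print one PASS/FAIL line per item; return non-zero if any item fails.
report() {  # usage: report [SSHD_CONFIG] [CRON_ALLOW]
    cfg="${1:-/etc/ssh/sshd_config}"; allow="${2:-/etc/cron.allow}"; rc=0
    check_cron_allow "$allow"   && echo "PASS 5.1.8 $allow exists"          || { echo "FAIL 5.1.8 $allow missing"; rc=1; }
    check_ssh_access "$cfg"     && echo "PASS 5.2.4 AllowUsers/AllowGroups" || { echo "FAIL 5.2.4 AllowUsers/AllowGroups not set"; rc=1; }
    check_alive_interval "$cfg" && echo "PASS 5.2.20 ClientAliveInterval"   || { echo "FAIL 5.2.20 ClientAliveInterval not set"; rc=1; }
    return "$rc"
}
```

Source the file and call `report` with no arguments to check the live paths. On a running system, `sshd -T` prints the effective configuration and is the authoritative view once Include files or Match blocks are involved.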