Project: RHEL
Issue: RHEL-1489

incorrect remediation description for xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading in xccdf_org.ssgproject.content_profile_ism_o


      Description of problem:

      In the ISM openscap benchmark xccdf_org.ssgproject.content_profile_ism_o, the rule "Ensure auditd Collects Information on Kernel Module Loading and Unloading" (xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading) describes the remediation as:

      ~~~
      -a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules
      ~~~

      This is incorrect; the actual remediation is:

      ~~~
      -a always,exit -F arch=b32 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules
      -a always,exit -F arch=b64 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules
      ~~~

      Note: the --remediate option correctly implements the fix. The error is in the generated report.

      Version-Release number of selected component (if applicable):
      scap-security-guide-0.1.66-1.el9_1

      How reproducible:
      Always.

      Steps to Reproduce:
      1. Run a security scan
      ~~~
      sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ism_o --report ~/scan-report.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
      ~~~

      2. Open up 'scan-report.html', click on the link 'Record Information on Kernel Modules Loading and Unloading 1x fail'

      Actual results:

      ~~~
      Description

      To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
      -a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules

      The place to add the lines depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the lines to file /etc/audit/audit.rules.
      ~~~

      Expected results:

      Something similar to:

      ~~~
      Description

      To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
      -a always,exit -F arch=b32 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules
      -a always,exit -F arch=b64 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules

      The place to add the lines depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the lines to file /etc/audit/audit.rules.
      ~~~
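      The mismatch above is easy to miss by eye because the two rule texts also differ in syscall order and in the ARCH placeholder. The following script, added here as an illustration and not part of the bug report or of scap-security-guide, parses auditctl rule lines into an order-independent form and reports, per architecture, exactly which filters the report text omits; the sample rule lines are those quoted in the report.

```python
import re

# Constructed from the rule text quoted in this report: what the HTML report
# documents versus what `oscap --remediate` actually installs.
DOCUMENTED = ["-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules"]
ACTUAL = [
    "-a always,exit -F arch=b32 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules",
    "-a always,exit -F arch=b64 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules",
]
FILTER_RE = re.compile(r"(\w+)(>=|<=|!=|=|>|<)(.+)")  # field, operator, value of one -F argument

def parse_audit_rule(line):
    """Turn one 'auditctl -a' rule into an order-independent record (syscalls and filters as sets)."""
    tokens = line.split()
    rule = {"action": None, "arch": None, "syscalls": frozenset(), "filters": set(), "key": None}
    for i in range(0, len(tokens), 2):          # every flag handled here takes exactly one argument
        flag, arg = tokens[i], tokens[i + 1]
        if flag == "-a":
            rule["action"] = arg
        elif flag == "-S":
            rule["syscalls"] |= frozenset(arg.split(","))
        elif flag == "-F":
            field, op, value = FILTER_RE.fullmatch(arg).groups()
            if field == "arch":
                rule["arch"] = value
            elif field == "key":
                rule["key"] = value
            else:
                rule["filters"].add((field, op, value))
        elif flag == "-k":
            rule["key"] = arg
        else:
            raise ValueError(f"unsupported flag {flag!r} in rule: {line}")
    return rule

def rules_by_arch(lines):
    """Map arch -> parsed rule; the ARCH placeholder in the report text stands for both b32 and b64."""
    out = {}
    for rule in map(parse_audit_rule, lines):
        for arch in (("b32", "b64") if rule["arch"] == "ARCH" else (rule["arch"],)):
            out[arch] = dict(rule, arch=arch)
    return out

def compare_rules(documented_lines, actual_lines):
    """Per arch: filters the documentation omits or adds, and whether syscalls and key agree."""
    doc, act = rules_by_arch(documented_lines), rules_by_arch(actual_lines)
    report = {}
    for arch in sorted(set(doc) | set(act)):
        d, a = doc.get(arch), act.get(arch)
        if d is None or a is None:
            report[arch] = {"present_in_both": False}   # one side has no rule for this arch at all
            continue
        report[arch] = {"present_in_both": True,
                        "undocumented_filters": sorted(a["filters"] - d["filters"]),
                        "extra_documented_filters": sorted(d["filters"] - a["filters"]),
                        "syscalls_match": d["syscalls"] == a["syscalls"],
                        "key_match": d["key"] == a["key"]}
    return report
```

The same comparison can be run against a live host by feeding `auditctl -l` output, or the lines from /etc/audit/rules.d/*.rules, as the second argument.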

      People: Vojtech Polasek (vpolasek@redhat.com), Daniel Reynolds (rhn-support-dareynol), Milan Lysonek