Loading...

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: rhel-8.9.0
Component/s: scap-security-guide
Labels:
- MigratedToJIRA
- Triaged

Severity:
Major

Pool Team:

sst_security_compliance
Sub-System Group:

ssg_security

Story Points:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Preliminary Testing:
None
Test Coverage:
None

Release Note Type:
Known Issue
Release Note Text:

Hide
.ANSSI BP28 HP SCAP rules for Audit are incorrectly used on the 64-bit ARM architecture

The ANSSI BP28 High profile in the SCAP Security Guide (SSG) contains the following security content automation protocol (SCAP) rules that configure the Linux Audit subsystem but are invalid on the 64-bit ARM architecture:

* `audit_rules_unsuccessful_file_modification_creat`
* `audit_rules_unsuccessful_file_modification_open`
* `audit_rules_file_deletion_events_rename`
* `audit_rules_file_deletion_events_rmdir`
* `audit_rules_file_deletion_events_unlink`
* `audit_rules_dac_modification_chmod`
* `audit_rules_dac_modification_chown`
* `audit_rules_dac_modification_lchown`

If you configure your RHEL system running on a 64-bit ARM machine by using this profile, the Audit daemon does not start due to the use of invalid system calls.

To work around the problem, either use profile tailoring to remove the previously mentioned rules from the data stream or remove the `-S <syscall>` snippets by editing files in the `/etc/audit/rules.d` directory. The files must not contain the following system calls:

* creat
* open
* rename
* rmdir
* unlink
* chmod
* chown
* lchown

As a result of any of the two described workarounds, the Audit daemon can start even after you use the ANSSI BP28 High profile on a 64-bit ARM system.

Show
.ANSSI BP28 HP SCAP rules for Audit are incorrectly used on the 64-bit ARM architecture The ANSSI BP28 High profile in the SCAP Security Guide (SSG) contains the following security content automation protocol (SCAP) rules that configure the Linux Audit subsystem but are invalid on the 64-bit ARM architecture: * `audit_rules_unsuccessful_file_modification_creat` * `audit_rules_unsuccessful_file_modification_open` * `audit_rules_file_deletion_events_rename` * `audit_rules_file_deletion_events_rmdir` * `audit_rules_file_deletion_events_unlink` * `audit_rules_dac_modification_chmod` * `audit_rules_dac_modification_chown` * `audit_rules_dac_modification_lchown` If you configure your RHEL system running on a 64-bit ARM machine by using this profile, the Audit daemon does not start due to the use of invalid system calls. To work around the problem, either use profile tailoring to remove the previously mentioned rules from the data stream or remove the `-S <syscall>` snippets by editing files in the `/etc/audit/rules.d` directory. The files must not contain the following system calls: * creat * open * rename * rmdir * unlink * chmod * chown * lchown As a result of any of the two described workarounds, the Audit daemon can start even after you use the ANSSI BP28 High profile on a 64-bit ARM system.
Release Note Status:
Done

Experience:
Architecture:

aarch64
Bugzilla Bug:
RHBZ: 2232607

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Description of problem:
anssi_bp28_high profile's audit rules are invalid on aarch64 architecture.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.69-1.el8

How reproducible:
deterministic

Steps to Reproduce:
1. Remediate installed system using ANSSI High profile:
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_bp28_high --progress --remediate /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
2. Examine auditd service status

Actual results:

systemctl status -l auditd
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-08-17 09:43:05 EDT; 8min ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 769 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
Process: 759 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
Main PID: 766 (auditd)
Tasks: 2 (limit: 8799)
Memory: 7.6M
CGroup: /system.slice/auditd.service
└─766 /sbin/auditd

Aug 17 09:43:04 hpe-apollo-cn99xx-14-vm-30.khw4.lab.eng.bos.redhat.com systemd[1]: Starting Security Auditing Service...
Aug 17 09:43:04 hpe-apollo-cn99xx-14-vm-30.khw4.lab.eng.bos.redhat.com auditd[766]: No plugins found, not dispatching events
Aug 17 09:43:04 hpe-apollo-cn99xx-14-vm-30.khw4.lab.eng.bos.redhat.com auditd[766]: Init complete, auditd 3.0.7 listening for events (startup state enable)
Aug 17 09:43:05 hpe-apollo-cn99xx-14-vm-30.khw4.lab.eng.bos.redhat.com augenrules[801]: Syscall name unknown: creat
Aug 17 09:43:05 hpe-apollo-cn99xx-14-vm-30.khw4.lab.eng.bos.redhat.com augenrules[801]: There was an error in line 7 of /etc/audit/audit.rules
====

augenrules --load
Syscall name unknown: creat
There was an error in line 7 of /etc/audit/audit.rules
====

head -n7 /etc/audit/audit.rules
1. This file is automatically generated from /etc/audit/rules.d
  -D

-w /etc/selinux/ -p wa -k MAC-policy
-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
====

Even after removing the offending line there are still other errors so audit rules on aarch64 architecture need to be revisited and fixed.

Expected results:
`augenrules --load` successfully loads all configured audit rules.

Additional info:

blocks

RHEL-1896 anssi_bp28_high profile's audit rules are invalid on aarch64 architecture

Planning

external trackers

PnT-DevOps Jira RHELPLAN-157198

Red Hat Issue Tracker RHELPLAN-166048

TCMS Test Case 615460

Details

Description

Attachments

Issue Links

Activity

People

Dates