-
Bug
-
Resolution: Done-Errata
-
Undefined
-
rhel-8.8.0
-
None
-
Moderate
-
rhel-sst-security-compliance
-
ssg_security
-
26
-
None
-
False
-
-
No
-
None
-
-
Pass
-
None
-
-
x86_64
-
None
Description of problem:
The SCAP check xccdf_org.ssgproject.content_rule_sudo_custom_logfile is failing on the correctly working sudo configuration that defines the logfile:
Snippet from /etc/sudoers
~~~
Defaults logfile = /var/log/sudo
Defaults loglinelen = 0
~~~
The problem is the missing whitespace handling before and after the '='. This is clearly visible in the Pattern used: '^[\s]Defaults[\s]\blogfile=("(?:\\"|\\\\|[^"\\\n])"\B|[^"](??:\\,|\\"|
|\\\\|[^", \\\n]))\b).*$' that has no whitespace pattern before and after the '=' character
Bug is still present in the latest 0.1.69 version freshly released a few hours ago for 8.6-EUS.
How Reproducible:
reproducer is to add the snippet above to /etc/sudoers and run the CIS-L1 scap check and notice that the sudo logfile rule is failing
Version-Release number of selected component (if applicable):
Package - openscap-1.3.8-1.el8_6.x86_64.rpm
Actual results:
Incorrect security reporting for a valid configuration causing leading to discussions why the rule failed.
Additional info:
Spending time to open this case and follow-ups in answering question in the case
- external trackers
- links to
-
RHBA-2024:128049 scap-security-guide bug fix and enhancement update
- mentioned on