RHEL-63062

Remediation scripts for xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled fail

    • Type: Bug
    • Resolution: Not a Bug
    • rhel-9.4
    • scap-security-guide
    • rhel-sst-security-compliance
    • ssg_security

      What were you trying to do that didn't work?

      oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --rule xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled --remediate /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

      What is the impact of this issue to you?

      Getting systems into compliance for this rule requires manual intervention to set the correct firewalld rules.

      Please provide the package NVR for which the bug is seen:

      scap-security-guide-0.1.74-1.el9_4.noarch

      openscap-1.3.10-2.el9_3.x86_64

      How reproducible is this bug?:

      Every time remediation is attempted for this rule.

      Steps to reproduce

      1. Set up a RHEL 9 system with sshd not allowed in all the zones
      2. Scan the system and attempt to remediate: 
      3. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --rule xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled --remediate /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

      Remediation fails with an error and no explanation why:

      --- Starting Evaluation ---

      Title   Enable SSH Server firewalld Firewall Exception
      Rule    xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
      Ident   CCE-89175-4
      Result  fail

      --- Starting Remediation ---

      Title   Enable SSH Server firewalld Firewall Exception
      Rule    xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
      Ident   CCE-89175-4
      Result  error

      Expected results

      Remediation should succeed and enable sshd in the firewall rules

      Actual results

      Remediation fails with an error

      When creating an HTML report from this scan, it's still not clear to me why this is failing. I ran strace against the process, and it seems that it fails because it expects a file where there is a directory (which was created earlier in the process):

      From strace:

      $ strace -Tttvfs 256 -o /tmp/strace-stig.out oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --rule xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled --remediate /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

      I see this:

      16420 07:15:02.985041 mkdir("/tmp/oscap.IeKthd", 0700) = 0 <0.000120>
      16420 07:15:02.985241 readlink("/tmp", 0x7ffd6d8206d0, 1023) = -1 EINVAL (Invalid argument) <0.000034>
      16420 07:15:02.985356 readlink("/tmp/oscap.IeKthd", 0x7ffd6d8206d0, 1023) = -1 EINVAL (Invalid argument) <0.000026>
      16420 07:15:02.985449 readlink("/tmp/oscap.IeKthd/ssg-rhel9-oval.xml.result.xml", 0x7ffd6d8206d0, 1023) = -1 ENOENT (No such file or directory) <0.000035>
      16420 07:15:02.985552 readlink("/tmp", 0x7ffd6d8206d0, 1023) = -1 EINVAL (Invalid argument) <0.000033>
      16420 07:15:02.985667 readlink("/tmp/oscap.IeKthd", 0x7ffd6d8206d0, 1023) = -1 EINVAL (Invalid argument) <0.000034>
      16420 07:15:03.206495 readlink("/tmp", 0x7ffd6d8206d0, 1023) = -1 EINVAL (Invalid argument) <0.000073>
      16420 07:15:03.206777 readlink("/tmp/oscap.IeKthd", 0x7ffd6d8206d0, 1023) = -1 EINVAL (Invalid argument) <0.000046>
      16420 07:15:03.206897 readlink("/tmp/oscap.IeKthd/ssg-rhel9-cpe-oval.xml.result.xml", 0x7ffd6d8206d0, 1023) = -1 ENOENT (No such file or directory) <0.000042>
      16420 07:15:03.207003 readlink("/tmp", 0x7ffd6d8206d0, 1023) = -1 EINVAL (Invalid argument) <0.000027>
      16420 07:15:03.207102 readlink("/tmp/oscap.IeKthd", 0x7ffd6d8206d0, 1023) = -1 EINVAL (Invalid argument) <0.000025>
      16420 07:15:03.212096 openat(AT_FDCWD, "/tmp/oscap.IeKthd/ssg-rhel9-cpe-oval.xml.result.xml", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 7 <0.000164>
      ...
      16420 07:15:14.238677 unlink("/tmp/oscap.IeKthd/ssg-rhel9-cpe-oval.xml.result.xml") = 0 <0.000097>
      16420 07:15:14.238833 newfstatat(4, "ssg-rhel9-oval.xml.result.xml", {st_dev=makedev(0xfd, 0), st_ino=219119, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=13048, st_size=6680560, st_atime=1729253703 /* 2024-10-18T07:15:03.217927212-0500 */, st_atime_nsec=217927212, st_mtime=1729253703 /* 2024-10-18T07:15:03.443926896-0500 */, st_mtime_nsec=443926896, st_ctime=1729253703 /* 2024-10-18T07:15:03.443926896-0500 */, st_ctime_nsec=443926896}, AT_SYMLINK_NOFOLLOW) = 0 <0.000028>
      16420 07:15:14.238945 unlink("/tmp/oscap.IeKthd/ssg-rhel9-oval.xml.result.xml") = 0 <0.000513>
      16420 07:15:14.239539 getdents64(4, [], 32768) = 0 <0.000028>
      16420 07:15:14.239618 close(4)          = 0 <0.000027>
      16420 07:15:14.239702 unlink("/tmp/oscap.IeKthd") = -1 EISDIR (Is a directory) <0.000027>
      16420 07:15:14.239788 rmdir("/tmp/oscap.IeKthd") = 0 <0.000066>
      16420 07:15:14.240940 exit_group(2)     = ?
      16420 07:15:14.257234 +++ exited with 2 +++
      Attachments:
        1. report.html (254 kB)
        2. strace-stig.out (12.40 MB)

              Vojtech Polasek
              Kaitlin Gordon (Inactive)
              SSG Security QE
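Added example, not code from this report or from the scap-security-guide project: a POSIX shell check for the precondition in step 1 of the reproducer (zones whose firewalld service list does not include ssh), written against the text format of `firewall-cmd --list-all-zones`, plus the `firewall-cmd` commands that would put ssh into those zones, which is the manual intervention the report describes. The zone listing below is constructed sample data, and the function and variable names (`zones_missing_ssh`, `ssh_remediation_commands`, `SAMPLE_ZONES`) are my own.

```shell
#!/bin/sh
# Constructed sample in the shape of `firewall-cmd --list-all-zones` output
# (zone name on an unindented line, fields indented by two spaces, blank line
# between zones). This is not output from the reporter's system.
SAMPLE_ZONES='drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:

internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client
  ports:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:

work (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources:
  services: cockpit dhcpv6-client
  ports:
'

# zones_missing_ssh: read --list-all-zones text on stdin and print, one per
# line, every zone whose "services:" line does not list the ssh service.
# A zone with an empty services line (like "drop" above) is reported too.
zones_missing_ssh() {
  awk '
    # An unindented line starts a new zone; "(active)" is a suffix, so $1 is the name.
    /^[^ \t]/ { zone = $1; has_ssh = 0 }
    /^[ \t]+services:/ {
      for (i = 2; i <= NF; i++) if ($i == "ssh") has_ssh = 1
      if (!has_ssh) print zone
    }
  '
}

# ssh_remediation_commands: print (do not execute) the firewall-cmd calls
# that would allow ssh in every zone reported by zones_missing_ssh, followed
# by a reload so the permanent change becomes runtime config. Prints nothing
# when every zone already allows ssh.
ssh_remediation_commands() {
  _missing=$(zones_missing_ssh)
  [ -n "$_missing" ] || return 0
  printf '%s\n' "$_missing" | while IFS= read -r zone; do
    printf 'firewall-cmd --permanent --zone=%s --add-service=ssh\n' "$zone"
  done
  echo 'firewall-cmd --reload'
}

# Usage on a live RHEL 9 host (root, firewalld must be running, check with
# `firewall-cmd --state`):
#   firewall-cmd --list-all-zones | zones_missing_ssh
#   firewall-cmd --list-all-zones | ssh_remediation_commands | sh
```

The check deliberately prints the commands instead of running them, so the output can be reviewed (or compared with what the rule's own remediation would do) before any zone is changed; piping it to `sh` applies it.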