accounts_umask_etc_bashrc is misaligned with RHEL 9 STIG #11937

Closed
vojtapolasek opened this issue May 3, 2024 · 4 comments · Fixed by #11946
@vojtapolasek
Collaborator

vojtapolasek commented May 3, 2024

Description of problem:

The rule accounts_umask_etc_bashrc is misaligned with its DISA counterpart.
The STIG is https://stigaview.com/products/rhel9/v1r3/RHEL-09-412055/
After remediating RHEL 9 with the STIG Ansible playbook provided by the content repo and then using oscap to perform a scan, the rule from the content repo is reported as "pass", while the rule within the SCAP file provided by DISA is reported as "fail".
The rule ID in the DISA file is xccdf_mil.disa.stig_rule_SV-258072r926203_rule.

SCAP Security Guide Version:

stabilization-v0.1.73, commit 0b096bc

External Content's Version:

DISA SCAP version is v1r1.

@vojtapolasek vojtapolasek added productization-issue Issue found in upstream stabilization process. RHEL9 Red Hat Enterprise Linux 9 product related. STIG STIG Benchmark related. labels May 3, 2024
@vojtapolasek vojtapolasek added this to the 0.1.73 milestone May 3, 2024
@jan-cerny
Collaborator

We had a similar issue lately: #11700 and it's marked as fixed by #11822.

@jan-cerny
Collaborator

I have found in the test logs in the ARF results that the Playbook creates this:

    [ `umask` -eq 0 ] && umask 027022

and the OVAL check accepts this as passing the rule.

@vojtapolasek
Collaborator Author

Wow, that does not look like a valid command, especially the second umask, right?

@jan-cerny jan-cerny self-assigned this May 6, 2024
@jan-cerny
Collaborator

Yes, you're correct, the umask here isn't valid; there should be just three digits after the umask.

jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this issue May 6, 2024
Fix accounts_umask_etc_bashrc content misalignment with RHEL 9 DISA STIG.

- Only valid umask values (3-digits) will match in OVAL
- Do not concatenate original value with the new value in Ansible
  remediation
- Add a regression test for ComplianceAsCode#11937
- Fix bash quoting in test scenario

Fixes: ComplianceAsCode#11937
jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this issue May 7, 2024
jan-cerny added a commit to jan-cerny/contest that referenced this issue May 7, 2024
jan-cerny added a commit to jan-cerny/contest that referenced this issue May 9, 2024
comps pushed a commit to RHSecurityCompliance/contest that referenced this issue May 9, 2024
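
The failure discussed in this thread, shown as an added example that is not the project's OVAL check or Ansible remediation: an unanchored pattern accepts the concatenated `umask 027022` line, while a whole-token comparison against a three-digit value rejects it. The function names, the simplified tokenizer and the expected value `027` (inferred from the quoted line) are assumptions.

```shell
#!/bin/sh
# Added example: not the project's OVAL check or Ansible remediation.

# umask_values FILE: print the argument of every umask command in FILE.
# Simplified tokenizer: drops '#' comments, splits on blanks and ; & |,
# and does not understand quoting.
umask_values() {
    awk '{
        sub(/#.*/, "")
        n = split($0, tok, /[ \t;&|]+/)
        for (i = 1; i < n; i++)
            if (tok[i] == "umask" && tok[i + 1] != "") print tok[i + 1]
    }' "$1"
}

# lax_check FILE EXPECTED: the failure mode from the thread. An unanchored
# search is satisfied by any value that merely starts with EXPECTED.
lax_check() {
    grep -Eq "umask[[:space:]]+$2" "$1"
}

# strict_check FILE EXPECTED: pass only if FILE sets umask at least once and
# every value is exactly EXPECTED, which must itself be three octal digits.
strict_check() {
    case $2 in
        [0-7][0-7][0-7]) ;;
        *) return 2 ;;
    esac
    values=$(umask_values "$1")
    [ -n "$values" ] || return 1
    set -f                       # values are data, never glob patterns
    for value in $values; do
        [ "$value" = "$2" ] || { set +f; return 1; }
    done
    set +f
}

# Constructed samples: the line quoted in the thread, then the same line
# with a three-digit value.
demo_dir=$(mktemp -d)
printf '%s\n' '    [ `umask` -eq 0 ] && umask 027022' > "$demo_dir/broken"
printf '%s\n' '    [ `umask` -eq 0 ] && umask 027' > "$demo_dir/fixed"
for f in broken fixed; do
    lax_check "$demo_dir/$f" 027 && lax=pass || lax=fail
    strict_check "$demo_dir/$f" 027 && strict=pass || strict=fail
    echo "$f: lax=$lax strict=$strict"
done
rm -rf "$demo_dir"
```
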