Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rule configure_bashrc_tmux is misaligned with DISA #9309

Closed
jan-cerny opened this issue Aug 8, 2022 · 5 comments · Fixed by #10472
Closed

Rule configure_bashrc_tmux is misaligned with DISA #9309

jan-cerny opened this issue Aug 8, 2022 · 5 comments · Fixed by #10472
Assignees
@vojtapolasek
Labels
blocked Issue that can't be fixed in content. productization-issue Issue found in upstream stabilization process. RHEL8 Red Hat Enterprise Linux 8 product related.

Comments

@jan-cerny
Copy link
Collaborator

jan-cerny commented Aug 8, 2022
edited by yuumasato
Loading

Description of problem:

Rule xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux is misaligned with rule xccdf_mil.disa.stig_rule_SV-230349r833388_rule from the DISA content in disa-stig-rhel8-v1r6-xccdf-scap.xml.

SCAP Security Guide Version:

current upstream as of 2022-08-06 as of HEAD 61b8f59

Operating System Version:

RHEL 8

Steps to Reproduce:

  1. evaluate RHEL 8 STIG profile
  2. evaluate disa-stig-rhel8-v1r6-xccdf-scap.xml

Actual Results:

xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux: pass
xccdf_mil.disa.stig_rule_SV-230349r833388_rule: fail

Expected Results:

both rules are same

Additional Information/Debugging Steps:

This problem occurs also with the "STIG with GUI" profile.

Update:

As of RHEL8 STIG V1R9 (automated content V1R8), we moved from configure_bashrc_exec_tmux to configure_bashrc_tmux which stopped invoking tmux witn exec.
But the same typo misalignment on (sshd|login) still persists.
@jan-cerny jan-cerny added the productization-issue Issue found in upstream stabilization process. label Aug 8, 2022
@ggbecker
Copy link
Member

ggbecker commented Aug 8, 2022

If I'm not mistaken there was an issue on DISA's SCAP content:

          <path>/etc/profile.d</path>
          <filename operation="pattern match">\.sh$</filename>
          <pattern operation="pattern match">^\s*if\s+\[\s*"\$PS1"\s*\];\s+then\s+parent=\$\(ps\s+-o\s+ppid=\s+-p\s+\$\$\)\s+name=\$\(ps\s+-o\s+comm=\s+-p\s+\$parent\)\s+case\s+"\$name"\s+in\s+\(sshd\|login\)\s+exec\s+tmux\s+;;\s+esac\s+fi\s*$</pattern>
          <instance datatype="int" operation="greater than or equal">1</instance>

 --git a/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml
index 1bd2fb7b65..98824cca23 100644
--- a/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml
+++ b/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml
@@ -15843,7 +15843,7 @@ The sysctl --system command will load settings from all system configuration fil
         <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:19400" version="7">
           <path>/etc/profile.d</path>
           <filename operation="pattern match">\.sh$</filename>
-          <pattern operation="pattern match">^\s*if\s+\[\s*"\$PS1"\s*\];\s+then\s+parent=\$\(ps\s+-o\s+ppid=\s+-p\s+\$\$\)\s+name=\$\(ps\s+-o\s+comm=\s+-p\s+\$parent\)\s+case\s+"\$name"\s+in\s+\(sshd\|login\)\s+exec\s+tmux\s+;;\s+esac\s+fi\s*$</pattern>
+          <pattern operation="pattern match">^\s*if\s+\[\s*"\$PS1"\s*\];\s+then\s+parent=\$\(ps\s+-o\s+ppid=\s+-p\s+\$\$\)\s+name=\$\(ps\s+-o\s+comm=\s+-p\s+\$parent\)\s+case\s+"\$name"\s+in\s+sshd\|login\)\s+exec\s+tmux\s+;;\s+esac\s+fi\s*$</pattern>
           <instance datatype="int" operation="greater than or equal">1</instance>
         </textfilecontent54_object>
         <process58_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:19401" version="2">

RHEL-08-020041 (SV-230349r810020_rule)
There is a syntax error in the bash switch case, there should not be an opening parenthesis.

We have sent them a request to fix this.

@jan-cerny jan-cerny added the RHEL8 Red Hat Enterprise Linux 8 product related. label Aug 9, 2022
@ggbecker ggbecker added the blocked Issue that can't be fixed in content. label Sep 16, 2022
@ggbecker
Copy link
Member

This issue can't be fixed on our side, DISA needs to update their content.

@yuumasato
Copy link
Member

A patch for this was already sent their way a few months ago...

@vojtapolasek vojtapolasek self-assigned this Jan 23, 2023
@yuumasato
Copy link
Member

As of disa-stig-rhel8-v1r8-xccdf-scap.xml, this has not been fixed yet.

@yuumasato
Copy link
Member

As part of the V1R9 STIG update, RHEL-08-020041 now uses configure_bashrc_tmux, but the typo in DISA's automated content persists.
Ref: #10100

@yuumasato yuumasato changed the title Rule configure_bashrc_exec_tmux is misaligned with DISA Rule configure_bashrc_tmux is misaligned with DISA Jan 30, 2023
@ggbecker ggbecker mentioned this issue Apr 19, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vojtapolasek vojtapolasek

Labels
blocked Issue that can't be fixed in content. productization-issue Issue found in upstream stabilization process. RHEL8 Red Hat Enterprise Linux 8 product related.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use opening parenthesis in the switch case condition of RHEL-08-020041 ggbecker/content
4 participants
@vojtapolasek @yuumasato @jan-cerny @ggbecker