
CIS Workstation L2 profile produces unexpected notapplicable results #10896

Closed
jan-cerny opened this issue Jul 24, 2023 · 7 comments
Labels
CIS CIS Benchmark related. RHEL8 Red Hat Enterprise Linux 8 product related.

Comments

@jan-cerny (Collaborator)

Description of problem:

During review of the productization test run we have found that in test /CoreOS/scap-security-guide/Sanity/ssg-kickstarts for CIS Workstation Level 2 (GUI) some rules return unexpected notapplicable results.

SCAP Security Guide Version:

current upstream master branch as of 2023-07-21, HEAD a96ccb9

Operating System Version:

RHEL 8

Steps to Reproduce:

  1. Performed a kickstart installation of the cis_workstation_l2 profile and ran a scan afterwards

Actual Results:

There are unexpected "notapplicable" results:
xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg - notapplicable
xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg - notapplicable
xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg - notapplicable
xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg - notapplicable
xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg - notapplicable
xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg - notapplicable
xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule - notapplicable
xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled - notapplicable

Expected Results:

No unexpected notapplicable results.

Additional Information/Debugging Steps:

No

@jan-cerny jan-cerny added productization-issue Issue found in upstream stabilization process. RHEL8 Red Hat Enterprise Linux 8 product related. CIS CIS Benchmark related. labels Jul 24, 2023
@marcusburghardt (Member)

Regarding xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule - notapplicable, this should be the relevant commit: 7172933
There is discussion related to this also in this PR: #10812

The other rules seem to be expected. Is the test VM in fact using uefi?

@teacup-on-rockingchair (Contributor)

> Regarding xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule - notapplicable, this should be the relevant commit: 7172933. There is discussion related to this also in this PR: #10812
>
> The other rules seem to be expected. Is the test VM in fact using uefi?

I would argue that set_ip6tables_default_rule is also normal to be not applicable if the system is using nftables or ufw and not iptables, as the platform limitation suggests: not package[nftables] and not package[ufw] and package[iptables]. What is the configuration, regarding firewall modules, on the system where you see those results?

@marcusburghardt (Member) commented Aug 21, 2023

I will analyze each case of this issue.

@mildas (Contributor) commented Aug 21, 2023

notapplicable results are not causing productization failure and thus it's not a productization issue.

@marcusburghardt In case any of the notapplicable results is not expected, please create a separate issue for every such rule. Then close this issue, to not discuss several different rules in one issue. That wouldn't be transparent. Thank you

@mildas mildas removed the productization-issue Issue found in upstream stabilization process. label Aug 21, 2023
@marcusburghardt (Member)

I confirmed all efi related rules are working as expected. They result in notapplicable when the system indeed does not use UEFI.

I manually tested the rule in a system using UEFI and it worked as expected:

sudo oscap xccdf eval --profile ospp --rule xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg --results-arf /tmp/arf.xml --report /tmp/report.html --oval-results /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 
--- Starting Evaluation ---

Title   Verify the UEFI Boot Loader grub.cfg Group Ownership
Rule    xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
Result  pass

From the description, now only these two rules are pending investigation:

  • xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule - notapplicable
  • xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled - notapplicable

@marcusburghardt (Member)

postfix_network_listening_disabled is also working as expected:

# rpm -q postfix
package postfix is not installed

# oscap xccdf eval --profile ospp --rule xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled --results-arf /tmp/arf.xml --report /tmp/report.html --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 
--- Starting Evaluation ---

Title   Disable Postfix Network Listening
Rule    xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled
Ident   CCE-82174-4
Result  notapplicable

# dnf install -y postfix
...

# oscap xccdf eval --profile ospp --rule xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled --results-arf /tmp/arf.xml --report /tmp/report.html --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 

--- Starting Evaluation ---

Title   Disable Postfix Network Listening
Rule    xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled
Ident   CCE-82174-4
Result  pass

@marcusburghardt (Member)

There are some issues with the ip6tables_default_rule rule and a new specific issue was created: #11054
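The thread's triage boils down to one question per notapplicable rule: does the rule's platform condition (UEFI in use, which firewall package is installed, whether postfix is installed) actually hold on the scanned host? If it does not, notapplicable is the correct result; if it does, the result needs a separate issue. The script below is an added example, not ComplianceAsCode or OpenSCAP code: it reads the rule-result entries from an XCCDF TestResult, evaluates a simplified model of the platform mini-language quoted in the thread (atoms `package[name]` and `uefi`, with `and`/`or`/`not` and parentheses) against host facts, and labels each notapplicable result as expected or unexpected. The sample TestResult, the `uefi` atom and the platform expressions for the EFI and postfix rules are constructed assumptions for illustration; only the ip6tables expression is the one quoted in the thread.

```python
"""Triage notapplicable XCCDF results against a host's platform facts.

Added example; not part of ComplianceAsCode/OpenSCAP. The platform
expression grammar here is a simplified stand-in for the project's own.
"""
import os
import re
import subprocess
import xml.etree.ElementTree as ET

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed sample of an XCCDF <TestResult>; not real oscap output.
SAMPLE_RESULTS = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_sample">
  <rule-result idref="xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow"><result>pass</result></rule-result>
</TestResult>"""

# Assumed rule -> platform mapping. The ip6tables expression is the one
# quoted in the issue; "uefi" and "package[postfix]" are assumptions.
RULE_PLATFORMS = {
    "xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg": "uefi",
    "xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule":
        "not package[nftables] and not package[ufw] and package[iptables]",
    "xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled": "package[postfix]",
}

TOKEN_RE = re.compile(r"\(|\)|package\[[^\]]+\]|[A-Za-z_][A-Za-z0-9_]*")


def tokenize(expr):
    """Split a platform expression into tokens; reject anything unrecognised."""
    tokens = TOKEN_RE.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError(f"unparseable platform expression: {expr!r}")
    return tokens


class PlatformEvaluator:
    """Recursive-descent evaluator: expr := term ('or' term)*;
    term := factor ('and' factor)*; factor := 'not' factor | '(' expr ')' | atom.
    facts = {"packages": set of installed package names, "uefi": bool}."""

    def __init__(self, expr, facts):
        self.tokens, self.pos, self.facts = tokenize(expr), 0, facts

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def evaluate(self):
        value = self.expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return value

    def expr(self):
        value = self.term()
        while self.peek() == "or":
            self.take()
            rhs = self.term()          # always consume the right side
            value = value or rhs
        return value

    def term(self):
        value = self.factor()
        while self.peek() == "and":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of expression")
        if tok == "not":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok.startswith("package["):
            return tok[len("package["):-1] in self.facts["packages"]
        if tok == "uefi":
            return bool(self.facts["uefi"])
        raise ValueError(f"unknown platform atom {tok!r}")


def notapplicable_rules(results_xml):
    """Return the idrefs of all rule-results whose result is notapplicable."""
    root = ET.fromstring(results_xml)
    return [rr.get("idref") for rr in root.iter(XCCDF_NS + "rule-result")
            if rr.findtext(XCCDF_NS + "result") == "notapplicable"]


def triage(results_xml, rule_platforms, facts):
    """Map each notapplicable rule to 'expected' (platform false on this host),
    'unexpected' (platform true, so the result deserves an issue) or 'unknown'."""
    verdicts = {}
    for rule in notapplicable_rules(results_xml):
        expr = rule_platforms.get(rule)
        if expr is None:
            verdicts[rule] = "unknown"
            continue
        verdicts[rule] = "unexpected" if PlatformEvaluator(expr, facts).evaluate() else "expected"
    return verdicts


def gather_host_facts(packages=("nftables", "ufw", "iptables", "postfix")):
    """Collect the facts from the live host: UEFI via /sys/firmware/efi, packages via rpm -q."""
    installed = set()
    for pkg in packages:
        try:
            if subprocess.run(["rpm", "-q", pkg], capture_output=True).returncode == 0:
                installed.add(pkg)
        except FileNotFoundError:      # not an rpm-based host
            break
    return {"packages": installed, "uefi": os.path.isdir("/sys/firmware/efi")}


if __name__ == "__main__":
    # A BIOS VM with nftables and no postfix: every notapplicable is expected.
    bios_vm = {"packages": {"nftables"}, "uefi": False}
    for rule, verdict in triage(SAMPLE_RESULTS, RULE_PLATFORMS, bios_vm).items():
        print(f"{verdict:10s} {rule}")
```

To triage a real scan, replace `SAMPLE_RESULTS` with the TestResult extracted from the ARF or XCCDF results file and pass `gather_host_facts()` as the facts; anything reported as "unexpected" is a candidate for its own issue, as the maintainers asked for in this thread.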
