Rule service_rpcbind_disabled is failing after CIS workstation L2 kickstart installation #10901

Closed
vojtapolasek opened this issue Jul 25, 2023 · 11 comments
@vojtapolasek
Collaborator

Description of problem:

After you perform an installation of RHEL 8 with kickstart for CIS workstation level 2, the rule service_rpcbind_disabled fails during the oscap scan.

SCAP Security Guide Version:

stabilization-v0.1.69 branch as of 2023-07-20

Operating System Version:

RHEL 8

Steps to Reproduce:

  1. perform kickstart installation with kickstart for CIS workstation level 2, choose the "system with GUI" when installing
  2. examine test results provided after the installation

Actual Results:

rule service_rpcbind_disabled is reported as "fail"

Expected Results:

rule service_rpcbind_disabled is reported as "pass"

Additional Information/Debugging Steps:

@vojtapolasek vojtapolasek added the productization-issue Issue found in upstream stabilization process. label Jul 25, 2023
@vojtapolasek vojtapolasek changed the title from "rule service_rpcbind_disabled is failing after CIS workstaion L2 kickstart installation" to "rule service_rpcbind_disabled is failing after CIS workstation L2 kickstart installation" Jul 25, 2023
@marcusburghardt
Member

I don't remember where, but I think this was already discussed in the past. Maybe it is related to a dependency relationship with another package or service?

@vojtapolasek
Collaborator Author

@marcusburghardt you are probably right: #10143 might be good to read.

@marcusburghardt
Member

Maybe it was "not applicable" during the installation phase. Then fails right after the install. I wonder if it would be properly fixed if a second round of scan / remediation happens after reboot.

@vojtapolasek vojtapolasek changed the title from "rule service_rpcbind_disabled is failing after CIS workstation L2 kickstart installation" to "[affects stabilization] rule service_rpcbind_disabled is failing after CIS workstation L2 kickstart installation" Jul 26, 2023
@marcusburghardt marcusburghardt self-assigned this Jul 26, 2023
@marcusburghardt
Member

For some reason, the nfs-utils package was included in this rule by this commit: 9676acc
I already proposed a fix for this: #10907

This rule replaced the package_rpcbind_removed rule in CIS profiles for RHEL about six months ago.

However, regardless of the fix I will propose, the rule seems to be working as expected:

  • During the installation, the rpcbind package is installed to satisfy the nfs-utils dependency.
  • Right after the installation, the rpcbind service is not started but is enabled:

```
systemctl status rpcbind
● rpcbind.service - RPC Bind
   Loaded: loaded (/usr/lib/systemd/system/rpcbind.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:rpcbind(8)
```

  • It makes the rule fail after the installation.
  • But after the remediation the service is properly disabled.

It seems to be another case of rule dependencies, which can be solved with a second round of scan/remediation, as reported in this issue: OpenSCAP/openscap#1880

@mildas and @vojtapolasek , could you confirm this case, please?
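
Added example, not part of the original thread and not SCAP Security Guide code: a small script showing why the state quoted above (enabled, but inactive) fails a "service disabled" style check while nothing is running. The `verdict` function, its pass/fail logic (a simplified stand-in for the rule) and both sample inputs are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not SCAP Security Guide code): a simplified stand-in for a
# "service disabled" check, driven by `systemctl show` properties.

# verdict <KEY=VALUE lines> : prints "pass: ..." or "fail: ..."
verdict() {
    local line load="" file="" active=""
    while IFS= read -r line; do
        case ${line%%=*} in
            LoadState)     load=${line#*=} ;;
            UnitFileState) file=${line#*=} ;;
            ActiveState)   active=${line#*=} ;;
        esac
    done <<EOF
$1
EOF
    if [ "$load" = "not-found" ]; then
        echo "pass: unit not installed"
    elif [ "$active" = "active" ] || [ "$active" = "activating" ]; then
        echo "fail: unit is running (ActiveState=$active)"
    elif [ "$file" = "disabled" ] || [ "$file" = "masked" ]; then
        echo "pass: unit file state '$file' (ActiveState=$active)"
    else
        # Covers the state quoted in the thread: nothing is running yet,
        # but the unit is still enabled.
        echo "fail: unit file state '${file:-unknown}' (ActiveState=${active:-unknown})"
    fi
}

# Constructed samples: the post-install state from the quoted status output,
# and an assumed post-remediation state.
SAMPLE_AFTER_INSTALL='LoadState=loaded
UnitFileState=enabled
ActiveState=inactive'
SAMPLE_AFTER_REMEDIATION='LoadState=loaded
UnitFileState=disabled
ActiveState=inactive'

echo "after install:     $(verdict "$SAMPLE_AFTER_INSTALL")"
echo "after remediation: $(verdict "$SAMPLE_AFTER_REMEDIATION")"

# On a live systemd host, pass --live to query the real units. The socket
# unit is checked too because a disabled service can still be socket-activated.
if [ "${1:-}" = "--live" ]; then
    for unit in rpcbind.service rpcbind.socket; do
        state=$(systemctl show "$unit" -p LoadState -p UnitFileState -p ActiveState)
        echo "$unit: $(verdict "$state")"
    done
fi
```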

@vojtapolasek vojtapolasek changed the title from "[affects stabilization] rule service_rpcbind_disabled is failing after CIS workstation L2 kickstart installation" to "Rule service_rpcbind_disabled is failing after CIS workstation L2 kickstart installation" Aug 4, 2023
@marcusburghardt
Member

Still present in last productization review.

@vojtapolasek
Collaborator Author

I can confirm that the problem can be solved by one more remediation after the installation.

@marcusburghardt
Member

marcusburghardt commented Aug 11, 2023

Great. So we can update the waivers and close this issue. I will work on this. Thanks for the confirmation @vojtapolasek

@vojtapolasek
Collaborator Author

RHSecurityCompliance/contest#55

mildas pushed a commit to RHSecurityCompliance/contest that referenced this issue Aug 15, 2023
@vojtapolasek
Collaborator Author

vojtapolasek commented Aug 15, 2023

It manifested also during the latest stabilization with kickstart installation of cis_ws_l1 and cis_ws_l2.

@marcusburghardt
Member

RHSecurityCompliance/contest#55 was merged yesterday. It should be good for the next round of tests.

@marcusburghardt
Member

It is no longer present in last productization tests. FYI @mildas @comps
