SCAP scan fails for RHEL-07-040160 (TMOUT) #397

Closed
danbarr opened this issue Jan 12, 2022 · 1 comment · Fixed by #399
danbarr commented Jan 12, 2022

Describe the Issue
A SCAP scan fails on STIG ID RHEL-07-040160. The issue is that the STIG check text looks specifically for the syntax declare -xr TMOUT=900 in /etc/profile.d/tmout.sh, but the task doesn't use "declare"; instead, it sets the variable and then uses readonly and export separately.

The end result is functional / as intended; it just doesn't match the check in the DISA SCAP file for v3r5.

Expected Behavior
Rule should pass a scan.

Actual Behavior
Rule fails the scan because the expected syntax is not found.

Environment
Scanned using SCC 5.4.2 using U_RHEL_7_V3R5_STIG_SCAP_1-2_Benchmark.xml

Control(s) Affected
RHEL-07-040160

Possible Solution
Update fix-cat2.yml:

RHEL7-STIG/tasks/fix-cat2.yml

Lines 2806 to 2810 in 7eb9d55

      block: |
        # Set session timeout - STIG ID RHEL-07-040160
        TMOUT={{ rhel7stig_shell_session_timeout.timeout }}
        readonly TMOUT
        export TMOUT

With:

      block: |
        # Set session timeout - STIG ID RHEL-07-040160
        declare -xr TMOUT={{ rhel7stig_shell_session_timeout.timeout }}
@danbarr danbarr added the bug label Jan 12, 2022
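
The mismatch the issue describes, as an added example that is not part of the thread or the role's code: both snippets leave TMOUT read-only and exported, but a text-matching check passes only the `declare -xr` form. `CHECK_PATTERN` is a constructed stand-in (the benchmark's actual pattern is not shown here), 900 stands in for the templated timeout, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Constructed snippets: 900 stands in for the templated timeout value.
OLD_FORM='TMOUT=900
readonly TMOUT
export TMOUT'
NEW_FORM='declare -xr TMOUT=900'

# ASSUMPTION: stand-in for a text-matching scanner check; the benchmark's
# real pattern is not shown in the issue.
CHECK_PATTERN='^[[:space:]]*declare[[:space:]]+-xr[[:space:]]+TMOUT=900[[:space:]]*$'

# Text check: is the expected syntax present in the file content?
text_check() {
    printf '%s\n' "$1" | grep -Eq "$CHECK_PATTERN"
}

# Run the snippet in a clean, non-interactive bash and print how bash
# itself records TMOUT afterwards (attributes and value).
effective_attrs() {
    bash --noprofile --norc -c "$1
declare -p TMOUT" 2>/dev/null
}

# Behavioural check: TMOUT must end up read-only (r), exported (x), and 900.
is_readonly_exported() {
    out=$(effective_attrs "$1") || return 1
    flags=${out#declare -}
    flags=${flags%% *}
    case "$flags" in *r*) ;; *) return 1 ;; esac
    case "$flags" in *x*) ;; *) return 1 ;; esac
    [ "${out#*TMOUT=}" = '"900"' ]
}

# Print both verdicts side by side for one snippet.
report() {
    if text_check "$2"; then t=PASS; else t=FAIL; fi
    if is_readonly_exported "$2"; then e=yes; else e=no; fi
    printf '%-24s text check: %-4s  readonly+exported: %s\n' "$1" "$t" "$e"
}

report 'assign/readonly/export' "$OLD_FORM"
report 'declare -xr' "$NEW_FORM"
```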
uk-bolly added a commit that referenced this issue Jan 25, 2022
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
Member

hi @danbarr

Thanks as always for the feedback and #398. As you know, feedback and details like these help immensely to improve these benchmarks.

Should be merged by the end of the month.

uk-bolly

@uk-bolly uk-bolly self-assigned this Jan 25, 2022
@uk-bolly uk-bolly linked a pull request Jan 25, 2022 that will close this issue
georgenalen added a commit that referenced this issue Mar 2, 2022
* Issue #397 updated thanks to danbarr

* Issue #398 updated thanks to danbarr

* STIG Benchmark version 3 release 6 updates

* added UID facts

* added tags to uid facts

* added auditd handlers

* auditd now template

* added collections requirements

* Issue #400 updated thanks to danbarr

* added missing deps

* tidyup layout

* updated workflows

* updates to pipelines

* added tag to audit

* updated tags

* updated README layout and added join us

* updated Discord reference in README

* updated pipeline info in README

Signed-off-by: George Nalen <georgen@mindpointgroup.com>