
USBGuard rules fail after remediation

Open jan-cerny opened this issue 2 years ago • 10 comments

Description of problem:

Rules service_usbguard_enabled and usbguard_generate_policy fail in the Automatus profile mode in the STIG GUI profile when the Ansible remediations are used.

This problem has been discovered in the downstream test case /CoreOS/scap-security-guide/Sanity/test-profiles-ansible-remediation PCI-DSS, OSPP, STIG_GUI (GUI).

SCAP Security Guide Version:

Current upstream stabilization-v0.1.68 branch as of 2023-06-02 (HEAD b630293).

Operating System Version:

RHEL 9.2.0

Steps to Reproduce:

  1. python3 /tmp/tmp.QYu1WHUudB/rpmbuild/BUILD/scap-security-guide-0.1.68/tests/test_suite.py profile --libvirt qemu:///system test_suite_vm --datastream /tmp/ssg-rhel9-ds.xml --xccdf-id scap_org.open-scap_cref_ssg-rhel9-xccdf.xml --mode online --remediate-using ansible xccdf_org.ssgproject.content_profile_stig_gui

Actual Results:

Rules not passing after remediation:

- xccdf_org.ssgproject.content_rule_service_usbguard_enabled - fail
- xccdf_org.ssgproject.content_rule_usbguard_generate_policy - fail

Expected Results:

all rules are passed or the fail is waived

Additional Information/Debugging Steps:

no

jan-cerny avatar Jun 05 '23 08:06 jan-cerny

The usbguard_generate_policy rule is also failing in master branch as of 2023-05-03.

I found this error with the Ansible remediation

TASK [Create USBGuard Policy configuration] ************************************
fatal: [localhost]: FAILED! => {"changed": true, "cmd": ["usbguard", "generate-policy"], "delta": "0:00:00.006404", "end": "2023-06-03 05:38:29.547814", "msg": "non-zero return code", "rc": 127, "start": "2023-06-03 05:38:29.541410", "stderr": "usbguard: error while loading shared libraries: libusbguard.so.1: cannot open shared object file: Operation not permitted", "stderr_lines": ["usbguard: error while loading shared libraries: libusbguard.so.1: cannot open shared object file: Operation not permitted"], "stdout": "", "stdout_lines": []}

PLAY RECAP *********************************************************************
localhost                  : ok=3160 changed=510  unreachable=0    failed=1    skipped=1226 rescued=2    ignored=1 

marcusburghardt avatar Jun 05 '23 15:06 marcusburghardt

In Marcus's case it's the /CoreOS/scap-security-guide/Sanity/ansible-machine-hardening STIG.

jan-cerny avatar Jun 06 '23 07:06 jan-cerny

In my case (the Automatus profile mode as described in the issue description), an error has happened in the Gather the package facts sub-task in the Enable service usbguard task block. The error is fatal, so the Ansible Playbook terminates prematurely. Therefore, it doesn't complete the USBGuard service enablement and it doesn't execute the subsequent tasks at all.

Below I paste a snippet from the log file xccdf_org.ssgproject.content_profile_stig_gui-remediation.verbose.log, but I feel confused by the error messages there.

TASK [Gather the package facts] ************************************************
task path: /tmp/tmp.QYu1WHUudB/logs/profile-custom-2023-06-02-2116/xccdf_org.ssgproject.content_profile_stig_gui.yml:49907
<192.168.122.81> ESTABLISH SSH CONNECTION FOR USER: root
<192.168.122.81> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentityFile=/root/.ssh/ssg_id_ecdsa -o 'ControlPath="/root/.ansible/cp/fa767bfe3a"' 192.168.122.81 '/bin/sh -c '"'"'echo ~root && sleep 0'"'"''
<192.168.122.81> (0, b'/root\n', b'flatpak: error while loading shared libraries: libappstream-glib.so.8: cannot open shared object file: Operation not permitted\n')
<192.168.122.81> ESTABLISH SSH CONNECTION FOR USER: root
<192.168.122.81> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentityFile=/root/.ssh/ssg_id_ecdsa -o 'ControlPath="/root/.ansible/cp/fa767bfe3a"' 192.168.122.81 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1685759938.8690522-84176-143614565046805 `" && echo ansible-tmp-1685759938.8690522-84176-143614565046805="` echo /root/.ansible/tmp/ansible-tmp-1685759938.8690522-84176-143614565046805 `" ) && sleep 0'"'"''
<192.168.122.81> (0, b'ansible-tmp-1685759938.8690522-84176-143614565046805=/root/.ansible/tmp/ansible-tmp-1685759938.8690522-84176-143614565046805\n', b'flatpak: error while loading shared libraries: libappstream-glib.so.8: cannot open shared object file: Operation not permitted\n')
Using module file /usr/lib/python3.11/site-packages/ansible/modules/package_facts.py
<192.168.122.81> PUT /root/.ansible/tmp/ansible-local-58027hl5ztvd9/tmpfyhxau1_ TO /root/.ansible/tmp/ansible-tmp-1685759938.8690522-84176-143614565046805/AnsiballZ_package_facts.py
<192.168.122.81> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentityFile=/root/.ssh/ssg_id_ecdsa -o 'ControlPath="/root/.ansible/cp/fa767bfe3a"' '[192.168.122.81]'
<192.168.122.81> (0, b'sftp> put /root/.ansible/tmp/ansible-local-58027hl5ztvd9/tmpfyhxau1_ /root/.ansible/tmp/ansible-tmp-1685759938.8690522-84176-143614565046805/AnsiballZ_package_facts.py\n', b'')
<192.168.122.81> ESTABLISH SSH CONNECTION FOR USER: root
<192.168.122.81> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentityFile=/root/.ssh/ssg_id_ecdsa -o 'ControlPath="/root/.ansible/cp/fa767bfe3a"' 192.168.122.81 '/bin/sh -c '"'"'chmod u+x /root/.ansible/tmp/ansible-tmp-1685759938.8690522-84176-143614565046805/ /root/.ansible/tmp/ansible-tmp-1685759938.8690522-84176-143614565046805/AnsiballZ_package_facts.py && sleep 0'"'"''
<192.168.122.81> (0, b'', b'flatpak: error while loading shared libraries: libappstream-glib.so.8: cannot open shared object file: Operation not permitted\n')
<192.168.122.81> ESTABLISH SSH CONNECTION FOR USER: root
<192.168.122.81> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentityFile=/root/.ssh/ssg_id_ecdsa -o 'ControlPath="/root/.ansible/cp/fa767bfe3a"' -tt 192.168.122.81 '/bin/sh -c '"'"'/usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1685759938.8690522-84176-143614565046805/AnsiballZ_package_facts.py && sleep 0'"'"''
<192.168.122.81> (127, b'flatpak: error while loading shared libraries: libappstream-glib.so.8: cannot open shared object file: Operation not permitted\r\n/usr/bin/python3: error while loading shared libraries: libpython3.9.so.1.0: cannot open shared object file: Operation not permitted\r\n', b'Shared connection to 192.168.122.81 closed.\r\n')
<192.168.122.81> Failed to connect to the host via ssh: Shared connection to 192.168.122.81 closed.
<192.168.122.81> ESTABLISH SSH CONNECTION FOR USER: root
<192.168.122.81> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentityFile=/root/.ssh/ssg_id_ecdsa -o 'ControlPath="/root/.ansible/cp/fa767bfe3a"' 192.168.122.81 '/bin/sh -c '"'"'rm -f -r /root/.ansible/tmp/ansible-tmp-1685759938.8690522-84176-143614565046805/ > /dev/null 2>&1 && sleep 0'"'"''
<192.168.122.81> (0, b'', b'flatpak: error while loading shared libraries: libappstream-glib.so.8: cannot open shared object file: Operation not permitted\n')
fatal: [192.168.122.81]: FAILED! => {
    "changed": false,
    "module_stderr": "Shared connection to 192.168.122.81 closed.\r\n",
    "module_stdout": "flatpak: error while loading shared libraries: libappstream-glib.so.8: cannot open shared object file: Operation not permitted\r\n/usr/bin/python3: error while loading shared libraries: libpython3.9.so.1.0: cannot open shared object file: Operation not permitted\r\n",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 127
}

PLAY RECAP *********************************************************************
192.168.122.81             : ok=3228 changed=542  unreachable=0    failed=1    skipped=1151 rescued=2    ignored=1   

(it's from the very end of the log file)

jan-cerny avatar Jun 06 '23 07:06 jan-cerny

Are we touching permissions of shared libraries? But it's strange that it's not 100% reproducible - as /CoreOS/scap-security-guide/Sanity/ansible-machine-hardening STIG ran twice, in one run it failed but in the other one it passed. It seems it's environment-related.

mildas avatar Jun 06 '23 07:06 mildas
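A quick triage helper for the question raised above (whether library file permissions were touched). This is an added example, not code from the SSG project or from anyone in this thread. It scans Ansible verbose-log text for the glibc loader message "error while loading shared libraries" and groups the hits by binary, library and the strerror text that follows. The useful distinction is the errno: a DAC problem (file mode, ownership) on open(2) of a shared object produces EACCES, "Permission denied", whereas the messages quoted in this thread say "Operation not permitted", which is EPERM and is not what a chmod or chown on the libraries would produce. Which component returned EPERM here is not established by the thread; one well-known source of EPERM on exec/mmap of untrusted files is fapolicyd, but that is an assumption to verify on the affected host, not a finding of this issue. The sample log in the block is constructed to mirror the messages posted above.

```python
"""Triage glibc dynamic-loader failures found in an Ansible verbose log.

Added example (not from the SSG project): classify each
"error while loading shared libraries" hit by its errno text so a
DAC permission problem (EACCES) is not confused with EPERM.
"""
import re
from collections import Counter

# ld.so's message; the trailing reason is the strerror() text for the errno.
# The binary name must start a line or follow whitespace/quote, because the
# log embeds remote stderr inside Python bytes reprs like b'flatpak: ...'.
LOADER_ERR = re.compile(
    r"(?:^|(?<=[\s'\"]))(?P<binary>[^\s:'\"]+): error while loading shared libraries: "
    r"(?P<library>[^\s:]+): cannot open shared object file: "
    r"(?P<reason>[^'\"\\\n]+)",
    re.MULTILINE,
)

# strerror text -> errno and what it usually means for a shared library.
REASON_CLASS = {
    "Permission denied": "EACCES: DAC mode/ownership (or an LSM such as SELinux)",
    "Operation not permitted": "EPERM: not a file-mode problem; a policy layer refused the open/mmap",
    "No such file or directory": "ENOENT: library missing or not on the loader search path",
}


def _unescape(text):
    # Ansible prints remote stderr as a bytes repr, so newlines arrive as the
    # two-character sequences \r\n or \n; turn them into real newlines so each
    # loader message sits on its own line.
    return text.replace("\\r\\n", "\n").replace("\\n", "\n")


def parse_loader_errors(text):
    """Return one dict per loader failure found in the log text, in log order."""
    hits = []
    for m in LOADER_ERR.finditer(_unescape(text)):
        reason = m.group("reason").strip()
        hits.append({
            "binary": m.group("binary"),
            "library": m.group("library"),
            "reason": reason,
            "class": REASON_CLASS.get(reason, "unclassified errno text"),
        })
    return hits


def summarize(hits):
    """Count failures per (library, reason) so a single bad library stands out."""
    return Counter((h["library"], h["reason"]) for h in hits)


def is_dac_problem(hits):
    """True only if every failure is EACCES, i.e. chmod/chown could explain it."""
    return bool(hits) and all(h["reason"] == "Permission denied" for h in hits)


# Constructed sample modelled on the messages quoted in this thread.
SAMPLE_LOG = r"""
TASK [Create USBGuard Policy configuration] ****
fatal: [localhost]: FAILED! => {"rc": 127, "stderr": "usbguard: error while loading shared libraries: libusbguard.so.1: cannot open shared object file: Operation not permitted"}
<192.168.122.81> (0, b'/root\n', b'flatpak: error while loading shared libraries: libappstream-glib.so.8: cannot open shared object file: Operation not permitted\n')
<192.168.122.81> (127, b'flatpak: error while loading shared libraries: libappstream-glib.so.8: cannot open shared object file: Operation not permitted\r\n/usr/bin/python3: error while loading shared libraries: libpython3.9.so.1.0: cannot open shared object file: Operation not permitted\r\n', b'')
"""

if __name__ == "__main__":
    found = parse_loader_errors(SAMPLE_LOG)
    for h in found:
        print(f"{h['binary']:<18} {h['library']:<24} {h['reason']:<24} {h['class']}")
    print("DAC (chmod-fixable) problem:", is_dac_problem(found))
    for (lib, reason), n in summarize(found).most_common():
        print(f"{n}x {lib} ({reason})")
```

Run it against the real `*-remediation.verbose.log` by reading the file into `parse_loader_errors`; if `is_dac_problem` comes back False while every hit says "Operation not permitted", checking the mode bits of the libraries is the wrong next step, and the thing to inspect is whatever on the host can refuse an open or mmap with EPERM.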

I have reported this as a bug https://bugzilla.redhat.com/show_bug.cgi?id=2215932

jan-cerny avatar Jun 19 '23 12:06 jan-cerny

The bugzilla was closed with a comment. https://bugzilla.redhat.com/show_bug.cgi?id=2215932#c3

@jan-cerny can you check if the information provided is something relevant to this issue.

ggbecker avatar Sep 05 '23 14:09 ggbecker

Yes, the information provided nicely summarizes the problem.

jan-cerny avatar Sep 13 '23 07:09 jan-cerny

So, I suggest closing this issue for now if it is no longer manifesting in the last productization tests. Do you agree?

marcusburghardt avatar Sep 13 '23 08:09 marcusburghardt

@marcusburghardt Yes. :smile:

comps avatar May 03 '24 14:05 comps

> @marcusburghardt Yes. 😄

Are you also fine to close it @jan-cerny ?

marcusburghardt avatar May 29 '24 12:05 marcusburghardt