content icon indicating copy to clipboard operation
content copied to clipboard

Published 20 hours ago verified publisher icon ComplianceAsCode

ubuntu 20.04 and 18.04 error validate service enable and run auditd, rsyslog, cron and systemd-timesyncd

Open rudy500 opened this issue 3 years ago • 8 comments

Description of Problem: reviewing the execution of the review process with XCCDF our recently installed Ubuntu 20.04 and 18.04 servers we identified that the probe_systemdunitproperty validation process fails when trying to validate if the time, audit and rsyslog services.

The services are installed and in a running state, the recommendations were applied as expressed in the manual and in the recommendations (creation of the shell file). We review the file ssg-ubuntu2004-ds-1.2.xml and ssg-ubuntu2004-ds.xml, we identify and repair some errors in the description of the services, however the problem persists, when reviewing the output xml files we identify that the probe_systemdunitproperty process does not is able to retrieve the values for runlevel in these services being that they are in active mode

SCAP Security Guide Version: 0.1.55

Operating System Version: ubuntu 18.04 and ubuntu 20.04

  1. oscap xccdf eval --datastream-id scap_org.open-scap_datastream_from_xccdf_ssg-ubuntu2004-xccdf-1.2.xml --xccdf-id scap_org.open-scap_cref_ssg-ubuntu2004-xccdf-1.2.xml --profile xccdf_org.ssgproject.content_profile_standard --oval-results --results /tmp/xccdf-results.xml --results-arf /tmp/arf.xml --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml
  2. review rule xccdf_org.ssgproject.content_rule_service_timesyncd_enabled
  3. review oval:ssg-service_ntpd_enabled

Actual Results:

failed and error

Expected Results:

pass and passed

Additional Information / Debugging Steps:

rudy500 avatar Apr 16 '21 00:04 rudy500

Seeing same results as well with Ubuntu 18.04 and 20.04

anothermerge avatar Apr 20 '22 17:04 anothermerge

This also seems to affect Debian 11.

anothermerge avatar May 10 '22 12:05 anothermerge

The name of the service should probably be validated:

https://github.com/ComplianceAsCode/content/blob/3f22075c6c6f073921bf849a56ffbdddbf8f4ab4/linux_os/guide/services/ntp/service_timesyncd_enabled/rule.yml#L41-L46

https://github.com/ComplianceAsCode/content/blob/3f22075c6c6f073921bf849a56ffbdddbf8f4ab4/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml#L42-L46

If you can please check the service name and package name for those services in ubuntu18.04 and ubuntu20.04 and then make changes accordingly.

ggbecker avatar Aug 29 '22 12:08 ggbecker

@ggbecker In Ubuntu 18.04/20.04 and Debian 11 the ntp service is called ntp(not ntpd).

The service for cron is cron, and the service for rsyslog is rsyslog.

anothermerge avatar Aug 29 '22 12:08 anothermerge

@dodys maybe those services need the @ubuntu2004 @ubuntu1804 modifiers in the template data. Feel free to implement these.

ggbecker avatar Aug 31 '22 10:08 ggbecker

Thanks, I will take a look at it.

dodys avatar Sep 01 '22 14:09 dodys

I just played with the standard profile on 20.04 and I have doubts:

  1. The standard profile doesn't have service_ntpd_enabled, or any ntp rule for that matter. So why are you even getting results from it?
  2. We don't use service_ntpd_enabled, and instead we use service_ntp_enabled: https://github.com/ComplianceAsCode/content/blob/3f22075c6c6f073921bf849a56ffbdddbf8f4ab4/linux_os/guide/services/ntp/service_ntp_enabled/rule.yml#L39-L42 You can see it being used in cis_level1_server.profile for example.
  3. I also don't see issues with service_timesyncd_enabled. That's the correct service name and the rule passes for me. Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)

I didn't try on 18.04, but I believe it will be just the same, as the service name is correct and service_ntpd_enabled is not in the standard profile.

dodys avatar Sep 14 '22 11:09 dodys

This also seems to affect Debian 11.

If you see issues with Debian 11, feel free to propose fixes. But so far I think it will fall to the same as described above and the debian 11 standard profile does use the service_ntp_enabled which has the correct service name

dodys avatar Sep 14 '22 11:09 dodys

Sorry, just now coming back to this. We disabled the checks on the Ubuntu systems because it was failing. I have to turn them back on to test those. But looking at the Debian 11 ones(which the customization doesn't work on, so we can't disable those checks or any others...). I see it claiming that the rsyslog, cron, and ntp services are all a fail. The remedy is to turn them on with systemctl, but I verified that they are both running and enabled to run in systemd. I'm not sure where the breakdown happens, I think you are correct that it isn't a service name mismatch, but something is not working right.

anothermerge avatar Nov 17 '22 14:11 anothermerge

Just an update, I was apparently using the OVAL 5.10 files before. Now with the latest update, I am using the correct ones(Guessing OVAL 5.11 or something?) and these checks work as expected. I do still have an issue with Debian not respecting the tailoring file, but I can open another ticket for that.

Thanks

anothermerge avatar Dec 13 '22 17:12 anothermerge

I'm closing this issue then. If you find any new issues, please open a new ticket and add more information to help investigate. Thanks!

dodys avatar Dec 16 '22 19:12 dodys