
Test nullok_commented.pass.sh fails

Open jan-cerny opened this issue 3 years ago • 2 comments

Description of problem:

Test nullok_commented.pass.sh fails in Automatúš's combined mode with the OSPP and PCI-DSS profiles on RHEL 7. It fails in both the Ansible and the Bash remediation runs.

SCAP Security Guide Version:

current upstream as of 2022-08-06 as of HEAD https://github.com/ComplianceAsCode/content/commit/61b8f59e05e7a63267e22f3a44ff2b98de822ec0

Operating System Version:

RHEL 7.9

Steps to Reproduce:

Bash:

  1. python3 /tmp/tmp.xjsP60lIan/rpmbuild/BUILD/scap-security-guide-0.1.64/tests/test_suite.py combined --slice 2 3 --libvirt qemu:///system test_suite_vm --datastream /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml --mode online --remediate-using bash --duplicate-templates --no-reports xccdf_org.ssgproject.content_profile_ospp

Ansible:

  1. python3 /tmp/tmp.xjsP60lIan/rpmbuild/BUILD/scap-security-guide-0.1.64/tests/test_suite.py combined --slice 2 3 --libvirt qemu:///system test_suite_vm --datastream /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml --mode online --remediate-using ansible --duplicate-templates --no-reports xccdf_org.ssgproject.content_profile_ospp

Also, you can reproduce this with the xccdf_org.ssgproject.content_profile_pci-dss profile, again with both Bash and Ansible.

Moreover, the same "Actual results" have been encountered in rule mode: python3 /tmp/tmp.4e4scJ7C6v/rpmbuild/BUILD/scap-security-guide-0.1.64/tests/test_suite.py rule --libvirt qemu:///system test_suite_vm --datastream /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml --mode online --remediate-using bash --duplicate-templates --no-reports audit_rules_privileged_commands selinux_all_devicefiles_labeled mount_option_nodev_removable_partitions mount_option_noexec_removable_partitions mount_option_nosuid_removable_partitions selinux_policytype sshd_set_idle_timeout use_pam_wheel_for_su grub2_admin_username grub2_uefi_password selinux_state sshd_rekey_limit kernel_trust_cpu_rng package_rsyslog_installed gnome_gdm_disable_xdmcp auditd_audispd_syslog_plugin_activated no_shelllogin_for_systemaccounts ensure_redhat_gpgkey_installed accounts_user_interactive_home_directory_exists file_groupownership_home_directories file_permissions_home_directories chronyd_or_ntpd_set_maxpoll file_permissions_sshd_private_key accounts_passwords_pam_faillock_deny accounts_passwords_pam_faillock_deny_root accounts_passwords_pam_faillock_interval accounts_passwords_pam_faillock_unlock_time accounts_password_pam_unix_remember no_empty_passwords display_login_attempts accounts_password_pam_pwhistory_remember_system_auth accounts_password_pam_pwhistory_remember_password_auth configure_firewalld_rate_limiting file_ownership_home_directories

Actual Results:

...
INFO - xccdf_org.ssgproject.content_rule_no_empty_passwords
INFO - Script no_nullok.pass.sh using profile (all) OK
ERROR - Script nullok_commented.pass.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in fail, instead of expected pass during initial stage 
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords'.
INFO - Script nullok_present.fail.sh using profile (all) OK
INFO - Script nullok_present_password_auth.fail.sh using profile (all) OK
...

Expected Results:

test scenarios pass

Additional Information/Debugging Steps:

Also, check whether this is related: https://github.com/ComplianceAsCode/content/issues/9313

jan-cerny avatar Aug 09 '22 11:08 jan-cerny

You can simplify it and reproduce it also locally. I used current upstream as of HEAD 6d3b9eacc390af0a29ed93fa9fd1e073beaadcf6:

[jcerny@thinkpad scap-security-guide{master}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel7 no_empty_passwords
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2022-08-09-1704/test_suite.log
WARNING - Script authselect_modified_pam.fail.sh is not applicable on given platform
WARNING - Script authselect_nullok_absent.pass.sh is not applicable on given platform
WARNING - Script authselect_nullok_present.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_no_empty_passwords
INFO - Script no_nullok.pass.sh using profile (all) OK
ERROR - Script nullok_commented.pass.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in fail, instead of expected pass during initial stage 
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords'.
INFO - Script nullok_present.fail.sh using profile (all) OK
INFO - Script nullok_present_password_auth.fail.sh using profile (all) OK

jan-cerny avatar Aug 09 '22 15:08 jan-cerny

It can be related to the fact that on RHEL 7 the files are symlinks:

[root@ci-vm-10-0-138-57 ~]# ls -al /etc/pam.d/system-auth
lrwxrwxrwx. 1 root root 14 Jun  8 04:29 /etc/pam.d/system-auth -> system-auth-ac
[root@ci-vm-10-0-138-57 ~]# ls -al /etc/pam.d/password-auth
lrwxrwxrwx. 1 root root 16 Jun  8 04:29 /etc/pam.d/password-auth -> password-auth-ac

jan-cerny avatar Aug 09 '22 15:08 jan-cerny
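The symlink observation above, turned into a standalone check (an added example, not code from the ComplianceAsCode project or from the issue author): it follows the symlink to the real PAM file and reports "fail" only when a non-commented pam_unix line still carries nullok, so a commented-out nullok passes as the nullok_commented scenario expects. The file layout and PAM lines in the demo are constructed here.

```shell
# Added example; not part of the ComplianceAsCode content or the issue.
# check_nullok <pam-file>: resolve symlinks (system-auth -> system-auth-ac on
# RHEL 7), drop comments, and report whether an active pam_unix line still
# has "nullok". Prints "pass"/"fail" and returns 0/1 (2 on usage error).
check_nullok() {
    pam_file=$1
    # Inspect the symlink target, not the link itself.
    target=$(readlink -f "$pam_file") || return 2
    [ -r "$target" ] || { echo "fail"; return 1; }
    # Strip everything from '#' to end of line, then look for nullok as a
    # whole token on a pam_unix.so line.
    if sed 's/#.*$//' "$target" \
        | grep -Eq 'pam_unix\.so.*(^|[[:space:]])nullok([[:space:]]|$)'; then
        echo "fail"
        return 1
    fi
    echo "pass"
    return 0
}

# demo_scenario <auth-line>: build a constructed system-auth-ac containing the
# given auth line plus an ordinary password line, point a system-auth symlink
# at it (mirroring the RHEL 7 layout), and run check_nullok through the link.
demo_scenario() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' "$1" \
        'password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok' \
        > "$tmp/system-auth-ac"
    ln -s system-auth-ac "$tmp/system-auth"
    if check_nullok "$tmp/system-auth"; then rc=0; else rc=$?; fi
    rm -rf "$tmp"
    return $rc
}

# Commented nullok (the nullok_commented.pass.sh case) must pass;
# an active nullok (the nullok_present.fail.sh case) must fail.
demo_scenario '# auth sufficient pam_unix.so nullok try_first_pass' || true
demo_scenario 'auth        sufficient    pam_unix.so nullok try_first_pass' || true
```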