When remediating any of the Restrict Partition Mount Options the remediation fails in offline mode i.e. xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec. The OVAL checks the /proc/mounts which is unavailable even if the fstab file has been created.
SCAP Security Guide Version:
scap-security-guide-0.1.60-7.el8.noarch
Operating System Version:
RHEL 8.7 & RHEL 9.1
Steps to Reproduce:
Configure a blueprint with mountpoint options and oscap configuration
Build image with osbuild-composer
Actual Results:
Remediation does not run at all for this since the evaluation result is unknown:
Title: Add nodev Option to /home
Rule: xccdf_org.ssgproject.content_rule_mount_option_home_nodev
Ident: CCE-81048-1
Result: unknown
Expected Results:
Offline remediation of the /etc/fstab file
Additional Information/Debugging Steps:
Logs:
I: oscap: Evaluating definition 'oval:ssg-mount_option_home_nodev:def:1': Add nodev Option to /home.
I: oscap: Evaluating partition test 'oval:ssg-test_home_partition_nodev_optional_yes:tst:1': nodev on /home optional yes.
I: oscap: Querying partition object 'oval:ssg-object_home_partition_nodev_optional_yes:obj:1', flags: 0.
I: oscap: Creating new syschar for partition_object 'oval:ssg-object_home_partition_nodev_optional_yes:obj:1'.
I: oscap: I will run partition_probe_main:
E: oscap: Can't open /proc/mounts: errno=2, No such file or directory.
W: oscap: Can't receive message: 125, Operation canceled.
E: oscap: Recv: retry limit (0) reached.
I: oscap: Test 'oval:ssg-test_home_partition_nodev_optional_yes:tst:1' evaluated as (null).
In this case, we don't really have an alternative for the offline check. Maybe these rules will need to be performed in a different way, applying standalone remediations only for example.
evgenyz added the "offline" label (Issues or features of the content related to the OpenSCAP's 'offline' mode) on Sep 13, 2022
Ok, as I understood, the OVAL check for the mount_option_home_nodev rule, which actually uses the mount_option template, is written in a way that OpenSCAP scanner, during runtime, will use a probe which checks runtime settings by reading the /proc/mounts file.
The /proc/mounts file obviously doesn't exist in an offline system, causing the assessment to fail.
So, the way to check file system mount options in an offline system should use probes which don't rely on "pseudo-filesystems". This could be done in OVAL using the textfilecontent54_object, for example. But the runtime check is still valid for online systems. So, based on internal discussions, I agree it makes sense to have a separate rule for offline systems.
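As an added illustration, not code from this issue or from the ComplianceAsCode project, here is a Python sketch of what an fstab-based offline check and its remediation would do for a rule like mount_option_home_nodev; the /etc/fstab content is constructed sample data.

```python
# Constructed sample /etc/fstab for an image built offline (not from the issue).
SAMPLE_FSTAB = """\
# /etc/fstab
UUID=1234-abcd /      xfs  defaults          0 0
UUID=5678-ef01 /home  xfs  defaults          0 0
tmpfs          /dev/shm tmpfs defaults,nosuid 0 0
"""


def fstab_entries(text):
    """Yield (line_no, fields) for every non-comment, non-blank fstab line."""
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) >= 4:  # fs_spec, mount point, fs type, options[, dump, pass]
            yield n, fields


def mount_has_option(text, mount_point, option):
    """Offline check against fstab text instead of /proc/mounts.

    Returns True/False when an entry for mount_point exists, and None when
    there is no entry at all (the rule cannot be assessed from fstab alone).
    """
    for _, fields in fstab_entries(text):
        if fields[1] == mount_point:
            return option in fields[3].split(",")
    return None


def add_mount_option(text, mount_point, option):
    """Offline remediation: append option to the mount_point entry, idempotently.

    Lines for other mount points, comments and blank lines are left untouched;
    the edited line is re-joined with single spaces.
    """
    out = []
    for line in text.splitlines():
        fields = line.split()
        is_entry = len(fields) >= 4 and not line.lstrip().startswith("#")
        if is_entry and fields[1] == mount_point:
            opts = fields[3].split(",")
            if option not in opts:
                opts.append(option)
                fields[3] = ",".join(opts)
                line = " ".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"
```

Run on the sample, the check reports /home without nodev, the remediation adds it, and a second remediation pass is a no-op.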