content icon indicating copy to clipboard operation
content copied to clipboard
verified publisher icon ComplianceAsCode

Rule sysctl_net_ipv4_conf_all_forwarding fails after Ansible remediation

Open jan-cerny opened this issue 3 years ago • 9 comments

Description of problem:

Rule sysctl_net_ipv4_conf_all_forwarding fails after Ansible remediation in the xccdf_org.ssgproject.content_profile_stig_gui profile Ansible remediation test.

SCAP Security Guide Version:

current upstream as of 2022-08-06 as of HEAD https://github.com/ComplianceAsCode/content/commit/61b8f59e05e7a63267e22f3a44ff2b98de822ec0

Operating System Version:

RHEL 8.7

Steps to Reproduce:

  1. python3 /tmp/tmp.BFMCi6FEIQ/rpmbuild/BUILD/scap-security-guide-0.1.64/tests/test_suite.py profile --libvirt qemu:///system test_suite_vm --datastream /tmp/ssg-rhel8-ds.xml --xccdf-id scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml --mode online --remediate-using ansible xccdf_org.ssgproject.content_profile_stig_gui

Actual Results:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding - fail

Expected Results:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding - pass

Additional Information/Debugging Steps:

jan-cerny avatar Aug 09 '22 12:08 jan-cerny

I have tried to reproduce this issue but the remediation worked as expected in my tests. Firstly, testing the profile following the steps from the description, the Remediation executed without failures and the system was properly configured:

grep -ri "forwarding" /etc/sysctl*
/etc/sysctl.conf:net.ipv6.conf.all.forwarding=0
/etc/sysctl.conf:net.ipv4.conf.all.forwarding=0

The I assessed a fresh VM before and after the remediation and all results appeared as expected:

oscap xccdf eval --profile stig_gui --rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding --results-arf /tmp/arf.xml --report /tmp/report.html --oval-results ./ssg-rhel8-ds.xml
...
Title   Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces
Rule    xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding
Ident   CCE-86220-1
Result  fail

The I manually applied the Ansible remediation and the rule passed:

oscap xccdf eval --profile stig_gui --rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding --results-arf /tmp/arf.xml --report /tmp/report.html --oval-results ./ssg-rhel8-ds.xml
...
Title   Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces
Rule    xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding
Ident   CCE-86220-1
Result  pass

@jan-cerny , could you confirm if the issue is still appearing in the Productization tests, please? Otherwise, it was probably fixed this meantime. If so, we can close it.

marcusburghardt avatar Aug 30 '22 14:08 marcusburghardt

I can reproduce it with Automatus running in profile mode with --remediate-using ansible and stig_gui.

vojtapolasek avatar Aug 30 '22 14:08 vojtapolasek

Several observations:

  1. It happens only when you install a VM with GUI (install_vm.py ... --install-gui). For non-gui systems, the net.ipv4.conf.all.forwarding is set to 0 from the begining.
  2. The problem is that after Ansible remediation, the value is configured correctly (0). But after reboot, it goes again to 1.
  3. It happens only after Ansible remediation - after Bash remediation, the value 0 persists across reboots.
  4. The problem with value not persisting across reboots happen even after clean installation of GUI machine (even before you do anything with Ansible / oscap).

vojtapolasek avatar Aug 31 '22 07:08 vojtapolasek

Thanks @vojtapolasek for some nice hints to test this more efficiently. However, the issue are still not reproducible. Here are the detailed steps I followed:

  1. Clone the upstream master branch
  2. cd content
  3. ./build_product rhel8
  4. cd tests
  5. ./ds_unselect_rules.sh ../build/ssg-rhel8-ds.xml unselect_rules_list ** Obs.: used to deselect some rules which interfere in the automatus itself and are safe to be deselected for testing purposes.
  6. ./automatus.py profile --libvirt qemu:///session rhel8 --datastream /tmp/ssg-rhel8-ds.xml --remediate-using ansible --keep-snapshots stig_gui

The profile test started and succesfully finished with this output:

Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into ...ComplianceAsCode/content/tests/logs/profile-custom-2022-08-31-0907/test_suite.log
INFO - Evaluation of the profile has passed: xccdf_org.ssgproject.content_profile_stig_gui (initial stage).
INFO - Evaluation of the profile has passed: xccdf_org.ssgproject.content_profile_stig_gui (remediation stage).
INFO - Rebooting domain 'rhel8' before final scan.
INFO - Waiting for 30 seconds to let the system finish startup.
INFO - Evaluation of the profile has passed: xccdf_org.ssgproject.content_profile_stig_gui (final stage).

The final HTML report was checked and the sysctl_net_ipv4_conf_all_forwarding rule passed:

image

marcusburghardt avatar Aug 31 '22 08:08 marcusburghardt

Useful observations. I just noticed my VM was not using GUI. This diagnostic is very useful @vojtapolasek .

marcusburghardt avatar Aug 31 '22 08:08 marcusburghardt

So it seems that the culprit is Libvirt. It gets installed with graphical-server-environment group. Libvirt sets /proc/sys/net/ipv4/ip_forward to 1. This (somehow) sets also /proc/sys/net/ipv4/conf/all/forwarding to 1. I think the solution is rule warnin? Because in my opinion Libvirt needs the forwarding activated to enable communication of VMs with host.

vojtapolasek avatar Aug 31 '22 13:08 vojtapolasek

@jan-cerny , could you confirm if the issue is still appearing in the Productization tests, please? Otherwise, it was probably fixed this meantime. If so, we can close it.

Sorry for the delay, I had to rerun this test because it timed out.

Unfortunately, yes, this issue still appears in the productization test /CoreOS/scap-security-guide/Sanity/test-profiles-ansible-remediation on RHEL 7.8 with the current upstream as of 2002-08-28 as of HEAD 2bcaad2:

python3 /tmp/tmp.k4cOJF8VOZ/rpmbuild/BUILD/scap-security-guide-0.1.64/tests/test_suite.py profile --libvirt qemu:///system test_suite_vm --datastream /tmp/ssg-rhel8-ds.xml --xccdf-id scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml --mode online --remediate-using ansible xccdf_org.ssgproject.content_profile_stig_gui

... snip ...

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding - fail

jan-cerny avatar Sep 01 '22 06:09 jan-cerny

No need to sorry @jan-cerny . ; ) Actually me and @vojtapolasek discussed this issue yesterday and I was also able to reproduce it in a RHEL8 with GUI. I confirmed the settings were fine and suggested something was changing the /proc/sys/net/ipv4/ip_forward during the boot. Then @vojtapolasek monitored the file and saw that libvirt was changing it.

So, we know the issue but still not sure about the solution.

marcusburghardt avatar Sep 01 '22 07:09 marcusburghardt

So it seems that the culprit is Libvirt. It gets installed with graphical-server-environment group. Libvirt sets /proc/sys/net/ipv4/ip_forward to 1. This (somehow) sets also /proc/sys/net/ipv4/conf/all/forwarding to 1. I think the solution is rule warnin? Because in my opinion Libvirt needs the forwarding activated to enable communication of VMs with host.

@vojtapolasek , I also think that a rule warning would be a good approach. It is relatively common to have libvirt in systems and I am not aware of any benchmark asking to remove libvirt. In addition, libvirt needs the ip_forwarding active to make sure the routing between the bridges and virtual interfaces work as expected. So, sounds reasonable to me having ip_forward active in systems with libvirt. It may confuse the users, which would be solved with an explicit rule warning.

marcusburghardt avatar Sep 01 '22 07:09 marcusburghardt