Description of problem:
We are in the middle of a project to harden an Ubuntu 20 machine according to Canonical Ubuntu 20.04 LTS STIG - Ver 1, Rel 11 and running oscap 1.2.16 with scap-security-guide-0.1.72/ssg-ubuntu2004-ds.xml. We are seeing a failure in xccdf_org.ssgproject.content_rule_verify_use_mappers (UBTU-20-010006) but believe our hardening target satisfies the requirement.

Details:
This content is not aligned with content from Canonical Ubuntu 20.04 LTS STIG - Ver 1, Rel 11

The misalignment affects these profiles:
scap-security-guide-0.1.72/ssg-ubuntu2004-ds.xml

The misalignment affects these rules:
xccdf_org.ssgproject.content_rule_verify_use_mappers

Report screenshots:

Target state:
/etc/pam_pkcs11/pam_pkcs11.conf is basically a copy from /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example. The use_mappers statement is not changed because pwent is already present, but there are other differences between the two files due to another requirement in the STIG.

Outcome:

Discussion:
The report implies that it is doing:

Although this is misaligned with the STIG, I don't think oscap is using the above regular expression. From what it looks like, oscap is using:

but this is still misaligned with the STIG, which states:

Set "use_mappers=pwent" in "/etc/pam_pkcs11/pam_pkcs11.conf" or, if there is already a comma-separated list of mappers, add it to the list, separated by comma, and before the null mapper.

The STIG does not require that pwent appear first. I believe the actual state of the target satisfies the STIG and the check should pass. A better regular expression might be the one in the grep example from the above Target state section.

Additionally, most key = expression; statements end with a semicolon in pam_pkcs11.conf.example, but the semicolon is not a part of the regular expression. It looks like it might be optional, but there are 93 total key = expression statements in the default and only five of them don't end with a semicolon. The default pwent = value; statement ends with a semicolon.

Suggested change:
When I changed the regular expression to:

<ind:textfilecontent54_object id="oval:ssg-obj_verify_use_mappers:obj:1" version="1">
<ind:filepath>/etc/pam_pkcs11/pam_pkcs11.conf</ind:filepath>
<ind:pattern operation="pattern match">^\s*use_mappers\s+=(\s*\w+\s*,)*\s+pwent(\s*,\s*\w+)*\s*;$</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>

the content_rule_verify_use_mappers check was successful.

SCAP Security Guide Version:
https://github.com/ComplianceAsCode/content/releases/download/v0.1.72/scap-security-guide-0.1.72.zip
External Content's Version:
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_20-04_LTS_V1R11_STIG.zip
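The following is an added example (not code from the issue reporter or from the ComplianceAsCode project) that exercises the regular expression proposed above against a set of constructed use_mappers lines and, beside it, a small parser that checks the STIG wording directly (pwent present, and listed before the null mapper when null is present). It assumes that Python's re module behaves like the engine oscap applies to textfilecontent54 patterns for plain ASCII input, and that the file is evaluated one line at a time. The sample lines and the configuration excerpt are constructed, not copied from pam_pkcs11.conf.example. Two results worth noticing: the proposed pattern accepts a line where pwent comes after null (the ordering the STIG text forbids), and it rejects "digest,pwent;" because it requires at least one whitespace character immediately before pwent.

```python
import re

# Pattern proposed in the issue, copied verbatim.
PROPOSED_PATTERN = re.compile(
    r"^\s*use_mappers\s+=(\s*\w+\s*,)*\s+pwent(\s*,\s*\w+)*\s*;$"
)

# Constructed sample lines (assumption: not taken from any real pam_pkcs11.conf).
SAMPLES = {
    "only_pwent":        "use_mappers = pwent;",
    "pwent_before_null": "use_mappers = digest, cn, pwent, null;",
    "pwent_after_null":  "use_mappers = digest, null, pwent;",
    "no_pwent":          "use_mappers = digest, cn, null;",
    "no_space_before":   "use_mappers = digest,pwent;",
    "commented_out":     "# use_mappers = pwent;",
    "no_semicolon":      "use_mappers = pwent",
}

# Constructed excerpt that only mimics the layout of a pam_pkcs11.conf block.
CONSTRUCTED_CONF = """\
pam_pkcs11 {
  nullok = false;
  # use_mappers = ldap, null;
  use_mappers = digest, cn, pwent, null;
}
"""


def oval_pattern_matches(line: str) -> bool:
    """True if the proposed OVAL pattern would match this single line."""
    return PROPOSED_PATTERN.match(line) is not None


def mappers_in_line(line: str):
    """Return the ordered mapper names from an active use_mappers line, else None.

    The trailing semicolon is optional here, mirroring the reporter's observation
    that a few statements in the example file omit it. Commented lines never match
    because '#' is not whitespace.
    """
    m = re.match(r"^\s*use_mappers\s*=\s*(.*?)\s*;?\s*$", line)
    if not m:
        return None
    return [name.strip() for name in m.group(1).split(",") if name.strip()]


def satisfies_stig_wording(line: str) -> bool:
    """pwent must be present and, if null is listed, must precede null."""
    mappers = mappers_in_line(line)
    if mappers is None or "pwent" not in mappers:
        return False
    if "null" in mappers and mappers.index("pwent") > mappers.index("null"):
        return False
    return True


def compare(samples=SAMPLES):
    """Map each sample name to (proposed_pattern_matches, stig_wording_satisfied)."""
    return {k: (oval_pattern_matches(v), satisfies_stig_wording(v))
            for k, v in samples.items()}


def file_verdict(text: str):
    """Verdict for the first active use_mappers line in a file, or None if absent.

    This approximates the OVAL object's 'instance >= 1' requirement: one matching
    line is enough for the check to pass.
    """
    for line in text.splitlines():
        if mappers_in_line(line) is not None:
            return (oval_pattern_matches(line), satisfies_stig_wording(line))
    return None


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:18s} pattern={verdict[0]!s:5s} stig={verdict[1]}")
    print("constructed file:", file_verdict(CONSTRUCTED_CONF))
```

Running the block prints one row per sample; the interesting rows are pwent_after_null (pattern True, STIG False) and no_space_before (pattern False, STIG True). A parser-style check like satisfies_stig_wording is easier to keep aligned with prose requirements about ordering than a single regular expression, though OVAL content has to be expressed as a pattern, so the example is meant as a way to test candidate patterns rather than as a replacement for one.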