Wind River Support Network


LIN8-9689 : Failures due to OpenSCAP report regex test errors

Created: Aug 28, 2018    Updated: Mar 14, 2019
Resolved Date: Oct 21, 2018
Found In Version:
Fix Version:
Severity: Standard
Applicable for: Wind River Linux 8
Component/s: Userspace


On WRL8 with the Security Profile, running the OpenSCAP tools from the security profile produces a lot of failures due to regex test errors, along with some other issues such as fixes that can’t be applied because the features do not exist in WRL8 (Firewalld and pam_pwquality, for instance). The OpenSCAP output in HTML format (Harris-report.html), along with the config settings and installation information, is in the zip file.

The oscap command used is:
oscap xccdf eval --profile xccdf_org.wrlinux.content_profile_stig-planning-wrlinux-scp \
--report report.html \
--results-arf arf.xml \

FAE compiled a list of rules in the STIG that he thinks are either incompatible with Wind River Linux (i.e. they test features in ways that are not compatible with the provided product) or have OVAL regex tests that don’t work.
Examples of regex tests that might not be working are the auditd-related ones. For example, the rule “Record Events that Modify the System's Discretionary Access Controls – chmod” uses the following set of regex tests:

Filepath -> Pattern = Result
/usr/lib/systemd/system/auditd.service -> ^ExecStartPost=\-\/sbin\/augenrules.*$ = Failure
/etc/audit/rules\.d/.*\.rules -> ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+chmod[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$ = Failure
/etc/audit/rules\.d/.*\.rules -> ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+chmod[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$ = Failure
*Note: These OVAL tests are set with regex::multiline disabled.*

All three of the above regex tests need to pass in order for the overall rule to pass.
There are a few problems with the above tests. First, the auditd.service file is not located by default at “/usr/lib/systemd/system/auditd.service”. No such directory structure exists, so that part of the test will fail no matter what. Second, the regex expressions in the last two rows of the table aren’t correct. Since the multiline flag is not enabled for those regex tests, they don’t correctly match the text; enabling it fixes this, as would removing the ‘^’ and ‘$’ from the expressions. Note that multiline flags can be enabled in an OVAL test with the tag: <ind:behaviors singleline="false" multiline="true"/>
There are nearly 40 rules associated with auditing that don’t work because of issues like the ones detailed above.
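
The anchor behaviour described above, reproduced as an added example (not part of the original report or of the SCAP content). Python's re module stands in for the scanner's regex engine, the file contents are constructed samples, and the function and sample names are hypothetical. It also checks a commented-out rule, a case the report does not cover, to compare the two proposed fixes.

```python
import re

# Pattern copied from the arch=b64 chmod row of the table above.
PATTERN = (r"^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)"
           r"(?:.*-S[\s]+chmod[\s]+)(?:.*-F\s+auid>=1000[\s]+)"
           r"(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$")

RULE = "-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod"

# Constructed file contents (not taken from the target in the report).
ONLY_RULE = RULE + "\n"
TYPICAL = "## constructed sample\n-D\n-b 8192\n" + RULE + "\n-w /etc/passwd -p wa -k identity\n"
COMMENTED_OUT = "## constructed sample\n-D\n# " + RULE + "\n"


def oval_match(content, multiline=False, anchored=True):
    """Search the whole file content at once and return the matched text
    (whitespace-stripped), or None when the pattern does not match."""
    pattern = PATTERN if anchored else PATTERN[1:-1]  # drop leading ^ and trailing $
    flags = re.MULTILINE if multiline else 0
    m = re.search(pattern, content, flags)
    return m.group(0).strip() if m else None


def summarize():
    """Evaluate every sample under the three variants discussed above."""
    variants = {
        "as shipped (anchored, multiline off)": dict(multiline=False, anchored=True),
        "multiline=true": dict(multiline=True, anchored=True),
        "anchors removed": dict(multiline=False, anchored=False),
    }
    samples = {"only_rule": ONLY_RULE, "typical": TYPICAL, "commented_out": COMMENTED_OUT}
    return {
        (vname, sname): oval_match(text, **opts) is not None
        for vname, opts in variants.items()
        for sname, text in samples.items()
    }


if __name__ == "__main__":
    for (variant, sample), passed in summarize().items():
        print(f"{variant:38} {sample:14} {'pass' if passed else 'fail'}")
```

On these samples the test as shipped passes only when the rule is the sole content of the file. The variant with the anchors removed also matches the commented-out rule, while the multiline variant does not.
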
An example of a test that fails because it requires modules that are not available to Wind River Linux is pam_pwquality. The SCAP tests for password complexity (try to) look into /etc/security/pwquality.conf (which doesn’t exist because the pam_pwquality module is not installed).

Steps to Reproduce

1. <install-path>/wrlinux-8/wrlinux/configure --enable-board=qemuarm64 --enable-kernel=standard --enable-rootfs=secure-core+secure-configuration+debug --with-package=libpam,pam-plugin-cracklib,screen,iptables --with-layer=examples/fs-final,<install-path>/wrlinux-8/addons/wr-common/layers/wr-security,<install-path>/wrlinux-8/addons/wr-secure/layers/secure,<install-path>/wrlinux-8/addons/wr-secure/layers/wr-security-packages --enable-addons=wr-secure --with-template=feature/example-fs-final --enable-reconfig --enable-build=production --enable-bootimage=cpio.gz --with-rcpl-version=0026
2. Make local.conf match
>>>Comment this line #IMAGE_FSTYPES += "cpio.gz"
3. make
4. make start-target
5. oscap xccdf eval --profile xccdf_org.wrlinux.content_profile_stig-planning-wrlinux-scp \
--report report.html \
--results-arf arf.xml \
