
I recently ran the OpenSCAP audit scan on a SLES 12 machine, and the result seems to be a false positive.

E.g. for these two checks:

1) Ensure sudo logfile exists - sudo logfile

The description for this item mentions:

A custom log sudo file can be configured with the 'logfile' tag. This rule configures a sudo custom logfile at the default location suggested by CIS, which uses /var/log/sudo.log.

I have checked on the server, and this entry already exists:

ldefra-s12d:~ # grep 'logfile' /etc/sudoers
Defaults logfile="/var/log/sudo.log"
nagios ALL=NOPASSWD: /sbin/multipath -l, /sbin/multipath -ll, /sbin/multipath -r, /sbin/lvs --segments, /usr/bin/salt-call -l quiet cmd.run uname -a, /usr/bin/salt-call -l quiet state.apply test\=true, /usr/bin/zypper --quiet update --dry-run --no-confirm --auto-agree-with-licenses, /usr/bin/yum --quiet check-update, /usr/bin/zypper install --details --dry-run -y TAneo, /usr/lib/nagios/plugins/check_logfiles, /usr/sbin/crm_mon, /usr/sbin/crm, /usr/sbin/iptables -L -n, /usr/lib/nagios/plugins/check_iptables.sh, /usr/bin/id, /usr/lib/nagios/plugins/check_highstate.py, /usr/lib/nagios/plugins/check_iptables.py
ldefra-s12d:~ #

Another one is this:

2) Limit password reuse

The description for this is:

Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM modules.

In the file /etc/pam.d/common-password, make sure the parameters remember and use_authtok are present, and that the value for the remember parameter is 5 or greater. For example:

password requisite pam_pwhistory.so ...existing_options... remember=5 use_authtok

The DoD STIG requirement is 5 passwords.

On the server, this is also configured:

ldefra-s12d:~ # grep remember /etc/pam.d/common-password
password        required        pam_pwhistory.so   use_authtok remember=5 retry=3

If this is the case, then why does the scan produce false-positive results? Do I need to edit something in the OpenSCAP scanning file/code itself? Please provide a solution for this. It is part of my company's regular audit practice, and I still have no clue how to resolve this problem.

anaigini
  • Did you run the scan as unprivileged user and could have the file system restrictions prevented the actual evaluation of the contents of your configuration files? Then you might see generic recommendations – diya Dec 01 '22 at 11:22
  • No, the scan is run as root. – anaigini Dec 02 '22 at 07:51
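As an added example (not from the question and not OpenSCAP's own OVAL content), a small Python checker that evaluates the two settings quoted above twice: with a lenient pattern that reads the lines the way a human does, and with a stricter pattern. The strict variants (unquoted logfile path only; `requisite` as the PAM control, as in the rule's example line) are assumptions used to probe where a scanner's literal expectation might differ from the file, not a statement of what the SCAP content actually tests.

```python
import re

# Constructed sample input: the two configuration lines quoted in the question.
SUDOERS = (
    'Defaults logfile="/var/log/sudo.log"\n'
    "nagios ALL=NOPASSWD: /sbin/multipath -l, /sbin/multipath -ll\n"
)
COMMON_PASSWORD = (
    "password        required        pam_pwhistory.so   use_authtok remember=5 retry=3\n"
)

def sudo_logfile(sudoers_text, strict=False):
    """Return the path from a 'Defaults logfile=...' line, or None.
    strict=True is an assumed stricter expectation: unquoted path only."""
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line.startswith("Defaults"):
            continue
        m = re.search(r'\blogfile\s*=\s*("?)([^",\s]+)\1', line)
        if not m:
            continue
        if strict and m.group(1):
            return None  # quoted form does not satisfy the strict pattern
        return m.group(2)
    return None

# control field may be a single word or a bracketed list such as [success=1 default=ignore]
PAM_LINE = re.compile(r"^password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def pwhistory_check(pam_text, min_remember=5, strict=False):
    """Return (ok, reasons) for the pam_pwhistory password line: use_authtok present,
    remember >= min_remember; strict=True additionally assumes control 'requisite'."""
    for raw in pam_text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if not m or not m.group(2).endswith("pam_pwhistory.so"):
            continue
        control, opts = m.group(1), m.group(3).split()
        reasons = []
        if "use_authtok" not in opts:
            reasons.append("use_authtok missing")
        values = [o.split("=", 1)[1] for o in opts if o.startswith("remember=")]
        if not values or not values[0].isdigit() or int(values[0]) < min_remember:
            reasons.append(f"remember is not >= {min_remember}")
        if strict and control != "requisite":
            reasons.append(f"control is '{control}', not 'requisite'")
        return (not reasons, reasons)
    return (False, ["no pam_pwhistory.so password line found"])
```

Running the file's real contents through both modes and comparing which variant fails against the OVAL test details in the scan's `--results` XML shows which literal form the rule expects.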

0 Answers