[affects stabilization] Rule service_systemd-coredump_disabled is failing tests #10894

Closed
jan-cerny opened this issue Jul 24, 2023 · 4 comments · Fixed by #10924
@jan-cerny
Collaborator

Description of problem:

During the review of the productization test run test /CoreOS/scap-security-guide/Sanity/test-rules-scenarios-per-profile OSPP 4/5 we discovered that the rule service_systemd-coredump_disabled fails the service_disabled.pass.sh test scenario in the initial phase for both Ansible and Bash remediations when Automatus is executed in a combined mode.

SCAP Security Guide Version:

current upstream master branch as of 2023-07-22 as of HEAD a96ccb9

Operating System Version:

RHEL 9

Steps to Reproduce:

  1. python3 /tmp/tmp.PZKIYKxtbI/rpmbuild/BUILD/scap-security-guide-0.1.69/tests/test_suite.py combined --slice 4 5 --libvirt qemu:///system test_suite_vm --datastream /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml --mode online --remediate-using bash --duplicate-templates --no-reports xccdf_org.ssgproject.content_profile_ospp
  2. python3 /tmp/tmp.PZKIYKxtbI/rpmbuild/BUILD/scap-security-guide-0.1.69/tests/test_suite.py combined --slice 4 5 --libvirt qemu:///system test_suite_vm --datastream /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml --mode online --remediate-using ansible --duplicate-templates --no-reports xccdf_org.ssgproject.content_profile_ospp

Actual Results:

INFO - xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled
ERROR - Script service_disabled.pass.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in fail, instead of expected pass during initial stage 
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled'.

Expected Results:

no errors are reported by Automatus

Additional Information/Debugging Steps:

no

@jan-cerny jan-cerny added the productization-issue Issue found in upstream stabilization process. label Jul 24, 2023
@vojtapolasek
Collaborator

I can confirm this for stabilization branch as of 2023-07-20.

@vojtapolasek vojtapolasek self-assigned this Jul 25, 2023
@vojtapolasek
Collaborator

oscap_new.log
oscap_old.log
@jan-cerny @evgenyz I think this is caused by the recently released openscap. I performed the following test:
1. provision RHEL 9 machine
2. install openscap and upload datastream build from the stabilization branch as of 31dcb8e
3. run systemctl stop systemd-coredump.socket && systemctl mask systemd-coredump.socket (as per the templated test scenario service_disabled.pass.sh)
4. run oscap --verbose DEVEL --verbose-log-file output.log xccdf eval --results-arf results.xml --rule xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled ssg-rhel9-ds.xml

  With Openscap 1.3.7 the rule passes, with 1.3.8 the rule fails.
  I am attaching oscap_old.log from 1.3.7 and oscap_new.log from 1.3.8.

@jan-cerny
Collaborator Author

@vojtapolasek

I have reproduced it locally and I have generated reports using the oscap-report tool. I can see that there is a difference in behavior of OpenSCAP between the old version and the new version. The OVAL definition of this rule requires checking systemd units that match the regular expression ^systemd-coredump\.(service|socket)$, which means systemd-coredump.service and systemd-coredump.socket. The old version of OpenSCAP didn't find the service unit, it checked only properties of the socket unit. The new version of OpenSCAP started to examine both service unit and socket unit. The rule fails because the systemd-coredump.service unit LoadState property returns not-found value, which is different than the expected value masked. Now we need to investigate whether the new behavior is correct or wrong and if we need to adjust OpenSCAP or the definition in SCAP content.
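
A simplified model of the evaluation described in the comment above, added here as an illustration (it is not OpenSCAP or SCAP Security Guide code). The `evaluate` function, the two per-version unit maps and the rule that at least one unit must match are assumptions constructed from the comment's description.

```python
import re

# Unit-name pattern and expected LoadState value quoted in the comment above.
UNIT_PATTERN = re.compile(r"^systemd-coredump\.(service|socket)$")
EXPECTED_LOAD_STATE = "masked"


def evaluate(collected):
    """Model of the check: every collected unit whose name matches the
    pattern must report LoadState == "masked".

    `collected` maps unit name -> LoadState as seen by the scanner.
    Returns (result, offending_units).
    """
    matching = {u: s for u, s in collected.items() if UNIT_PATTERN.match(u)}
    if not matching:
        # Assumption of this model: with no matching unit there is nothing
        # to satisfy the check, so it does not pass.
        return "fail", []
    offenders = sorted(u for u, s in matching.items() if s != EXPECTED_LOAD_STATE)
    return ("fail" if offenders else "pass"), offenders


# Constructed sample data mirroring the comment: the older scanner saw only
# the socket unit, the newer one also reports the service unit as not-found.
SEEN_BY_OLD = {
    "systemd-coredump.socket": "masked",
    "sshd.service": "loaded",  # unrelated unit, filtered out by the pattern
}
SEEN_BY_NEW = {
    "systemd-coredump.socket": "masked",
    "systemd-coredump.service": "not-found",
    "sshd.service": "loaded",
}

if __name__ == "__main__":
    for label, view in (("old", SEEN_BY_OLD), ("new", SEEN_BY_NEW)):
        result, offenders = evaluate(view)
        print(f"{label}: {result} {offenders}")
```

On a live system the same comparison can be made by hand with `systemctl show -p LoadState` for each of the two unit names.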

@vojtapolasek vojtapolasek changed the title Rule service_systemd-coredump_disabled is failing tests [affects stabilization] Rule service_systemd-coredump_disabled is failing tests Jul 26, 2023
@jan-cerny
Collaborator Author

Yes, there really is an issue with the new OpenSCAP 1.3.8 that it can't process the templated units correctly. I have reported this issue in OpenSCAP/openscap#2012.

However, I think we are able to work around this OpenSCAP issue on the content side by using PR #10906.
