
OpenScap scan results are false-positive


I recently ran the OpenSCAP audit scan on a SLES 12 machine, and the results seem to be false positives.

E.g. for these two checks:

1) Ensure sudo logfile exists - sudo logfile

The description for this item mentions:

A custom log sudo file can be configured with the 'logfile' tag. This rule configures a sudo custom logfile at the default location suggested by CIS, which uses /var/log/sudo.log.

I have checked on the server, and this entry already exists:

ldefra-s12d:~ # grep 'logfile' /etc/sudoers
Defaults logfile="/var/log/sudo.log"
nagios ALL=NOPASSWD: /sbin/multipath -l, /sbin/multipath -ll, /sbin/multipath -r, /sbin/lvs --segments, /usr/bin/salt-call -l quiet cmd.run uname -a, /usr/bin/salt-call -l quiet state.apply test\=true, /usr/bin/zypper --quiet update --dry-run --no-confirm --auto-agree-with-licenses, /usr/bin/yum --quiet check-update, /usr/bin/zypper install --details --dry-run -y TAneo, /usr/lib/nagios/plugins/check_logfiles, /usr/sbin/crm_mon, /usr/sbin/crm, /usr/sbin/iptables -L -n, /usr/lib/nagios/plugins/check_iptables.sh, /usr/bin/id, /usr/lib/nagios/plugins/check_highstate.py, /usr/lib/nagios/plugins/check_iptables.py
ldefra-s12d:~ #

Another one is this:

2) Limit password reuse

The description for this is:

Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM modules.

In the file /etc/pam.d/common-password, make sure the parameters remember and use_authtok are present, and that the value for the remember parameter is 5 or greater. For example:

password requisite pam_pwhistory.so ...existing_options... remember=5 use_authtok

The DoD STIG requirement is 5 passwords.

On the server, this is also configured:

ldefra-s12d:~ # grep remember /etc/pam.d/common-password
password        required        pam_pwhistory.so   use_authtok remember=5 retry=3

If this is the case, then why does the scan produce false-positive results? Do I need to edit something in the OpenSCAP scanning file/code itself? Please provide a solution for this. It is part of my company's regular audit practice, and I still have no clue how to resolve this problem.

diya: Did you run the scan as an unprivileged user, and could file system restrictions have prevented the actual evaluation of the contents of your configuration files? Then you might see generic recommendations.

anaigini: No, the scan is run as root.
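Both rules quoted in the question come down to a text match on /etc/sudoers and /etc/pam.d/common-password, so the result depends on the exact pattern the rule's OVAL definition applies, not only on whether the setting is present. The Python below is an added example, not OpenSCAP or SCAP Security Guide code: it runs both checks over constructed sample input copied from the grep output above, and for the sudo rule contrasts a hypothetical naive pattern that accepts only the unquoted `Defaults logfile=/var/log/sudo.log` form with one that also accepts the quoted form that sudoers permits. Which pattern the real rule uses has to be read from the rule's own OVAL definition (the HTML report from `oscap xccdf eval --report report.html` shows the per-rule OVAL details); a mismatch of that kind is one thing to verify before treating the result as a scanner bug.

```python
"""Re-implement two CIS-style checks as plain text matches.

Added example; not OpenSCAP/SSG code. The "strict" sudoers pattern is a
hypothetical illustration of a rule that accepts only the unquoted form.
"""
import re

# Constructed sample, based on the grep output quoted in the question.
SUDOERS_SAMPLE = '''Defaults logfile="/var/log/sudo.log"
nagios ALL=NOPASSWD: /sbin/multipath -l, /usr/bin/id
'''

# Constructed sample, based on the common-password line quoted in the question.
PAM_SAMPLE = '''password        required        pam_pwhistory.so   use_authtok remember=5 retry=3
password        required        pam_unix.so     use_authtok nullok shadow try_first_pass
'''


def sudo_logfile(sudoers_text, expected="/var/log/sudo.log"):
    """Return (strict_match, tolerant_match) for a Defaults logfile entry.

    strict   - hypothetical pattern: only `Defaults logfile=/var/log/sudo.log`
               on a line by itself, value unquoted.
    tolerant - accepts optional double quotes around the value, whitespace
               around '=', and other Defaults options on the same line.
    """
    strict = re.compile(r'^\s*Defaults\s+logfile=' + re.escape(expected) + r'\s*$', re.M)
    tolerant = re.compile(
        r'^\s*Defaults\b[^\n#]*\blogfile\s*=\s*"?' + re.escape(expected) + r'"?(?=[\s,]|$)',
        re.M,
    )
    return bool(strict.search(sudoers_text)), bool(tolerant.search(sudoers_text))


def pam_pwhistory(pam_text, minimum=5):
    """Locate the password-phase pam_pwhistory line and evaluate its options.

    Returns a dict: found, remember (int or None), use_authtok, compliant.
    Handles bracketed control fields such as `[success=1 default=ignore]`
    by locating the first field that ends in `.so`.
    """
    result = {"found": False, "remember": None, "use_authtok": False, "compliant": False}
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] != "password":
            continue
        mod_idx = next((i for i, f in enumerate(fields) if f.endswith(".so")), None)
        if mod_idx is None or fields[mod_idx] != "pam_pwhistory.so":
            continue
        args = fields[mod_idx + 1:]
        result["found"] = True
        result["use_authtok"] = "use_authtok" in args
        for arg in args:
            if arg.startswith("remember="):
                value = arg.split("=", 1)[1]
                result["remember"] = int(value) if value.isdigit() else None
        result["compliant"] = (
            result["use_authtok"]
            and result["remember"] is not None
            and result["remember"] >= minimum
        )
        return result
    return result


def run_checks(sudoers_text=SUDOERS_SAMPLE, pam_text=PAM_SAMPLE):
    """Evaluate both checks and return their results together."""
    strict, tolerant = sudo_logfile(sudoers_text)
    return {"sudo_strict": strict, "sudo_tolerant": tolerant, "pam": pam_pwhistory(pam_text)}


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

On the sample input the PAM check passes outright, while the sudo entry passes the tolerant pattern and fails the strict one purely because of the quotes, which is the kind of discrepancy to look for in the scan's OVAL details. To run the same logic against a live host, pass the contents of the real files (and, for sudo, remember that `#includedir /etc/sudoers.d` entries are separate files a rule may or may not read).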