Bug 1251929

Summary: RHEL-6 USGCB and STIG kickstarts: Switch on use of scap-security-guide RPM from base Red Hat Network channel rather than cloning most recent upstream Git repository content
Product: Red Hat Enterprise Linux 6 Reporter: Jan Lieskovsky <jlieskov>
Component: scap-security-guideAssignee: Jan Lieskovsky <jlieskov>
Status: CLOSED ERRATA QA Contact: Marek Haicman <mhaicman>
Severity: low Docs Contact:
Priority: medium    
Version: 6.8CC: ksrot, mhaicman, slukasik, swells
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.27-2.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1378489 (view as bug list) Environment:
Last Closed: 2016-05-10 21:40:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1378489    

Description Jan Lieskovsky 2015-08-10 10:40:01 UTC 
Description of problem:

The SCAP Security Guide content for Red Hat Enterprise Linux 6 currently provides the following two Anaconda kickstart files:
* ssg-rhel6-usgcb-server-with-gui-ks.cfg (for the USGCB profile) and
* ssg-rhel6-stig-ks.cfg (for the DISA STIG profile)

The definition of these kickstart files currently uses git cloning of most-recent SSG repository content:
* https://github.com/iankko/scap-security-guide/blob/master/RHEL/6/kickstart/ssg-rhel6-usgcb-server-with-gui-ks.cfg#L173
* https://github.com/iankko/scap-security-guide/blob/master/RHEL/6/kickstart/ssg-rhel6-stig-ks.cfg#L378

rather than direct use of native scap-security-guide's RPM package content as provided within Red Hat Satellite's base channel for Red Hat Enterprise Linux 6 system.

The former motivation for this behaviour has been to get all the OVAL definitions and remediation scripts for USGCB and DISA STIG profiles for Red Hat Enterprise Linux 6 product (previously cloning the most recent SSG git repository copy was necessary because the native scap-security-guide RPM package included in Red Hat Enterprise Linux 6 did not contain all the necessary definitions).

But from the time the aforementioned two kickstart files have been included in scap-security-guide RPM package in Red Hat Enterprise Linux 6 the situation has changed (the necessary checks are already included in the scap-security-guide RPM package as shipped with Red Hat Enterprise Linux 6), and therefore it is safe to prefer use of native scap-security-guide RPM package in kickstart files too rather than to perform SSG upstream git repository copy.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.21-3.el6.*

How reproducible:
Always

Steps to Reproduce:
1. Use some of USGCB or DISA STIG kickstart SCAP Security Guide kickstart files for Red Hat Enterprise Linux 6 product when installing new RHEL-6 system,
2. After finishing the install perform oscap scan

Actual results:
The RHEL-6 system in question is validated using most recent SSG repository content (IOW the OVAL checks and remediations that weren't present in scap-security-guide-0.1.21 version yet are verified too).

Expected results:
The RHEL-6 system in question should be validated using native scap-security-guide RPM package version, shipped within Red Hat Enterprise Linux 6 base channel.
Comment 3 Marek Haicman 2016-03-08 18:48:31 UTC 
Verified the kickstart files shipped in version scap-security-guide-0.1.28-2.el6 [pci-dss, stig, usgcb] do remediation based on shipped content, instead of upstream git repository.
Comment 5 errata-xmlrpc 2016-05-10 21:40:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0846.html