Bug 1261642

Summary: RFE: Better support for server config checking on Fedora
Product: [Fedora] Fedora
Reporter: Bruno Wolff III <bruno>
Component: scap-security-guide
Assignee: Vojtech Polasek <vpolasek>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: bruno, jlieskov, mhaicman, openscap-maint, pvrabec
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Last Closed: 2024-01-18 09:22:08 UTC
Type: Bug
Attachments: Scan results as html (flags: none)

Description Bruno Wolff III 2015-09-09 20:14:01 UTC
Description of problem:
The RHEL files included in the security guide have rules for checking such things as web server config files, but those files don't seem to work on Fedora. scap-workbench won't let you pick them, and manually using them with openscap doesn't usefully use the tests on Fedora.

With there being server and cloud versions of Fedora now, I would expect more demand for supporting config testing in the security guide.

Comment 1 Šimon Lukašík 2015-09-11 08:37:04 UTC
Thanks Bruno for this suggestion.

Can you be more specific? What is an example of a check that is missing on Fedora and present on RHEL?

Do you know we have a much wider selection of content in Fedora (see `rpm -ql scap-security-guide`)?

What does it mean in technical terms, when you say: 'scap-workbench won't let you pick them'?

Comment 2 Bruno Wolff III 2015-09-11 18:11:19 UTC
Created attachment 1072614
Scan results as html

I was having trouble with scap-workbench because I picked Fedora on the splash page and then could only choose a Fedora profile.

When I picked a different OS on the splash page and then ran a profile, I got not applicable (or not selected) for the tests.

At least some of the RHEL and CentOS profiles had more tests than the Fedora profile.

There were a lot more references to httpd in ssg-rhel7-xccdf.xml than in ssg-fedora-xccdf.xml, though there were not many references to these in the RHEL7 profiles. I had expected that some sanity checks on httpd configuration would be in the profiles, but I only saw a check to make sure qpid was disabled.

So it looks like it might be easier to add tests for httpd config to the rhel profiles than to the Fedora profile since the RHEL xccdf file has more infrastructure for this already set up.

Though in practice, we seem to be more interested that CVE patches have been applied than service configuration, and keeping CVE info current in Fedora would be a lot of work.

Comment 3 Bruno Wolff III 2015-09-11 18:36:29 UTC
Looking around some with the customize feature of scap-workbench, there is a web service area in the RHEL profile that can be turned on, but there doesn't seem to be one for Fedora's profile.

Comment 4 Šimon Lukašík 2015-09-14 10:18:18 UTC
Well, I see multiple unrelated issues.

 * As for scap-workbench selection:
   - I'll kindly ask Martin if he can see any improvement we can make.
 * As for the Fedora content being incomplete:
   - SSG upstream makes improvements in Fedora content with each subsequent release. This is, however, a slow process. We can keep this bugzilla to track the progress.
 * As for the CVE stream for Fedora:
   - This is really unrelated to SSG per se. Please file a bug against Bodhi to generate CVE data or provide an API to build them. open-scap-list will be happy to help the Bodhi team design this thing.

Do you think it is reasonable to close this bug once the Fedora content contains all the httpd rules from rhel7 content?

Thanks!

Comment 5 Martin Preisler 2015-09-14 11:01:02 UTC
I don't understand the problem with the SCAP Workbench SSG selection dialog. Did you expect to open RHEL7 content and have that content "just work" on Fedora? "notapplicable" results are the expected outcome of this use-case.

Some improvements have been made to the selection dialog recently, see https://github.com/OpenSCAP/scap-workbench/pull/31
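
The comparison made in comments 2 and 3 (httpd rules that a benchmark defines versus rules a profile actually selects) and the platform mismatch behind the "notapplicable" results in comment 5 can be checked directly against an XCCDF file. The Python below is an added example, not part of this bug report or of scap-security-guide; the sample benchmark, its rule and profile ids and the host CPE are constructed, and applicability is reduced to an exact match on the benchmark's `<platform>` idref, which is an assumption about how to approximate the scanner's own CPE evaluation.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not real scap-security-guide content: a RHEL-targeted
# benchmark whose httpd rules exist but are not selected by the profile.
SAMPLE_XCCDF = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed">
  <platform idref="cpe:/o:redhat:enterprise_linux:7"/>
  <Profile id="constructed_profile">
    <select idref="constructed_qpidd_disabled" selected="true"/>
  </Profile>
  <Group id="services">
    <Rule id="constructed_httpd_rule_a" selected="false"/>
    <Rule id="constructed_httpd_rule_b" selected="false"/>
    <Rule id="constructed_qpidd_disabled" selected="false"/>
  </Group>
</Benchmark>"""

def local(tag):
    """Drop the XML namespace so XCCDF 1.1 and 1.2 files parse alike."""
    return tag.rsplit("}", 1)[-1]

def profile_rules(root, profile_id):
    """Ids enabled after the profile's <select> overrides (Group selection ignored)."""
    enabled = {e.get("id") for e in root.iter()
               if local(e.tag) == "Rule" and e.get("selected", "true") == "true"}
    for prof in root.iter():
        if local(prof.tag) != "Profile" or prof.get("id") != profile_id:
            continue
        for sel in prof:
            if local(sel.tag) == "select":
                op = enabled.add if sel.get("selected") == "true" else enabled.discard
                op(sel.get("idref"))
    return enabled

def keyword_coverage(xml_text, keyword, profile_id, host_cpe):
    """Rules whose id mentions keyword, those the profile enables, platform match."""
    root = ET.fromstring(xml_text)
    platforms = [e.get("idref") for e in root if local(e.tag) == "platform"]
    defined = sorted(e.get("id") for e in root.iter()
                     if local(e.tag) == "Rule" and keyword in e.get("id", ""))
    enabled = profile_rules(root, profile_id)
    return {"defined": defined,
            "selected": [r for r in defined if r in enabled],
            "platform_match": host_cpe in platforms}

if __name__ == "__main__":
    print(keyword_coverage(SAMPLE_XCCDF, "httpd", "constructed_profile",
                           "cpe:/o:fedoraproject:fedora:22"))
```

On the constructed sample, the httpd rules are defined but none is selected by the profile, and the Fedora CPE does not match the benchmark's platform, which corresponds to the two symptoms reported in this thread.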

Comment 6 Vojtech Polasek 2024-01-18 09:22:08 UTC
Hello,
since no exact steps, data, or reproducers have been provided, I am closing this bug.
Moreover, I think that the situation with SCAP content for Fedora has greatly improved over the years. We even have several profiles made for Fedora:
https://complianceascode.github.io/content-pages/guides/ssg-fedora-guide-cusp_fedora.html
Feel free to reopen the bug and provide more concrete data.