Bug 1371555

Summary: rpm_verify_hashes does not check documentation files
Product: Red Hat Enterprise Linux 7
Reporter: Marek Haicman <mhaicman>
Component: scap-security-guide
Assignee: Martin Preisler <mpreisle>
Status: CLOSED ERRATA
QA Contact: Marek Haicman <mhaicman>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.3
CC: mhaicman, mpreisle, openscap-maint, wsato
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: scap-security-guide-0.1.32-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 12:23:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Marek Haicman 2016-08-30 13:04:38 UTC
Description of problem:
When checking hashes of installed files, changes to the documentation are not taken into account, even though they might also be dangerous, and more importantly, there shouldn't be a reason to alter distributed documentation files. (Or is there?)

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.30-3.el7.noarch

How reproducible:
reliably

Steps to Reproduce:
1. append something to the scap-workbench user manual
2. run the rpm_verify_hashes rule [it is, for example, part of the pci_dss profile]
(and for comparison)
3. rpm -Va | grep '^..5'

Actual results:
Output of 3. mentions the user manual.
Report produced by oscap does not mention it, and possibly passes.

Expected results:
Output of 3. mentions the user manual.
Report produced by oscap does point out the modified user manual, and the rule fails.

Additional info:

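Step 3 of the report uses `rpm -Va | grep '^..5'`, i.e. it keeps every verification line whose third flag column is `5` (MD5 digest differs from the RPM database). The following script is an added example, not part of the bug report or of scap-security-guide: it parses `rpm -V`-style output with a small awk filter and shows the two behaviours side by side, one that drops files carrying the `d` (documentation) attribute, which is what the reporter observed the rule doing, and one that keeps them, which is the expected post-fix result. The sample verification lines (the `scap-workbench` manual path and the other file names) are constructed for the example; on a real host replace `$SAMPLE` with the output of `rpm -Va`.

```shell
#!/bin/sh
# Added example (not from the bug report or the scap-security-guide project).
# Parses 'rpm -V' style output and reports files whose MD5 digest does not
# match the RPM database ('5' in the third flag column).
#
# Constructed sample of 'rpm -Va' output. Column 1 is the 9-character flag
# field (or the word "missing"), column 2 is an optional file attribute
# (c = config, d = documentation, g, l, r), column 3 is the path.
SAMPLE='S.5....T.  c /etc/ssh/sshd_config
..5......  d /usr/share/doc/scap-workbench/user_manual.html
.M.......    /usr/bin/foo
..5......    /usr/lib64/libexample.so.1
missing     /usr/lib/systemd/system/example.service'

# digest_mismatches INPUT SKIP_DOCS
# Prints the path of every line with a digest mismatch. With SKIP_DOCS=1,
# documentation files (attribute 'd') are dropped, mirroring the behaviour
# reported in this bug; with SKIP_DOCS=0 they are reported as well.
# Paths containing whitespace are not handled (rpm -V does not quote them).
digest_mismatches() {
    printf '%s\n' "$1" | awk -v skip_docs="$2" '
        # "missing" lines carry no per-attribute flags; skip them here.
        $1 == "missing" { next }
        substr($1, 3, 1) == "5" {
            # With an attribute marker the path is field 3, otherwise the
            # attribute column is blank and the path is field 2.
            if (NF >= 3) { attr = $2; path = $3 } else { attr = ""; path = $2 }
            if (skip_docs == "1" && attr == "d") next
            print path
        }'
}

# count_mismatches INPUT SKIP_DOCS: number of paths digest_mismatches prints.
count_mismatches() {
    digest_mismatches "$1" "$2" | wc -l | tr -d ' '
}

echo "== digest mismatches, documentation skipped (behaviour reported) =="
digest_mismatches "$SAMPLE" 1
echo "== digest mismatches, documentation included (expected after fix) =="
digest_mismatches "$SAMPLE" 0
# On a real host, the equivalent of step 3 in the report:
#   rpm -Va | grep '^..5'
```

The filter is only as trustworthy as the RPM database it compares against: `rpm -V` reads the package headers from the local database, which root can rewrite, so for forensic use compare against a trusted copy of the package (`rpm -Vp <package.rpm>`) rather than the on-host database.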
Comment 1 Martin Preisler 2017-03-06 21:58:33 UTC
Upstream fix proposed: https://github.com/OpenSCAP/scap-security-guide/pull/1738

Comment 4 Marek Haicman 2017-06-22 22:40:28 UTC
Verified for version scap-security-guide-0.1.33-5.el7.noarch
Verification performed using SSG Test Suite

OLD:
scap-security-guide-0.1.30-3.el7.noarch
INFO - xccdf_org.ssgproject.content_rule_rpm_verify_hashes
INFO - Script fresh_system.pass.sh using profile xccdf_org.ssgproject.content_profile_pci-dss
INFO - Script bad_document.fail.sh using profile xccdf_org.ssgproject.content_profile_pci-dss
ERROR - Scan has exited with return code 0, instead of expected 2 during stage initial
ERROR - Rule result should have been "fail", but is "pass"!


NEW:
INFO - xccdf_org.ssgproject.content_rule_rpm_verify_hashes
INFO - Script fresh_system.pass.sh using profile xccdf_org.ssgproject.content_profile_pci-dss
INFO - Script bad_document.fail.sh using profile xccdf_org.ssgproject.content_profile_pci-dss
ERROR - Scan has exited with return code 2, instead of expected 0 during stage remediation
ERROR - Rule result should have been "fixed", but is "fail"!

Note: the ERROR in the NEW phase is an artefact of SSG Test Suite rough edges - it expects remediation, but no remediation is available for this rule. It failed the initial scan as expected, though.

Comment 5 errata-xmlrpc 2017-08-01 12:23:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2064