Bug 1398649

Summary: Evaluation of RHEL6 system after installing it from PCI-DSS kickstart reports some failing rules
Product: Red Hat Enterprise Linux 6 Reporter: Matus Marhefka <mmarhefk>
Component: scap-security-guideAssignee: Watson Yuuma Sato <wsato>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.9CC: mhaicman, openscap-maint
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-06 11:37:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Matus Marhefka 2016-11-25 13:27:16 UTC 
Description of problem:
Install RHEL6 system (server variant) from PCI-DSS kickstart provided by scap-security-guide package.
After evaluation of PCI-DSS content on the installed system the following rules are failing:
===
These are the unexpected results:
Found 2 nodes:
-- NODE --
<rule-result idref="smartcard_auth" time="2016-11-24T05:42:31" severity="medium" weight="1.000000">
      <result>fail</result>
      <ident system="http://cce.mitre.org">CCE-27440-7</ident>
      <ident system="http://cce.mitre.org">DISA FSO RHEL-06-000349</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref name="oval:ssg-smartcard_auth:def:1" href="ssg-rhel6-oval.xml" />
      </check>
    </rule-result>-- NODE --
<rule-result idref="rsyslog_files_permissions" time="2016-11-24T05:42:36" severity="medium" weight="1.000000">
      <result>fail</result>
      <ident system="http://cce.mitre.org">CCE-27190-8</ident>
      <ident system="http://cce.mitre.org">DISA FSO RHEL-06-000135</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref name="oval:ssg-rsyslog_files_permissions:def:1" href="ssg-rhel6-oval.xml" />
      </check>
    </rule-result>
===

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.28-3.el6.noarch

How reproducible:
Always

Actual results:
Evaluation of PCI-DSS content on the system installed from PCI-DSS kickstart reports failing rules.

Expected results:
Evaluation of PCI-DSS content on the system installed from PCI-DSS kickstart reports that system is PCI-DSS compliant.


Additional info:
Comment 2 Matus Marhefka 2016-11-25 13:43:25 UTC 
The kickstart used was ssg-rhel6-pci-dss-with-gui-ks.cfg
Comment 6 Jan Kurik 2017-12-06 11:37:56 UTC 
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/