Bug 1463829
Summary: | rule_mount_option_var_tmp_bind discrepancy between OVAL and remediation | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Marek Haicman <mhaicman> |
Component: | scap-security-guide | Assignee: | Matěj Týč <matyc> |
Status: | CLOSED ERRATA | QA Contact: | Marek Haicman <mhaicman> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 7.4 | CC: | mhaicman, openscap-maint |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | scap-security-guide-0.1.40-7.el7 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-10-30 11:46:47 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Marek Haicman
2017-06-21 20:26:16 UTC
I believe this is addressed by this PR: https://github.com/OpenSCAP/scap-security-guide/pull/2696

The mount_option rules were templated and now the generated remediations (ansible and bash) can mount the partition.

Verified fix in version scap-security-guide-0.1.40-7.el7

[dahaic@dhcp-24-168 tests]$ sudo ./datastream_chaining.sh ./0.1.36-7b.rhel7.ds.xml ./0.1.40-7b.rhel7.ds.xml --libvirt qemu:///system rhel7.6 --xccdf-id scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml rule_mount_option_var_tmp_bind
Tested with SSG Test Suite, on the commit commit 87695e43ad73b1b9d008b8b5dc0ff8cce586c3ce
With command line arguments: --libvirt qemu:///system rhel7.6 --xccdf-id scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml rule_mount_option_var_tmp_bind

DataStream used (md5) : 9f4e3926d2b2672f274b74043daf0650 ./0.1.36-7b.rhel7.ds.xml
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-09-20-1707/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind
INFO - Script configured_and_mounted.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - Script just_configured.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
ERROR - Scan has exited with return code 2, instead of expected 0 during stage remediation
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind'.
ERROR - Script just_mounted.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S found issue:
ERROR - Scan has exited with return code 0, instead of expected 2 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind'.
ERROR - Script separated_and_mounted.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S found issue:
ERROR - Scan has exited with return code 0, instead of expected 2 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind'.
ERROR - Script wrong_bind.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S found issue:
ERROR - Scan has exited with return code 0, instead of expected 2 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind'.

DataStream used (md5) : 1acf68b67971a44aaed789c0c9ba4af2 ./0.1.40-7b.rhel7.ds.xml
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-09-20-1708/test_suite.log
libvirt: QEMU Driver error : Guest agent is not responding: QEMU guest agent is not connected
INFO - xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind
INFO - Script configured_and_mounted.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - Script just_configured.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - Script just_mounted.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - Script separated_and_mounted.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - Script wrong_bind.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK

Note: C2S profile does not select this rule, so test has been performed on updated DS where this rule has been selected.

[dahaic@dhcp-24-168 tests]$ diff 0.1.36-7{,b}.rhel7.ds.xml
52533a52534
> <select idref="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind" selected="true"/>
[dahaic@dhcp-24-168 tests]$ diff 0.1.40-7{,b}.rhel7.ds.xml
59676a59677
> <select idref="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind" selected="true"/>

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3308