Bug 1493193
Field | Value
---|---
Summary | [Regression] appliance_console not enabling all required SCAP rules.
Product | Red Hat CloudForms Management Engine
Component | Appliance
Status | CLOSED CURRENTRELEASE
Severity | high
Priority | high
Version | 5.8.0
Target Milestone | GA
Target Release | 5.9.0
Hardware | Unspecified
OS | Unspecified
Whiteboard | black
Fixed In Version | 5.9.0.2
Reporter | luke couzens <lcouzens>
Assignee | Nick Carboni <ncarboni>
QA Contact | luke couzens <lcouzens>
Docs Contact |
CC | abellott, cpelland, jhardy, lcouzens, ncarboni, obarenbo, simaishi, smallamp
Keywords | Regression, TestOnly, ZStream
Doc Type | If docs needed, set a value
Doc Text |
Story Points | ---
Clone Of |
Clones | 1498230, 1498232
Environment |
Last Closed | 2018-03-06 14:45:40 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
CRM |
Verified Versions |
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | CFME Core
Target Upstream Version |
Embargoed |
Bug Depends On | 1496279
Bug Blocks | 1498230, 1498232
Description
luke couzens
2017-09-19 14:45:25 UTC

Which rules are not being satisfied? Are there any differences in the openscap or openscap scanner rpm versions between the versions?

So the rules, I don't think anything is getting applied. As for versions, they do also differ.

5.7.4: openscap-1.2.14-2.el7.x86_64 openscap-scanner-1.2.14-2.el7.x86_64
5.7.3.2: openscap-1.2.10-3.el7_3.x86_64 openscap-scanner-1.2.10-3.el7_3.x86_64

https://github.com/ManageIQ/linux_admin/pull/191
https://github.com/ManageIQ/manageiq-gems-pending/pull/275

These changes get us to 20 passing and 26 not applicable rules. In the previous version we had 46 passing rules. The discrepancy seems to be caused by a new version of the scap-security-guide rpm. I was able to downgrade the rpm (to version 0.1.30) and see that the other 26 rules were remediated correctly and show as "passed" in the report after running the console option. Opened https://bugzilla.redhat.com/show_bug.cgi?id=1496279 to track what I believe is a bug in the scap-security-guide package.

Just a heads up, this is also an issue on the latest 5.8.2 builds.

New commit detected on ManageIQ/linux_admin/master:
https://github.com/ManageIQ/linux_admin/commit/8f90905cd47cefedddbb25b2478bced77ae7b880

commit 8f90905cd47cefedddbb25b2478bced77ae7b880
Author: Nick Carboni <ncarboni>
AuthorDate: Tue Sep 26 17:12:23 2017 -0400
Commit: Nick Carboni <ncarboni>
CommitDate: Wed Sep 27 11:47:39 2017 -0400

    Add platform attribute to Scap class

    Newer versions of scap-security-guide (> 0.1.32) add new xccdf files which match our glob pattern, but do not contain the remediations for the rules we want to run. If we edit one of these files rather than the one for our target platform, the rules will not be remediated properly. Specifying the platform allows us to find the file we need.

    https://bugzilla.redhat.com/show_bug.cgi?id=1493193

 lib/linux_admin/scap.rb           | 33 ++++++++++++++++++++++-----------
 spec/data/scap/ssg-rhel6-oval.xml |  0
 spec/scap_spec.rb                 | 25 ++++++++++++++++++++++---
 3 files changed, 44 insertions(+), 14 deletions(-)
 create mode 100644 spec/data/scap/ssg-rhel6-oval.xml

Also this one https://github.com/ManageIQ/linux_admin/pull/192

New commit detected on ManageIQ/manageiq-gems-pending/master:
https://github.com/ManageIQ/manageiq-gems-pending/commit/15da3580d15e016cb785073f27c78d738ad2bd82

commit 15da3580d15e016cb785073f27c78d738ad2bd82
Author: Nick Carboni <ncarboni>
AuthorDate: Tue Sep 26 17:29:23 2017 -0400
Commit: Nick Carboni <ncarboni>
CommitDate: Tue Sep 26 17:29:23 2017 -0400

    Specify rhel7 as the scap security guide platform

    https://bugzilla.redhat.com/show_bug.cgi?id=1493193

 lib/gems/pending/appliance_console/scap.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Verified in 5.9.0.2
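The commit message above describes the root cause: a glob over the scap-security-guide content directory starts matching benchmark files that do not carry remediations for the target platform, and remediating the wrong file silently leaves rules unfixed. The Ruby below is an added illustration of that failure and of the platform-keyed lookup that replaces it; it is not code from linux_admin, manageiq-gems-pending or scap-security-guide. The file names, platform CPEs, rule ids and benchmark contents are constructed (only the XCCDF 1.2 namespace is real), and the content directory is a temporary one created by the script, so nothing on the host is read or modified.

```ruby
require "rexml/document"
require "tmpdir"

# Added illustration, not project code. Shows why "ssg-*-xccdf.xml" stops being
# a safe way to pick the benchmark once extra XCCDF files land in the content
# directory, and how matching on the target platform CPE fixes that.

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2" # real XCCDF 1.2 namespace

# Build a minimal, constructed XCCDF benchmark: one <platform> declaration and
# a set of rules, some carrying an XCCDF <fix> (remediation) and some not.
def build_xccdf(platform_cpe, rules_with_fix, rules_without_fix = [])
  rules = rules_with_fix.map { |id|
    %(<Rule id="#{id}" selected="true"><title>#{id}</title>) +
      %(<fix system="urn:xccdf:fix:script:sh">echo remediated</fix></Rule>)
  } + rules_without_fix.map { |id|
    %(<Rule id="#{id}" selected="true"><title>#{id}</title></Rule>)
  }
  %(<?xml version="1.0" encoding="UTF-8"?>\n) +
    %(<Benchmark xmlns="#{XCCDF_NS}" id="xccdf_example_benchmark">\n) +
    %(  <platform idref="#{platform_cpe}"/>\n  ) +
    rules.join("\n  ") + "\n</Benchmark>\n"
end

# Constructed placeholder rule ids, not real SSG rule ids.
REQUIRED_RULES = %w[
  xccdf_example_rule_login_banner
  xccdf_example_rule_ssh_timeout
].freeze

# Populate a constructed content directory: the rhel7 benchmark carries fixes
# for the required rules, the other two files match the same glob but cannot
# remediate them (the third one declares a different platform entirely).
def write_sample_content(dir)
  {
    "ssg-rhel6-xccdf.xml"       => build_xccdf("cpe:/o:redhat:enterprise_linux:6", REQUIRED_RULES),
    "ssg-rhel7-xccdf.xml"       => build_xccdf("cpe:/o:redhat:enterprise_linux:7", REQUIRED_RULES),
    "ssg-example-app-xccdf.xml" => build_xccdf("cpe:/a:example:app", [], REQUIRED_RULES),
  }.each { |name, xml| File.write(File.join(dir, name), xml) }
  dir
end

# Pre-fix lookup: every file matching the pattern is a candidate, and which one
# wins depends only on directory ordering.
def glob_candidates(dir)
  Dir.glob(File.join(dir, "ssg-*-xccdf.xml")).map { |p| File.basename(p) }.sort
end

def child_elements(element)
  element.children.grep(REXML::Element)
end

# Platform CPE a benchmark declares (nil when it declares none).
def benchmark_platform(path)
  root = REXML::Document.new(File.read(path)).root
  platform = child_elements(root).find { |e| e.name == "platform" }
  platform && platform.attributes["idref"]
end

# Post-fix lookup: only a benchmark declaring our platform qualifies.
def benchmark_for_platform(dir, platform_cpe)
  Dir.glob(File.join(dir, "ssg-*-xccdf.xml")).sort.find do |path|
    benchmark_platform(path) == platform_cpe
  end
end

# Requested rules the benchmark can actually remediate, i.e. those with a <fix>.
# A rule with no fix is never remediated and so never reaches "pass".
def remediable_rules(path, rule_ids)
  root = REXML::Document.new(File.read(path)).root
  child_elements(root)
    .select { |e| e.name == "Rule" && rule_ids.include?(e.attributes["id"]) }
    .select { |rule| child_elements(rule).any? { |c| c.name == "fix" } }
    .map { |rule| rule.attributes["id"] }
end

# Self-contained comparison of both lookups against the constructed content.
def demo(platform_cpe = "cpe:/o:redhat:enterprise_linux:7")
  Dir.mktmpdir("ssg-content") do |dir|
    write_sample_content(dir)
    glob_first = File.join(dir, glob_candidates(dir).first)
    chosen = benchmark_for_platform(dir, platform_cpe)
    {
      candidates: glob_candidates(dir),
      glob_first: File.basename(glob_first),
      glob_first_fixes: remediable_rules(glob_first, REQUIRED_RULES),
      chosen: File.basename(chosen),
      chosen_fixes: remediable_rules(chosen, REQUIRED_RULES),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "glob candidates:   #{result[:candidates].join(', ')}"
  puts "glob picks:        #{result[:glob_first]} (fixes: #{result[:glob_first_fixes].size})"
  puts "platform picks:    #{result[:chosen]} (fixes: #{result[:chosen_fixes].size})"
end
```

The check worth keeping from this is the last step: after selecting a benchmark, confirm that every rule you intend to remediate actually carries a fix in that file. A count of "not applicable" rules jumping from zero to 26, as reported in this bug, is exactly the signal that the wrong benchmark was edited.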