Bug 1520493

Summary: open-scap reports an "error" when checking "Set Daemon Umask"
Product: Red Hat Enterprise Linux 7
Reporter: SHAURYA <sshaurya>
Component: scap-security-guide
Assignee: Jan Černý <jcerny>
Status: CLOSED ERRATA
QA Contact: Marek Haicman <mhaicman>
Severity: high
Docs Contact:
Priority: high
Version: 7.3
CC: mhaicman, mpreisle, mthacker, openscap-maint, pvrabec, wsato
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: scap-security-guide-0.1.36-6.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 12:21:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
Description: Openscap scan full result
Flags: none

Description SHAURYA 2017-12-04 15:14:20 UTC
Created attachment 1362712
Openscap scan full result

Description of problem:

The "Set Daemon Umask" test says "error" in the oscap report. The "hover text" says that "the checking engine could not complete the evaluation". I can't work out why this is erroring as the /etc/init.d/functions file looks OK to me.


Version-Release number of selected component (if applicable):
using openscap-1.2.10-2


Actual results:

Provides false report for /etc/init.d/functions file.

Expected results:
Should not provide false positive report for a scan.


Additional info:
Scan results attached

Comment 2 Jan Černý 2017-12-05 16:17:08 UTC
Thank you for reporting this bug. It's a bug in SCAP Security Guide in rule 'xccdf_org.ssgproject.content_rule_umask_for_daemons'.

I have submitted a patch upstream that fixes this bug: https://github.com/OpenSCAP/scap-security-guide/pull/2476

You can temporarily work around this issue by manually removing "<external_variable>" elements with id="oval:ssg-var_umask_for_daemons_umask_as_number:var:1" from the datastream.
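
Added example (not part of the bug report and not SCAP Security Guide code): the workaround from Comment 2 applied with Python's standard XML library. Only the variable id comes from the comment; the sample document and the helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Variable id quoted in Comment 2 of this bug report.
VAR_ID = "oval:ssg-var_umask_for_daemons_umask_as_number:var:1"

# Constructed, heavily trimmed stand-in for a source datastream (not real SSG
# content): two OVAL components declare the variable, one also declares another.
SAMPLE = """\
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2">
  <ds:component id="constructed-oval-1">
    <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <variables>
        <external_variable id="oval:ssg-var_umask_for_daemons_umask_as_number:var:1"
                           datatype="int" version="1" comment="constructed"/>
        <external_variable id="oval:ssg-constructed_other:var:1"
                           datatype="string" version="1" comment="constructed"/>
      </variables>
    </oval_definitions>
  </ds:component>
  <ds:component id="constructed-oval-2">
    <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <variables>
        <external_variable id="oval:ssg-var_umask_for_daemons_umask_as_number:var:1"
                           datatype="int" version="1" comment="constructed"/>
      </variables>
    </oval_definitions>
  </ds:component>
</ds:data-stream-collection>
"""

def local_name(tag):
    """Strip the '{namespace}' part that ElementTree puts in front of tag names."""
    return tag.rsplit("}", 1)[-1]

def external_variables(root):
    """Return (parent, element) for every <external_variable> in the tree."""
    return [(parent, child) for parent in root.iter() for child in parent
            if local_name(child.tag) == "external_variable"]

def remove_external_variable(root, var_id=VAR_ID):
    """Detach each <external_variable id=var_id>; return how many were removed."""
    hits = [(p, c) for p, c in external_variables(root) if c.get("id") == var_id]
    for parent, child in hits:
        parent.remove(child)
    return len(hits)

if __name__ == "__main__":
    root = ET.fromstring(SAMPLE)
    print("removed:", remove_external_variable(root))
    print("left:", [c.get("id") for _, c in external_variables(root)])
```

ElementTree rewrites namespace prefixes when it serializes a tree, so apply this to a copy of the datastream and validate the result before scanning with it.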

Comment 3 Marek Haicman 2017-12-05 17:33:51 UTC
PR merged -> POST state

Comment 9 Marek Haicman 2018-01-15 20:52:56 UTC
Verified with SSG Test Suite https://github.com/OpenSCAP/scap-security-guide/tree/master/tests
[Please note I had to add rule_umask_for_daemons to C2S profile for SSG Test Suite to consume it, and update scenarios accordingly. It won't work with profile out of the box.]

OLD (scap-security-guide-0.1.33-6.el7.noarch)
INFO - xccdf_org.ssgproject.content_rule_umask_for_daemons
ERROR - Script adequate.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S found issue:
ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_umask_for_daemons'.
INFO - Script comment.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
ERROR - Scan has exited with return code 2, instead of expected 0 during stage remediation
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_umask_for_daemons'.
INFO - Script strong_weak.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
ERROR - Scan has exited with return code 2, instead of expected 0 during stage remediation
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_umask_for_daemons'.
ERROR - Script super_strong.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S found issue:
ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_umask_for_daemons'.
INFO - Script line_not_there.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
ERROR - Scan has exited with return code 2, instead of expected 0 during stage remediation
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_umask_for_daemons'.
INFO - All snapshots reverted successfully


NEW (scap-security-guide-0.1.36-7.el7.noarch)
INFO - xccdf_org.ssgproject.content_rule_umask_for_daemons
INFO - Script adequate.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - Script comment.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - Script strong_weak.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - Script super_strong.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - Script line_not_there.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK
INFO - All snapshots reverted successfully


PR with test coverage: https://github.com/OpenSCAP/scap-security-guide/pull/2541

Comment 10 Jan Černý 2018-01-16 08:34:34 UTC
The test was merged in upstream test suite.

Comment 13 errata-xmlrpc 2018-04-10 12:21:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0761