Bug 1569425

Summary: False positive rule violation when bootloader password is set for C2S for Red Hat Enterprise Linux 7 profile
Product: Red Hat Enterprise Linux 7 Reporter: Sagar Lutade <slutade>
Component: scap-security-guideAssignee: Watson Yuuma Sato <wsato>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.0CC: jcerny, mhaicman, mhulan, mpreisle, openscap-maint, oprazak, vijsingh, wsato
Target Milestone: pre-dev-freeze   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-18 11:45:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
error_screenshot none

Description Sagar Lutade 2018-04-19 09:22:12 UTC 
Description of problem:

>> Default RHEL 7 scap policy not working as expected.

>> Set Boot Loader Password for a host is not working as expected.
 Shows as Items found violating "/boot/grub2/grub.cfg does not exists"
 But the file seems to be present and with correct permissions.

Version-Release number of selected component (if applicable):
>> openscap-1.2.16-6.el7.x86_64

How reproducible:
>> Create a new scap policy with profile:C2S for Red Hat Enterprise Linux 7.

Steps to Reproduce:
1.Create a new policy.
2.Assign to the host.
3.Run the compliance report.

Actual results:
>> It shows risk of high severity "xccdf_org.ssgproject.content".


Expected results:
It should not show the severity as the bootloader password is set.

Additional info:
NA.
Comment 1 Sagar Lutade 2018-04-19 09:23:38 UTC 
Created attachment 1423971 [details]
error_screenshot
Comment 2 Ondřej Pražák 2018-04-19 11:05:49 UTC 
Thank you for reporting this, however this is not a problem with Sat6 but rather how openscap evaluates the given rule. Therefore I will move this to a different component.
Comment 4 Ondřej Pražák 2018-05-15 06:30:28 UTC 
*** Bug 1576874 has been marked as a duplicate of this bug. ***
Comment 5 Watson Yuuma Sato 2018-05-18 11:36:43 UTC 
Hello,

I see in SOS report that "superusers" in /boot/grub2/grub.cf is set to "root", and although Rule "bootloader_password" recommends to not use common names as superuser (i.e. root, admin, administrator), it is actually required that they are not root, nor admin nor administrator.

Please, try to set a different superuser account name, and scan again.
Comment 6 Watson Yuuma Sato 2018-05-18 11:45:28 UTC 
I'm closing this, if the problem persists, please reopen.