| Field | Value |
|---|---|
| Summary | Some rules in PCI-DSS, DISA STIG and USGCB Profile fail to remediate |
| Product | Red Hat Enterprise Linux 7 |
| Component | scap-security-guide |
| Version | 7.5 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | high |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Watson Yuuma Sato <wsato> |
| Assignee | Watson Yuuma Sato <wsato> |
| QA Contact | Marek Haicman <mhaicman> |
| Docs Contact | |
| CC | mhaicman, mpreisle, mthacker, openscap-maint |
| Target Milestone | rc |
| Target Release | --- |
| Keywords | ZStream |
| Whiteboard | |
| Fixed In Version | scap-security-guide-0.1.39-1 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1571312 (view as bug list) |
| Environment | |
| Last Closed | 2018-10-30 11:46:47 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Bug Depends On | |
| Bug Blocks | 1571312 |
Description

Watson Yuuma Sato, 2018-04-23 12:22:20 UTC

Fixes for the rules:

- https://github.com/OpenSCAP/scap-security-guide/pull/2679
  - xccdf_org.ssgproject.content_rule_partition_for_tmp
  - xccdf_org.ssgproject.content_rule_partition_for_var
  - xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
  - xccdf_org.ssgproject.content_rule_partition_for_home
- https://github.com/OpenSCAP/scap-security-guide/pull/2696
  - xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
- https://github.com/OpenSCAP/scap-security-guide/pull/2673
  - xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable
- https://github.com/OpenSCAP/scap-security-guide/pull/2671
  - xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc
  - xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions
- https://github.com/OpenSCAP/scap-security-guide/pull/2554 and https://github.com/OpenSCAP/scap-security-guide/pull/2667
  - xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
- https://github.com/OpenSCAP/scap-security-guide/pull/2607
  - xccdf_org.ssgproject.content_rule_audit_rules_login_events
- https://github.com/OpenSCAP/scap-security-guide/pull/2667
  - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
- https://github.com/OpenSCAP/scap-security-guide/pull/2532
  - xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
  - xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete
- https://github.com/OpenSCAP/scap-security-guide/pull/2698
  - xccdf_org.ssgproject.content_rule_service_kdump_disabled
- https://github.com/OpenSCAP/scap-security-guide/pull/2688
  - xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
- https://github.com/OpenSCAP/scap-security-guide/pull/2685
  - xccdf_org.ssgproject.content_rule_ldap_client_start_tls
- https://github.com/OpenSCAP/scap-security-guide/pull/2664
  - xccdf_org.ssgproject.content_rule_ensure_logrotate_activated

Rule xccdf_org.ssgproject.content_rule_aide_scan_notification is handled in https://bugzilla.redhat.com/show_bug.cgi?id=1540505.

Rule xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading is handled in https://bugzilla.redhat.com/show_bug.cgi?id=1547694.

Agreed and approved.

For rule xccdf_org.ssgproject.content_rule_audit_rules_login_events, the PR is actually https://github.com/OpenSCAP/scap-security-guide/pull/2628. And https://github.com/OpenSCAP/scap-security-guide/pull/2733 also needs to be considered.

Verified for version scap-security-guide-0.1.40-12.el7.noarch.

Out of the rules listed in the description of the bug, there are two that are persisting:

- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands: the problem stems from different OVAL and remediation approaches. The OVAL expects to have a rule even for `sudoedit`, even though it is just a symlink to `sudo`. The remediation creates only the `sudo` rule. This failure is safe.
- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading

The rest of the listed rules are fixed. There are new rules without remediation or failing for the newest 0.1.40-12. These will be tracked in separate bugzillas.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3308
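The `sudo`/`sudoedit` mismatch noted in the verification comment above, as an added example that is not part of this bug report and not scap-security-guide's own remediation or OVAL code. It models the two sides of the disagreement: a remediation that walks the filesystem for setuid/setgid regular files (so a symlink like `sudoedit` never gets its own rule) and a check that lists privileged programs including symlinks to a setuid target (so `sudoedit` is reported as uncovered). A second mode of the coverage check treats a symlink as covered when its resolved target has a rule, which is the "safe" reading: executing `sudoedit` runs the same inode the `sudo` rule already audits. The rule template, the function names, the uid threshold of 1000 and the use of 4294967295 as the unset auid are assumptions made for this example, not a statement of what the SSG content emits.

```shell
#!/bin/sh
# Added example, not code from scap-security-guide. All names and the rule
# template below are assumptions made to illustrate the sudo/sudoedit gap.

# Emit one audit rule per setuid/setgid *regular file* under $1.
# -type f without -L skips symlinks, so a symlink such as sudoedit -> sudo
# never gets its own "-F path=" rule. This is the remediation side.
gen_privileged_rules() {
    root="$1"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
    while read -r bin; do
        printf '%s\n' "-a always,exit -F path=$bin -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged"
    done
}

# List privileged programs under $1 the way a stricter check would:
# with -L a symlink is stat'ed through to its target, so sudoedit is listed
# when sudo is setuid. This is the check side.
list_privileged_programs() {
    root="$1"
    find -L "$root" -xdev \( -type f -a \( -perm -4000 -o -perm -2000 \) \) 2>/dev/null | sort
}

# Report every program in file $2 (one path per line) that has no
# "-F path=<program> " rule in file $1; exit 0 only when all are covered.
# mode "strict" (default) requires a rule for the literal path.
# mode "resolve" also accepts a rule for the resolved target of a symlink.
check_rule_coverage() {
    rules="$1" programs="$2" mode="${3:-strict}" missing=0
    while read -r p; do
        [ -n "$p" ] || continue
        if grep -qF -- "-F path=$p " "$rules"; then
            continue
        fi
        if [ "$mode" = resolve ] && [ -L "$p" ]; then
            target=$(readlink -f "$p")
            if grep -qF -- "-F path=$target " "$rules"; then
                continue
            fi
        fi
        echo "no audit rule for privileged program: $p" >&2
        missing=$((missing + 1))
    done < "$programs"
    [ "$missing" -eq 0 ]
}
```

Running `gen_privileged_rules /` on a RHEL 7 host shows what a file-walk remediation would produce; feeding that output and `list_privileged_programs /` to `check_rule_coverage` in strict mode reproduces the kind of `sudoedit` finding described above, while resolve mode accepts it. Whether the loaded rules on a real box match the generated ones is a separate question, answered with `auditctl -l`.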