Bug 1575210

Summary: Bigger tailoring file is generated on RHEL7 wrt RHEL6
Product: Red Hat Enterprise Linux 7
Reporter: amitkuma
Component: scap-workbench
Assignee: Matěj Týč <matyc>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: low
Version: 7.5
CC: mhaicman, openscap-maint, wsato
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-02-26 17:21:54 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description amitkuma 2018-05-05 06:14:05 UTC
Description of problem:

If I generate a tailoring file for only 1 rule, a big file is
generated with all other rules marked selected="false":
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_ssh_server" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_ssh" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_services" selected="true"/>
    <xccdf:set-value idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">3600</xccdf:set-value>

This only happens on RHEL-7.
On RHEL-6, I found that a very small tailoring file gets generated with
only the rule specified.

There is a customer who has the following requirement:
We need a small tailoring file as it needs to be embedded in and written
out from the kickstart file.

I believe there is a change in the scap-workbench code between RHEL6 and RHEL7.
How can we generate a smaller tailoring file in RHEL7, as happened in RHEL6?

Version-Release number of selected component (if applicable):
# rpm -qa | grep scap
scap-security-guide-0.1.36-7.el7.noarch
openscap-1.2.16-6.el7.x86_64
perl-Pod-Escapes-1.04-292.el7.noarch
scap-workbench-1.1.6-1.el7.x86_64
openscap-scanner-1.2.16-6.el7.x86_64
openscap-containers-1.2.16-6.el7.noarch
scap-security-guide-doc-0.1.36-7.el7.noarch
openscap-utils-1.2.16-6.el7.x86_64

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.4 (Maipo)

How reproducible:
all times

Steps to Reproduce:
1. Generate a tailoring file using scap-workbench on RHEL7 with only 1 rule.
2. Generate a tailoring file using scap-workbench on RHEL6 with same rule.
3. You will find the tailoring file generated on RHEL7 is much bigger, although all rules are set to false except the 1 selected.

Actual results:
Bigger tailoring file generated with unwanted rules set to false.

Expected results:
Smaller tailoring file should be generated.

Additional info:
I believe the use case of generating a bigger tailoring file having unwanted rules=false does not serve any purpose, since it would lead to unnecessary checks in the data structure where rules are parsed and stored.
We need to iterate over the table to search for the 'true' entries, consuming many CPU cycles in comp instructions.

Would be going into the scap-workbench code to look for a fix, as I get time.
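
Added example (not from the report and not scap-workbench's own code): a small script that strips the redundant selected="false" entries from a tailoring file so that only the selected rules, groups and values remain, the compact form the reporter wants to embed in a kickstart. It assumes XCCDF 1.2 namespaced content whose rules are unselected by default (as SSG content is) and leaves any Profile that uses `extends` untouched, because there a false entry overrides a selection inherited from the base profile; the sample tailoring and its example_a/example_b idrefs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf", XCCDF_NS)  # keep the xccdf: prefix on output

def _q(tag):
    """Qualified tag name in the XCCDF 1.2 namespace."""
    return "{%s}%s" % (XCCDF_NS, tag)

def minimize_tailoring(xml_text):
    """Return (minimized XML text, number of <select> elements removed).

    Drops <xccdf:select selected="false"> from every Profile without `extends`
    (redundant when the benchmark's rules default to unselected, as in SSG).
    A Profile that extends a base profile is left as-is: there a false entry
    overrides a selection inherited from the base, so it carries meaning.
    """
    root = ET.fromstring(xml_text)
    removed = 0
    for profile in root.iter(_q("Profile")):
        if profile.get("extends") is not None:
            continue
        for sel in list(profile.findall(_q("select"))):
            if sel.get("selected") == "false":
                profile.remove(sel)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed

def selected_idrefs(xml_text):
    """(idref, selected) pairs of all <select> entries, in document order."""
    root = ET.fromstring(xml_text)
    return [(s.get("idref"), s.get("selected")) for s in root.iter(_q("select"))]

# Constructed sample: the wanted rule, its group and value from the report, plus
# two padding entries with placeholder idrefs of the kind RHEL 7 emits.
SAMPLE = """<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="ssg-rhel7-ds.xml"/>
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_ssh_only">
    <xccdf:title>SSH idle timeout only</xccdf:title>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_ssh_server" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_example_a" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_example_b" selected="false"/>
    <xccdf:set-value idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">3600</xccdf:set-value>
  </xccdf:Profile>
</xccdf:Tailoring>"""
```

Running `minimize_tailoring(SAMPLE)` on the sample returns the file with only the two true entries and the set-value left, which is the RHEL6-sized result the report asks for.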

Comment 2 Marek Haicman 2019-02-26 17:21:54 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.