Bug 1601931
| Summary: | Ansible remediation of default umask in login.defs sets incorrect value [rhel-7.5.z] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
| Component: | scap-security-guide | Assignee: | Watson Yuuma Sato <wsato> |
| Status: | CLOSED ERRATA | QA Contact: | Marek Haicman <mhaicman> |
| Severity: | medium | Docs Contact: | Mirek Jahoda <mjahoda> |
| Priority: | high | ||
| Version: | 7.5 | CC: | jcerny, jvilicic, matyc, mhaicman, mjahoda, mpreisle, mthacker, openscap-maint, shawn, wsato |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | scap-security-guide-0.1.36-10.el7_5 | Doc Type: | Bug Fix |
| Doc Text: |
Prior to this update, the Extensible Configuration Checklist Description Format (XCCDF) benchmark contained the octal umask value for the "/etc/login.defs" file converted to the decimal format. Consequently, Ansible remediations against Red Hat Enterprise Linux 7 incorrectly set the "accounts_umask_etc_login_defs" value. The umask value format in the XCCDF benchmark has been fixed, the umask entry now correctly passes through.
|
Story Points: | --- |
| Clone Of: | 1592957 | Environment: | |
| Last Closed: | 2018-09-25 19:05:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1592957 | ||
| Bug Blocks: | |||
|
Description
Oneata Mircea Teodor
2018-07-17 13:42:46 UTC
Tested with SSG Test Suite, on the commit commit 2dc31c16cc6aa961d1e93e17b0f08ab83a82abfd with command line arguments: --libvirt qemu:///system ssg-test-suite-rhel7 --xccdf-id scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml --remediate-using ansible rule_accounts_umask_etc_login_defs DataStream used (md5) : 2ea1bcda4a87b210d0eb9d82f248db8b ./rhel7_753.xml Setting console output to log level INFO INFO - The base image option has not been specified, choosing libvirt-based test environment. INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-09-14-1548/test_suite.log INFO - xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_nist-800-171-cui OK INFO - Script super_compliance.pass.sh using profile xccdf_org.ssgproject.content_profile_nist-800-171-cui OK ERROR - Script wrong_configuration.fail.sh using profile xccdf_org.ssgproject.content_profile_nist-800-171-cui found issue: ERROR - Scan has exited with return code 0, instead of expected 2 during stage initial ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs'. INFO - Script wrong_value.fail.sh using profile xccdf_org.ssgproject.content_profile_nist-800-171-cui OK ERROR - Scan has exited with return code 2, instead of expected 0 during stage final ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs'. DataStream used (md5) : 198991e9c27694df834041f47e7a63d6 ./rhel7_754.xml Setting console output to log level INFO INFO - The base image option has not been specified, choosing libvirt-based test environment. INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-09-14-1550/test_suite.log INFO - xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_nist-800-171-cui OK INFO - Script super_compliance.pass.sh using profile xccdf_org.ssgproject.content_profile_nist-800-171-cui OK INFO - Script wrong_configuration.fail.sh using profile xccdf_org.ssgproject.content_profile_nist-800-171-cui OK INFO - Script wrong_value.fail.sh using profile xccdf_org.ssgproject.content_profile_nist-800-171-cui OK Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:2752 |