Bug 1619689

Summary: Ship profile in line with OSPP v4.2
Product: Red Hat Enterprise Linux 7 Reporter: Marek Haicman <mhaicman>
Component: scap-security-guideAssignee: Marek Haicman <mhaicman>
Status: CLOSED ERRATA QA Contact: Marek Haicman <mhaicman>
Severity: medium Docs Contact: Mirek Jahoda <mjahoda>
Priority: medium    
Version: 7.6CC: lmiksik, mhaicman, mpreisle, mthacker, openscap-maint
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.40-4.el7 Doc Type: Enhancement
Doc Text:
SCAP Security Guide now supports OSPP v4.2 This update of the _scap-security-guide_ packages introduces a new profile defining the core requirements of OSPP (General-Purpose Operating System Protection Profile) v4.2. The new profile ID is `ospp42`, and the previously released profile USGCB (United States Government Configuration Baseline) OSPP v4.0 is available with ID `ospp`.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 11:47:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
State of profile ospp42 none

Description Marek Haicman 2018-08-21 13:38:15 UTC 
Description of problem:
OSPP profile shipped in RHEL7 is currently v4.0. As the latest version is v4.2, it's desired to have that version available, either as a replacement, or as a separate profile.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.40-2.el7

How reproducible:
reliably

Steps to Reproduce:
1. oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
2. open /usr/share/doc/scap-security-guide-doc-0.1.40/ssg-rhel7-guide-ospp.html from scap-security-guide-doc
3.

Actual results:
No explicit OSPP profile, and USGCB profile has in the guide this:
NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)

Expected results:
Either explicit OSPP profile is available, following v4.2 or USGCB profile is updated.

Additional info:
Comment 7 Marek Haicman 2018-09-25 23:24:08 UTC 
Created attachment 1486946 [details]
State of profile ospp42

Verified for version scap-security-guide-0.1.40-12.el7

Profile with core OSPP v4.2 rules is part of SCAP Security Guide package, with these statistics:
Total rules: 176
Passing (after remediation): 151
Passing (if https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules is present in /etc/audit/rules.d/): 167
Deliberate failures: 2 (it is up to user to set it appropriately)
Failing remediations: 3 (sudo and sudoedit will pass when remediation is performed once again)
Rules without OVAL: 3 (Ensure Software Patches Installed is special case)
Comment 13 errata-xmlrpc 2018-10-30 11:47:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3308