Bug 1662180

Summary: xccdf_org.ssgproject.content_rule_rpm_verify_permissions fails after applying remediation scripts.
Product: Red Hat Enterprise Linux 7
Reporter: Jaskaran Singh Narula <janarula>
Component: scap-security-guide
Assignee: Watson Yuuma Sato <wsato>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Priority: unspecified
Version: 7.6
CC: matyc, mhaicman, openscap-maint
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-05-07 10:51:42 UTC
Type: Bug

Description Jaskaran Singh Narula 2018-12-26 19:27:02 UTC
Description of problem:
After scanning the system, the rule is still failing. 

Rule: xccdf_org.ssgproject.content_rule_rpm_verify_permissions

Version-Release number of selected component (if applicable):


How reproducible:
Fully reproducible. 

Steps to Reproduce:
1. Scan any RHEL 7.6 system with DISA STIG RHEL 7
2. Apply the remediation script.
3. Again scan the system and check the result.

Actual results:
Title   Verify and Correct File Permissions with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Ident   CCE-27209-6
Result  fail

Expected results:
Title   Verify and Correct File Permissions with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Ident   CCE-27209-6
Result  pass

Additional info:

Comment 2 Watson Yuuma Sato 2019-01-07 16:50:08 UTC
Hello Jaskaran,

I have tried the described reproducer in a freshly installed VM, but the rule is passing on scan after remediation.
Tried both remediating as the scan goes, with the "--remediate" flag,
and also the multi-step approach of scanning, generating a fix script with "oscap generate fix", and then running it.

During both approaches the second scan resulted in pass for rule rpm_verify_permissions.

I have a few questions:
- Does the reproducer work on a freshly installed machine for you?
- Is there any extra rpm installed in this machine?

Thanks

Comment 3 Watson Yuuma Sato 2019-03-19 17:27:23 UTC
Hello Jaskaran,

We just noticed that remediation for this rule was not working due to the option "--quiet".
As a workaround, the following command will fix the Data Stream.

sed -i 's/--quiet --setperms/--setperms/' ./ssg-rhel7-ds.xml

I kindly ask if you could test it on the reproducer environment.

Thank you.
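An added example, not from this bug report and not scap-security-guide's own remediation code, showing two checks a tester of the workaround above might want. The first parses constructed 'rpm -Va' style output for the condition the rule rpm_verify_permissions fails on (an 'M' in the second attribute column, meaning the file's mode differs from what the RPM database records), which is what should drop to zero once the remediation has run. The second confirms that a remediation text no longer carries the '--quiet --setperms' combination the sed above targets. The sample output, the remediation fragment and the variable name RPM_PACKAGE are all constructed for the example; nothing here calls rpm or oscap.

```shell
#!/bin/sh
# Added example (not code from the bug report or from scap-security-guide).
# All input is constructed inline so the script runs without rpm or oscap.

# Constructed 'rpm -Va' output. The first field is the 9-character attribute
# string S M 5 D L U G T P (a dot means "matches"); the optional second field
# is a file type marker such as 'c' for config files; the last field is the
# path. "missing" lines have no attribute string at all.
SAMPLE_RPM_VA='.M.......  c /etc/ssh/sshd_config
SM5....T.  c /etc/sysconfig/example
.......T.    /usr/lib64/libexample.so.1
missing      /usr/share/doc/example/README
.M....G..    /usr/bin/example-tool'

# Paths whose recorded mode does not match: 'M' in column 2 of field 1.
# This is the condition rpm_verify_permissions reports as a failure.
files_with_mode_mismatch() {
    printf '%s\n' "$1" | awk 'substr($1, 2, 1) == "M" { print $NF }'
}

# Number of such files; 0 is what a passing rescan corresponds to.
count_mode_mismatches() {
    files_with_mode_mismatch "$1" | wc -l | tr -d ' '
}

# Constructed fragment of a bash remediation in the form the sed workaround
# targets. RPM_PACKAGE is an assumed variable name, not taken from the page.
BROKEN_FIX='rpm --quiet --setperms "${RPM_PACKAGE}"'

# Returns 0 (true) if the remediation text still uses the '--quiet --setperms'
# combination from this bug, 1 otherwise.
remediation_uses_quiet_setperms() {
    printf '%s\n' "$1" | grep -q -- '--quiet --setperms'
}

# Apply the same sed expression as the workaround, to a text fragment on
# stdin instead of in place on the data stream file.
fix_remediation_text() {
    printf '%s\n' "$1" | sed 's/--quiet --setperms/--setperms/'
}

# Stand-alone run: list the mismatching files, then show the fixed fragment.
files_with_mode_mismatch "$SAMPLE_RPM_VA"
echo "mode mismatches: $(count_mode_mismatches "$SAMPLE_RPM_VA")"
if remediation_uses_quiet_setperms "$BROKEN_FIX"; then
    echo "remediation still uses --quiet --setperms; fixed form:"
    fix_remediation_text "$BROKEN_FIX"
fi
```

To check a real data stream the same way, replace BROKEN_FIX with the output of grep over ssg-rhel7-ds.xml; a non-zero count from the first function after remediation is the symptom this bug describes, so it is the number to watch on the rescan.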

Comment 6 Watson Yuuma Sato 2019-05-07 10:51:42 UTC
This is a different manifestation of the same bug https://bugzilla.redhat.com/show_bug.cgi?id=1686005.
This is fixed by the same patch.

*** This bug has been marked as a duplicate of bug 1686005 ***