Bug 1711893

Summary: DISA STIG profile for containers is too bloated
Product: Red Hat Enterprise Linux 7 Reporter: Marek Haicman <mhaicman>
Component: scap-security-guideAssignee: Jan Černý <jcerny>
Status: CLOSED ERRATA QA Contact: Matus Marhefka <mmarhefk>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.7CC: fred.blaise, ggasparb, jcerny, matyc, mhaicman, mthacker, openscap-maint
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.43-12.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 13:04:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marek Haicman 2019-05-20 10:23:10 UTC 
Description of problem:
When hardening UBI with DISA STIG profile via `atomic scan`, there are unnecessary packages installed, making the "base image" quite bloated.

First finding is AIDE - this tool duplicates the inherent capability of containers (identify changes to the system). As such, it is not necessary to have it enabled for containerized environments.

Second finding is smartcards rule, which installs `authconfig-gtk` package. There is no reason to require GTK version, containerized or not. So the rule should be changed to require simply the CLI `authconfig` pkg.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.40-13.el7_6

How reproducible:
reliably

Steps to Reproduce:
1. $ sudo atomic scan --scanner openscap \
--remediate \
--scan_type configuration_compliance \
--scanner_args xccdf-id=scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml,profile=xccdf_org.ssgproject.content_profile_stig,report \
--verbose \
registry.redhat.io/ubi7/ubi 

Actual results:
Image too big, with aide and gtk packages being part of the update

Expected results:
No suspiciously out of place pkgs are present.

Additional info:
Comment 2 Matus Marhefka 2019-05-28 13:48:12 UTC 
PR fixing the issue: https://github.com/ComplianceAsCode/content/pull/4357
Comment 9 errata-xmlrpc 2019-08-06 13:04:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2198