Bug 1726698

Summary: Rebase scap-security-guide in Red Hat Enterprise Linux 7.8 to latest upstream version
Product: Red Hat Enterprise Linux 7 Reporter: Watson Yuuma Sato <wsato>
Component: scap-security-guideAssignee: Watson Yuuma Sato <wsato>
Status: CLOSED ERRATA QA Contact: Matus Marhefka <mmarhefk>
Severity: medium Docs Contact: RaTasha Tillery-Smith <rtillery>
Priority: medium    
Version: 7.7CC: ggasparb, jcerny, matyc, mhaicman, mlysonek, openscap-maint, rtillery, sadas, tborcin, vpolasek
Target Milestone: rcKeywords: Rebase
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.46-9.el7 Doc Type: Enhancement
Doc Text:
.`SCAP Security Guide` rebased to version 0.1.46 The `SCAP Security Guide` (SSG) packages have been upgraded to version 0.1.46, which provides enhancements and bug fixes over the previous version, most notably: * SSG now provides content that follows guidelines conforming to the SCAP 1.3 standard. The 1.3 data streams are compatible with OpenSCAP and used by default. Note that you can still use content suffixed with `-1.2` if you require the use of SCAP 1.2 data streams, as this data moved to the "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml" path. The new 1.3 data stream is located in the usual path.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-31 19:38:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Watson Yuuma Sato 2019-07-03 13:20:57 UTC
The version currently in RHEL7 is 0.1.43.

Upstream version 0.1.44 is already released (on May 3rd 2019), changes from 0.1.43 to 0.1.44 can be checked here: https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44

Next upstream release version 0.1.45 is to happen soon, in July 2019.

Comment 8 Jan Černý 2019-11-13 11:37:01 UTC
The Ansible Playbook for STIG profile errors in scap-security-guide-0.1.46-5.el7.noarch and it terminates before finishing.

1. # oscap xccdf generate fix --fix-type ansible --profile stig --output stig-rhel7-role2.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
2. # ansible-playbook -i "localhost," -c local --check stig-rhel7-role2.yml

In --check mode, it fails on:

8<---8<---8<---8<---8<---8<---8<---8<---
                                                                                            
TASK [Disable service kdump] ****************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'service_file_exists.rc == 0' failed. The error was: error while evaluating conditional (service_file_exists.rc == 0): 'dict object' has no attribute
 'rc'\n\nThe error appears to be in '/root/stig-rhel7-role2.yml': line 430, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n    - name
: Disable service kdump\n      ^ here\n"}                                                                                                                                                                          
                                     
8<---8<---8<---8<---8<---8<---8<---8<---

In real run, it fails on:

8<---8<---8<---8<---8<---8<---8<---8<---

TASK [Get nfs and nfs4 mount points, that don't have nosuid] ********************************************                                                                                                          
fatal: [localhost]: FAILED! => {"changed": false, "cmd": "set -o pipefail\ngrep -E \"[[:space:]]nfs[4]?[[:space:]]\" /etc/fstab | grep -v \"nosuid\" | awk '{print $2}'\n", "delta": "0:00:00.006738", "end": "2019
-11-13 04:33:35.210072", "msg": "non-zero return code", "rc": 1, "start": "2019-11-13 04:33:35.203334", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}          

8<---8<---8<---8<---8<---8<---8<---8<---

This problem has been discovered during verification of https://bugzilla.redhat.com/show_bug.cgi?id=1747188

Comment 9 Jan Černý 2019-11-13 12:04:07 UTC
The kdump service fail has been reported upstream in https://github.com/ComplianceAsCode/content/issues/5003 which references https://github.com/RedHatOfficial/ansible-role-rhel7-stig/issues/18

Comment 12 Milan Lysonek 2019-11-13 12:23:58 UTC
The issue with failing nfs ansible remediation mentioned in Comment 8 has been already fixed in upstream - https://github.com/ComplianceAsCode/content/pull/4784

Comment 13 Gabriel Gaspar Becker 2019-11-13 12:35:42 UTC
The omission of removing directory_access_var_log_audit rule in favor of audit_rules_for_ospp should be backported and the fix already exists upstream: https://github.com/ComplianceAsCode/content/pull/4957

Comment 14 Jan Černý 2019-11-13 13:14:28 UTC
I have checked the Ansible Playbook generated using the 'stig' profile from ssg-rhel7-ds.xml provided by scap-security-guide-0.1.46-5.el7.noarch.
I have continuously removed all the failing tasks from the playbook to allow the playbook to finish.

In the real run (without --check) the offending rules were: mount_option_nosuid_remote_filesystems and mount_option_noexec_remote_filesystems.
These are templated rules, which means the Ansible template mount_option_remote_filesystems needs to be fixed.

In the check mode (with --check), there are more errors than in the real run, specifically:
- service_autofs_disabled and service_kdump_disabled - they are templated, we need to fix Ansible template service_disabled
- mount_option_nosuid_remote_filesystems and mount_option_noexec_remote_filesystems - is templated, we need to fix Ansible template mount_option_remote_filesystems
- mount_option_krb_sec_remote_filesystem
- grub2_enable_fips_mode

Comment 15 Gabriel Gaspar Becker 2019-11-15 14:12:28 UTC
There is a fix upstream for ansible playbook generated using 'stig' profile.

https://github.com/ComplianceAsCode/content/pull/5004

Comment 16 Gabriel Gaspar Becker 2019-11-18 14:03:51 UTC
Two patches which fix missing CCE identifiers need to be backported:
https://github.com/ComplianceAsCode/content/pull/4866
https://github.com/ComplianceAsCode/content/pull/4956

Comment 29 errata-xmlrpc 2020-03-31 19:38:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1019