Bug 1726698
Summary: | Rebase scap-security-guide in Red Hat Enterprise Linux 7.8 to latest upstream version | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Watson Yuuma Sato <wsato> |
Component: | scap-security-guide | Assignee: | Watson Yuuma Sato <wsato> |
Status: | CLOSED ERRATA | QA Contact: | Matus Marhefka <mmarhefk> |
Severity: | medium | Docs Contact: | RaTasha Tillery-Smith <rtillery> |
Priority: | medium | ||
Version: | 7.7 | CC: | ggasparb, jcerny, matyc, mhaicman, mlysonek, openscap-maint, rtillery, sadas, tborcin, vpolasek |
Target Milestone: | rc | Keywords: | Rebase |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | scap-security-guide-0.1.46-9.el7 | Doc Type: | Enhancement |
Doc Text: |
.`SCAP Security Guide` rebased to version 0.1.46
The `SCAP Security Guide` (SSG) packages have been upgraded to version 0.1.46, which provides enhancements and bug fixes over the previous version, most notably:
* SSG now provides content that follows guidelines conforming to the SCAP 1.3 standard. The 1.3 data streams are compatible with OpenSCAP and used by default.
Note that you can still use content suffixed with `-1.2` if you require the use of SCAP 1.2 data streams, as this data moved to the "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml" path. The new 1.3 data stream is located in the usual path.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-03-31 19:38:15 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Watson Yuuma Sato
2019-07-03 13:20:57 UTC
The Ansible Playbook for STIG profile errors in scap-security-guide-0.1.46-5.el7.noarch and it terminates before finishing.

1. `# oscap xccdf generate fix --fix-type ansible --profile stig --output stig-rhel7-role2.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml`
2. `# ansible-playbook -i "localhost," -c local --check stig-rhel7-role2.yml`

In --check mode, it fails on:

```
TASK [Disable service kdump] ****************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'service_file_exists.rc == 0' failed. The error was: error while evaluating conditional (service_file_exists.rc == 0): 'dict object' has no attribute 'rc'\n\nThe error appears to be in '/root/stig-rhel7-role2.yml': line 430, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name : Disable service kdump\n ^ here\n"}
```

In real run, it fails on:

```
TASK [Get nfs and nfs4 mount points, that don't have nosuid] ********************************************
fatal: [localhost]: FAILED! => {"changed": false, "cmd": "set -o pipefail\ngrep -E \"[[:space:]]nfs[4]?[[:space:]]\" /etc/fstab | grep -v \"nosuid\" | awk '{print $2}'\n", "delta": "0:00:00.006738", "end": "2019-11-13 04:33:35.210072", "msg": "non-zero return code", "rc": 1, "start": "2019-11-13 04:33:35.203334", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
```

This problem has been discovered during verification of https://bugzilla.redhat.com/show_bug.cgi?id=1747188

The kdump service fail has been reported upstream in https://github.com/ComplianceAsCode/content/issues/5003 which references https://github.com/RedHatOfficial/ansible-role-rhel7-stig/issues/18

The issue with failing nfs ansible remediation mentioned in Comment 8 has already been fixed in upstream: https://github.com/ComplianceAsCode/content/pull/4784

The omission of removing directory_access_var_log_audit rule in favor of audit_rules_for_ospp should be backported and the fix already exists upstream: https://github.com/ComplianceAsCode/content/pull/4957

I have checked the Ansible Playbook generated using the 'stig' profile from ssg-rhel7-ds.xml provided by scap-security-guide-0.1.46-5.el7.noarch. I have continuously removed all the failing tasks from the playbook to allow the playbook to finish.

In the real run (without --check) the offending rules were: mount_option_nosuid_remote_filesystems and mount_option_noexec_remote_filesystems. These are templated rules, which means the Ansible template mount_option_remote_filesystems needs to be fixed.

In the check mode (with --check), there are more errors than in the real run, specifically:

- service_autofs_disabled and service_kdump_disabled - they are templated, we need to fix Ansible template service_disabled
- mount_option_nosuid_remote_filesystems and mount_option_noexec_remote_filesystems - is templated, we need to fix Ansible template mount_option_remote_filesystems
- mount_option_krb_sec_remote_filesystem
- grub2_enable_fips_mode

There is a fix upstream for ansible playbook generated using 'stig' profile: https://github.com/ComplianceAsCode/content/pull/5004

Two patches which fix missing CCE identifiers need to be backported:
https://github.com/ComplianceAsCode/content/pull/4866
https://github.com/ComplianceAsCode/content/pull/4956

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1019
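The two failure modes quoted in this report have the same shape: a registered command result that is consumed before it is guaranteed to exist. The playbook below is an added illustration, not the SSG project's remediation template or the upstream fix; task names, the `systemctl cat` probe and the `mount -o remount` step are assumptions chosen to show the pattern.

```yaml
# Added illustration (not scap-security-guide code) of the two failure modes in
# the report and one way a generated playbook can tolerate them.
- hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    # Failure mode 1: under --check, a 'command' task is skipped, so the
    # registered variable has no 'rc' key and the 'when' below errors out.
    # Running the read-only probe even in check mode gives the key a value.
    - name: Check whether the kdump unit exists (assumed probe)
      command: systemctl cat kdump.service
      register: service_file_exists
      check_mode: false      # probe only reads state; safe under --check
      changed_when: false
      failed_when: false     # a missing unit is a valid answer, not an error

    - name: Disable service kdump
      service:
        name: kdump
        enabled: false
        state: stopped
      when: service_file_exists.rc is defined and service_file_exists.rc == 0

    # Failure mode 2: grep exits 1 when nothing matches, and 'set -o pipefail'
    # propagates that to the whole pipeline, so a host with no offending nfs
    # mounts makes the task fail. Treat rc 1 as "empty result", not as error.
    - name: Get nfs and nfs4 mount points that don't have nosuid
      shell: |
        set -o pipefail
        grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "nosuid" | awk '{print $2}'
      register: points_register
      check_mode: false
      changed_when: false
      failed_when: points_register.rc not in [0, 1]   # 1 == no matches

    # Assumed remediation step: only runs when the probe actually found mounts.
    - name: Remount remote nfs filesystems with nosuid
      command: mount -o remount,nosuid {{ item }}
      loop: "{{ points_register.stdout_lines | default([]) }}"
      when: points_register.rc == 0
```

In --check mode only the two probe tasks execute; the `service` and `mount` tasks are reported as would-be changes without evaluating a missing `rc`.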