Bug 1891435

Summary: Rules of type Service Disabled do not have clear description on which actions the user should take [rhel-7.9.z]
Product: Red Hat Enterprise Linux 7
Reporter: Dushyant <duge>
Component: scap-security-guide
Assignee: Gabriel Gaspar Becker <ggasparb>
Status: CLOSED ERRATA
QA Contact: Matus Marhefka <mmarhefk>
Severity: low
Docs Contact: Jan Fiala <jafiala>
Priority: low
Version: 7.9
CC: ggasparb, jafiala, jreznik, lkuprova, matyc, mhaicman, mmarhefk, peter.vreman, vpolasek, wsato
Target Milestone: rc
Keywords: Bugfix, Triaged, ZStream
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: scap-security-guide-0.1.54-3.el7_9
Doc Type: Bug Fix
Doc Text:
.Service Disabled rules are no longer ambiguous

Previously, rule descriptions for the Service Disabled type in the SCAP Security Guide provided options for disabling and masking a service but did not specify whether the user should disable the service, mask it, or both. With the release of the link:https://access.redhat.com/errata/RHBA-2021:1383[RHBA-2021:1383] advisory, rule descriptions, remediations, and OVAL checks have been aligned and inform users that they must mask a service to disable it.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-04-27 11:30:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Dushyant 2020-10-26 09:29:15 UTC
Description of problem:

After an openscap security scan with the following profile:

"Standard System Security Profile for Red Hat Enterprise Linux 7"
"xccdf_org.ssgproject.content_profile_standard"

Rule Id: "xccdf_org.ssgproject.content_rule_service_ntpdate_disabled"

- Even if the ntpdate.service is disabled, the result is fail
------------------------------------------------------------
Disable ntpdate Service (ntpdate)          low	     fail
------------------------------------------------------------

- With the Description :
-------------------------------------------------------------------------------
The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in /etc/ntp/step-tickers or /etc/ntp.conf and then sets the local hardware clock to the newly synchronized system time. The ntpdate service can be disabled with the following command:

$ sudo systemctl disable ntpdate.service
The ntpdate service can be masked with the following command:
$ sudo systemctl mask ntpdate.service
-------------------------------------------------------------------------------

- But the text is not clear whether both disable and mask commands should be executed or not.

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.49-13.el7.noarch

How reproducible:

Steps to Reproduce:
1. Install "scap-security-guide-0.1.49-13.el7.noarch".
2. Ensure the ntpdate.service is disabled.
3. Scan the system using the standard profile "xccdf_org.ssgproject.content_profile_standard".

Actual results:
Rule Id:  "xccdf_org.ssgproject.content_rule_service_ntpdate_disabled"
------------------------------------------------------------
Disable ntpdate Service (ntpdate)          low	     fail
------------------------------------------------------------
The description is not clear.


Expected results:
The description should have a clear text about what should be done on the system.

Comment 2 Gabriel Gaspar Becker 2020-11-02 08:47:49 UTC
Fixed upstream: https://github.com/ComplianceAsCode/content/pull/6298

Comment 3 Gabriel Gaspar Becker 2020-11-10 09:22:28 UTC
Another patch is required to completely fix this issue: https://github.com/ComplianceAsCode/content/pull/6346

Comment 20 errata-xmlrpc 2021-04-27 11:30:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1383
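
The disabled-versus-masked distinction this bug turns on, as an added example that is not part of the original report or of the scap-security-guide content: a shell function that reads `systemctl show` properties for a unit and reports whether it is masked or only disabled. The function names, the verdict strings, the sample inputs, and the choice to flag a masked unit that is still running are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a unit against the "must be masked" requirement.
# Input (stdin): key=value lines as printed by
#   systemctl show -p LoadState -p UnitFileState -p ActiveState <unit>
# Output: one verdict line. Exit status 0 = pass, 1 = fail, 2 = unit not found.
classify_unit() {
    load='' file='' active=''
    while IFS='=' read -r key value; do
        case "$key" in
            LoadState)     load=$value ;;
            UnitFileState) file=$value ;;
            ActiveState)   active=$value ;;
        esac
    done
    if [ "$load" = "masked" ]; then
        # Assumption of this example: masking without stopping leaves the
        # daemon running until reboot, so report that case separately.
        case "$active" in
            active|activating|reloading)
                echo "fail: masked but still running (stop it)"; return 1 ;;
        esac
        echo "pass: masked"; return 0
    fi
    case "$load:$file" in
        not-found:*)
            echo "unknown: unit not found"; return 2 ;;
        loaded:disabled)
            # The state from the report: 'systemctl disable' alone.
            echo "fail: disabled but not masked"; return 1 ;;
        *)
            echo "fail: not masked (LoadState=$load UnitFileState=$file)"; return 1 ;;
    esac
}

# Live wrapper for a real host, e.g.: check_unit ntpdate.service
check_unit() {
    systemctl show -p LoadState -p UnitFileState -p ActiveState "$1" | classify_unit
}

# Constructed samples (not captured from a real system).
printf 'LoadState=loaded\nActiveState=inactive\nUnitFileState=disabled\n' \
    | classify_unit || true
printf 'LoadState=masked\nActiveState=inactive\nUnitFileState=masked\n' \
    | classify_unit || true
```

On a host, `check_unit ntpdate.service` gives the same verdict for the live unit; a unit that is only disabled can still be started manually or pulled in as a dependency, which masking prevents.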