Bug 1944297
| Summary: | xccdf_org.ssgproject.content_rule_package_MFEhiplsm_installed does not properly check for SELinux | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ryan Mullett <rmullett> |
| Component: | scap-security-guide | Assignee: | Vojtech Polasek <vpolasek> |
| Status: | CLOSED ERRATA | QA Contact: | Milan Lysonek <mlysonek> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.9 | CC: | ayfantis, ggasparb, jreznik, mhaicman, mlysonek, paygupta, wsato |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | scap-security-guide-0.1.57-4.el7_9 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-11-23 17:14:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Hello. I do interpret the description as a reverse implication. That means not that SELinux is a replacement for HIPS, but that HIPS is incompatible with SELinux. Now quick search revealed it was historically correct: https://kc.mcafee.com/corporate/index?page=content&id=KB83450&locale=en_US Given the links content, the description probably could get an update. Either to explicitly state the patch version with the support, or just omit the statement about SELinux. The behaviour is correct, though. Ryan, if you agree, let's change the summary of the BZ to point out it's a description inaccuracy only. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4781 |
Description of problem: The xccdf_org.ssgproject.content_rule_package_MFEhiplsm_installed check shows failure when SELinux is enabled. According to the description of this rule, if SELinux is enabled the MFEHipslsm module does not need to be installed or enabled, and it is not compatible with SELinux: description: |- Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely necessary. If SELinux is enabled, do not install or enable this module. Version-Release number of selected component (if applicable): scap-security-guide-0.1.52-2.el7_9.noarch How reproducible: Always Steps to Reproduce: 1. # cd /usr/share/xml/scap/ssg/content 2. # oscap xccdf eval --profile stig --rule package_MFEhiplsm_installed --fetch-remote-resources --results ~/results.xml --report ~/report.html ssg-rhel7-xccdf.xml Actual results: # oscap xccdf eval --profile stig --rule package_MFEhiplsm_installed --fetch-remote-resources --results ~/results.xml --report ~/report.html ssg-rhel7-xccdf.xml Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml ... ok Title Install the Host Intrusion Prevention System (HIPS) Module Rule package_MFEhiplsm_installed Ident CCE-80368-4 Result fail Expected results: Description should be changed to properly reflect the current situation now that SELinux and HIPS are no longer incompatible.