Bug 2129100

Summary: After provisioning with ospp profile remediation, enable_fips_mode fails on s390x
Product: Red Hat Enterprise Linux 8
Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: scap-security-guide
Assignee: Vojtech Polasek <vpolasek>
Status: CLOSED ERRATA
QA Contact: Milan Lysonek <mlysonek>
Severity: unspecified
Docs Contact: Petr Hybl <phybl>
Priority: unspecified
Version: 8.6
CC: ggasparb, jcerny, jjaburek, jpazdziora, maburgha, matyc, mhaicman, mjahoda, mlysonek, sgrubb, vpolasek, wsato
Target Milestone: rc
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: scap-security-guide-0.1.69-1.el8
Doc Type: Bug Fix
Doc Text:
.The SCAP `enable_fips_mode` rule now checks only `fips=1` on 64-bit IBM Z architecture
Previously, the SCAP Security Guide rule `enable_fips_mode` checked the contents of the `/boot/grub2/grubenv` file. Because the 64-bit IBM Z architecture does not use the `/boot/grub2/grubenv` file for FIPS mode, the rule failed there. With this update, the OVAL check of the `enable_fips_mode` rule tests whether the Linux kernel argument `fips=1` is present in the `/boot/loader/entries/.*.conf` files on the 64-bit IBM Z architecture.
Last Closed: 2023-11-14 15:36:38 UTC
Type: Bug
Bug Blocks: 1940119

Description Jan Pazdziora (Red Hat) 2022-09-22 14:00:32 UTC
Description of problem:

When provisioning a system with the org_fedora_oscap addon and the ospp profile, and then checking with oscap xccdf eval, the enable_fips_mode rule fails, but only on s390x.

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.63-1.el8_6.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Boot the latest RHEL 8.6 compose with fips=1 parameter.
2. yum install -y /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
3. oscap xccdf eval --remediate --rule xccdf_org.ssgproject.content_rule_enable_fips_mode --profile xccdf_org.ssgproject.content_profile_ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Actual results:

# oscap xccdf eval --remediate --rule xccdf_org.ssgproject.content_rule_enable_fips_mode --profile xccdf_org.ssgproject.content_profile_ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
--- Starting Evaluation ---

Title   Enable FIPS Mode
Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
Ident   CCE-80942-6
Result  fail


--- Starting Remediation ---

WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
Title   Enable FIPS Mode
Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
Ident   CCE-80942-6
Result  error

Expected results:

# oscap xccdf eval --remediate --rule xccdf_org.ssgproject.content_rule_enable_fips_mode --profile xccdf_org.ssgproject.content_profile_ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
--- Starting Evaluation ---

Title   Enable FIPS Mode
Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
Ident   CCE-80942-6
Result  fail


--- Starting Remediation ---

WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
Title   Enable FIPS Mode
Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
Ident   CCE-80942-6
Result  fixed

Additional info:

The expected result is from latest RHEL 8.6 x86_64, and also from RHEL 8.6 GA s390x with scap-security-guide-0.1.60-7.el8.

On that latest RHEL 8.6 s390x where the remediation resulted in Error, when scap-security-guide gets downgraded to that previous scap-security-guide-0.1.60-7.el8, oscap xccdf eval suddenly passes.

Comment 2 Jan Pazdziora (Red Hat) 2022-09-22 16:16:10 UTC
I believe the problem comes from oval:ssg-test_grubenv_fips_mode:tst:1 which should not be present for non-grub environments like s390x.
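As an added example (not part of the bug report and not scap-security-guide's own OVAL), the check below mirrors the logic the fixed rule needs: on GRUB systems the BLS entry's `options` line points at `$kernelopts` in `/boot/grub2/grubenv`, while on s390x (zipl, no GRUB) the kernel arguments sit directly in the `/boot/loader/entries/*.conf` file and no grubenv may be required. All file contents are constructed samples.

```python
"""Mirror of the fixed enable_fips_mode check (added example, not SSG code).
GRUB systems point the BLS 'options' line at $kernelopts in /boot/grub2/grubenv;
s390x (zipl) has no grubenv and the options line carries the arguments directly."""
import re

# Constructed s390x BLS entry: no grubenv involved, fips=1 is literal.
S390X_ENTRY = """title Red Hat Enterprise Linux (4.18.0-EXAMPLE.el8.s390x) 8.6 (Ootpa)
version 4.18.0-EXAMPLE.el8.s390x
linux /boot/vmlinuz-4.18.0-EXAMPLE.el8.s390x
initrd /boot/initramfs-4.18.0-EXAMPLE.el8.s390x.img
options root=/dev/mapper/rhel-root crashkernel=auto rd.lvm.lv=rhel/root fips=1
"""
# Constructed x86_64 BLS entry plus the grubenv it points into.
X86_ENTRY = """title Red Hat Enterprise Linux (4.18.0-EXAMPLE.el8.x86_64) 8.6 (Ootpa)
version 4.18.0-EXAMPLE.el8.x86_64
linux /vmlinuz-4.18.0-EXAMPLE.el8.x86_64
initrd /initramfs-4.18.0-EXAMPLE.el8.x86_64.img
options $kernelopts
"""
X86_GRUBENV = """# GRUB Environment Block
kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto fips=1 boot=UUID=EXAMPLE
"""

def bls_options(entry_text):
    """Return the value of the BLS entry's 'options' line ('' if absent)."""
    for line in entry_text.splitlines():
        key, _, value = line.partition(" ")
        if key == "options":
            return value.strip()
    return ""

def grubenv_vars(grubenv_text):
    """Parse key=value pairs from a grubenv block; '#' comment/padding lines skipped."""
    env = {}
    for line in grubenv_text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key] = value
    return env

def resolve_cmdline(entry_text, grubenv_text=None):
    """Expand $variables in the options line from grubenv; with no grubenv
    (the s390x case) the options line is used as-is."""
    env = grubenv_vars(grubenv_text) if grubenv_text else {}
    return re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), ""), bls_options(entry_text))

def fips_requested(entry_text, grubenv_text=None):
    """True only if the resolved kernel command line contains the token fips=1."""
    return "fips=1" in resolve_cmdline(entry_text, grubenv_text).split()
```

A check that insists on reading grubenv first, as the old rule effectively did, reports an error on the s390x sample even though its command line carries `fips=1`.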

Comment 4 Vojtech Polasek 2023-06-21 09:31:59 UTC
*** Bug 2185882 has been marked as a duplicate of this bug. ***

Comment 5 Marcus Burghardt 2023-07-25 10:28:28 UTC
Fix is merged in Upstream: https://github.com/ComplianceAsCode/content/pull/10897

Comment 21 errata-xmlrpc 2023-11-14 15:36:38 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7056