Bug 2129100

Summary: After provisioning with ospp profile remediation, enable_fips_mode fails on s390x
Product: Red Hat Enterprise Linux 8 Reporter: Jan Pazdziora <jpazdziora>
Component: scap-security-guideAssignee: Vojtech Polasek <vpolasek>
Status: MODIFIED --- QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.6CC: ggasparb, jcerny, jjaburek, jpazdziora, maburgha, matyc, mhaicman, mlysonek, sgrubb, vpolasek, wsato
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.69-1.el8 Doc Type: Bug Fix
Doc Text:
.Fixed rule enable_fips_mode on s390x architecture The OVAL check in rule `enable_fips_mode` has been fixed to work correctly on the s390x architecture. The check will not check the contents of `/boot/grub2/grubenv` file which isn't relevant on the 390x architecture because on this architecture the GRUB bootloader isn't used. On the s390x architecture, only a test if argument `fips=1` for Linux kernel is present in `/boot/loader/entries/.*.conf` files is checked.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1940119    

Description Jan Pazdziora 2022-09-22 14:00:32 UTC 
Description of problem:

When provisioning system with org_fedora_oscap addon and ospp profile, and then checking with oscap xccdf eval, the enable_fips_mode rule fails but only on s390x.

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.63-1.el8_6.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Boot the latest RHEL 8.6 compose with fips=1 parameter.
2. yum install -y /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
3. oscap xccdf eval --remediate --rule xccdf_org.ssgproject.content_rule_enable_fips_mode --profile xccdf_org.ssgproject.content_profile_ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Actual results:

# oscap xccdf eval --remediate --rule xccdf_org.ssgproject.content_rule_enable_fips_mode --profile xccdf_org.ssgproject.content_profile_ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
--- Starting Evaluation ---

Title   Enable FIPS Mode
Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
Ident   CCE-80942-6
Result  fail


--- Starting Remediation ---

WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
Title   Enable FIPS Mode
Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
Ident   CCE-80942-6
Result  error

Expected results:

# oscap xccdf eval --remediate --rule xccdf_org.ssgproject.content_rule_enable_fips_mode --profile xccdf_org.ssgproject.content_profile_ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
--- Starting Evaluation ---

Title   Enable FIPS Mode
Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
Ident   CCE-80942-6
Result  fail


--- Starting Remediation ---

WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
Title   Enable FIPS Mode
Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
Ident   CCE-80942-6
Result  fixed

Additional info:

The expected result is from latest RHEL 8.6 x86_64, and also from RHEL 8.6 GA s390x with scap-security-guide-0.1.60-7.el8.

On that latest RHEL 8.6 s390x where the remediation resulted in Error, when scap-security-guide gets downgraded to that previous scap-security-guide-0.1.60-7.el8, oscap xccdf eval suddently passes.
Comment 2 Jan Pazdziora 2022-09-22 16:16:10 UTC 
I believe the problem comes from oval:ssg-test_grubenv_fips_mode:tst:1 which should not be present for non-grub environments like s390x.
Comment 4 Vojtech Polasek 2023-06-21 09:31:59 UTC 
*** Bug 2185882 has been marked as a duplicate of this bug. ***
Comment 5 Marcus Burghardt 2023-07-25 10:28:28 UTC 
Fix is merged in Upstream: https://github.com/ComplianceAsCode/content/pull/10897