Bug 2164995

Summary: ".include =" in rhel9-playbook-stig.yml causing STIG to flag it.
Product: Red Hat Enterprise Linux 9 Reporter: Shreyas Mahangade <smahanga>
Component: scap-security-guide Assignee: Vojtech Polasek <vpolasek>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.1 CC: ggasparb, jcerny, jjaburek, jwright, maburgha, mhaicman, mlysonek, openscap-maint, sbalasub, vpolasek
Target Milestone: rc Keywords: Triaged, ZStream
Target Release: --- Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
.Align remediations with rule description in rule configure_openssl_cryptopolicy
The rule configure_openssl_cryptopolicy has been updated to correctly handle the `=` sign in OpenSSL configuration files. The remediation scripts are now aligned with rule description. The remediation will now insert the following line including the `=` sign: `.include = /etc/crypto-policies/back-ends/opensslcnf.config`
Story Points: ---
Clone Of:
: 2192893 2228435 2228436 Environment:
Last Closed: 2023-08-09 13:12:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2192893, 2228435, 2228436    

Description Shreyas Mahangade 2023-01-27 09:49:11 UTC
Description of problem:

The SCAP security guide remediation for add .include for opensslcnf.config to crypto_policy section in RHEL 8 and RHEL 9 adds a line beginning with ".include =". The STIG check expects it to just be ".include" without the = (equals) symbol. Documentation suggests that the use of = here is for backward-compatibility with older versions so that it is harmlessly discarded if not supported. However, we do not want silent disabling of this include, and RHEL 8/9 include the necessary support anyway. Please amend to remove the = (equals) symbol. 

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
Step 1. Install a RHEL 9.1 VM/system.
Step 2. Install the scap-security-guide package.
Step 3. Bring up /usr/share/scap-security-guide/ansible/rhel9-playbook-stig.yml in your favorite editor.
Step 4. Search for a line containing ".include =".

Actual results:

scap adds ".include =" to opensslcnf.config 

Expected results:

scap should add ".include " to opensslcnf.config

Additional info:

Comment 15 Marcus Burghardt 2023-07-20 13:29:14 UTC
Patch for this rule is merged in Upstream: https://github.com/ComplianceAsCode/content/pull/10828
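
The mismatch described in this report comes from a check and a remediation that disagree on the spelling of one directive. The following is an added example, not code from the bug report or from scap-security-guide: a section-aware check that accepts both spellings OpenSSL's configuration syntax allows and reports which one is present. The function name, the return labels and the sample configurations are assumptions made for illustration; the path and the section name come from the report.

```python
import re

# Path and section name as given in the bug report.
POLICY_PATH = "/etc/crypto-policies/back-ends/opensslcnf.config"
SECTION = "crypto_policy"

SECTION_RE = re.compile(r"^\s*\[\s*([^\]\s]+)\s*\]")
# OpenSSL accepts both ".include <path>" and ".include = <path>".
INCLUDE_RE = re.compile(r"^\s*\.include(\s*=\s*|\s+)(\S+)\s*$")


def find_policy_include(cnf_text, section=SECTION, path=POLICY_PATH):
    """Return 'equals', 'plain' or None for the policy include in `section`.

    Hypothetical helper written for this example.
    """
    current = None  # lines before the first [section] header have no section
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # ignore comments
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            continue
        inc = INCLUDE_RE.match(line)
        if inc and current == section and inc.group(2) == path:
            return "equals" if "=" in inc.group(1) else "plain"
    return None


# Constructed sample configurations (not taken from a real system).
SAMPLES = {
    "equals": f"[ crypto_policy ]\n.include = {POLICY_PATH}\n",
    "plain": f"[crypto_policy]\n\n.include {POLICY_PATH}\n",
    "commented": f"[ crypto_policy ]\n# .include = {POLICY_PATH}\n",
    "wrong_section": f"[ other ]\n.include {POLICY_PATH}\n[ crypto_policy ]\n",
    "wrong_path": "[ crypto_policy ]\n.include = /tmp/other.config\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:14} -> {find_policy_include(text)}")
```

A check built this way passes for either spelling and fails only when the include is missing, commented out, in another section, or pointing at a different file.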

Comment 16 Jan Černý 2023-07-24 09:30:46 UTC
con