Bug 2170530

Summary: xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay should allow whitespace in "smtpd_client_restrictions" value
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: scap-security-guide
Assignee: Vojtech Polasek <vpolasek>
Status: MODIFIED
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Priority: low
Version: 8.7
CC: ggasparb, jcerny, jjaburek, matyc, mhaicman, mlysonek, peter.vreman, wsato
Target Milestone: rc
Keywords: AutoVerified, Triaged, ZStream
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: scap-security-guide-0.1.69-1.el8
Doc Type: Bug Fix
Doc Text:
Cause: The OVAL check of SCAP rule xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay was too strict and it did not account for Postconf configuration assignment statements which contained white spaces around the "=" sign.
Consequence: The rule was reported as failing in the final report even though there existed a configuration technically meeting requirements of the rule.
Fix: The rule was modified so that the check accepts statements with white spaces around the "=" sign.
Result: Rule is now marked as passing in the final report for correct configuration statements.
Clones: 2228471, 2228472
Type: Bug
Bug Blocks: 2228471, 2228472

Description Renaud Métrich 2023-02-16 15:57:00 UTC
Description of problem:

See Upstream PR https://github.com/ComplianceAsCode/content/pull/10219.

From postconf(5) manpage, keywords for property smtpd_client_restrictions can be separated by commas and/or whitespaces.

With the current code, using whitespace makes the rule fail.

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.66-2.el8_7

How reproducible:

Always

Steps to Reproduce:
1. Add "smtpd_client_restrictions = permit_mynetworks, reject" in /etc/postfix/main.cfg
2. Execute the rule

Actual results:

Fail

Expected results:

Pass
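
An added illustration of the failure mode reported here (not the project's OVAL check and not code from the upstream PR): a hypothetical whitespace-intolerant pattern beside a parser that follows the postconf(5) rules. It goes beyond the reported case by also handling continuation lines and repeated assignments; the strict pattern, sample configurations and function names are assumptions made for the example.

```python
import re

# Hypothetical over-strict pattern (NOT the project's OVAL check): no whitespace allowed.
STRICT = re.compile(r"^smtpd_client_restrictions=permit_mynetworks,reject$", re.M)
EXPECTED = ["permit_mynetworks", "reject"]  # tokens from the reproduction step

def logical_lines(text):
    """Join continuation lines (leading whitespace); skip blanks and # comments."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            current += " " + raw.strip()
            continue
        if current is not None:
            yield current
        current = raw.strip()
    if current is not None:
        yield current

def effective_value(text, name="smtpd_client_restrictions"):
    """Token list of the last assignment to `name` (last one wins), or None."""
    value = None
    for line in logical_lines(text):
        key, sep, rhs = line.partition("=")
        if sep and key.strip() == name:
            # postconf(5): keywords are separated by commas and/or whitespace
            value = [tok for tok in re.split(r"[,\s]+", rhs) if tok]
    return value

def strict_check(text):
    """Single-line match with no tolerance for whitespace."""
    return STRICT.search(text) is not None

def tolerant_check(text):
    """Compare the effective token list with the expected restrictions."""
    return effective_value(text) == EXPECTED

# Constructed sample configurations (not taken from a real system).
SAMPLES = {
    "compact": "smtpd_client_restrictions=permit_mynetworks,reject\n",
    "spaced": "smtpd_client_restrictions = permit_mynetworks, reject\n",
    "continued": "# relay\nsmtpd_client_restrictions =\n    permit_mynetworks\n    reject\n",
    "overridden": "smtpd_client_restrictions=permit_mynetworks,reject\n"
                  "smtpd_client_restrictions = permit\n",
}

if __name__ == "__main__":
    for label, conf in SAMPLES.items():
        print(f"{label:10} strict={strict_check(conf)} tolerant={tolerant_check(conf)}")
```

The "spaced" sample is the false failure from this report; the "overridden" sample shows the opposite risk, where a line-oriented match passes although a later assignment replaces the value.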

Comment 2 Vojtech Polasek 2023-06-21 09:10:06 UTC
The PR https://github.com/ComplianceAsCode/content/pull/10219 has been merged.