Bug 2176927

Summary: STIG scan fails on xccdf_org.ssgproject.content_rule_fapolicy_default_deny
Product: Red Hat Enterprise Linux 8 Reporter: Renaud Métrich <rmetrich>
Component: fapolicydAssignee: Radovan Sroka <rsroka>
Status: NEW --- QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.7CC: ggasparb, mhaicman, mlysonek, rsroka, vpolasek, wsato
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: rsroka: needinfo? (vpolasek)
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Renaud Métrich 2023-03-09 16:42:43 UTC 
Description of problem:

We have a customer requiring to implement full STIG compliance, including xccdf_org.ssgproject.content_rule_fapolicy_default_deny rule:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Title   Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.
Rule    xccdf_org.ssgproject.content_rule_fapolicy_default_deny
Ident   CCE-86478-5
Result  fail
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

On a system I installed with STIG profile selected at installation time, the rule fails, because there is no "deny perm=any all : all" in what we ship.
It looks like a "final rule" is missing, e.g. /etc/fapolicyd/rules.d/99-deny-everything.rules:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
deny perm=any all : all
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.66-2.el8_7.noarch

How reproducible:

Always
Comment 1 Vojtech Polasek 2023-03-13 08:40:32 UTC 
Hello Renaud,
I am not sure what you are asking for. Note that the rule xccdf_org.ssgproject.content_rule_fapolicy_default_deny has no remediation, it performs only the check because we can't know which applications should be permitted.
Do you suggest that the check should be altered? Or that the default shipped file should be altered?
Comment 2 Renaud Métrich 2023-03-13 09:25:56 UTC 
Sorry for confusion, I'm asking for a new file /etc/fapolicyd/rules.d/99-deny-everything.rules being shipped, so that the rule doesn't fail by default.