Bug 2218880

Summary: xccdf_org.ssgproject.content_rule_service_rngd_enabled broken remediation rule
Product: [Fedora] Fedora
Reporter: Sandro Bonazzola <sbonazzo>
Component: scap-security-guide
Assignee: Matthew Burket <mburket>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 40
CC: evgenyz, jcerny, maburgha, matyc, mburket, mlysonek, mmarhefk, pvrabec, vpolasek, wsato
Hardware: Unspecified   
OS: Linux   
Last Closed: 2024-08-26 22:00:52 UTC

Description Sandro Bonazzola 2023-06-30 11:44:55 UTC
Benchmark URL	#scap_org.open-scap_comp_ssg-fedora-xccdf.xml
Benchmark ID	xccdf_org.ssgproject.content_benchmark_FEDORA
Benchmark version	0.1.68
Profile ID	xccdf_org.ssgproject.content_profile_ospp
Test system	cpe:/a:redhat:openscap:1.3.8

xccdf_org.ssgproject.content_rule_service_rngd_enabled tries to enable and start the rngd service without installing rng-tools if it is missing.

Remediation shell script shows:
```bash
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'rngd.service'
"$SYSTEMCTL_EXEC" start 'rngd.service'
"$SYSTEMCTL_EXEC" enable 'rngd.service'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
```

and it fails as `rngd.service` is missing. This is solvable by installing the `rng-tools` package before enabling the service.
I think this package installation should be part of the remediation.

Reproducible: Always

Steps to Reproduce:
1. Ensure rng-tools is not installed
2. Run scap with the `OSPP - Protection Profile for General Purpose Operating Systems` profile
3. Try to remediate the xccdf_org.ssgproject.content_rule_service_rngd_enabled rule

Actual Results:
Remediation fails due to missing rng-tools package

Expected Results:
Remediation succeeds.

Comment 1 Fedora Release Engineering 2023-08-16 08:11:38 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.

Comment 2 Sandro Bonazzola 2024-07-29 10:36:51 UTC
Still there in Fedora 40

Comment 3 Matthew Burket 2024-07-30 22:11:40 UTC
PR that should help: https://github.com/ComplianceAsCode/content/pull/12244

Comment 4 Matthew Burket 2024-07-31 14:23:13 UTC
The linked PR has been merged and should be released with v0.1.74.

Comment 5 Matthew Burket 2024-08-26 22:00:52 UTC
The package has been updated to 0.1.74-1.fc40 and that version should have a fix for this issue.

Thanks for reporting this issue.
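
The behaviour requested in the description, sketched as an added example; it is not part of this bug thread, not the change made in the linked PR, and not SCAP Security Guide's generated remediation. It assumes a Fedora host with `rpm` and `dnf`; `RPM_EXEC`, `DNF_EXEC`, `CONTAINER_MARKERS` and `remediate_rngd` are hypothetical names introduced here so the logic can be exercised with stubs.

```shell
#!/bin/sh
# Added example: package-aware variant of the rngd remediation.
# Command paths are overridable (assumption) so the flow can be dry-run.
SYSTEMCTL_EXEC="${SYSTEMCTL_EXEC:-/usr/bin/systemctl}"
RPM_EXEC="${RPM_EXEC:-/usr/bin/rpm}"
DNF_EXEC="${DNF_EXEC:-/usr/bin/dnf}"
# Same container markers the original remediation checks.
CONTAINER_MARKERS="${CONTAINER_MARKERS:-/.dockerenv /run/.containerenv}"

remediate_rngd() {
    # Remediation is applicable only outside containers.
    for marker in $CONTAINER_MARKERS; do
        if [ -f "$marker" ]; then
            >&2 echo 'Remediation is not applicable, nothing was done'
            return 0
        fi
    done

    # rngd.service is shipped by rng-tools: install it first if absent.
    if ! "$RPM_EXEC" -q --quiet rng-tools; then
        "$DNF_EXEC" install -y rng-tools || {
            >&2 echo 'rng-tools could not be installed; rngd.service left untouched'
            return 1
        }
    fi

    # Unlike the original, stop at the first failing step so a failure
    # is reported through the exit status instead of being masked.
    "$SYSTEMCTL_EXEC" unmask 'rngd.service' &&
    "$SYSTEMCTL_EXEC" start 'rngd.service' &&
    "$SYSTEMCTL_EXEC" enable 'rngd.service'
}

# Changes the system only when asked explicitly.
if [ "${1:-}" = "--apply" ]; then
    remediate_rngd
fi
```

Run as root with `--apply`; a non-zero exit status means the package install or one of the `systemctl` steps failed.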