Bug 2219532

Summary: systemdunitproperty probe ignores some systemd units
Product: Red Hat Enterprise Linux 9
Component: openscap
Version: 9.2
Reporter: Jan Černý <jcerny>
Assignee: Jan Černý <jcerny>
QA Contact: Matus Marhefka <mmarhefk>
CC: ekolesni, mhaicman, mlysonek, mmarhefk
Status: VERIFIED
Severity: medium
Priority: unspecified
Keywords: Triaged
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openscap-1.3.8-1.el9
Doc Type: No Doc Update
Type: Bug
Clones: 2219533, 2223981, 2223983
Bug Blocks: 2219533, 2223547, 2223548, 2223981, 2223983

Description Jan Černý 2023-07-04 07:36:16 UTC
Description of problem:
The systemdunitproperty probe fails to read information about some systemd units. A common example where this behavior is exhibited is the nftables.service unit, which leads to a false positive result for the rule service_nftables_disabled.

For more context, please read https://github.com/ComplianceAsCode/content/issues/10424.

Version-Release number of selected component (if applicable):
openscap-1.3.7-1.el9

How reproducible:
deterministically

Steps to Reproduce:
1. Run "/CoreOS/scap-security-guide/Sanity/machine-hardening CIS Server Level 2"
2. See the output of the final scan (after reboot)
Actual results:
service_nftables_disabled fails after reboot

Expected results:
service_nftables_disabled passes after reboot

Additional info:
Fixed upstream by https://github.com/OpenSCAP/openscap/pull/1980.