Bug 2219533

Summary: systemdunitproperty probe ignores some systemd units
Product: Red Hat Enterprise Linux 8
Reporter: Jan Černý <jcerny>
Component: openscap
Assignee: Jan Černý <jcerny>
Status: VERIFIED ---
QA Contact: Milan Lysonek <mlysonek>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 8.9
CC: ekolesni, mhaicman, mlysonek, mmarhefk, qe-baseos-security
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openscap-1.3.8-1.el8
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 2219532
: 2223547 2223548
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2219532, 2223981, 2223983
Bug Blocks: 2223547, 2223548

Description Jan Černý 2023-07-04 07:46:46 UTC
+++ This bug was initially created as a clone of Bug #2219532 +++

Description of problem:
The systemdunitproperty probe fails to read information about some systemd units. A common example where this behavior is exhibited is the nftables.service unit, which leads to a false positive result for the rule service_nftables_disabled.

For more context, please read https://github.com/ComplianceAsCode/content/issues/10424.

Version-Release number of selected component (if applicable):
openscap-1.3.7-1.el8

How reproducible:
deterministically

Steps to Reproduce:
1. Run "/CoreOS/scap-security-guide/Sanity/machine-hardening CIS Server Level 2"
2. See the output of the final scan (after reboot)
Actual results:
service_nftables_disabled fails after reboot

Expected results:
service_nftables_disabled passes after reboot

Additional info:
Fixed in upstream by https://github.com/OpenSCAP/openscap/pull/1980.
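When a probe result looks wrong, the practical cross-check is to read the unit's properties straight from systemd and classify them independently of OpenSCAP. The script below is an added example written for this page; it is not code from the bug report, from OpenSCAP or from ComplianceAsCode. It parses the `Key=Value` lines that `systemctl show -p ...` prints, and the notion of "disabled" it applies (unit not running and its unit file disabled or masked) is this script's own definition, assumed for illustration rather than taken from the rule's OVAL content. The sample property blocks are constructed so the script runs without a live nftables.service.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a systemd unit's state
# from `systemctl show` property output, independently of the
# systemdunitproperty probe, so a suspected false positive can be verified.

# unit_prop KEY: read `Key=Value` lines on stdin, print the value for KEY.
unit_prop() {
    sed -n "s/^$1=//p" | head -n 1
}

# classify_unit PROPS: PROPS is the text printed by
#   systemctl show UNIT -p LoadState,ActiveState,UnitFileState
# Prints "disabled", "not-disabled" or "not-found".
# Definition used here (an assumption for this example, not the rule's text):
# disabled = ActiveState is not running AND UnitFileState is disabled/masked.
classify_unit() {
    props="$1"
    load=$(printf '%s\n' "$props" | unit_prop LoadState)
    active=$(printf '%s\n' "$props" | unit_prop ActiveState)
    filestate=$(printf '%s\n' "$props" | unit_prop UnitFileState)

    if [ "$load" = "not-found" ] || [ -z "$load" ]; then
        echo not-found
        return 0
    fi
    case "$active" in
        active|activating|reloading)
            echo not-disabled
            return 0 ;;
    esac
    case "$filestate" in
        disabled|masked|masked-runtime)
            echo disabled ;;
        *)
            echo not-disabled ;;
    esac
}

# check_live UNIT: query a running systemd, e.g. check_live nftables.service
check_live() {
    classify_unit "$(systemctl show "$1" -p LoadState,ActiveState,UnitFileState 2>/dev/null)"
}

# Constructed sample outputs, shaped like `systemctl show nftables.service -p ...`
SAMPLE_DISABLED='LoadState=loaded
ActiveState=inactive
UnitFileState=disabled'

SAMPLE_ENABLED='LoadState=loaded
ActiveState=active
UnitFileState=enabled'

SAMPLE_MISSING='LoadState=not-found
ActiveState=inactive
UnitFileState='
```

Run `check_live nftables.service` on the scanned host after reboot: if it prints `disabled` while the scan reports service_nftables_disabled as failing, the discrepancy is in the probe's view of the unit rather than in the unit's real state.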