Bug 1251929 - RHEL-6 USGCB and STIG kickstarts: Switch on use of scap-security-guide RPM from base Red Hat Network channel rather than cloning most recent upstream Git repository content
RHEL-6 USGCB and STIG kickstarts: Switch on use of scap-security-guide RPM fr...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: scap-security-guide (Show other bugs)
6.8
Unspecified Unspecified
medium Severity low
: rc
: ---
Assigned To: Jan Lieskovsky
Marek Haicman
:
Depends On:
Blocks: 1378489
  Show dependency treegraph
 
Reported: 2015-08-10 06:40 EDT by Jan Lieskovsky
Modified: 2016-09-22 10:15 EDT (History)
4 users (show)

See Also:
Fixed In Version: scap-security-guide-0.1.27-2.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1378489 (view as bug list)
Environment:
Last Closed: 2016-05-10 17:40:20 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2015-08-10 06:40:01 EDT
Description of problem:

The SCAP Security Guide content for Red Hat Enterprise Linux 6 currently provides the following two Anaconda kickstart files:
* ssg-rhel6-usgcb-server-with-gui-ks.cfg (for the USGCB profile) and
* ssg-rhel6-stig-ks.cfg (for the DISA STIG profile)

The definition of these kickstart files currently uses git cloning of most-recent SSG repository content:
* https://github.com/iankko/scap-security-guide/blob/master/RHEL/6/kickstart/ssg-rhel6-usgcb-server-with-gui-ks.cfg#L173
* https://github.com/iankko/scap-security-guide/blob/master/RHEL/6/kickstart/ssg-rhel6-stig-ks.cfg#L378

rather than direct use of native scap-security-guide's RPM package content as provided within Red Hat Satellite's base channel for Red Hat Enterprise Linux 6 system.

The former motivation for this behaviour has been to get all the OVAL definitions and remediation scripts for USGCB and DISA STIG profiles for Red Hat Enterprise Linux 6 product (previously cloning the most recent SSG git repository copy was necessary because the native scap-security-guide RPM package included in Red Hat Enterprise Linux 6 did not contain all the necessary definitions).

But from the time the aforementioned two kickstart files have been included in scap-security-guide RPM package in Red Hat Enterprise Linux 6 the situation has changed (the necessary checks are already included in the scap-security-guide RPM package as shipped with Red Hat Enterprise Linux 6), and therefore it is safe to prefer use of native scap-security-guide RPM package in kickstart files too rather than to perform SSG upstream git repository copy.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.21-3.el6.*

How reproducible:
Always

Steps to Reproduce:
1. Use some of USGCB or DISA STIG kickstart SCAP Security Guide kickstart files for Red Hat Enterprise Linux 6 product when installing new RHEL-6 system,
2. After finishing the install perform oscap scan

Actual results:
The RHEL-6 system in question is validated using most recent SSG repository content (IOW the OVAL checks and remediations that weren't present in scap-security-guide-0.1.21 version yet are verified too).

Expected results:
The RHEL-6 system in question should be validated using native scap-security-guide RPM package version, shipped within Red Hat Enterprise Linux 6 base channel.
Comment 3 Marek Haicman 2016-03-08 13:48:31 EST
Verified the kickstart files shipped in version scap-security-guide-0.1.28-2.el6 [pci-dss, stig, usgcb] do remediation based on shipped content, instead of upstream git repository.
Comment 5 errata-xmlrpc 2016-05-10 17:40:20 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0846.html

Note You need to log in before you can comment on or make changes to this bug.