Bug 1371555 - rpm_verify_hashes does not check documentation files
Summary: rpm_verify_hashes does not check documentation files
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Martin Preisler
QA Contact: Marek Haicman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-08-30 13:04 UTC by Marek Haicman
Modified: 2017-08-01 12:23 UTC

Fixed In Version: scap-security-guide-0.1.32-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 12:23:38 UTC
Target Upstream Version:




Links
Red Hat Product Errata RHBA-2017:2064 (priority normal, status SHIPPED_LIVE): scap-security-guide bug fix and enhancement update, last updated 2017-08-01 16:05:50 UTC

Description Marek Haicman 2016-08-30 13:04:38 UTC
Description of problem:
When checking hashes of installed files, changes to the documentation are not taken into account, even though they might also be dangerous, and more importantly there shouldn't be a reason to alter distributed documentation files. (Or is there?)

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.30-3.el7.noarch

How reproducible:
reliably

Steps to Reproduce:
1. append something to the scap-workbench user manual
2. run the rpm_verify_hashes rule (it is, for example, part of the pci_dss profile)
3. (for comparison) rpm -Va | grep '^..5'

Actual results:
Output of 3. mentions user manual.
Report produced by oscap does not mention it, and possibly passes

Expected results:
Output of 3. mentions user manual.
Report produced by oscap does point out modified user manual, and rule fails.

Additional info:

Comment 1 Martin Preisler 2017-03-06 21:58:33 UTC
Upstream fix proposed: https://github.com/OpenSCAP/scap-security-guide/pull/1738

Comment 4 Marek Haicman 2017-06-22 22:40:28 UTC
Verified for version scap-security-guide-0.1.33-5.el7.noarch
Verification performed using SSG Test Suite

OLD:
scap-security-guide-0.1.30-3.el7.noarch
INFO - xccdf_org.ssgproject.content_rule_rpm_verify_hashes
INFO - Script fresh_system.pass.sh using profile xccdf_org.ssgproject.content_profile_pci-dss
INFO - Script bad_document.fail.sh using profile xccdf_org.ssgproject.content_profile_pci-dss
ERROR - Scan has exited with return code 0, instead of expected 2 during stage initial
ERROR - Rule result should have been "fail", but is "pass"!


NEW:
INFO - xccdf_org.ssgproject.content_rule_rpm_verify_hashes
INFO - Script fresh_system.pass.sh using profile xccdf_org.ssgproject.content_profile_pci-dss
INFO - Script bad_document.fail.sh using profile xccdf_org.ssgproject.content_profile_pci-dss
ERROR - Scan has exited with return code 2, instead of expected 0 during stage remediation
ERROR - Rule result should have been "fixed", but is "fail"!

Note: the ERROR in the NEW phase is an artefact of SSG Test Suite rough edges - it expects remediation, but for this rule no remediation is available. It failed the initial scan as expected, though.
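To make the gap concrete, here is a small added example (not code from this bug report, from the SSG Test Suite, or from scap-security-guide) that parses `rpm -Va`-style output, as used in step 3 of the reporter's comparison, and lists files whose digest column is flagged. It takes a mode switch so the two behaviours compared above can be run side by side: `nodocs` skips files rpm marks with the `d` file-type flag (the pre-fix blind spot), while `all` reports them too. The sample output lines, including the modified scap-workbench user manual, are constructed for the example rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not from the bug report or scap-security-guide: parse
# `rpm -Va` output and report files with a digest mismatch, optionally
# skipping documentation files (file-type flag 'd') to show the old gap.
# The sample lines below are constructed, not captured from a real system.

SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.M.......    /var/lib/nfs/rpc_pipefs
S.5....T.  d /usr/share/doc/scap-workbench/user_manual.html
.......T.    /usr/bin/oscap
missing     /usr/share/man/man8/oscap.8.gz'

# digest_mismatches MODE
#   Reads rpm -Va style lines on stdin and prints the path of every file
#   whose digest attribute (third character of the 9-char string) is '5'.
#   MODE=all    -> every file, documentation included (fixed behaviour)
#   MODE=nodocs -> skip lines whose file-type flag is 'd' (the old gap)
digest_mismatches() {
    mode=$1
    while IFS= read -r line; do
        case "$line" in
            missing*) continue ;;   # absent files carry no attribute string
        esac
        # layout: 9 attribute chars, two spaces, file-type char, space, path
        attrs=$(printf '%s' "$line" | cut -c1-9)
        ftype=$(printf '%s' "$line" | cut -c12)
        path=$(printf '%s' "$line" | cut -c14-)
        case "$attrs" in
            ??5*) ;;            # digest differs from the package header
            *) continue ;;
        esac
        if [ "$mode" = nodocs ] && [ "$ftype" = d ]; then
            continue        # documentation file silently ignored
        fi
        printf '%s\n' "$path"
    done
}

# count_mismatches MODE: number of mismatching files in the sample output
count_mismatches() {
    printf '%s\n' "$SAMPLE_RPM_VA" | digest_mismatches "$1" | wc -l | tr -d ' '
}

# Against the constructed sample, 'all' reports sshd_config and the user
# manual; 'nodocs' reports only sshd_config, which is the symptom filed here.
count_mismatches all
count_mismatches nodocs
```

On a real host the same function can be fed directly, e.g. `rpm -Va | digest_mismatches all`; the point of the `nodocs` mode is only to reproduce, in a few lines, why a check that discards documentation files stays green after the user manual is edited.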

Comment 5 errata-xmlrpc 2017-08-01 12:23:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2064

