+++ This bug was initially created as a clone of Bug #1251929 +++

Description of problem:

The SCAP Security Guide content for Red Hat Enterprise Linux 6 currently provides the following two Anaconda kickstart files:

* ssg-rhel6-usgcb-server-with-gui-ks.cfg (for the USGCB profile) and
* ssg-rhel6-stig-ks.cfg (for the DISA STIG profile)

The definition of these kickstart files currently uses git cloning of most-recent SSG repository content:

* https://github.com/iankko/scap-security-guide/blob/master/RHEL/6/kickstart/ssg-rhel6-usgcb-server-with-gui-ks.cfg#L173
* https://github.com/iankko/scap-security-guide/blob/master/RHEL/6/kickstart/ssg-rhel6-stig-ks.cfg#L378

rather than direct use of native scap-security-guide's RPM package content as provided within Red Hat Satellite's base channel for Red Hat Enterprise Linux 6 system.

The former motivation for this behaviour has been to get all the OVAL definitions and remediation scripts for USGCB and DISA STIG profiles for Red Hat Enterprise Linux 6 product (previously cloning the most recent SSG git repository copy was necessary because the native scap-security-guide RPM package included in Red Hat Enterprise Linux 6 did not contain all the necessary definitions).

But from the time the aforementioned two kickstart files have been included in scap-security-guide RPM package in Red Hat Enterprise Linux 6 the situation has changed (the necessary checks are already included in the scap-security-guide RPM package as shipped with Red Hat Enterprise Linux 6), and therefore it is safe to prefer use of native scap-security-guide RPM package in kickstart files too rather than to perform SSG upstream git repository copy.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.21-3.el6.*

How reproducible:
Always

Steps to Reproduce:
1. Use some of USGCB or DISA STIG kickstart SCAP Security Guide kickstart files for Red Hat Enterprise Linux 6 product when installing new RHEL-6 system,
2. After finishing the install perform oscap scan

Actual results:
The RHEL-6 system in question is validated using most recent SSG repository content (IOW the OVAL checks and remediations that weren't present in scap-security-guide-0.1.21 version yet are verified too).

Expected results:
The RHEL-6 system in question should be validated using native scap-security-guide RPM package version, shipped within Red Hat Enterprise Linux 6 base channel.
This should be fixed upstream. See https://github.com/OpenSCAP/scap-security-guide/pull/1581
Verified fix in version scap-security-guide-0.1.33-4.el7.noarch

OLD (scap-security-guide-0.1.30-3.el7.noarch):

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ FAIL ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel6-pci-dss-with-gui-ks.cfg' should not contain 'git clone'
:: [ FAIL ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel6-pci-dss-with-gui-ks.cfg' should contain '^scap-security-guide'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel6-pci-dss-with-gui-ks.cfg' should contain '^oscap xccdf eval --remediate'
:: [ FAIL ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel6-stig-ks.cfg' should not contain 'git clone'
:: [ FAIL ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel6-stig-ks.cfg' should contain '^scap-security-guide'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel6-stig-ks.cfg' should contain '^oscap xccdf eval --remediate'
:: [ FAIL ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel6-usgcb-server-with-gui-ks.cfg' should not contain 'git clone'
:: [ FAIL ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel6-usgcb-server-with-gui-ks.cfg' should contain '^scap-security-guide'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel6-usgcb-server-with-gui-ks.cfg' should contain '^oscap xccdf eval --remediate'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel7-ospp-ks.cfg' should not contain 'git clone'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel7-ospp-ks.cfg' should contain 'content-type = scap-security-guide'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel7-pci-dss-server-with-gui-oaa-ks.cfg' should not contain 'git clone'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel7-pci-dss-server-with-gui-oaa-ks.cfg' should contain 'content-type = scap-security-guide'
:: [ LOG ] :: Duration: 1s
:: [ LOG ] :: Assertions: 7 good, 6 bad
:: [ FAIL ] :: RESULT: Test

NEW:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel6-pci-dss-with-gui-ks.cfg' should not contain 'git clone'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel6-pci-dss-with-gui-ks.cfg' should contain '^scap-security-guide'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel6-pci-dss-with-gui-ks.cfg' should contain '^oscap xccdf eval --remediate'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel6-stig-ks.cfg' should not contain 'git clone'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel6-stig-ks.cfg' should contain '^scap-security-guide'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel6-stig-ks.cfg' should contain '^oscap xccdf eval --remediate'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel6-usgcb-server-with-gui-ks.cfg' should not contain 'git clone'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel6-usgcb-server-with-gui-ks.cfg' should contain '^scap-security-guide'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel6-usgcb-server-with-gui-ks.cfg' should contain '^oscap xccdf eval --remediate'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel7-ospp-ks.cfg' should not contain 'git clone'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel7-ospp-ks.cfg' should contain 'content-type = scap-security-guide'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel7-pci-dss-server-with-gui-oaa-ks.cfg' should not contain 'git clone'
:: [ PASS ] :: File '/usr/share/scap-security-guide/kickstart/ssg-rhel7-pci-dss-server-with-gui-oaa-ks.cfg' should contain 'content-type = scap-security-guide'
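The three RHEL 6 assertions from the test log above, as an added example that is not part of the original bug report or of the project's test suite. The function name `ks_failures`, both sample kickstart bodies, the URL, the profile name and the content paths are constructed placeholders.

```shell
# Added example: re-runs the three RHEL 6 kickstart assertions from the test log.
# ks_failures FILE: PASS/FAIL detail on stderr, count of failed assertions on stdout.
ks_failures() {
    ks=$1; bad=0
    # Content must not be pulled from a git repository at install time.
    if grep -q -e 'git clone' "$ks"; then
        echo "FAIL: '$ks' should not contain 'git clone'" >&2
        bad=$((bad + 1))
    else
        echo "PASS: '$ks' should not contain 'git clone'" >&2
    fi
    # The packaged content must be installed and used for remediation.
    for pat in '^scap-security-guide' '^oscap xccdf eval --remediate'; do
        if grep -q -e "$pat" "$ks"; then
            echo "PASS: '$ks' should contain '$pat'" >&2
        else
            echo "FAIL: '$ks' should contain '$pat'" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
OLD_KS=$tmp/old-ks.cfg; NEW_KS=$tmp/new-ks.cfg

# Constructed "before" sample: fetches content with git during %post.
cat > "$OLD_KS" <<'EOF'
%packages
%end
%post
git clone https://example.invalid/PLACEHOLDER.git /root/ssg
oscap xccdf eval --remediate --profile PLACEHOLDER_PROFILE /root/ssg/PLACEHOLDER-xccdf.xml
%end
EOF

# Constructed "after" sample: installs the RPM and evaluates its content.
cat > "$NEW_KS" <<'EOF'
%packages
scap-security-guide
%end
%post
oscap xccdf eval --remediate --profile PLACEHOLDER_PROFILE /PLACEHOLDER/path-xccdf.xml
%end
EOF

echo "old: $(ks_failures "$OLD_KS") failed, new: $(ks_failures "$NEW_KS") failed"
```

To audit installed files, call `ks_failures` on each RHEL 6 file under `/usr/share/scap-security-guide/kickstart/`; the RHEL 7 files in the log are checked against a different string and are not covered here.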
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2064