Bug 1399074 - Evaluation of RHEL6 system after installing it from STIG kickstart reports some failing rules
Summary: Evaluation of RHEL6 system after installing it from STIG kickstart reports so...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: scap-security-guide
Version: 6.9
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Watson Yuuma Sato
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-28 08:59 UTC by Matus Marhefka
Modified: 2017-12-06 11:38 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-06 11:38:28 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Matus Marhefka 2016-11-28 08:59:29 UTC 
Description of problem:
Install RHEL6 system (server variant) from STIG kickstart (ssg-rhel6-stig-ks.cfg) provided by scap-security-guide package. After evaluation of STIG content on the installed system the following rules are failing:
===
These are the unexpected results:
Found 5 nodes:
-- NODE --
<rule-result idref="install_antivirus" time="2016-11-24T04:07:05" severity="low" weight="1.000000">
      <result>fail</result>
      <ident system="http://cce.mitre.org">CCE-27529-7</ident>
      <ident system="http://cce.mitre.org">DISA FSO RHEL-06-000284</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref name="oval:ssg-install_antivirus:def:1" href="ssg-rhel6-oval.xml" />
      </check>
    </rule-result>-- NODE --
<rule-result idref="accounts_umask_etc_csh_cshrc" time="2016-11-24T04:08:59" severity="low" weight="1.000000">
      <result>fail</result>
      <ident system="http://cce.mitre.org">CCE-27034-8</ident>
      <ident system="http://cce.mitre.org">DISA FSO RHEL-06-000343</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-export export-name="oval:ssg-var_accounts_user_umask:var:1" value-id="var_accounts_user_umask" />
        <check-content-ref name="oval:ssg-accounts_umask_etc_csh_cshrc:def:1" href="ssg-rhel6-oval.xml" />
      </check>
    </rule-result>-- NODE --
<rule-result idref="smartcard_auth" time="2016-11-24T04:09:00" severity="medium" weight="1.000000">
      <result>fail</result>
      <ident system="http://cce.mitre.org">CCE-27440-7</ident>
      <ident system="http://cce.mitre.org">DISA FSO RHEL-06-000349</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref name="oval:ssg-smartcard_auth:def:1" href="ssg-rhel6-oval.xml" />
      </check>
    </rule-result>-- NODE --
<rule-result idref="rsyslog_files_permissions" time="2016-11-24T04:09:02" severity="medium" weight="1.000000">
      <result>fail</result>
      <ident system="http://cce.mitre.org">CCE-27190-8</ident>
      <ident system="http://cce.mitre.org">DISA FSO RHEL-06-000135</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref name="oval:ssg-rsyslog_files_permissions:def:1" href="ssg-rhel6-oval.xml" />
      </check>
    </rule-result>-- NODE --
<rule-result idref="rsyslog_remote_loghost" time="2016-11-24T04:09:02" severity="low" weight="1.000000">
      <result>fail</result>
      <ident system="http://cce.mitre.org">CCE-26801-1</ident>
      <ident system="http://cce.mitre.org">DISA FSO RHEL-06-000136</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref name="oval:ssg-rsyslog_remote_loghost:def:1" href="ssg-rhel6-oval.xml" />
      </check>
    </rule-result>
===

scap-security-guide-0.1.28-3.el6.noarch

How reproducible:
Always

Actual results:
Evaluation of STIG content on the system installed from STIG kickstart reports failing rules.

Expected results:
Evaluation of STIG content on the system installed from STIG kickstart reports that system is STIG compliant.


Additional info:
Comment 1 Matus Marhefka 2016-11-28 09:05:02 UTC 
Evaluation of STIG content also reports some 'notchecked' results:
===
These are the unexpected results:
Found 3 nodes:
-- NODE --
<rule-result idref="encrypt_partitions" time="2016-11-24T04:05:07" severity="low" weight="1.000000">
      <result>notchecked</result>
      <ident system="http://cce.mitre.org">CCE-27596-6</ident>
      <ident system="http://cce.mitre.org">DISA FSO RHEL-06-000275</ident>
      <message severity="info">No candidate or applicable check found.</message>
      <check system="ocil-transitional">
        <check-export export-name="encryption must be used and is not employed" value-id="conditional_clause" />
        <check-content xmlns:xhtml="http://www.w3.org/1999/xhtml">
Determine if encryption must be used to protect data on the system. 
</check-content>
      </check>
    </rule-result>-- NODE --
<rule-result idref="install_hids" time="2016-11-24T04:07:05" severity="medium" weight="1.000000">
      <result>notchecked</result>
      <ident system="http://cce.mitre.org">CCE-27409-2</ident>
      <ident system="http://cce.mitre.org">DISA FSO RHEL-06-000285</ident>
      <message severity="info">No candidate or applicable check found.</message>
      <check system="ocil-transitional">
        <check-export export-name="no host-based intrusion detection tools are installed" value-id="conditional_clause" />
        <check-content xmlns:xhtml="http://www.w3.org/1999/xhtml">
Inspect the system to determine if intrusion detection software has been installed. 
Verify this intrusion detection software is active.
</check-content>
      </check>
    </rule-result>-- NODE --
<rule-result idref="account_temp_expire_date" time="2016-11-24T04:08:59" severity="low" weight="1.000000">
      <result>notchecked</result>
      <ident system="http://cce.mitre.org">CCE-27474-6</ident>
      <message severity="info">No candidate or applicable check found.</message>
      <check system="ocil-transitional">
        <check-export export-name="any temporary or emergency accounts have no expiration date set or do not expire within a documented time frame" value-id="conditional_clause" />
        <check-content xmlns:xhtml="http://www.w3.org/1999/xhtml">
For every temporary and emergency account, run the following command
to obtain its account aging and expiration information:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chage -l <html:i>USER</html:i></html:pre>
Verify each of these accounts has an expiration date set as documented.
</check-content>
      </check>
    </rule-result>
===

Why are these rules 'notchecked'?
Comment 6 Jan Kurik 2017-12-06 11:38:28 UTC 
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/
Note You need to log in before you can comment on or make changes to this bug.