Bug 1465402 - remediation run during anaconda installation shows "notapplicable" for many rules
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: oscap-anaconda-addon
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Watson Yuuma Sato
QA Contact: Release Test Team
Depends On: 1520276
Reported: 2017-06-27 12:04 UTC by Marek Haicman
Modified: 2018-04-10 18:54 UTC (History)

Fixed In Version: oscap-anaconda-addon-0.8-1.el7
Last Closed: 2018-04-10 18:53:44 UTC


System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:1021 None None None 2018-04-10 18:54:45 UTC
Red Hat Bugzilla 1472419 None CLOSED Rebase oscap-anaconda-addon to latest upstream version 2019-09-09 13:32:24 UTC

Internal Links: 1472419

Description Marek Haicman 2017-06-27 12:04:42 UTC
Description of problem:
When a user selects a profile within anaconda, the system is expected to be fully compliant after installation. With the latest SCAP Security Guide, rules which are marked as "machine-only" are not remedied during installation. Thus the machine is returned to the user with lots of failing rules (for example all audit-related rules).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install a machine with a hardening profile selected, for example pci-dss
2. Scan the machine with the selected profile
3. Check /root/openscap_data/eval_remediate_results.xml

Actual results:
2) big number of failing rules
3) big number of rules with result "notapplicable"

Expected results:
2) no, or small number of rules failing
3) no rule marked as "notapplicable"

Additional info:

Comment 1 Marek Haicman 2017-07-18 14:18:15 UTC
This bug is more likely to be fixed in scap-security-guide.

Comment 2 Marek Haicman 2017-09-27 13:01:57 UTC
PR https://github.com/OpenSCAP/oscap-anaconda-addon/pull/48 fixes the issue.

The real problem was OAA consuming XCCDF by default, and not using the CPE shipped with SSG -> our special 'cpe:/a:machine' was not understood then.

By using the DS, the CPE dictionary bundled in it is used, thus the problem goes away.
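
An added example, not part of the bug report or of oscap-anaconda-addon: one way to carry out step 3 of the reproduction, tallying rule results in an XCCDF results file and showing which CPE platform each "notapplicable" rule was bound to. It assumes the results file embeds the benchmark's Group/Rule tree next to the TestResult; the function names and the sample ids are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample shaped like an XCCDF results file; all ids are made up.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="constructed">
  <Group id="g_audit"><platform idref="cpe:/a:machine"/>
    <Rule id="r_audit_a"/><Rule id="r_audit_b"/>
  </Group>
  <Rule id="r_other"/>
  <TestResult id="tr_constructed">
    <rule-result idref="r_audit_a"><result>notapplicable</result></rule-result>
    <rule-result idref="r_audit_b"><result>notapplicable</result></rule-result>
    <rule-result idref="r_other"><result>fixed</result></rule-result>
  </TestResult>
</Benchmark>"""

def local(tag):  # drop the XML namespace so XCCDF 1.1 and 1.2 files both work
    return tag.rsplit("}", 1)[-1]

def rule_platforms(root):
    """Map rule id -> CPE platforms set on the rule or its enclosing groups."""
    found = {}
    def walk(node, inherited):
        if local(node.tag) in ("Group", "Rule"):
            inherited = inherited + [c.get("idref") for c in node if local(c.tag) == "platform"]
        if local(node.tag) == "Rule":
            found[node.get("id")] = inherited
        for child in node:
            if local(child.tag) in ("Group", "Rule"):
                walk(child, inherited)
    walk(root, [])
    return found

def summarize(xml_text):
    """Return (result counts, {notapplicable rule id: its platforms})."""
    root = ET.fromstring(xml_text)
    platforms = rule_platforms(root)
    runs = [e for e in root.iter() if local(e.tag) == "TestResult"]
    counts, skipped = Counter(), {}
    for rr in (runs[-1] if runs else []):  # last TestResult in the file
        if local(rr.tag) != "rule-result":
            continue
        outcome = next(((c.text or "").strip() for c in rr if local(c.tag) == "result"), "unknown")
        counts[outcome] += 1
        if outcome == "notapplicable":
            skipped[rr.get("idref")] = platforms.get(rr.get("idref"), [])
    return counts, skipped

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

To check an installed system, pass the bytes of /root/openscap_data/eval_remediate_results.xml to `summarize()`; a skipped list dominated by one platform id such as 'cpe:/a:machine' points at applicability evaluation rather than at the rules themselves.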

Comment 9 errata-xmlrpc 2018-04-10 18:53:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

