Hide Forgot
Description of problem: When user selects profile within anaconda, it is expected to have fully compliant system after installation. With the latest SCAP Security Guide, rules which are marked as "machine-only" are not remedied during installation. Thus machine is returned to user with lots of failing rules (for example all audit-related rules) Version-Release number of selected component (if applicable): oscap-anaconda-addon-0.7-15.el7 How reproducible: reliably Steps to Reproduce: 1. install machine with selecting hardening profile, for example pci-dss 2. scan machine with selected profile 3. check /root/openscap_data/eval_remediate_results.xml Actual results: 2) big number of failing rules 3) big number of rules with result "notapplicable" Expected results: 2) no, or small number of rules failing 3) no rule marked as "notapplicable" Additional info:
This bug is more likely to be fixed in scap-security-guide.
PR https://github.com/OpenSCAP/oscap-anaconda-addon/pull/48 fixes the issue. The real problem was OAA consuming XCCDF by default, and not using CPE shipped with SSG -> Our special 'cpe:/a:machine' has not been understood then. By using DS, CPE dictionary bundled in is used, thus problem gets away.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1021