Bug 1465478 - default value is not taken into consideration, unless overwritten by tailoring
default value is not taken into consideration, unless overwritten by tailoring
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-workbench (Show other bugs)
Unspecified Unspecified
medium Severity medium
: rc
: ---
Assigned To: wcerasop
BaseOS QE Security Team
Depends On:
  Show dependency treegraph
Reported: 2017-06-27 09:56 EDT by Marek Haicman
Modified: 2017-06-28 21:20 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Marek Haicman 2017-06-27 09:56:19 EDT
Description of problem:
Rule ipv4_conf_all_secure_redirects does not use value defined by the profile, but some internal one. This is easily observable in scap-security-guide-0.1.30-3.el7.noarch, where value default should be [it's a bug actually] 1, but scan passes for 0. Only after selecting one in the tailoring (or selecting profile nist-cn-il-al, which has explicit "enable" in the profile), it starts failing.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. prepare machine to have runtime and configuration of ipv4_conf_all_secure_redirects = 0
2. scan with default 0.1.30-3 scap-security-guide
3. scan with re-selected value = 1

Actual results:
2) passing
3) failing

Expected results:
2) failing
3) failing

Additional info:
Comment 1 Marek Haicman 2017-06-27 10:03:58 EDT
I am sorry, this is actually display bug in scap-workbench - C2S profile I have tested it on has explicit "disable" value, but scap-workbench still shows value as "1". If I use nist-cn-il-al, it fails correctly [i.e. 1 is expected] and when rule is enabled for different profile, it also expects 1 (i.e. value default).

Note You need to log in before you can comment on or make changes to this bug.