Bug 1465686 - multiple ssg rules missing / failing remediations
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.4
Hardware: Unspecified, OS: Unspecified
Priority: medium, Severity: medium
Target Milestone: rc
Assigned To: Watson Yuuma Sato
QA Contact: BaseOS QE Security Team
Reported: 2017-06-27 19:53 EDT by Marek Haicman
Modified: 2018-06-20 22:26 EDT
Type: Bug

Description Marek Haicman 2017-06-27 19:53:22 EDT
Description of problem:
Multiple rules shipped in SSG have either missing remediations or remediations that fail when applied on a freshly installed system. These rules are (to help with development, they are grouped by example of a profile where they are enabled):

(STIG profile)
xccdf_org.ssgproject.content_rule_ntp_set_maxpoll (missing)
xccdf_org.ssgproject.content_rule_sssd_enable_pam_services (missing)
xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost (failing)
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root (failing)
xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode (failing)

(PCI-DSS profile)
xccdf_org.ssgproject.content_rule_ensure_logrotate_activated (missing)

(OSPP profile)
xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions (missing)
xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding (missing)
xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route (missing)
xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc (missing)
xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable (missing)
xccdf_org.ssgproject.content_rule_aide_scan_notification (failing)

(C2S profile)
xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info (missing)
xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec (missing)
xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions (missing)


Version-Release number of selected component (if applicable):
scap-security-guide-0.1.33-5.el7.noarch

How reproducible:
reliably

Steps to Reproduce:
1. Install a fresh RHEL 7.4 machine
2. Perform profile-based remediations for the aforementioned profiles



Actual results:
2. rules listed in description are still failing after remediation

Expected results:
2. rules listed in description are passing after remediation

Additional info:
Comment 1 Martin Preisler 2017-08-01 14:04:52 EDT
Upstream patch related to this: https://github.com/OpenSCAP/scap-security-guide/pull/2171
Please note that this patch is not fixing everything in this BZ.
Comment 2 Watson Yuuma Sato 2017-11-16 09:04:46 EST
Some more fixes:

For Rule xccdf_org.ssgproject.content_rule_ntp_set_maxpoll, which I believe actually is xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll:
https://github.com/OpenSCAP/scap-security-guide/pull/2429
https://github.com/OpenSCAP/scap-security-guide/pull/2432

For Rule xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost (failing):
https://github.com/OpenSCAP/scap-security-guide/pull/2176
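
Added example (not part of the bug report and not SSG or OpenSCAP project code): one way to reproduce the description's "missing" versus "failing" split from an XCCDF 1.2 results document after a remediation run. The `triage` helper, the constructed sample document, the `xccdf_example_*` ids, and the choice to treat `fail` and `error` as unremediated are assumptions; it also assumes the Rule definitions and the TestResult sit in the same document.

```python
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
FIX_SH = "urn:xccdf:fix:script:sh"      # shell remediation scripts
UNREMEDIATED = {"fail", "error"}        # assumption: outcomes counted as still failing

# Constructed sample: a minimal (not schema-complete) benchmark with an
# embedded TestResult. Two rule ids come from the report, one is made up.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_constructed">
  <Group id="xccdf_example_group_constructed">
    <Rule id="xccdf_org.ssgproject.content_rule_ntp_set_maxpoll" selected="true"/>
    <Rule id="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" selected="true">
      <fix system="urn:xccdf:fix:script:sh">echo constructed-placeholder</fix>
    </Rule>
    <Rule id="xccdf_example_rule_constructed_ok" selected="true">
      <fix system="urn:xccdf:fix:script:sh">echo constructed-placeholder</fix>
    </Rule>
  </Group>
  <TestResult id="xccdf_example_testresult_constructed">
    <rule-result idref="xccdf_org.ssgproject.content_rule_ntp_set_maxpoll"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost"><result>error</result></rule-result>
    <rule-result idref="xccdf_example_rule_constructed_ok"><result>fixed</result></rule-result>
  </TestResult>
</Benchmark>"""

def triage(xml_text, fix_system=FIX_SH):
    """Split rules that are still unremediated into 'missing' and 'failing'."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF}
    # Rules may be nested inside Groups, so walk the whole tree.
    has_fix = {rule.get("id"): any(f.get("system") == fix_system
                                   for f in rule.findall("x:fix", ns))
               for rule in root.iter("{%s}Rule" % XCCDF)}
    results = root.findall(".//x:TestResult", ns)
    if not results:
        raise ValueError("no TestResult element found")
    report = {"missing": [], "failing": []}
    for rr in results[-1].findall("x:rule-result", ns):   # most recent run
        outcome = rr.findtext("x:result", default="", namespaces=ns).strip()
        if outcome in UNREMEDIATED:
            rid = rr.get("idref")
            # No fix shipped -> "missing"; fix shipped but rule still bad -> "failing".
            report["failing" if has_fix.get(rid) else "missing"].append(rid)
    return report

if __name__ == "__main__":
    for kind, rule_ids in triage(SAMPLE).items():
        for rid in rule_ids:
            print(f"{rid} ({kind})")
```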
