Description of problem:
All rules are not being enabled correctly after running scap hardening through appliance_console.

Version-Release number of selected component (if applicable):
5.7.4.0

How reproducible:
100%

Steps to Reproduce:
1. provision appliance
2. connect to ssh
3. run scap hardening through appliance_console

Actual results:
Hardening is not completed correctly.

Expected results:
SCAP hardening completes successfully

Additional info:
This works correctly in 5.7.3.2
Which rules are not being satisfied? Are there any differences in the openscap or openscap scanner rpm versions between the versions?
As for the rules, I don't think anything is getting applied. As for versions, they do also differ.

5.7.4:
openscap-1.2.14-2.el7.x86_64
openscap-scanner-1.2.14-2.el7.x86_64

5.7.3.2:
openscap-1.2.10-3.el7_3.x86_64
openscap-scanner-1.2.10-3.el7_3.x86_64
https://github.com/ManageIQ/linux_admin/pull/191 https://github.com/ManageIQ/manageiq-gems-pending/pull/275
These changes get us to 20 passing and 26 not applicable rules. In the previous version we had 46 passing rules. The discrepancy seems to be caused by a new version of the scap-security-guide rpm. I was able to downgrade the rpm (to version 0.1.30) and see that the other 26 rules were remediated correctly and show as "passed" in the report after running the console option.
Opened https://bugzilla.redhat.com/show_bug.cgi?id=1496279 to track what I believe is a bug in the scap-security-guide package
Just a heads up, this is also an issue on the latest 5.8.2 builds.
New commit detected on ManageIQ/linux_admin/master:
https://github.com/ManageIQ/linux_admin/commit/8f90905cd47cefedddbb25b2478bced77ae7b880

commit 8f90905cd47cefedddbb25b2478bced77ae7b880
Author: Nick Carboni <ncarboni>
AuthorDate: Tue Sep 26 17:12:23 2017 -0400
Commit: Nick Carboni <ncarboni>
CommitDate: Wed Sep 27 11:47:39 2017 -0400

Add platform attribute to Scap class

Newer versions of scap-security-guide (> 0.1.32) add new xccdf files which match our glob pattern, but do not contain the remediations for the rules we want to run. If we edit one of these files rather than the one for our target platform, the rules will not be remediated properly. Specifying the platform allows us to find the file we need.

https://bugzilla.redhat.com/show_bug.cgi?id=1493193

lib/linux_admin/scap.rb | 33 ++++++++++++++++++++++-----------
spec/data/scap/ssg-rhel6-oval.xml | 0
spec/scap_spec.rb | 25 ++++++++++++++++++++++---
3 files changed, 44 insertions(+), 14 deletions(-)
create mode 100644 spec/data/scap/ssg-rhel6-oval.xml
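To illustrate the failure mode the commit message describes (a bare glob matching the wrong xccdf file once scap-security-guide ships content for more than one platform), here is a small added Ruby example. It is not linux_admin's own code; the file-name pattern `ssg-<platform>-xccdf.xml`, the scratch directory and the helper names are assumptions for the demonstration.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical helper: builds a scratch directory that mimics an SSG content
# directory in which newer scap-security-guide versions ship xccdf files for
# several platforms side by side. The layout is constructed for this example.
def build_ssg_dir(dir, platforms)
  platforms.each do |plat|
    FileUtils.touch(File.join(dir, "ssg-#{plat}-xccdf.xml"))
    FileUtils.touch(File.join(dir, "ssg-#{plat}-oval.xml"))
  end
  dir
end

# Pre-fix approach: match any xccdf file and take the first hit.
# With more than one platform present, the file chosen depends on the
# listing order, not on the platform actually being hardened.
def xccdf_by_glob(dir)
  Dir.glob(File.join(dir, "ssg-*-xccdf.xml")).sort.first
end

# Fixed approach: select the xccdf file for the target platform explicitly
# and fail loudly when that content is not installed, instead of silently
# remediating against a file that lacks the wanted rules.
def xccdf_for_platform(dir, platform)
  path = File.join(dir, "ssg-#{platform}-xccdf.xml")
  raise ArgumentError, "no SSG xccdf content for #{platform} in #{dir}" unless File.exist?(path)
  path
end

# Shows the mismatch: with rhel6 and rhel7 content installed, the bare glob
# picks the rhel6 file even though the appliance being hardened is rhel7.
def demo
  Dir.mktmpdir do |dir|
    build_ssg_dir(dir, %w[rhel6 rhel7])
    [File.basename(xccdf_by_glob(dir)),
     File.basename(xccdf_for_platform(dir, "rhel7"))]
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```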
https://github.com/ManageIQ/linux_admin/pull/192
Also this one https://github.com/ManageIQ/linux_admin/pull/192
New commit detected on ManageIQ/manageiq-gems-pending/master:
https://github.com/ManageIQ/manageiq-gems-pending/commit/15da3580d15e016cb785073f27c78d738ad2bd82

commit 15da3580d15e016cb785073f27c78d738ad2bd82
Author: Nick Carboni <ncarboni>
AuthorDate: Tue Sep 26 17:29:23 2017 -0400
Commit: Nick Carboni <ncarboni>
CommitDate: Tue Sep 26 17:29:23 2017 -0400

Specify rhel7 as the scap security guide platform

https://bugzilla.redhat.com/show_bug.cgi?id=1493193

lib/gems/pending/appliance_console/scap.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
https://gitlab.cloudforms.lab.eng.rdu2.redhat.com/cloudforms/cfme_productization/merge_requests/510
Verified in 5.9.0.2