Bug 1520493
| Summary: | open-scap reports an "error" when checking "Set Daemon Umask" | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | SHAURYA <sshaurya> | ||||
| Component: | scap-security-guide | Assignee: | Jan Černý <jcerny> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Marek Haicman <mhaicman> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 7.3 | CC: | mhaicman, mpreisle, mthacker, openscap-maint, pvrabec, wsato | ||||
| Target Milestone: | rc | Keywords: | Regression | ||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | scap-security-guide-0.1.36-6.el7 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2018-04-10 12:21:26 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Thank you for reporting this bug. It's a bug in SCAP Security Guide in rule 'xccdf_org.ssgproject.content_rule_umask_for_daemons'. I have a patch submitted that fixes this bug to upstream https://github.com/OpenSCAP/scap-security-guide/pull/2476 . You can temporarily workaround this issue by manually removing "<external_variable>" elements with id="oval:ssg-var_umask_for_daemons_umask_as_number:var:1" from the datastream. PR merged -> POST state Verified with SSG Test Suite https://github.com/OpenSCAP/scap-security-guide/tree/master/tests [Please note I had to add rule_umask_for_daemons to C2S profile for SSG Test Suite to consume it, and update scenarios accordingly. It won't work with profile out of the box.] OLD (scap-security-guide-0.1.33-6.el7.noarch) INFO - xccdf_org.ssgproject.content_rule_umask_for_daemons ERROR - Script adequate.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S found issue: ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_umask_for_daemons'. INFO - Script comment.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK ERROR - Scan has exited with return code 2, instead of expected 0 during stage remediation ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_umask_for_daemons'. INFO - Script strong_weak.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK ERROR - Scan has exited with return code 2, instead of expected 0 during stage remediation ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_umask_for_daemons'. ERROR - Script super_strong.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S found issue: ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_umask_for_daemons'. INFO - Script line_not_there.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK ERROR - Scan has exited with return code 2, instead of expected 0 during stage remediation ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_umask_for_daemons'. INFO - All snapshots reverted successfully NEW (scap-security-guide-0.1.36-7.el7.noarch) INFO - xccdf_org.ssgproject.content_rule_umask_for_daemons INFO - Script adequate.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S OK INFO - Script comment.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK INFO - Script strong_weak.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK INFO - Script super_strong.pass.sh using profile xccdf_org.ssgproject.content_profile_C2S OK INFO - Script line_not_there.fail.sh using profile xccdf_org.ssgproject.content_profile_C2S OK INFO - All snapshots reverted successfully PR with test coverage: https://github.com/OpenSCAP/scap-security-guide/pull/2541 The test was merged in upstream test suite. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0761 |
Created attachment 1362712 [details] Openscap scan full result Description of problem: The "Set Daemon Umask" test says "error" in the oscap report. The "hover text" says that "the checking engine could not complete the evaluation". I can't work out why this is erroring as the /etc/init.d/functions file looks OK to me. Version-Release number of selected component (if applicable): using openscap-1.2.10-2 Actual results: Provides false report for /etc/init.d/functions file. Expected results: Should not provide false positive report for a scan. Additional info: San results attached