Description of problem:
Following rules fail to remediate in a fresh RHEL 7.5 install.
- xccdf_org.ssgproject.content_rule_partition_for_tmp
- xccdf_org.ssgproject.content_rule_partition_for_var
- xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
- xccdf_org.ssgproject.content_rule_partition_for_home
- xccdf_org.ssgproject.content_rule_aide_scan_notification
- xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
- xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable
- xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc
- xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions
- xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
- xccdf_org.ssgproject.content_rule_audit_rules_login_events
- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading
- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete
- xccdf_org.ssgproject.content_rule_service_kdump_disabled
- xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
- xccdf_org.ssgproject.content_rule_ldap_client_start_tls
- xccdf_org.ssgproject.content_rule_ensure_logrotate_activated

Version-Release number of selected component (if applicable):
SSG in RHEL 7.5 is 0.1.36-7

How reproducible:
always

Steps to Reproduce:
1. Install RHEL 7.5
2. Scan and remediate system using PCI-DSS, DISA STIG or USGCB profile.

Actual results:
Rules listed above fail to remediate.

Expected results:
Rules listed can remediate system.

Fixes for the rules
- https://github.com/OpenSCAP/scap-security-guide/pull/2679
  - xccdf_org.ssgproject.content_rule_partition_for_tmp
  - xccdf_org.ssgproject.content_rule_partition_for_var
  - xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
  - xccdf_org.ssgproject.content_rule_partition_for_home
- https://github.com/OpenSCAP/scap-security-guide/pull/2696
  - xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
- https://github.com/OpenSCAP/scap-security-guide/pull/2673
  - xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable
- https://github.com/OpenSCAP/scap-security-guide/pull/2671
  - xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc
  - xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions
- https://github.com/OpenSCAP/scap-security-guide/pull/2554 and
- https://github.com/OpenSCAP/scap-security-guide/pull/2667
  - xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
- https://github.com/OpenSCAP/scap-security-guide/pull/2607
  - xccdf_org.ssgproject.content_rule_audit_rules_login_events
- https://github.com/OpenSCAP/scap-security-guide/pull/2667
  - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
- https://github.com/OpenSCAP/scap-security-guide/pull/2532
  - xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
  - xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete
- https://github.com/OpenSCAP/scap-security-guide/pull/2698
  - xccdf_org.ssgproject.content_rule_service_kdump_disabled
- https://github.com/OpenSCAP/scap-security-guide/pull/2688
  - xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
- https://github.com/OpenSCAP/scap-security-guide/pull/2685
  - xccdf_org.ssgproject.content_rule_ldap_client_start_tls
- https://github.com/OpenSCAP/scap-security-guide/pull/2664
  - xccdf_org.ssgproject.content_rule_ensure_logrotate_activated

Rule xccdf_org.ssgproject.content_rule_aide_scan_notification is handled in https://bugzilla.redhat.com/show_bug.cgi?id=1540505
Rule xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading is handled in https://bugzilla.redhat.com/show_bug.cgi?id=1547694

Agreed and approved
For rule xccdf_org.ssgproject.content_rule_audit_rules_login_events, the PR is actually https://github.com/OpenSCAP/scap-security-guide/pull/2628. And https://github.com/OpenSCAP/scap-security-guide/pull/2733 also needs to be considered.
Verified for version scap-security-guide-0.1.40-12.el7.noarch

Out of the rules listed in description of the bug, there are two that are persisting:
* xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
  * problem stems from different OVAL and remediation approach. OVAL expects to have rule even for `sudoedit`, even though it is just a symlink to `sudo`. Remediation creates only `sudo` rule. This failure is safe.
* xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading

Rest of the listed rules are fixed. There are new rules without remediation or failing for newest 0.1.40-12. These will be tracked in separate bugzillas.
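
The `sudoedit` mismatch described in the verification comment above, as an added example that is not part of the original thread or of scap-security-guide. The per-path check is an assumed model of the OVAL behaviour (the actual OVAL definition is not shown on this page), and the audit rule and the directory tree are constructed sample data.

```python
import os
import re
import tempfile

# Constructed audit rule: only sudo gets a rule, as the remediation in the thread does.
SAMPLE_RULES = (
    "-a always,exit -F path={bindir}/sudo -F perm=x "
    "-F auid>=1000 -F auid!=4294967295 -F key=privileged\n"
)
PATH_RE = re.compile(r"-F\s+path=(\S+)")


def audited_paths(rules_text):
    """Return the set of paths named by -F path= in the audit rules."""
    return set(PATH_RE.findall(rules_text))


def missing_by_name(commands, rules_text):
    """Per-path check (assumed model of the OVAL): each name needs its own rule."""
    covered = audited_paths(rules_text)
    return sorted(c for c in commands if c not in covered)


def missing_by_target(commands, rules_text):
    """Symlink-aware check: covered if the resolved target has a rule."""
    covered = {os.path.realpath(p) for p in audited_paths(rules_text)}
    return sorted(c for c in commands if os.path.realpath(c) not in covered)


def demo():
    """Build a constructed bin dir (sudo, sudoedit -> sudo) and run both checks."""
    with tempfile.TemporaryDirectory() as root:
        sudo = os.path.join(root, "sudo")
        with open(sudo, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.symlink("sudo", os.path.join(root, "sudoedit"))
        commands = [sudo, os.path.join(root, "sudoedit")]
        rules = SAMPLE_RULES.format(bindir=root)
        by_name = [os.path.basename(p) for p in missing_by_name(commands, rules)]
        by_target = [os.path.basename(p) for p in missing_by_target(commands, rules)]
        return by_name, by_target


if __name__ == "__main__":
    by_name, by_target = demo()
    print("missing rule (per-path check):", by_name)
    print("missing rule (symlink-aware check):", by_target)
```

The per-path check reports `sudoedit` as lacking a rule while the symlink-aware check reports nothing missing, which is the gap between scan result and remediation that the comment describes.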
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3308