Bug 1575210 - Bigger tailoring file is generated on RHEL7 wrt RHEL6
Summary: Bigger tailoring file is generated on RHEL7 wrt RHEL6
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-workbench
Version: 7.5
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: rc
Assignee: Matěj Týč
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-05-05 06:14 UTC by amitkuma
Modified: 2019-02-26 17:21 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-26 17:21:54 UTC
Target Upstream Version:



Description amitkuma 2018-05-05 06:14:05 UTC
Description of problem:

If I generate a tailoring file for only 1 rule, a big file is
generated with all other rules marked selected="false":
     <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/>
     <xccdf:select idref="xccdf_org.ssgproject.content_group_ssh_server" selected="true"/>
     <xccdf:select idref="xccdf_org.ssgproject.content_group_ssh" selected="true"/>
     <xccdf:select idref="xccdf_org.ssgproject.content_group_services" selected="true"/>
     <xccdf:set-value idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">3600</xccdf:set-value>

This only happens in RHEL-7.
While in RHEL-6, I found very small tailoring file gets generated with
only rule specified.

There is a customer who has the following requirement:
We need a small tailoring file as it needs to be embedded and written
out from the kickstart file.

I believe there is a change in the scap-workbench code between RHEL6 and RHEL7.
How can we generate a smaller tailoring file in RHEL7, as happened in RHEL6?

Version-Release number of selected component (if applicable):
# rpm -qa | grep scap
scap-security-guide-0.1.36-7.el7.noarch
openscap-1.2.16-6.el7.x86_64
perl-Pod-Escapes-1.04-292.el7.noarch
scap-workbench-1.1.6-1.el7.x86_64
openscap-scanner-1.2.16-6.el7.x86_64
openscap-containers-1.2.16-6.el7.noarch
scap-security-guide-doc-0.1.36-7.el7.noarch
openscap-utils-1.2.16-6.el7.x86_64

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.4 (Maipo)

How reproducible:
all times

Steps to Reproduce:
1. Generate a tailoring file using scap-workbench on RHEL7 with only 1 rule.
2. Generate a tailoring file using scap-workbench on RHEL6 with same rule.
3. You will find the tailoring file generated on RHEL7 is much bigger, although all rules are set to false except the 1 selected.

Actual results:
Bigger tailoring file generated with unwanted rules set to false.

Expected results:
Smaller tailoring file should be generated.

Additional info:
I believe the use case of generating a bigger tailoring file with unwanted rules=false does not serve any purpose, since it would lead to unnecessary checks in the data structure where rules are parsed and stored.
We need to iterate over the table to search for the 'true' entries, consuming many CPU cycles in compare instructions.

I will be going into the scap-workbench code to look for a fix, as I get time.
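As an added example, not part of the bug report or of scap-workbench: a small Python script that parses a tailoring file of the shape shown above and emits a compact copy with the selected="false" entries removed. It assumes the XCCDF 1.2 namespace and a constructed sample tailoring (the placeholder rule ids and benchmark href are made up); the check on the profile's extends attribute is the caveat a practitioner needs, since a deselection in a profile that extends a base profile overrides a rule the parent selects, and dropping it would re-enable that rule.

```python
# Added example (not part of the bug report or of scap-workbench): inspect an
# XCCDF 1.2 tailoring file and emit a compact copy without selected="false"
# entries, but only when dropping them is harmless.
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}
ET.register_namespace("xccdf", XCCDF_NS)

# Constructed sample: one wanted rule with its group and value, plus placeholder
# rules written out as selected="false" (placeholder ids and href are made up).
SAMPLE_TAILORING = """<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_tailoring">
  <xccdf:benchmark href="benchmark-placeholder-ds.xml"/>
  <xccdf:version time="2018-05-05T06:14:05">1</xccdf:version>
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_placeholder">
    <xccdf:title>Constructed sample profile</xccdf:title>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_ssh_server" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_placeholder_one" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_placeholder_two" selected="false"/>
    <xccdf:set-value idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">3600</xccdf:set-value>
  </xccdf:Profile>
</xccdf:Tailoring>
"""

def summarize(tailoring_xml):
    """Return (selected idrefs, deselected idrefs, {value idref: text})."""
    profile = ET.fromstring(tailoring_xml).find("xccdf:Profile", NS)
    selected, deselected, values = [], [], {}
    for sel in profile.findall("xccdf:select", NS):
        chosen = sel.get("selected") in ("true", "1")  # both XML boolean spellings
        (selected if chosen else deselected).append(sel.get("idref"))
    for sv in profile.findall("xccdf:set-value", NS):
        values[sv.get("idref")] = sv.text
    return selected, deselected, values

def compact(tailoring_xml):
    """Return a copy without selected="false" entries, or the input unchanged.
    A profile with 'extends' inherits its parent's selections, so each
    selected="false" there is an override that must stay. Dropping them also
    assumes the benchmark's rules default to unselected, as SSG content does."""
    root = ET.fromstring(tailoring_xml)
    profile = root.find("xccdf:Profile", NS)
    if profile.get("extends"):
        return tailoring_xml
    for sel in list(profile.findall("xccdf:select", NS)):
        if sel.get("selected") not in ("true", "1"):
            profile.remove(sel)
    return ET.tostring(root, encoding="unicode")
```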

Comment 2 Marek Haicman 2019-02-26 17:21:54 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

