1619689 – Ship profile in line with OSPP v4.2

Bug 1619689 - Ship profile in line with OSPP v4.2

Summary: Ship profile in line with OSPP v4.2

Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	scap-security-guide
Sub Component:
Version:	7.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Marek Haicman
QA Contact:	Marek Haicman
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-08-21 13:38 UTC by Marek Haicman
Modified:	2018-10-30 11:47 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:
Doc Text:	(edit) SCAP Security Guide now supports OSPP v4.2 This update of the _scap-security-guide_ packages introduces a new profile defining the core requirements of OSPP (General-Purpose Operating System Protection Profile) v4.2. The new profile ID is `ospp42`, and the previously released profile USGCB (United States Government Configuration Baseline) OSPP v4.0 is available with ID `ospp`. SCAP Security Guide now supports OSPP v4.2 This update of the _scap-security-guide_ packages introduces a new profile defining the core requirements of OSPP (General-Purpose Operating System Protection Profile) v4.2. The new profile ID is `ospp42`, and the previously released profile USGCB (United States Government Configuration Baseline) OSPP v4.0 is available with ID `ospp`.
Clone Of:
Environment:	(edit)
Last Closed:	2018-10-30 11:47:45 UTC

Attachments	(Terms of Use)
State of profile ospp42 (1.25 MB, text/html) 2018-09-25 23:24 UTC, Marek Haicman	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:3308	None	None	None	2018-10-30 11:47 UTC

Description Marek Haicman 2018-08-21 13:38:15 UTC

Description of problem:
OSPP profile shipped in RHEL7 is currently v4.0. As the latest version is v4.2, it's desired to have that version available, either as a replacement, or as a separate profile.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.40-2.el7

How reproducible:
reliably

Steps to Reproduce:
1. oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
2. open /usr/share/doc/scap-security-guide-doc-0.1.40/ssg-rhel7-guide-ospp.html from scap-security-guide-doc
3.

Actual results:
No explicit OSPP profile, and USGCB profile has in the guide this:
NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)

Expected results:
Either explicit OSPP profile is available, following v4.2 or USGCB profile is updated.

Additional info:

Comment 7 Marek Haicman 2018-09-25 23:24 UTC

Created attachment 1486946 [details]
State of profile ospp42

Verified for version scap-security-guide-0.1.40-12.el7

Profile with core OSPP v4.2 rules is part of SCAP Security Guide package, with these statistics:
Total rules: 176
Passing (after remediation): 151
Passing (if https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules is present in /etc/audit/rules.d/): 167
Deliberate failures: 2 (it is up to user to set it appropriately)
Failing remediations: 3 (sudo and sudoedit will pass when remediation is performed once again)
Rules without OVAL: 3 (Ensure Software Patches Installed is special case)

Comment 13 errata-xmlrpc 2018-10-30 11:47:45 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3308

Note You need to log in before you can comment on or make changes to this bug.