Bug 1619689 – Ship profile in line with OSPP v4.2

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1619689 - Ship profile in line with OSPP v4.2

Summary:	Ship profile in line with OSPP v4.2

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	scap-security-guide (Show other bugs)
Sub Component:
Version:	7.6
Hardware:	Unspecified Unspecified

Priority	medium Severity medium
Target Milestone:	rc
Target Release:	---
Assigned To:	Marek Haicman
QA Contact:	Marek Haicman
Docs Contact:	Mirek Jahoda

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2018-08-21 09:38 EDT by Marek Haicman
Modified:	2018-10-30 07:47 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:	scap-security-guide-0.1.40-4.el7
Doc Type:	Enhancement
Doc Text:	SCAP Security Guide now supports OSPP v4.2 This update of the _scap-security-guide_ packages introduces a new profile defining the core requirements of OSPP (General-Purpose Operating System Protection Profile) v4.2. The new profile ID is `ospp42`, and the previously released profile USGCB (United States Government Configuration Baseline) OSPP v4.0 is available with ID `ospp`.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2018-10-30 07:47:45 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
State of profile ospp42 (1.25 MB, text/html) 2018-09-25 19:24 EDT, Marek Haicman	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:3308	None	None	None	2018-10-30 07:47 EDT

Groups: None (edit)

Description Marek Haicman 2018-08-21 09:38:15 EDT

Description of problem:
OSPP profile shipped in RHEL7 is currently v4.0. As the latest version is v4.2, it's desired to have that version available, either as a replacement, or as a separate profile.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.40-2.el7

How reproducible:
reliably

Steps to Reproduce:
1. oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
2. open /usr/share/doc/scap-security-guide-doc-0.1.40/ssg-rhel7-guide-ospp.html from scap-security-guide-doc
3.

Actual results:
No explicit OSPP profile, and USGCB profile has in the guide this:
NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)

Expected results:
Either explicit OSPP profile is available, following v4.2 or USGCB profile is updated.

Additional info:

Comment 7 Marek Haicman 2018-09-25 19:24 EDT

Created attachment 1486946 [details]
State of profile ospp42

Verified for version scap-security-guide-0.1.40-12.el7

Profile with core OSPP v4.2 rules is part of SCAP Security Guide package, with these statistics:
Total rules: 176
Passing (after remediation): 151
Passing (if https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules is present in /etc/audit/rules.d/): 167
Deliberate failures: 2 (it is up to user to set it appropriately)
Failing remediations: 3 (sudo and sudoedit will pass when remediation is performed once again)
Rules without OVAL: 3 (Ensure Software Patches Installed is special case)

Comment 13 errata-xmlrpc 2018-10-30 07:47:45 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3308

Note You need to log in before you can comment on or make changes to this bug.