Bug 1630739
| Field | Value |
|---|---|
| Summary | Rules not applicable to containers are not marked as "machine only" anymore |
| Product | Red Hat Enterprise Linux 7 |
| Component | scap-security-guide |
| Version | 7.6 |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Reporter | Matus Marhefka <mmarhefk> |
| Assignee | Watson Yuuma Sato <wsato> |
| QA Contact | Matus Marhefka <mmarhefk> |
| Docs Contact | Mirek Jahoda <mjahoda> |
| CC | jcerny, matyc, mhaicman, mjahoda, mthacker, openscap-maint, salmy, toneata |
| Target Milestone | rc |
| Target Release | --- |
| Keywords | Regression, ZStream |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | scap-security-guide-0.1.43-4.el7 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clones | 1698752 (view as bug list) |
| Bug Blocks | 1648377, 1698752 |
| Type | Bug |
| Regression | --- |
| Last Closed | 2019-08-06 13:04:08 UTC |

Doc Text

`scap-security-guide` now correctly skips rules that are not applicable to containers and container images

SCAP Security Guide content can be used to scan containers and container images now. Rules that are not applicable to containers and container images have been marked with a specific CPE identifier. As a result, the evaluation of these rules is skipped automatically, and the result `not applicable` is reported when scanning containers and container images.
Description
Matus Marhefka
2018-09-19 07:12:10 UTC
The original report is a consequence of the following upstream issue: https://github.com/ComplianceAsCode/content/issues/3569

The issue was caused by a structure reorganization in the upstream SSG project. Rules which were marked with the "cpe:/a:machine" CPE lost this CPE during the reorganization and became "applicable" when scanning/remediating container images. This causes `atomic scan` to scan/remediate rules which should be "not applicable" to containers, which results in errors.

The issue is fixed upstream: https://github.com/ComplianceAsCode/content/pull/3576

We should also consider reviewing added rules for their machine/container applicability.

The current result is inconsistent: some of the rules are not (audit, grub2 and sysctl rules are not marked as machine only). Moving back to ASSIGNED.

The following patches correct inconsistencies of machine-only applicability:

- https://github.com/ComplianceAsCode/content/pull/4240
- https://github.com/ComplianceAsCode/content/pull/4246

The following patches mark as machine only rules which are not applicable to containers:

- https://github.com/ComplianceAsCode/content/pull/4240
- https://github.com/ComplianceAsCode/content/pull/4246

Patches from the PRs mentioned in this comment are already backported. The following additional modifications are required to fix the issue.

All SELinux-related rules should be marked as machine only: https://github.com/ComplianceAsCode/content/pull/4280

The following rules also need to be marked as machine only:

```text
service_rexec_disabled:notchecked
service_rlogin_disabled:notchecked
service_abrtd_disabled:pass
service_autofs_disabled:pass
service_avahi-daemon_disabled:pass
service_bluetooth_disabled:pass
service_cups_disabled:pass
service_dhcpd_disabled:pass
service_dovecot_disabled:pass
service_httpd_disabled:pass
service_kdump_disabled:pass
service_named_disabled:pass
service_nfs_disabled:pass
service_ntpdate_disabled:pass
service_oddjobd_disabled:pass
service_qpidd_disabled:pass
service_rdisc_disabled:pass
service_rhnsd_disabled:pass
service_rpcbind_disabled:pass
service_rsh_disabled:pass
service_smb_disabled:pass
service_snmpd_disabled:pass
service_squid_disabled:pass
service_telnet_disabled:pass
service_tftp_disabled:pass
service_vsftpd_disabled:pass
service_ypbind_disabled:pass
service_zebra_disabled:pass
```

Both PRs address the remaining issues:

- https://github.com/ComplianceAsCode/content/pull/4280
- https://github.com/ComplianceAsCode/content/pull/4290

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2198
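The check a practitioner would want after reading this bug is a way to audit a built XCCDF benchmark or datastream for rules that look host-only but are not bound to the `cpe:/a:machine` platform, which is exactly the regression described above. The script below is an added example written for this page; it is not code from the bug report or from the scap-security-guide project. The embedded XML is a constructed XCCDF 1.2 fragment that mimics the SSG layout (a `cpe-lang:platform` with id `machine` whose only fact is `cpe:/a:machine`, referenced from rules as `<platform idref="#machine"/>`), and the `MACHINE_ONLY_PREFIXES` heuristic (service, sysctl, grub2, audit, selinux rule name prefixes) is an assumption drawn from the rule families named in the comments, not a rule the project defines.

```python
"""Audit XCCDF content for rules that lack the cpe:/a:machine platform binding.

Added example for this bug page; not SSG project code. Works on any XCCDF 1.2
document or SCAP source datastream because it walks all descendants of the root.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
CPE_NS = "http://cpe.mitre.org/language/2.0"

# Constructed sample modelled on the SSG datastream layout; not real SSG content.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           xmlns:cpe-lang="http://cpe.mitre.org/language/2.0"
           id="xccdf_org.example_benchmark_demo">
  <platform idref="cpe:/o:redhat:enterprise_linux:7"/>
  <cpe-lang:platform-specification>
    <cpe-lang:platform id="machine">
      <cpe-lang:logical-test operator="AND" negate="false">
        <cpe-lang:fact-ref name="cpe:/a:machine"/>
      </cpe-lang:logical-test>
    </cpe-lang:platform>
  </cpe-lang:platform-specification>
  <Group id="xccdf_org.example_group_services">
    <title>Services</title>
    <Rule id="xccdf_org.example_rule_service_kdump_disabled" selected="true">
      <title>Disable kdump</title>
      <platform idref="#machine"/>
    </Rule>
    <Rule id="xccdf_org.example_rule_service_telnet_disabled" selected="true">
      <title>Disable telnet</title>
    </Rule>
    <Rule id="xccdf_org.example_rule_sysctl_net_ipv4_ip_forward" selected="true">
      <title>Disable IP forwarding</title>
    </Rule>
    <Rule id="xccdf_org.example_rule_file_permissions_etc_passwd" selected="true">
      <title>Permissions on /etc/passwd</title>
    </Rule>
  </Group>
</Benchmark>
"""

# Assumed heuristic: rule families that only make sense on a host, per the comments above.
MACHINE_ONLY_PREFIXES = ("service_", "sysctl_", "grub2_", "audit_", "selinux_")


def _q(ns, tag):
    """Build a Clark-notation tag name for ElementTree lookups."""
    return "{%s}%s" % (ns, tag)


def machine_platform_ids(root):
    """Return idrefs ('#<id>') of cpe-lang platforms whose only fact is cpe:/a:machine."""
    ids = set()
    for plat in root.iter(_q(CPE_NS, "platform")):
        facts = [f.get("name") for f in plat.iter(_q(CPE_NS, "fact-ref"))]
        if facts and all(f == "cpe:/a:machine" for f in facts):
            ids.add("#" + plat.get("id"))
    return ids


def rule_applicability(xccdf_text):
    """Map each Rule id to True when the rule is bound to a machine-only platform."""
    root = ET.fromstring(xccdf_text)
    machine_ids = machine_platform_ids(root)
    result = {}
    for rule in root.iter(_q(XCCDF_NS, "Rule")):
        platforms = {p.get("idref") for p in rule.findall(_q(XCCDF_NS, "platform"))}
        result[rule.get("id")] = bool(platforms & machine_ids)
    return result


def suspicious_rules(xccdf_text, prefixes=MACHINE_ONLY_PREFIXES):
    """Rules whose short name matches a host-only family but lack the machine platform."""
    out = []
    for rule_id, is_machine in rule_applicability(xccdf_text).items():
        short = rule_id.rsplit("_rule_", 1)[-1]  # strip the xccdf_org..._rule_ prefix
        if short.startswith(prefixes) and not is_machine:
            out.append(rule_id)
    return sorted(out)


if __name__ == "__main__":
    for rule_id in suspicious_rules(SAMPLE_XCCDF):
        print("missing machine platform:", rule_id)
```

On a RHEL 7 system the same functions can be pointed at the shipped datastream (for example `/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml`, read into a string) to list candidate regressions before scanning a container image; rules that are bound to `#machine` are the ones OpenSCAP reports as `notapplicable` in a container, while an unbound `service_*` or `sysctl_*` rule is evaluated and remediated as if it were running on a host, which is the failure mode this bug describes.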