Bug 1726698 - Rebase scap-security-guide in Red Hat Enterprise Linux 7.8 to latest upstream version
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Watson Yuuma Sato
QA Contact: Matus Marhefka
RaTasha Tillery-Smith
Reported: 2019-07-03 13:20 UTC by Watson Yuuma Sato
Modified: 2020-11-14 05:33 UTC (History)

Fixed In Version: scap-security-guide-0.1.46-9.el7
Doc Type: Enhancement
Doc Text:
.`SCAP Security Guide` rebased to version 0.1.46

The `SCAP Security Guide` (SSG) packages have been upgraded to version 0.1.46, which provides enhancements and bug fixes over the previous version, most notably:

* SSG now provides content that follows guidelines conforming to the SCAP 1.3 standard. The 1.3 data streams are compatible with OpenSCAP and used by default. Note that you can still use content suffixed with `-1.2` if you require the use of SCAP 1.2 data streams, as this data moved to the "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml" path. The new 1.3 data stream is located in the usual path.
Clone Of:
Last Closed: 2020-03-31 19:38:15 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:1019 0 None None None 2020-03-31 19:38:35 UTC

Description Watson Yuuma Sato 2019-07-03 13:20:57 UTC
The version currently in RHEL7 is 0.1.43.

Upstream version 0.1.44 is already released (on May 3rd 2019); changes from 0.1.43 to 0.1.44 can be checked here: https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44

Next upstream release version 0.1.45 is to happen soon, in July 2019.

Comment 8 Jan Černý 2019-11-13 11:37:01 UTC
The Ansible Playbook for STIG profile errors in scap-security-guide-0.1.46-5.el7.noarch and it terminates before finishing.

1. # oscap xccdf generate fix --fix-type ansible --profile stig --output stig-rhel7-role2.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
2. # ansible-playbook -i "localhost," -c local --check stig-rhel7-role2.yml

In --check mode, it fails on:

TASK [Disable service kdump] ****************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'service_file_exists.rc == 0' failed. The error was: error while evaluating conditional (service_file_exists.rc == 0): 'dict object' has no attribute 'rc'\n\nThe error appears to be in '/root/stig-rhel7-role2.yml': line 430, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n    - name: Disable service kdump\n      ^ here\n"}

In real run, it fails on:


TASK [Get nfs and nfs4 mount points, that don't have nosuid] ********************************************
fatal: [localhost]: FAILED! => {"changed": false, "cmd": "set -o pipefail\ngrep -E \"[[:space:]]nfs[4]?[[:space:]]\" /etc/fstab | grep -v \"nosuid\" | awk '{print $2}'\n", "delta": "0:00:00.006738", "end": "2019-11-13 04:33:35.210072", "msg": "non-zero return code", "rc": 1, "start": "2019-11-13 04:33:35.203334", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}


This problem has been discovered during verification of https://bugzilla.redhat.com/show_bug.cgi?id=1747188

Comment 9 Jan Černý 2019-11-13 12:04:07 UTC
The kdump service failure has been reported upstream in https://github.com/ComplianceAsCode/content/issues/5003 which references https://github.com/RedHatOfficial/ansible-role-rhel7-stig/issues/18

Comment 12 Milan Lysonek 2019-11-13 12:23:58 UTC
The issue with the failing nfs Ansible remediation mentioned in Comment 8 has already been fixed upstream - https://github.com/ComplianceAsCode/content/pull/4784

Comment 13 Gabriel Gaspar Becker 2019-11-13 12:35:42 UTC
The omission of removing directory_access_var_log_audit rule in favor of audit_rules_for_ospp should be backported and the fix already exists upstream: https://github.com/ComplianceAsCode/content/pull/4957

Comment 14 Jan Černý 2019-11-13 13:14:28 UTC
I have checked the Ansible Playbook generated using the 'stig' profile from ssg-rhel7-ds.xml provided by scap-security-guide-0.1.46-5.el7.noarch.
I have continuously removed all the failing tasks from the playbook to allow the playbook to finish.

In the real run (without --check) the offending rules were: mount_option_nosuid_remote_filesystems and mount_option_noexec_remote_filesystems.
These are templated rules, which means the Ansible template mount_option_remote_filesystems needs to be fixed.

In the check mode (with --check), there are more errors than in the real run, specifically:
- service_autofs_disabled and service_kdump_disabled - they are templated, we need to fix Ansible template service_disabled
- mount_option_nosuid_remote_filesystems and mount_option_noexec_remote_filesystems - they are templated, we need to fix Ansible template mount_option_remote_filesystems
- mount_option_krb_sec_remote_filesystem
- grub2_enable_fips_mode
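
The real-run failure in Comment 8 reports rc 1 with empty stdout and stderr, which is what grep returns when nothing matches, so the task fails precisely on hosts that have no offending NFS mount. The script below is an added example, not code from this bug report or from the upstream fix: it reproduces that exit status and contrasts it with an awk-based check, swapped in for the page's grep pipeline, that exits 0 when there is nothing to report. Function names and the fstab content are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample fstab are constructed.

# Status of `grep -E nfs | grep -v OPT | awk` under `set -o pipefail`
# (the rightmost non-zero stage), computed stage by stage for portability.
page_pipeline_status() {
    s1=0; s2=0
    lines=$(grep -E '[[:space:]]nfs[4]?[[:space:]]' "$1" 2>/dev/null) || s1=$?
    printf '%s' "$lines" | grep -v "$2" >/dev/null || s2=$?
    if [ "$s2" -ne 0 ]; then return "$s2"; fi
    return "$s1"
}

# Tolerant check: print mount points of nfs/nfs4 entries lacking option $2.
# Exits 0 even when nothing is printed; exits 2 only if fstab is unreadable.
nfs_mounts_missing_opt() {
    [ -r "$1" ] || return 2
    awk -v opt="$2" '
        $1 ~ /^#/ { next }                      # skip comment lines
        $3 == "nfs" || $3 == "nfs4" {
            n = split($4, o, ","); found = 0
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
            if (!found) print $2
        }' "$1"
}

# Constructed sample: one hardened NFS mount, one lacking nosuid and noexec.
write_sample_fstab() {
    cat > "$1" <<'EOF'
/dev/mapper/rhel-root /            xfs  defaults                  0 0
nfs1.example:/export  /mnt/safe    nfs  rw,nosuid,noexec,sec=krb5 0 0
nfs2.example:/export  /mnt/loose   nfs4 rw                        0 0
EOF
}

demo() {
    f=$(mktemp) || return 1
    write_sample_fstab "$f"
    echo "missing nosuid: $(nfs_mounts_missing_opt "$f" nosuid)"
    grep -v loose "$f" > "$f.ok"    # variant where every NFS mount is compliant
    rc=0; page_pipeline_status "$f.ok" nosuid || rc=$?
    echo "page pipeline on compliant fstab: rc=$rc"
    rm -f "$f" "$f.ok"
}
demo
```

In an Ansible task that keeps the grep pipeline, the same distinction has to be made on the registered result: rc 1 with empty output means "no findings", not a task failure.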

Comment 15 Gabriel Gaspar Becker 2019-11-15 14:12:28 UTC
There is a fix upstream for ansible playbook generated using 'stig' profile.


Comment 16 Gabriel Gaspar Becker 2019-11-18 14:03:51 UTC
Two patches which fix missing CCE identifiers need to be backported:

Comment 29 errata-xmlrpc 2020-03-31 19:38:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

