Bug 1726698 - Rebase scap-security-guide in Red Hat Enterprise Linux 7.8 to latest upstream version
Summary: Rebase scap-security-guide in Red Hat Enterprise Linux 7.8 to latest upstream...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.7
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Watson Yuuma Sato
QA Contact: Matus Marhefka
Docs Contact: RaTasha Tillery-Smith
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-03 13:20 UTC by Watson Yuuma Sato
Modified: 2020-03-31 19:38 UTC (History)

Fixed In Version: scap-security-guide-0.1.46-9.el7
Doc Type: Enhancement
Doc Text:
`SCAP Security Guide` rebased to version 0.1.46

The `SCAP Security Guide` (SSG) packages have been upgraded to version 0.1.46, which provides enhancements and bug fixes over the previous version, most notably:

* SSG now provides content that follows guidelines conforming to the SCAP 1.3 standard. The 1.3 data streams are compatible with OpenSCAP and used by default. Note that you can still use content suffixed with `-1.2` if you require the use of SCAP 1.2 data streams, as this data moved to the "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml" path. The new 1.3 data stream is located in the usual path.
Clone Of:
Environment:
Last Closed: 2020-03-31 19:38:15 UTC
Target Upstream Version:
Links:
Red Hat Product Errata RHBA-2020:1019 (last updated 2020-03-31 19:38:35 UTC)

Description Watson Yuuma Sato 2019-07-03 13:20:57 UTC
The version currently in RHEL7 is 0.1.43.

Upstream version 0.1.44 is already released (on May 3rd 2019); the changes from 0.1.43 to 0.1.44 can be checked here: https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44

Next upstream release version 0.1.45 is to happen soon, in July 2019.

Comment 8 Jan Černý 2019-11-13 11:37:01 UTC
The Ansible Playbook for STIG profile errors in scap-security-guide-0.1.46-5.el7.noarch and it terminates before finishing.

1. # oscap xccdf generate fix --fix-type ansible --profile stig --output stig-rhel7-role2.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
2. # ansible-playbook -i "localhost," -c local --check stig-rhel7-role2.yml

In --check mode, it fails on:

8<---8<---8<---8<---8<---8<---8<---8<---
TASK [Disable service kdump] ****************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'service_file_exists.rc == 0' failed. The error was: error while evaluating conditional (service_file_exists.rc == 0): 'dict object' has no attribute 'rc'\n\nThe error appears to be in '/root/stig-rhel7-role2.yml': line 430, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n    - name: Disable service kdump\n      ^ here\n"}
8<---8<---8<---8<---8<---8<---8<---8<---

In real run, it fails on:

8<---8<---8<---8<---8<---8<---8<---8<---

TASK [Get nfs and nfs4 mount points, that don't have nosuid] ********************************************
fatal: [localhost]: FAILED! => {"changed": false, "cmd": "set -o pipefail\ngrep -E \"[[:space:]]nfs[4]?[[:space:]]\" /etc/fstab | grep -v \"nosuid\" | awk '{print $2}'\n", "delta": "0:00:00.006738", "end": "2019-11-13 04:33:35.210072", "msg": "non-zero return code", "rc": 1, "start": "2019-11-13 04:33:35.203334", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}

8<---8<---8<---8<---8<---8<---8<---8<---

This problem has been discovered during verification of https://bugzilla.redhat.com/show_bug.cgi?id=1747188
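The two failures quoted in Comment 8 come from how Ansible treats `command`/`shell` tasks: under `--check` such a task is skipped, so the registered variable carries no `rc` attribute and the `when:` comparison errors out; and with `set -o pipefail`, a `grep` that matches nothing exits 1, which Ansible reports as a failed task. The YAML below is an added illustration of the broken pattern beside a robust form; it is not SSG's template code or the upstream fix, and the task names and the `systemctl cat` probe are assumptions.

```yaml
# Added illustration, not SSG's templates or the upstream fix; task names and
# the probe command are assumptions.

# --- Failure 1: probe skipped in --check mode --------------------------------
# `command` tasks are skipped under --check, so `service_file_exists` only
# carries "skipped": true and the conditional below raises
# "'dict object' has no attribute 'rc'".
- name: Test whether a kdump unit file exists (broken under --check)
  command: systemctl cat kdump.service
  register: service_file_exists
  changed_when: false
  failed_when: false

- name: Disable service kdump (broken under --check)
  service:
    name: kdump
    enabled: no
    state: stopped
  when: service_file_exists.rc == 0

# Hardened: the probe is read-only, so let it run in check mode too, and
# only touch the service when the probe actually produced a return code.
- name: Test whether a kdump unit file exists
  command: systemctl cat kdump.service
  register: service_file_exists
  changed_when: false
  failed_when: false
  check_mode: false

- name: Disable service kdump
  service:
    name: kdump
    enabled: no
    state: stopped
  when:
    - service_file_exists.rc is defined
    - service_file_exists.rc == 0

# --- Failure 2: grep exits 1 when nothing matches ----------------------------
# With `set -o pipefail` the pipeline status is 1 on a host with no nfs lines
# in /etc/fstab. Only grep status 2 (a real error) should fail the task.
- name: Get nfs and nfs4 mount points that don't have nosuid
  shell: |
    set -o pipefail
    grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "nosuid" | awk '{print $2}'
  register: nfs_mounts_without_nosuid
  changed_when: false
  failed_when: nfs_mounts_without_nosuid.rc > 1
  check_mode: false
```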

Comment 9 Jan Černý 2019-11-13 12:04:07 UTC
The kdump service failure has been reported upstream in https://github.com/ComplianceAsCode/content/issues/5003 which references https://github.com/RedHatOfficial/ansible-role-rhel7-stig/issues/18

Comment 12 Milan Lysonek 2019-11-13 12:23:58 UTC
The issue with the failing nfs ansible remediation mentioned in Comment 8 has already been fixed upstream - https://github.com/ComplianceAsCode/content/pull/4784

Comment 13 Gabriel Gaspar Becker 2019-11-13 12:35:42 UTC
The omission of removing the directory_access_var_log_audit rule in favor of audit_rules_for_ospp should be backported; the fix already exists upstream: https://github.com/ComplianceAsCode/content/pull/4957

Comment 14 Jan Černý 2019-11-13 13:14:28 UTC
I have checked the Ansible Playbook generated using the 'stig' profile from ssg-rhel7-ds.xml provided by scap-security-guide-0.1.46-5.el7.noarch.
I have continuously removed all the failing tasks from the playbook to allow the playbook to finish.

In the real run (without --check) the offending rules were: mount_option_nosuid_remote_filesystems and mount_option_noexec_remote_filesystems.
These are templated rules, which means the Ansible template mount_option_remote_filesystems needs to be fixed.

In the check mode (with --check), there are more errors than in the real run, specifically:
- service_autofs_disabled and service_kdump_disabled - they are templated, we need to fix the Ansible template service_disabled
- mount_option_nosuid_remote_filesystems and mount_option_noexec_remote_filesystems - they are templated, we need to fix the Ansible template mount_option_remote_filesystems
- mount_option_krb_sec_remote_filesystem
- grub2_enable_fips_mode

Comment 15 Gabriel Gaspar Becker 2019-11-15 14:12:28 UTC
There is a fix upstream for the Ansible playbook generated using the 'stig' profile.

https://github.com/ComplianceAsCode/content/pull/5004

Comment 16 Gabriel Gaspar Becker 2019-11-18 14:03:51 UTC
Two patches which fix missing CCE identifiers need to be backported:
https://github.com/ComplianceAsCode/content/pull/4866
https://github.com/ComplianceAsCode/content/pull/4956

Comment 29 errata-xmlrpc 2020-03-31 19:38:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1019

