Description of problem:
When remediating a RHEL7 box with CIS Profile, rule rpm_verify_permissions always results in fail.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.49-11.el7

How reproducible:
Always

Steps to Reproduce:
1. oscap xccdf eval --remediate --profile cis --report cis_report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
2. Open the report and check details of rule with id xccdf_org.ssgproject.content_rule_rpm_verify_permissions

Actual results:
Scan of rule rpm_verify_permissions results in fail, with following findings:
/etc/cron.hourly
/etc/crontab
/etc/cron.monthly
/etc/cron.weekly
/etc/cron.daily
/etc/cron.d

Expected results:
Scan of rule rpm_verify_permissions results in pass.

Additional info:
CIS Profile contains rules that require that permissions of the files mentioned above be set to more restrictive permissions, but rule rpm_verify_permissions compares the file permissions against package default permissions.

Closing this BZ. This expectation in CIS profile is not compatible with how RPM verification works, and implementation would be prohibitively expansive. For further details please read the Doc text.
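
The conflict described in this report can be triaged by checking whether each flagged file's on-disk mode only removes bits from the packaged mode (hardening, as the CIS rules do) or adds bits (a real loosening). The script below is an added example, not part of the original report or of scap-security-guide; the function names and the sample modes are constructed for illustration.

```shell
#!/bin/sh
# Classify how an on-disk mode deviates from the mode recorded in the RPM database.
# Arguments are octal strings (e.g. 0755 or 100644); file-type bits are masked off.
classify_mode() (
    case "$1$2" in *[!0-7]*) echo invalid; exit 2 ;; esac
    pkg=$(( 0$1 & 07777 ))
    cur=$(( 0$2 & 07777 ))
    removed=$(( $pkg & ~$cur & 07777 ))   # bits the package grants, disk does not
    added=$(( $cur & ~$pkg & 07777 ))     # bits on disk the package never granted
    if [ "$pkg" -eq "$cur" ]; then echo same
    elif [ "$added" -eq 0 ]; then echo stricter   # pure hardening, e.g. CIS og-rwx
    elif [ "$removed" -eq 0 ]; then echo looser   # pure loosening, worth investigating
    else echo mixed
    fi
)

# Read "path packaged_mode current_mode" lines on stdin, print "verdict path".
# On a live system the columns could be gathered with
#   rpm -qf PATH --qf '[%{FILENAMES} %{FILEMODES:octal}\n]'   and   stat -c %a PATH
triage_findings() {
    while read -r path pkg cur; do
        [ -n "$path" ] || continue
        printf '%s %s\n' "$(classify_mode "$pkg" "$cur")" "$path"
    done
}

# Constructed sample input (not taken from a real scan): two paths tightened
# by remediation and one directory that was made world-writable.
sample_findings() {
    cat <<'EOF'
/etc/crontab 100644 100600
/etc/cron.d 040755 040700
/etc/cron.daily 040755 040777
EOF
}

sample_findings | triage_findings
```

Findings reported as `stricter` are the expected side effect of the CIS remediation; `looser` and `mixed` are the ones that still need review.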