Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1841612

Summary: Missing documentation on supported SSG profiles for each RHEL minor version
Product: Red Hat Enterprise Linux 8 Reporter: Andrew Kofink <akofink>
Component: scap-security-guideAssignee: Vojtech Polasek <vpolasek>
Status: CLOSED CURRENTRELEASE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact: Jan Fiala <jafiala>
Priority: unspecified    
Version: ---CC: ggasparb, jafiala, matyc, mgoyal, mhaicman, mthacker, wsato
Target Milestone: rcKeywords: Triaged
Target Release: 8.0Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-13 08:49:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Andrew Kofink 2020-05-29 14:29:11 UTC 
Description of problem:
There does not seem to be any documentation about which SCAP Security Guide profiles are supported on any given RHEL release. This is required as it appears the list of profiles shipped with each minor version may change from release to release.

Version-Release number of selected component (if applicable):
All versions

How reproducible:
Always

Additional info:
In general, it is important for customers to be able to determine if they are using a Red Hat supported and tested configuration (RHEL version, SSG version, SSG profile).
Comment 1 Marek Haicman 2020-06-01 11:07:52 UTC 
As we have established in Bug 1834801, the supported version of SSG for any given minor release of RHEL is the one that is shipped withing this minor release channel.

And the list of profiles is determined by the SSG. You can print out which profiles are shipped with command:

`oscap info --profiles <datastream>`
Comment 2 Marek Haicman 2020-06-01 11:41:53 UTC 
More remarks:
- We cannot assume the number of profiles shipped during GA will not change (there might be addition of another profile after GA, theoretically).
- We do not remove profiles, except when they are obsoleted by something else.
- I would expect users to be also curious about version of the policy the profile covers. Unfortunately it's not recorded in the datastream.
Comment 3 Andrew Kofink 2020-06-01 14:39:06 UTC 
Marek,

During the documentation review for SSG version, perhaps we could mention some of your remarks as well with respect to the supported profiles. The fact that we will not remove profiles seems to be pretty important to customers for (scanning) automation stability during/after OS or SSG upgrades and something that we could commit to in the docs.

What about rules and values? Could those change between OS minor versions? Are rules potentially added but never removed from the benchmark like you've stated for profiles? What about rules in a profile: could a profile's rules change change between OS minor releases or SSG versions?

Thanks for the info,
Andrew
Comment 4 Watson Yuuma Sato 2020-06-02 09:12:09 UTC 
Hi Andrew,

(In reply to Andrew Kofink from comment #3)
> What about rules and values? Could those change between OS minor versions?
Yes, values can be added to allow new customizations.
And rules can change to fix bugs, or follow changes in the technology they are configuring.

> Are rules potentially added but never removed from the benchmark like you've stated for profiles?
Some rules may be superseded by new ones, typically they are kept in the Benchmark, but not selected in the profile.

> What about rules in a profile: could a profile's rules change change between OS minor releases or SSG versions?
Yes, the profiles are developed iteratively, so the rule set improves over time.
New versions of a policy will also be a reason to change the rule set in a profile.
Comment 8 Jan Fiala 2020-11-13 08:49:05 UTC 
I have just published the updated documentation on the Customer Portal


RHEL8: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/security_hardening/index?lb_target=production#scap-security-guide-profiles-supported-in-rhel_scanning-the-system-for-configuration-compliance-and-vulnerabilities]
RHEL7: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/index#scap-security-guide-profiles-supported-in-rhel-7_scanning-the-system-for-configuration-compliance-and-vulnerabilities]