Description of problem: After openscap security scan with the following profile: "Standard System Security Profile for Red Hat Enterprise Linux 7" "xccdf_org.ssgproject.content_profile_standard" Rule Id: "xccdf_org.ssgproject.content_rule_service_ntpdate_disabled" - Even if the ntpdate.service is disabled, the result is fail ------------------------------------------------------------ Disable ntpdate Service (ntpdate) low fail ------------------------------------------------------------ - With the Description : ------------------------------------------------------------------------------- The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in /etc/ntp/step-tickers or /etc/ntp.conf and then sets the local hardware clock to the newly synchronized system time. The ntpdate service can be disabled with the following command: $ sudo systemctl disable ntpdate.service The ntpdate service can be masked with the following command: $ sudo systemctl mask ntpdate.service ------------------------------------------------------------------------------- - But the text is not clear whether both disable and mask commands should be executed or not. Version-Release number of selected component (if applicable): scap-security-guide-0.1.49-13.el7.noarch How reproducible: Steps to Reproduce: 1. install "scap-security-guide-0.1.49-13.el7.noarch". 2. Ensure the ntpdate.service is disabled. 3. Scan the system using standard profile "xccdf_org.ssgproject.content_profile_standard" Actual results: Rule Id: "xccdf_org.ssgproject.content_rule_service_ntpdate_disabled" ------------------------------------------------------------ Disable ntpdate Service (ntpdate) low fail ------------------------------------------------------------ The description is not clear. Expected results: The description should have a clear text about what should be done on the system.
Fixed upstream: https://github.com/ComplianceAsCode/content/pull/6298
Another patch is required to completely fix this issue: https://github.com/ComplianceAsCode/content/pull/6346
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1383