Description of problem: STIG compliance profile (id `stig`) is incompatible with the Server with GUI. But GUI installation is a valid use case, and STIG itself does not prevent such installation. For this reason, it makes sense to have separate profile `STIG with GUI`, which will reflect this choice. Version-Release number of selected component (if applicable): scap-security-guide-0.1.54-3.el7_9.noarch How reproducible: reliably Steps to Reproduce: 1. oscap info --profiles /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml | grep stig 2. 3. Actual results: xccdf_org.ssgproject.content_profile_stig:DISA STIG for Red Hat Enterprise Linux 7 xccdf_org.ssgproject.content_profile_rhelh-stig:[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH) Expected results: Another profile, for GUI installation, is available. Additional info:
Upstream patch is here: https://github.com/ComplianceAsCode/content/pull/6863
Created attachment 1794309 [details] HTML report from scan of a system installed with STIG GUI profile (Server with GUI install)
Verified for scap-security-guide-0.1.54-6.el7_9 Status of STIG GUI (stig_gui) profile v3r3: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Rules without Bash and Ansible remediations (remediations are omitted on purpose): grub2_password package_MFEhiplsm_installed install_antivirus set_firewalld_default_zone network_configure_name_resolution Rules with missing Ansible remediations: aide_verify_ext_attributes aide_verify_acls aide_use_fips_hashes aide_scan_notification configure_firewalld_ports postfix_prevent_unrestricted_relay chronyd_or_ntpd_set_maxpoll smartcard_auth Known issues: rpm_verify_hashes - fails because rule require_singleuser_auth modifies /usr/lib/systemd/system/rescue.service sysctl_net_ipv4_ip_forward - bz1825810 dconf_gnome_screensaver_idle_activation_enabled, dconf_gnome_screensaver_idle_delay, dconf_gnome_disable_automount_open - bz1976123 out of memory issue - caused by bz1861300, system might run out of memory in case a scan is performed on RHEL-7.9 GUI installation with minimal system requirements and openscap-1.2.17-11.el7 (manifests through the rpm_verify_hashes rule, openscap subprocess is killed and the rule results in "unknown"), it is recommended to use openscap-1.2.17-13.el7_9 which mitigates this issue HTML report from scan of a system installed with STIG profile is attached as stig_gui.html (Server with GUI install).
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2803