2129100 – After provisioning with ospp profile remediation, enable_fips_mode fails on s390x

Bug 2129100 - After provisioning with ospp profile remediation, enable_fips_mode fails on s390x

Summary: After provisioning with ospp profile remediation, enable_fips_mode fails on s...

Keywords:
Status:	MODIFIED
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	scap-security-guide
Sub Component:
Version:	8.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Vojtech Polasek
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	2185882 (view as bug list)
Depends On:
Blocks:	1940119
TreeView+	depends on / blocked

Reported:	2022-09-22 14:00 UTC by Jan Pazdziora
Modified:	2023-08-14 13:13 UTC (History)
CC List:	11 users (show)
Fixed In Version:	scap-security-guide-0.1.69-1.el8
Doc Type:	Bug Fix
Doc Text:	.Fixed rule enable_fips_mode on s390x architecture The OVAL check in rule `enable_fips_mode` has been fixed to work correctly on the s390x architecture. The check will not check the contents of `/boot/grub2/grubenv` file which isn't relevant on the 390x architecture because on this architecture the GRUB bootloader isn't used. On the s390x architecture, only a test if argument `fips=1` for Linux kernel is present in `/boot/loader/entries/.*.conf` files is checked.
Clone Of:
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-134708	0	None	None	None	2022-09-22 14:04:31 UTC

Description Jan Pazdziora 2022-09-22 14:00:32 UTC

Description of problem:

When provisioning system with org_fedora_oscap addon and ospp profile, and then checking with oscap xccdf eval, the enable_fips_mode rule fails but only on s390x.

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.63-1.el8_6.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Boot the latest RHEL 8.6 compose with fips=1 parameter.
2. yum install -y /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
3. oscap xccdf eval --remediate --rule xccdf_org.ssgproject.content_rule_enable_fips_mode --profile xccdf_org.ssgproject.content_profile_ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Actual results:

# oscap xccdf eval --remediate --rule xccdf_org.ssgproject.content_rule_enable_fips_mode --profile xccdf_org.ssgproject.content_profile_ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
--- Starting Evaluation ---

Title   Enable FIPS Mode
Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
Ident   CCE-80942-6
Result  fail


--- Starting Remediation ---

WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
Title   Enable FIPS Mode
Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
Ident   CCE-80942-6
Result  error

Expected results:

# oscap xccdf eval --remediate --rule xccdf_org.ssgproject.content_rule_enable_fips_mode --profile xccdf_org.ssgproject.content_profile_ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
--- Starting Evaluation ---

Title   Enable FIPS Mode
Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
Ident   CCE-80942-6
Result  fail


--- Starting Remediation ---

WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
Title   Enable FIPS Mode
Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
Ident   CCE-80942-6
Result  fixed

Additional info:

The expected result is from latest RHEL 8.6 x86_64, and also from RHEL 8.6 GA s390x with scap-security-guide-0.1.60-7.el8.

On that latest RHEL 8.6 s390x where the remediation resulted in Error, when scap-security-guide gets downgraded to that previous scap-security-guide-0.1.60-7.el8, oscap xccdf eval suddently passes.

Comment 2 Jan Pazdziora 2022-09-22 16:16:10 UTC

I believe the problem comes from oval:ssg-test_grubenv_fips_mode:tst:1 which should not be present for non-grub environments like s390x.

Comment 4 Vojtech Polasek 2023-06-21 09:31:59 UTC

*** Bug 2185882 has been marked as a duplicate of this bug. ***

Comment 5 Marcus Burghardt 2023-07-25 10:28:28 UTC

Fix is merged in Upstream: https://github.com/ComplianceAsCode/content/pull/10897

Note You need to log in before you can comment on or make changes to this bug.