Bug 2164995 - ".include =" in rhel9-playbook-stig.yml causing STIG to flag it.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: scap-security-guide
Version: 9.1
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
Assignee: Vojtech Polasek
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 2192893 2228435 2228436
Reported: 2023-01-27 09:49 UTC by Shreyas Mahangade
Modified: 2023-08-10 09:16 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
.Align remediations with rule description in rule configure_openssl_cryptopolicy
The rule configure_openssl_cryptopolicy has been updated to correctly handle the `=` sign in OpenSSL configuration files. The remediation scripts are now aligned with the rule description. The remediation will now insert the following line, including the `=` sign: `.include = /etc/crypto-policies/back-ends/opensslcnf.config`
Clone Of:
: 2192893 2228435 2228436
Environment:
Last Closed: 2023-08-09 13:12:02 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-146684 0 None None None 2023-01-27 09:53:01 UTC

Description Shreyas Mahangade 2023-01-27 09:49:11 UTC
Description of problem:

The SCAP security guide remediation for add .include for opensslcnf.config to crypto_policy section in RHEL 8 and RHEL 9 adds a line beginning with ".include =". The STIG check expects it to just be ".include" without the = (equals) symbol. Documentation suggests that the use of = here is for backward-compatibility with older versions so that it is harmlessly discarded if not supported. However, we do not want silent disabling of this include, and RHEL 8/9 include the necessary support anyway. Please amend to remove the = (equals) symbol. 

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
Step 1. Install a RHEL 9.1 VM/system.
Step 2. Install the scap-security-guide package.
Step 3. Bring up /usr/share/scap-security-guide/ansible/rhel9-playbook-stig.yml in your favorite editor.
Step 4. Search for a line containing ".include =".

Actual results:

scap adds ".include =" to opensslcnf.config 

Expected results:

scap should add ".include " to opensslcnf.config 

Additional info:

Comment 15 Marcus Burghardt 2023-07-20 13:29:14 UTC
Patch for this rule is merged in Upstream: https://github.com/ComplianceAsCode/content/pull/10828
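
The mismatch this report describes, as an added example that is not code from this bug, the STIG content or the ComplianceAsCode project: OpenSSL's configuration syntax accepts `.include` with or without `=`, so a check written for only one spelling flags a file remediated with the other. The function names, the two checks and the sample configuration text are constructed for illustration; only the include path comes from this page.

```python
import re

# Path quoted on this page; everything else below is constructed for illustration.
POLICY_PATH = "/etc/crypto-policies/back-ends/opensslcnf.config"
SECTION_RE = re.compile(r"^\s*\[\s*([^\]\s]+)\s*\]")
# ".include", then either "=" (optionally padded) or plain whitespace, then the path.
INCLUDE_RE = re.compile(r"^\s*\.include(\s*=\s*|\s+)(\S+)\s*(?:#.*)?$")

def policy_include_form(cnf_text, section="crypto_policy"):
    """Return 'equals', 'bare' or None for the policy include inside `section`."""
    current = None
    for line in cnf_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            continue
        inc = INCLUDE_RE.match(line)  # commented-out lines never match
        if inc and current == section and inc.group(2) == POLICY_PATH:
            return "equals" if "=" in inc.group(1) else "bare"
    return None

def strict_check(cnf_text):
    """Hypothetical check that accepts only the spelling without '='."""
    return policy_include_form(cnf_text) == "bare"

def tolerant_check(cnf_text):
    """Hypothetical check that accepts either spelling of the directive."""
    return policy_include_form(cnf_text) is not None

# Constructed sample inputs (not copied from a real system).
REMEDIATED = "[ crypto_policy ]\n.include = " + POLICY_PATH + "\n"
BARE = "[ crypto_policy ]\n.include " + POLICY_PATH + "\n"
COMMENTED = "[ crypto_policy ]\n# .include = " + POLICY_PATH + "\n"
MISPLACED = "[ other ]\n.include = " + POLICY_PATH + "\n[ crypto_policy ]\n"

if __name__ == "__main__":
    for name, text in [("remediated", REMEDIATED), ("bare", BARE),
                       ("commented", COMMENTED), ("misplaced", MISPLACED)]:
        print(f"{name:10} form={policy_include_form(text)!s:6} "
              f"strict={strict_check(text)} tolerant={tolerant_check(text)}")
```

Both checks reject the commented-out and misplaced cases, so accepting either spelling does not weaken detection of a missing include.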

Comment 16 Jan Černý 2023-07-24 09:30:46 UTC
con

