2164995 – ".include =" in rhel9-playbook-stig.yml causing STIG to flag it.

Bug 2164995 - ".include =" in rhel9-playbook-stig.yml causing STIG to flag it.

Summary: ".include =" in rhel9-playbook-stig.yml causing STIG to flag it.

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	scap-security-guide
Sub Component:
Version:	9.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Vojtech Polasek
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2192893 2228435 2228436
TreeView+	depends on / blocked

Reported:	2023-01-27 09:49 UTC by Shreyas Mahangade
Modified:	2023-08-10 09:16 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	.Align remediations with rule description in rule configure_openssl_cryptopolicy The rule configure_openssl_cryptopolicy has been updated to correctly handle the `=` sign in OpenSSL configuration files. The remediation scripts are now aligned with rule description. The remediation will now insert the following line including the `=` sign: `.include = /etc/crypto-policies/back-ends/opensslcnf.config`
Clone Of:
Clones:	2192893 2228435 2228436 (view as bug list)
Environment:
Last Closed:	2023-08-09 13:12:02 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-146684	0	None	None	None	2023-01-27 09:53:01 UTC

Description Shreyas Mahangade 2023-01-27 09:49:11 UTC

Description of problem:

The SCAP security guide remediation for add .include for opensslcnf.config to crypto_policy section in RHEL 8 and RHEL 9 adds a line beginning with ".include =". The STIG check expects it to just be ".include" without the = (equals) symbol. Documentation suggests that the use of = here is for backward-compatibility with older versions so that it is harmlessly discarded if not supported. However, we do not want silent disabling of this include, and RHEL 8/9 include the necessary support anyway. Please amend to remove the = (equals) symbol. 

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
Step 1. Install a RHEL 9.1 VM/system.
Step 2. Install the scap-security-guide package.
Step 3. Bring up /usr/share/scap-security-guide/ansible/rhel9-playbook-stig.yml in your favorite editor.
Step 4. Search for a line containing ".include =".

Actual results:

scap adds ".include =" to opensslcnf.config 

Expected results:

scap should add ".inlcude " to opensslcnf.config 

Additional info:

Comment 15 Marcus Burghardt 2023-07-20 13:29:14 UTC

Patch for this rule is merged in Upstream: https://github.com/ComplianceAsCode/content/pull/10828

Comment 16 Jan Černý 2023-07-24 09:30:46 UTC

con

Note You need to log in before you can comment on or make changes to this bug.