Bug 2176927 - STIG scan fails on xccdf_org.ssgproject.content_rule_fapolicy_default_deny [NEEDINFO]
Summary: STIG scan fails on xccdf_org.ssgproject.content_rule_fapolicy_default_deny
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: fapolicyd
Version: 8.7
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Radovan Sroka
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-03-09 16:42 UTC by Renaud Métrich
Modified: 2023-08-16 14:56 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:
rsroka: needinfo? (vpolasek)
Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker RHELPLAN-151295 | 0 | None | None | None | 2023-03-09 16:43:46 UTC
Red Hat Issue Tracker SECENGSP-5106 | 0 | None | None | None | 2023-03-16 11:09:50 UTC
Red Hat Knowledge Base (Solution) 7003854 | 0 | None | None | None | 2023-03-22 13:53:30 UTC

Description Renaud Métrich 2023-03-09 16:42:43 UTC
Description of problem:

We have a customer requiring to implement full STIG compliance, including xccdf_org.ssgproject.content_rule_fapolicy_default_deny rule:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Title   Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.
Rule    xccdf_org.ssgproject.content_rule_fapolicy_default_deny
Ident   CCE-86478-5
Result  fail
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

On a system I installed with STIG profile selected at installation time, the rule fails, because there is no "deny perm=any all : all" in what we ship.
It looks like a "final rule" is missing, e.g. /etc/fapolicyd/rules.d/99-deny-everything.rules:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
deny perm=any all : all
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.66-2.el8_7.noarch

How reproducible:

Always
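An added check, not part of the report above and not the scap-security-guide's own OVAL test, that approximates what the rule looks for: concatenate the rules.d/*.rules files in sorted order (the order fapolicyd compiles them), drop comments and blank lines, and confirm the last effective rule is the deny-all. The directory is a parameter, and the sample rules files the demo writes are constructed, not the shipped RHEL ones.

```shell
#!/bin/sh
# Added example: approximate the STIG check by inspecting a fapolicyd rules.d
# directory. fapolicyd compiles rules.d/*.rules in lexical order, so the last
# non-comment, non-blank line across the sorted files is the final rule.
# Returns 0 when that rule is "deny perm=any all : all", 1 otherwise.
fapolicy_default_deny_check() {
    rules_dir="$1"
    last_rule=$(cat "$rules_dir"/*.rules 2>/dev/null \
        | sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' \
              -e 's/^ //' -e 's/ $//' \
        | grep -v '^$' \
        | tail -n 1)
    [ "$last_rule" = "deny perm=any all : all" ]
}

# Demo on a constructed rules tree (not the shipped RHEL files).
demo_dir=$(mktemp -d)
cat > "$demo_dir/10-languages.rules" <<'EOF'
# constructed sample: allow root to run anything under /usr/
allow perm=any uid=0 : dir=/usr/
EOF
if fapolicy_default_deny_check "$demo_dir"; then
    echo "before: pass"
else
    echo "before: fail (no final deny rule)"
fi
# Adding the final rule the report asks for makes the check pass.
printf 'deny perm=any all : all\n' > "$demo_dir/99-deny-everything.rules"
if fapolicy_default_deny_check "$demo_dir"; then
    echo "after:  pass"
else
    echo "after:  fail"
fi
rm -rf "$demo_dir"
```

Point it at /etc/fapolicyd/rules.d to see the same result the scanner reports on a STIG-installed system.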

Comment 1 Vojtech Polasek 2023-03-13 08:40:32 UTC
Hello Renaud,
I am not sure what you are asking for. Note that the rule xccdf_org.ssgproject.content_rule_fapolicy_default_deny has no remediation, it performs only the check because we can't know which applications should be permitted.
Do you suggest that the check should be altered? Or that the default shipped file should be altered?

Comment 2 Renaud Métrich 2023-03-13 09:25:56 UTC
Sorry for the confusion, I'm asking for a new file /etc/fapolicyd/rules.d/99-deny-everything.rules to be shipped, so that the rule doesn't fail by default.
