Bug 2219533 - systemdunitproperty probe ignores some systemd units
Summary: systemdunitproperty probe ignores some systemd units
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openscap
Version: 8.9
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
: ---
Assignee: Jan Černý
QA Contact: Milan Lysonek
URL:
Whiteboard:
Depends On: 2219532 2223981 2223983
Blocks: 2223547 2223548
TreeView+ depends on / blocked
 
Reported: 2023-07-04 07:46 UTC by Jan Černý
Modified: 2023-08-04 14:56 UTC (History)
5 users (show)

Fixed In Version: openscap-1.3.8-1.el8
Doc Type: No Doc Update
Doc Text:
Clone Of: 2219532
: 2223547 2223548 (view as bug list)
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-161473 0 None None None 2023-07-04 07:50:47 UTC

Description Jan Černý 2023-07-04 07:46:46 UTC 
+++ This bug was initially created as a clone of Bug #2219532 +++

Description of problem:
The systemdunitproperty probe fails to read information about some systemd units. A common example where this behavior exhibits is the nftables.service unit, which leads to a false positive result for the rule service_nftables_disabled.

For more context, please read https://github.com/ComplianceAsCode/content/issues/10424.

Version-Release number of selected component (if applicable):
openscap-1.3.7-1.el8

How reproducible:
deterministically

Steps to Reproduce:
1. Run "/CoreOS/scap-security-guide/Sanity/machine-hardening CIS Server Level 2"
2. See the output of the final scan (after reboot)


Actual results:
service_nftables_disabled fails after reboot

Expected results:
service_nftables_disabled passes after reboot

Additional info:
Fixed in upstream by https://github.com/OpenSCAP/openscap/pull/1980.
Note You need to log in before you can comment on or make changes to this bug.