Closed
Description
Description of problem:
Using oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --rule xccdf_org.ssgproject.content_rule_configure_crypto_policy /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
properly identifies the unmet rule, but rerunning with --remediate
does not fix it.
SCAP Security Guide Version:
scap-security-guide-0.1.56-3.el9.noarch from https://kojihub.stream.rdu2.redhat.com/koji/buildinfo?buildID=9798
Operating System Version:
Red Hat Enterprise Linux release 9.0 Beta (Plow)
Steps to Reproduce:
update-crypto-policies --show
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --rule xccdf_org.ssgproject.content_rule_configure_crypto_policy /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_ospp --rule xccdf_org.ssgproject.content_rule_configure_crypto_policy /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
update-crypto-policies --show
Actual Results:
# update-crypto-policies --show
DEFAULT
# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --rule xccdf_org.ssgproject.content_rule_configure_crypto_policy /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml file which is referenced from XCCDF content
Title Configure System Cryptography Policy
Rule xccdf_org.ssgproject.content_rule_configure_crypto_policy
Ident CCE-83450-7
Result fail
# oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_ospp --rule xccdf_org.ssgproject.content_rule_configure_crypto_policy /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml file which is referenced from XCCDF content
Title Configure System Cryptography Policy
Rule xccdf_org.ssgproject.content_rule_configure_crypto_policy
Ident CCE-83450-7
Result fail
--- Starting Remediation ---
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml file which is referenced from XCCDF content
Title Configure System Cryptography Policy
Rule xccdf_org.ssgproject.content_rule_configure_crypto_policy
Ident CCE-83450-7
Result fail
# update-crypto-policies --show
DEFAULT
Expected Results:
# update-crypto-policies --show
DEFAULT
# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --rule xccdf_org.ssgproject.content_rule_configure_crypto_policy /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml file which is referenced from XCCDF content
Title Configure System Cryptography Policy
Rule xccdf_org.ssgproject.content_rule_configure_crypto_policy
Ident CCE-83450-7
Result fail
# oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_ospp --rule xccdf_org.ssgproject.content_rule_configure_crypto_policy /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml file which is referenced from XCCDF content
Title Configure System Cryptography Policy
Rule xccdf_org.ssgproject.content_rule_configure_crypto_policy
Ident CCE-80935-0
Result fail
--- Starting Remediation ---
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml file which is referenced from XCCDF content
Title Configure System Cryptography Policy
Rule xccdf_org.ssgproject.content_rule_configure_crypto_policy
Ident CCE-80935-0
Result fixed
# update-crypto-policies --show
FIPS:OSPP
Additional Information/Debugging Steps:
This is a regression against RHEL 8 (scap-security-guide-0.1.54-5.el8.noarch), where the command
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --rule xccdf_org.ssgproject.content_rule_configure_crypto_policy /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
detects xccdf_org.ssgproject.content_rule_configure_crypto_policy failed and
oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_ospp --rule xccdf_org.ssgproject.content_rule_configure_crypto_policy /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
fixes it.
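
The check the reproduction steps perform by eye, as an added example that is not part of the original report: it reads the last Result that oscap prints for the rule and compares the active crypto policy with the expected FIPS:OSPP. The function names and the `--live` switch are assumptions made for this example; the sample input is the rule output from the report's Actual Results with the warnings omitted.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether remediation took effect.
RULE=xccdf_org.ssgproject.content_rule_configure_crypto_policy
PROFILE=xccdf_org.ssgproject.content_profile_ospp
DS=/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
EXPECTED_POLICY=FIPS:OSPP   # value from the report's "Expected Results"

# Read oscap output on stdin and print the LAST Result recorded for rule $1.
# With --remediate the rule is printed before and after the
# "--- Starting Remediation ---" marker; the last Result is the final state.
rule_final_result() {
    awk -v rule="$1" '
        $1 == "Rule"   { current = $2 }
        $1 == "Result" && current == rule { result = $2 }
        END { if (result == "") exit 1; print result }'
}

# Args: oscap_output rule policy_after expected_policy (hypothetical helper).
# Succeeds only if the final Result is "fixed" AND the active policy matches.
remediation_took_effect() {
    final=$(printf '%s\n' "$1" | rule_final_result "$2") || return 2
    [ "$final" = "fixed" ] && [ "$3" = "$4" ]
}

# Sample input: rule lines copied from the report's "Actual Results" (warnings omitted).
sample_actual_output() {
    cat <<'EOF'
Title   Configure System Cryptography Policy
Rule    xccdf_org.ssgproject.content_rule_configure_crypto_policy
Ident   CCE-83450-7
Result  fail
 --- Starting Remediation ---
Title   Configure System Cryptography Policy
Rule    xccdf_org.ssgproject.content_rule_configure_crypto_policy
Ident   CCE-83450-7
Result  fail
EOF
}

# Live mode: run the report's remediation command on a real system.
if [ "${1:-}" = "--live" ]; then
    out=$(oscap xccdf eval --remediate --profile "$PROFILE" --rule "$RULE" "$DS" 2>&1) || true
    if remediation_took_effect "$out" "$RULE" "$(update-crypto-policies --show)" "$EXPECTED_POLICY"; then
        echo "remediation took effect"
    else
        echo "remediation did NOT take effect"; exit 1
    fi
fi
```

Checking both the reported Result and the output of update-crypto-policies --show catches a remediation that reports "fixed" while the active policy stays unchanged.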