Bug | Resolution: Unresolved | rhel-10.0 | Moderate | rhel-security-compliance
Description of problem:
The oscap xccdf eval CLI command currently outputs only the rule IDs and their results (pass/fail), which are difficult to interpret without referring to the HTML or ARF reports. There is no CLI option to display rule descriptions/rationale inline.
This makes it harder to:
Understand the meaning of failed rules
Use oscap effectively in headless/CI environments
Perform quick remediation without post-processing ARF/HTML
Steps:
Run:

    # oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --rule xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    --- Starting Evaluation ---
    Title   Configure the root Account for Failed Password Attempts
    Rule    xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
    Ident   CCE-87975-9
    Result  fail

We can manually parse the XML to get context:

    PROFILE_ID="xccdf_org.ssgproject.content_profile_cis"
    XML="/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"
    for RULE_ID in xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root; do
        # local-name() sidesteps the XCCDF namespace prefix in the datastream
        TITLE=$(xmllint --xpath "string(//*[local-name()='Rule' and @id='$RULE_ID']/*[local-name()='title'])" "$XML" 2>/dev/null)
        DESCRIPTION=$(xmllint --xpath "string(//*[local-name()='Rule' and @id='$RULE_ID']/*[local-name()='description'])" "$XML" 2>/dev/null)
        RATIONALE=$(xmllint --xpath "string(//*[local-name()='Rule' and @id='$RULE_ID']/*[local-name()='rationale'])" "$XML" 2>/dev/null)
        echo "Rule ID     : $RULE_ID"
        echo "Title       : $TITLE"
        echo "Description : $DESCRIPTION"
        echo "Rationale   : $RATIONALE"
        echo "-------------------------------------------"
    done

Output:

    Rule ID     : xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
    Title       : Configure the root Account for Failed Password Attempts
    Description : This rule configures the system to lock out the root account after a number of incorrect login attempts using pam_faillock.so.pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version.
    Rationale   : By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account.
    -------------------------------------------
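As an added illustration (not part of this report and not OpenSCAP code), the same join can be done once for every rule in a scan, without xmllint, by post-processing the XCCDF results file that `oscap xccdf eval --results results.xml` writes. The script below looks up Rule elements and rule-result elements anywhere in the tree, so a datastream, a plain benchmark, or the results file (which embeds the Benchmark) all work as input. The benchmark and results fragments are constructed samples, not SSG content; the only assumed detail is the XCCDF 1.2 namespace that SSG content uses.

```python
"""Join oscap rule results with the rule's title, description and rationale.

Added example, not OpenSCAP code. Rule and rule-result elements are searched
anywhere below the root, so the same function works on a datastream, on a
benchmark, or on the XCCDF results file oscap writes (which embeds both).
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}

# Constructed sample benchmark (not real SSG content). The <html:code> child
# mirrors how SSG marks up rule text, which is why .text alone is not enough.
SAMPLE_BENCHMARK = f"""<Benchmark xmlns="{XCCDF_NS}"
           xmlns:html="http://www.w3.org/1999/xhtml" id="xccdf_example_benchmark">
  <Rule id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root"
        severity="medium">
    <title>Configure the root Account for Failed Password Attempts</title>
    <description>This rule configures the system to lock out the root account
      after a number of incorrect login attempts using
      <html:code>pam_faillock.so</html:code>.</description>
    <rationale>By limiting the number of failed logon attempts, the risk of
      unauthorized system access via user password guessing is reduced.</rationale>
    <ident system="https://cce.mitre.org">CCE-87975-9</ident>
  </Rule>
  <Rule id="xccdf_example_rule_passing" severity="low">
    <title>Constructed passing rule</title>
    <description>Only here to show that passing rules are filtered out.</description>
    <rationale>None.</rationale>
  </Rule>
</Benchmark>"""

# Constructed sample results, shaped like the <TestResult> block that
# `oscap xccdf eval --results` appends to the benchmark.
SAMPLE_RESULTS = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_example_testresult">
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_passing">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_not_in_benchmark">
    <result>notselected</result>
  </rule-result>
</TestResult>"""


def flatten_text(elem):
    """Concatenate an element's text, nested xhtml included, with whitespace normalised."""
    if elem is None:
        return ""
    return " ".join("".join(elem.itertext()).split())


def load_rules(root):
    """Map rule id -> metadata for every <Rule> found anywhere under root."""
    rules = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        rules[rule.get("id")] = {
            "title": flatten_text(rule.find("xccdf:title", NS)),
            "description": flatten_text(rule.find("xccdf:description", NS)),
            "rationale": flatten_text(rule.find("xccdf:rationale", NS)),
            "ident": flatten_text(rule.find("xccdf:ident", NS)),
            "severity": rule.get("severity", ""),
        }
    return rules


def load_results(root):
    """Yield (rule id, result) for every <rule-result> found anywhere under root."""
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        yield rr.get("idref"), flatten_text(rr.find("xccdf:result", NS))


def annotate(benchmark_xml, results_xml, keep=("fail", "error", "unknown")):
    """Join results with rule metadata; keep=None returns every result."""
    rules = load_rules(ET.fromstring(benchmark_xml))
    rows = []
    for rule_id, result in load_results(ET.fromstring(results_xml)):
        if keep is not None and result not in keep:
            continue
        meta = rules.get(rule_id)
        if meta is None:
            # A result that refers to a rule the benchmark does not define is
            # reported rather than dropped: it usually means the wrong content
            # file was paired with the results.
            meta = {"title": "(rule not found in benchmark)", "description": "",
                    "rationale": "", "ident": "", "severity": ""}
        rows.append({"rule": rule_id, "result": result, **meta})
    return rows


def render(rows):
    """Format rows like oscap's eval output, plus the two requested fields."""
    out = []
    for r in rows:
        out.append(f"Title\t{r['title']}")
        out.append(f"Rule\t{r['rule']}")
        if r["ident"]:
            out.append(f"Ident\t{r['ident']}")
        out.append(f"Result\t{r['result']}")
        out.append(f"Description: {r['description']}")
        out.append(f"Rationale: {r['rationale']}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(annotate(SAMPLE_BENCHMARK, SAMPLE_RESULTS)))
```

Against a real scan, read both strings from disk (`open("results.xml").read()` for each argument, or the datastream for the first and the results file for the second); because the lookups walk the whole tree, an ARF file also works as the results input. Passing `keep=None` lists every rule with its outcome, which covers the "--list-rules"-style view asked for under Additional info.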
Expected results:
A flag like --show-description or --verbose-rules should output rule descriptions/rationale alongside the results, e.g.:
Title Configure the root Account for Failed Password Attempts
Rule xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
Ident CCE-87975-9
Result fail
Description: This rule configures the system to lock out the root account after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version.
Rationale: By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account.
Actual results:
Only rule IDs are shown; users must open full HTML/ARF reports or manually parse the XML to get context.
Additional info:
This enhancement would help system administrators, compliance engineers, and automated pipelines to make immediate sense of scan output.
If feasible, including the "--list-rules" option to list all rules for a particular profile would also be beneficial.