- Bug
- Resolution: Unresolved
- rhel-8.10
- Low
- Customer Reported
- rhel-security-compliance
What were you trying to do that didn't work?
Using OpenSCAP with the CIS Server Level 1 profile (xccdf_org.ssgproject.content_profile_cis_server_l1) to scan RHEL 8, the following CIS rule from the official CIS Red Hat Enterprise Linux 8 Benchmark v3.0.0 appears to be missing from the latest SCAP Security Guide content provided by the scap-security-guide package:
4.4.3.3.2 Ensure password history is enforced for the root user
This rule is part of the CIS Level 1 benchmark but does not appear in /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml, and there is no corresponding result in the OSCAP compliance report when scanning with the xccdf_org.ssgproject.content_profile_cis_server_l1 profile.
Please provide the package NVR for which the bug is seen:
latest version of scap-security-guide on RHEL 8.10
How reproducible is this bug?:
Always
Steps to reproduce
- Install the latest scap-security-guide on RHEL 8:
- Verify its content.
- Run a scan against CIS Level 1
- Review the generated report — there is no entry corresponding to CIS rule 4.4.3.3.2.
Expected results
The SCAP content should include a rule that validates password history enforcement for the root user as per CIS Benchmark 4.4.3.3.2.
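The check described in this report can be automated. The following is an added example, not part of the original report or of the scap-security-guide project: it lists which CIS section numbers have no selected rule in a profile. It assumes that the profile's `select` elements are already resolved in the data stream and that rules carry CIS section numbers in `reference` elements whose `href` contains `cisecurity.org`. The rule ids and the section `0.0.0.1` in the embedded sample are constructed placeholders.

```python
import sys
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
PROFILE = "xccdf_org.ssgproject.content_profile_cis_server_l1"

# Constructed sample, not taken from ssg-rhel8-ds.xml; rule ids are hypothetical.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <Profile id="xccdf_org.ssgproject.content_profile_cis_server_l1">
    <select idref="xccdf_example_rule_selected" selected="true"/>
    <select idref="xccdf_example_rule_unselected" selected="false"/>
  </Profile>
  <Rule id="xccdf_example_rule_selected">
    <reference href="https://www.cisecurity.org/benchmark/red_hat_linux/">0.0.0.1</reference>
  </Rule>
  <Rule id="xccdf_example_rule_unselected">
    <reference href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.4.3.3.2</reference>
  </Rule>
</Benchmark>"""

def cis_coverage(root, profile_id, sections):
    """Map each CIS section number to the rule ids the profile selects for it."""
    selected = set()
    for profile in root.iter(XCCDF + "Profile"):
        if profile.get("id") == profile_id:
            for sel in profile.iter(XCCDF + "select"):
                if sel.get("selected") == "true":
                    selected.add(sel.get("idref"))
    coverage = {s: [] for s in sections}
    for rule in root.iter(XCCDF + "Rule"):
        if rule.get("id") not in selected:
            continue  # a rule present in the content but not selected gives no result
        for ref in rule.iter(XCCDF + "reference"):
            text = (ref.text or "").strip()
            # Assumption: CIS references are identified by their href.
            if "cisecurity.org" in ref.get("href", "") and text in coverage:
                coverage[text].append(rule.get("id"))
    return coverage

def missing_sections(root, profile_id, sections):
    """Return the CIS sections for which the profile selects no rule."""
    cov = cis_coverage(root, profile_id, sections)
    return sorted(s for s, rules in cov.items() if not rules)

if __name__ == "__main__":
    # Pass the data stream path as an argument, or run on the constructed sample.
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1 else ET.fromstring(SAMPLE)
    print(missing_sections(root, PROFILE, ["0.0.0.1", "4.4.3.3.2"]))
```

Run against `/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml` with the benchmark's section numbers in the list, it separates sections with no mapped rule from rules that exist in the content but are not selected by the profile.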