Bug
Resolution: Unresolved
rhel-9.3.0
sst_security_compliance
ssg_security
Description of problem:
The Ansible Playbook generated from the shipped profile and the Ansible Playbook generated
from a customized profile differ in more values than were actually customized.
Version-Release number of selected component (if applicable):
scap-workbench-1.2.1-13.el9.x86_64
openscap-1.3.8-1.el9.x86_64
scap-security-guide-0.1.66-1.el9_1.noarch
How reproducible:
deterministically
Steps to reproduce:
1. Run scap-workbench from the terminal.
2. On the "Open SCAP Security Guide" screen, select RHEL 9 and click on Load Content.
3. Choose "CIS RHEL 9 Benchmark for Level 2 - Server" profile in the Profile dropdown.
4. Click on "Generate Remediation Role", generate an Ansible playbook and save it to a file, e.g. "cis.yml".
5. Click on Customize, choose a custom profile ID, change the value of var_accounts_tmout and confirm with "OK".
6. Click on "Generate Remediation Role", generate an Ansible playbook and save it to a file, e.g. "cis_customized.yml".
7. Run a diff of the 2 playbooks in the terminal: diff -u cis.yml cis_customized.yml
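An added example, not part of the report or of scap-workbench/openscap, that automates the check in step 7: it parses the `vars:` block of two oscap-generated playbooks, lists every variable whose value differs, and filters out the variables that were intentionally customized, so that anything left is an unexpected change. It assumes the `key: !!str value` layout the generated playbooks use; the two sample playbooks are constructed from values quoted in the report.

```python
import re

# One `key: !!str value` line inside the generated playbook's `vars:` block.
VAR_LINE = re.compile(r"^\s+(\w+):\s+!!str\s+(.*)$")

def parse_vars(playbook_text):
    """Return {variable: value} from the `vars:` block; the block ends at the
    next key indented like `vars:` itself (`tasks:` in generated playbooks)."""
    result, vars_indent = {}, None
    for line in playbook_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # skip blank lines and header comments
        indent = len(line) - len(line.lstrip())
        if vars_indent is None:
            if stripped == "vars:":
                vars_indent = indent
            continue
        if indent <= vars_indent:         # left the vars block
            break
        m = VAR_LINE.match(line)
        if m:
            result[m.group(1)] = m.group(2).strip()
    return result

def changed_vars(base_text, custom_text):
    """{variable: (base_value, custom_value)} for every differing variable."""
    base, custom = parse_vars(base_text), parse_vars(custom_text)
    return {k: (base.get(k), custom.get(k))
            for k in sorted(set(base) | set(custom)) if base.get(k) != custom.get(k)}

def unexpected_changes(base_text, custom_text, customized):
    """Changed variables that were NOT among the ones customized in the UI."""
    return {k: v for k, v in changed_vars(base_text, custom_text).items()
            if k not in customized}

# Constructed sample: trimmed copies of the two playbooks quoted in the report.
BASE = """- hosts: all
  vars:
    var_accounts_tmout: !!str 900
    var_password_pam_minlen: !!str 14
    sshd_idle_timeout_value: !!str 900
  tasks:
    - name: Ensure aide is installed
"""
CUSTOM = BASE.replace("var_accounts_tmout: !!str 900", "var_accounts_tmout: !!str 1800") \
             .replace("var_password_pam_minlen: !!str 14", "var_password_pam_minlen: !!str 15") \
             .replace("sshd_idle_timeout_value: !!str 900", "sshd_idle_timeout_value: !!str 300")
```

Calling `unexpected_changes(BASE, CUSTOM, {"var_accounts_tmout"})` on the real files saved in steps 4 and 6 returns an empty dict when the expected result holds, and the spurious changes otherwise.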
Actual results:
Many values differ between the two generated playbooks, although only a single value was changed in the Customization window.
8<--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<--
[test@kvm-06-guest39 ~]$ diff -u cis.yml cis_customized.yml
— cis.yml 2023-07-31 10:36:00.955711462 -0400
+++ cis_customized.yml 2023-07-31 10:36:41.509035586 -0400
@@ -1,7 +1,7 @@
—
###############################################################################
#
-
- Ansible Playbook for CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
+# Ansible Playbook for CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server [CUSTOMIZED]
#
- Ansible Playbook for CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
- Profile Description:
- This profile defines a baseline that aligns to the "Level 2 - Server"
@@ -10,13 +10,13 @@ - This profile includes Center for Internet Security®
- Red Hat Enterprise Linux 9 CIS Benchmarks™ content.
#- Profile ID: xccdf_org.ssgproject.content_profile_cis
+# Profile ID: xccdf_org.ssgproject.content_profile_cis_customized
- Profile ID: xccdf_org.ssgproject.content_profile_cis
- Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-9
- Benchmark Version: 0.1.66
- XCCDF Version: 1.2
# - This file was generated by OpenSCAP 1.3.8 using:
- $ oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_cis --fix-type ansible xccdf-file.xml
+# $ oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_cis_customized --fix-type ansible xccdf-file.xml
#
- $ oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_cis --fix-type ansible xccdf-file.xml
- This Ansible Playbook is generated from an OpenSCAP profile without preliminary evaluation.
- It attempts to fix every selected rule, even if the system is already compliant.
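Review bot: the only differences in this hunk are the profile ID (`..._cis` to `..._cis_customized`) and the matching `oscap xccdf generate fix --profile ...` command line recorded in the header, which is exactly what a tailored profile is expected to produce; nothing in the header hunks is part of the reported problem, so the evidence for the bug starts at the `vars:` hunk below.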
@@ -33,28 +33,28 @@
vars:
var_system_crypto_policy: !!str DEFAULT
inactivity_timeout_value: !!str 900
- var_screensaver_lock_delay: !!str 5
+ var_screensaver_lock_delay: !!str 0
var_sudo_logfile: !!str /var/log/sudo.log
var_sudo_timestamp_timeout: !!str 5 - var_authselect_profile: !!str sssd
- login_banner_text: !Unable to render embedded object: File ((Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.) not found..(
|fedora|rhel|sle|ubuntu)).)$
+ var_authselect_profile: !!str minimal
+ login_banner_text: !!str ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
var_password_pam_remember: !!str 5 - var_password_pam_remember_control_flag: !!str requisite,required
+ var_password_pam_remember_control_flag: !!str requisite
var_accounts_passwords_pam_faillock_deny: !!str 3 - var_accounts_passwords_pam_faillock_unlock_time: !!str 900
- var_password_pam_minclass: !!str 4
- var_password_pam_minlen: !!str 14
+ var_accounts_passwords_pam_faillock_unlock_time: !!str 0
+ var_password_pam_minclass: !!str 3
+ var_password_pam_minlen: !!str 15
var_password_pam_retry: !!str 3 - var_account_disable_post_pw_expiration: !!str 30
- var_accounts_maximum_age_login_defs: !!str 365
- var_accounts_minimum_age_login_defs: !!str 1
+ var_account_disable_post_pw_expiration: !!str 35
+ var_accounts_maximum_age_login_defs: !!str 60
+ var_accounts_minimum_age_login_defs: !!str 7
var_accounts_password_warn_age_login_defs: !!str 7 - var_accounts_tmout: !!str 900
+ var_accounts_tmout: !!str 1800
var_accounts_user_umask: !!str 027
var_auditd_action_mail_acct: !!str root - var_auditd_admin_space_left_action: !!str halt
+ var_auditd_admin_space_left_action: !!str single
var_auditd_max_log_file: !!str 6 - var_auditd_max_log_file_action: !!str keep_logs
+ var_auditd_max_log_file_action: !!str rotate
var_auditd_space_left_action: !!str email
sysctl_net_ipv6_conf_all_accept_ra_value: !!str 0
sysctl_net_ipv6_conf_all_accept_redirects_value: !!str 0
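Review bot: thirteen variables change in this hunk but only `var_accounts_tmout` (900 to 1800) corresponds to the single customization made in step 5; `var_screensaver_lock_delay`, `var_authselect_profile`, `login_banner_text`, the pam_faillock and pwquality values, the login.defs ageing values and the two auditd actions change as well, and the substituted values move in both directions (`var_password_pam_minclass` 4 to 3, `var_password_pam_minlen` 14 to 15), so the customized playbook does not simply apply the shipped CIS values plus the one edit. The removed `login_banner_text` line has been replaced by "Unable to render embedded object" wiki residue in this paste; re-pasting that hunk from the terminal would make the original value visible.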
@@ -79,13 +79,13 @@
var_selinux_policy_name: !!str targeted
var_selinux_state: !!str enforcing
var_postfix_inet_interfaces: !!str loopback-only - var_multiple_time_servers: !!str 0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org
+ var_multiple_time_servers: !!str 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
var_sshd_set_keepalive: !!str 0 - sshd_idle_timeout_value: !!str 900
+ sshd_idle_timeout_value: !!str 300
var_sshd_set_login_grace_time: !!str 60
sshd_max_auth_tries_value: !!str 4
var_sshd_max_sessions: !!str 10 - var_sshd_set_maxstartups: !!str 10:30:60
+ var_sshd_set_maxstartups: !!str 10:30:100
tasks: - name: Ensure aide is installed
package:
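Review bot: the same pattern appears outside the account and audit settings: `var_multiple_time_servers` loses the `rhel.` pool names, `sshd_idle_timeout_value` goes from 900 to 300 and `var_sshd_set_maxstartups` from 10:30:60 to 10:30:100, none of which were touched in the Customization window. Attaching the tailoring file that scap-workbench saved for the custom profile would let the maintainers compare its refine-value entries with the values that ended up in this playbook.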
8<--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<--
Expected results:
The playbooks will differ only in the variable value that was changed in the Customization UI; all other values stay the same.
Additional info:
This bug is also reproducible on Fedora 38 with these RPM versions:
scap-workbench-1.2.1-12.fc37.x86_64
openscap-1.3.8-1.fc38.x86_64
scap-security-guide-0.1.68-1.fc38.noarch