-
Bug
-
Resolution: Done-Errata
-
Normal
-
rhel-9.2.0
-
openscap-1.3.10-1.el9_4
-
None
-
Moderate
-
sst_security_compliance
-
ssg_security
-
None
-
False
-
-
No
-
None
-
-
Pass
-
None
-
-
Unspecified
-
None
Description of problem:
When blueprint is generated, I see two places for improvement.
First one is mostly just confusing - the comment when blueprint is generated states among other:
``
- This Blueprint is generated from an OpenSCAP profile without preliminary evaluation.
- It attempts to fix every selected rule, even if the system is already compliant.
``
while technically correct,I don't thing there's any point in generating blueprints that is based on evaluation. Not having the comment there might actually be better.
Second one is practical and impactful - Image Builder supports following directive to execute "post install" hardening.
``
[customizations.openscap]
datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"
profile_id = "xccdf_org.ssgproject.content_profile_cis"
``
This is NOT part of the generated blueprint, which requires user to actually know about it and add it later. This is a bug in usability.
Version-Release number of selected component (if applicable):
openscap-1.3.7-1.el9.x86_64
How reproducible:
reliable
Steps to Reproduce:
1. oscap xccdf generate fix --fix-type blueprint --profile cis /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
2. read the output
3.
Actual results:
Comment from the description is present. Directive [customization.openscap] from description is NOT present.
Expected results:
Comment is not there. Directive is there. Ideally in a way that the output is directly usable without alteration in the image builder.
Additional info:
- external trackers
- links to
-
RHBA-2024:130343
openscap bug fix and enhancement update
