-
Bug
-
Resolution: Done-Errata
-
Normal
-
rhel-8.7.0
-
None
-
Moderate
-
rhel-sst-security-compliance
-
ssg_security
-
26
-
1
-
False
-
-
No
-
None
-
-
Pass
-
None
-
-
All
-
None
Description of problem:
We have a customer requiring to implement full STIG compliance, including xccdf_org.ssgproject.content_rule_fapolicy_default_deny rule:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Title Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.
Rule xccdf_org.ssgproject.content_rule_fapolicy_default_deny
Ident CCE-86478-5
Result fail
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
On a system I installed with STIG profile selected at installation time, the rule fails, because there is no "deny perm=any all : all" in what we ship.
It looks like a "final rule" is missing, e.g. /etc/fapolicyd/rules.d/99-deny-everything.rules:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
deny perm=any all : all
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Version-Release number of selected component (if applicable):
scap-security-guide-0.1.66-2.el8_7.noarch
How reproducible:
Always
- external trackers
- links to
-
RHBA-2024:128049 scap-security-guide bug fix and enhancement update
- mentioned on