RHEL-1817

STIG scan fails on xccdf_org.ssgproject.content_rule_fapolicy_default_deny


Description of problem:

We have a customer who is required to implement full STIG compliance, including the xccdf_org.ssgproject.content_rule_fapolicy_default_deny rule:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Title Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.
Rule xccdf_org.ssgproject.content_rule_fapolicy_default_deny
Ident CCE-86478-5
Result fail
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

On a system I installed with the STIG profile selected at installation time, the rule fails because there is no "deny perm=any all : all" in what we ship.
It looks like a "final rule" is missing, e.g. /etc/fapolicyd/rules.d/99-deny-everything.rules:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
deny perm=any all : all
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.66-2.el8_7.noarch

How reproducible:

Always
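One way to verify the condition the report describes, as an added example that is not part of this ticket or of scap-security-guide: merge the rules.d files in the order fapolicyd applies them and check that the last effective rule is the deny-all. The rules directory path, the lexical merge order and the first-matching-rule-wins semantics are assumptions about fapolicyd's behaviour; `check_default_deny` and `effective_rules` are names chosen here.

```python
"""Check that the merged fapolicyd rule set ends in a deny-all rule.

Assumption (example code, not from the ticket): fagenrules concatenates
/etc/fapolicyd/rules.d/*.rules in lexical order, and the first matching
rule wins, so a deny-all rule is only effective as the very last rule.
"""
import re
from pathlib import Path

RULES_DIR = Path("/etc/fapolicyd/rules.d")  # assumed location
# The final rule the STIG rule expects, as quoted in the bug report.
FINAL_DENY = re.compile(r"^deny perm=any all\s*:\s*all$")


def effective_rules(lines):
    """Drop comments, blank lines and %set definitions; normalise whitespace."""
    rules = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "%")):
            continue
        rules.append(re.sub(r"\s+", " ", stripped))
    return rules


def check_default_deny(lines):
    """Return (ok, reason): ok only if the last effective rule is deny-all."""
    rules = effective_rules(lines)
    if not rules:
        return False, "no rules found"
    last = rules[-1]
    if not FINAL_DENY.match(last):
        return False, "last rule is not deny-all: " + repr(last)
    return True, "final deny-all rule present"


def check_rules_dir(rules_dir=RULES_DIR):
    """Merge *.rules files in lexical order (as fagenrules does) and check."""
    merged = []
    for path in sorted(rules_dir.glob("*.rules")):
        merged.extend(path.read_text().splitlines())
    return check_default_deny(merged)


if __name__ == "__main__":
    ok, reason = check_rules_dir()
    print(("PASS" if ok else "FAIL") + ": " + reason)
```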

Marcus Burghardt (maburgha@redhat.com)
Renaud Métrich (rhn-support-rmetrich)
Marcus Burghardt
Milan Lysonek