- Bug
- Resolution: Done-Errata
- rhel-9.4
- scap-security-guide-0.1.75-1.el9
- Important
- rhel-sst-security-compliance
- ssg_security
- Red Hat Enterprise Linux
- x86_64
What were you trying to do that didn't work?
Running an OpenSCAP report on RHEL 9.4
What is the impact of this issue to you?
The latest security rules that are available upstream are not included.
Please provide the package NVR for which the bug is seen:
- openscap-scanner version 1.3.10-2
- scap-security-guide version 0.1.74-1
Profile ID: xccdf_org.ssgproject.content_profile_cis
How reproducible is this bug?:
100%
Steps to reproduce
- Install the specified versions of OpenSCAP and scap-security-guide
- Use the suggested profile to create the OpenSCAP report
- Command used:
$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --report oscap-2408290644-TRAFICCRHEL9.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Expected results
The report should include all policies present in the latest upstream report.
Actual results
The report is missing the following policies:
Level | ID | Description
--- | --- | ---
1 | 1.6.3 | Ensure system wide crypto policy disables sha1 hash and signature support
1 | 1.6.4 | Ensure system wide crypto policy disables macs less than 128 bits
1 | 1.6.5 | Ensure system wide crypto policy disables cbc for ssh
1 | 1.6.6 | Ensure system wide crypto policy disables chacha20-poly1305 for ssh
1 | 1.6.7 | Ensure system wide crypto policy disables EtM for ssh
1 | 2.3.1 | Ensure time synchronization is in use
1 | 4.3.1 | Ensure nftables base chains exist
1 | 4.3.3 | Ensure nftables default deny firewall policy
1 | 4.3.4 | Ensure nftables loopback traffic is configured
1 | 5.1.4 | Ensure sshd Ciphers are configured
1 | 5.3.1.1 | Ensure latest version of pam is installed
1 | 5.3.1.2 | Ensure latest version of authselect
1 | 5.3.2.1 | Ensure active authselect profile includes pam modules
1 | 5.3.2.3 | Ensure pam_pwquality module is enabled
1 | 5.3.2.4 | Ensure pam_pwhistory module is enabled
1 | 5.3.2.5 | Ensure pam_unix module is enabled
1 | 5.3.3.2.5 | Ensure password maximum sequential characters is configured
1 | 5.3.3.3.2 | Ensure password history is enforced for the root user
1 | 5.3.3.3.3 | Ensure pam_pwhistory includes use_authtok
1 | 5.3.3.4.2 | Ensure pam_unix does not include remember
1 | 5.3.3.4.4 | Ensure pam_unix includes use_authtok
1 | 5.4.2.3 | Ensure group root is the only GID 0 group
1 | 5.4.2.6 | Ensure root user umask is configured
1 | 5.4.2.8 | Ensure accounts without a valid login shell are locked
1 | 6.2.1.4 | Ensure only one logging system is in use
1 | 6.2.2.1.3 | Ensure systemd-journal-upload is enabled and active
1 | 6.2.2.2 | Ensure journald ForwardToSyslog is disabled
1 | 6.2.3.1 | Ensure rsyslog is installed
1 | 6.2.3.2 | Ensure rsyslog service is enabled and active
1 | 6.2.3.3 | Ensure journald is configured to send logs to rsyslog
1 | 6.2.3.4 | Ensure rsyslog log file creation mode is configured
1 | 6.2.3.5 | Ensure rsyslog logging is configured
1 | 6.2.3.6 | Ensure rsyslog is configured to send logs to a remote log host
1 | 6.2.3.7 | Ensure rsyslog is not configured to receive logs from a remote client
1 | 6.2.3.8 | Ensure rsyslog logrotate is configured
1 | 7.2.7 | Ensure no duplicate group names exist
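As an added example (not part of this bug report or of the scap-security-guide project), the following Python helper extracts the rule ids a profile selects from an XCCDF 1.2 benchmark inside a SCAP source datastream, following profile `extends` chains, and diffs two content versions so the rules the installed content lacks can be listed by id rather than by reading the HTML report; the embedded datastream fragments and the rule ids in them are constructed placeholders, not the real ssg-rhel9-ds.xml content.

```python
import xml.etree.ElementTree as ET

# Namespace of XCCDF 1.2 benchmarks embedded in a SCAP source datastream
XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"


def profile_rules(ds_xml: str, profile_id: str) -> set[str]:
    """Rule ids a profile selects, resolving XCCDF profile 'extends' chains."""
    root = ET.fromstring(ds_xml)
    profiles = {p.get("id"): p for p in root.iter(XCCDF + "Profile")}
    selected: set[str] = set()

    def visit(pid: str, seen: set[str]) -> None:
        if pid not in profiles or pid in seen:  # unknown id or cycle: stop
            return
        seen.add(pid)
        prof = profiles[pid]
        if prof.get("extends"):  # the parent's selections apply first
            visit(prof.get("extends"), seen)
        for sel in prof.findall(XCCDF + "select"):
            # a later <select> for the same rule overrides an earlier one
            if sel.get("selected", "").lower() == "true":
                selected.add(sel.get("idref"))
            else:
                selected.discard(sel.get("idref"))

    visit(profile_id, set())
    return selected


def missing_rules(old_ds: str, new_ds: str, profile_id: str) -> set[str]:
    """Rules the newer content selects for the profile that the older content does not."""
    return profile_rules(new_ds, profile_id) - profile_rules(old_ds, profile_id)


# Constructed two-version datastream fragments; rule ids are illustrative placeholders
def _ds(selects: str) -> str:
    return f"""<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2">
 <ds:component id="scap_org.open-scap_comp_ssg-rhel9-xccdf.xml">
  <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-9">
   <Profile id="xccdf_org.ssgproject.content_profile_cis_base">
    <select idref="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" selected="true"/>
   </Profile>
   <Profile id="xccdf_org.ssgproject.content_profile_cis" extends="xccdf_org.ssgproject.content_profile_cis_base">
    {selects}
   </Profile>
  </Benchmark>
 </ds:component>
</ds:data-stream-collection>"""


OLD_DS = _ds('<select idref="xccdf_org.ssgproject.content_rule_package_rsyslog_installed" selected="true"/>')
NEW_DS = _ds('<select idref="xccdf_org.ssgproject.content_rule_package_rsyslog_installed" selected="true"/>'
             '<select idref="xccdf_org.ssgproject.content_rule_group_unique_name" selected="true"/>'
             '<select idref="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" selected="false"/>')

if __name__ == "__main__":
    for rule in sorted(missing_rules(OLD_DS, NEW_DS, "xccdf_org.ssgproject.content_profile_cis")):
        print("missing from old content:", rule)
```

To compare real content, read the installed /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml and an upstream datastream into the two string arguments and pass the profile id from the report command.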
- links to: RHBA-2024:142992 scap-security-guide bug fix and enhancement update