Rule firewalld_sshd_port_enabled fails after kickstart installation of RHEL 9.4 with STIG profile and various other profiles.
The first problem is that the rule doesn't have a kickstart remediation. This can be easily fixed by creating the kickstart remediation with the following file contents:
However, adding the kickstart remediation won't make the rule pass. I have experimentally verified that it won't.
The core problem is that the rule checks that all network interfaces have a zone set to public. The Bash remediation should set that. But, during the installation, the environment is probably different or the Bash remediation isn't executed because it checks if the services are running.
if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)"; then
...
if systemctl is-active NetworkManager && systemctl is-active firewalld; then
SCAP Security Guide Version:
current upstream master branch as of 2024-08-07, HEAD 42c8206
use the generated kickstart for operating system installation of RHEL 9.4
on the installed machine run oscap xccdf eval --profile stig --results-arf arf.xml /usr/share/xml/scap/ssg-rhel9-ds.xml.
Actual Results:
firewalld_sshd_port_enabled: fail
Expected Results:
firewalld_sshd_port_enabled: pass
Additional Information/Debugging Steps:
The remediation report contains this output of the remediation:
Running in chroot, ignoring command 'is-active'
Running in chroot, ignoring command 'is-active'
FirewallD is not running
Running in chroot, ignoring command 'restart'
FirewallD is not running
FirewallD is not running
Operating System Version:
RHEL 9.4
Steps to Reproduce:
oscap xccdf generate fix --fix-type kickstart (using openscap-1.4.0)
oscap xccdf eval --profile stig --results-arf arf.xml /usr/share/xml/scap/ssg-rhel9-ds.xml
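The remediation output quoted in the report can be triaged mechanically after an installation. The following is an added example, not code from the issue or from the project: it counts the two marker strings from that output and lists which systemctl verbs were ignored. The function names and verdict labels are hypothetical.

```sh
#!/bin/sh
# Added example (not from the issue or the project). The two marker strings are
# the ones quoted in the remediation report above; function names are hypothetical.

# Constructed sample: the remediation output quoted in the report.
sample_output() {
cat <<'EOF'
Running in chroot, ignoring command 'is-active'
Running in chroot, ignoring command 'is-active'
FirewallD is not running
Running in chroot, ignoring command 'restart'
FirewallD is not running
FirewallD is not running
EOF
}

# Read remediation output on stdin and print a one-line summary:
#   ignored=<count> verbs=<unique systemctl verbs> firewalld_down=<count> verdict=<...>
# The verdict is a heuristic for triage, not proof of what changed on disk.
triage_remediation_output() {
    awk '
        /^Running in chroot, ignoring command/ {
            ignored++
            split($0, q, "\047")            # \047 is a single quote; q[2] is the verb
            if (!(q[2] in seen)) {
                seen[q[2]] = 1
                verbs = verbs (verbs == "" ? "" : ",") q[2]
            }
        }
        /^FirewallD is not running/ { down++ }
        END {
            if (ignored > 0 && down > 0) verdict = "likely-noop-in-chroot"
            else if (down > 0)           verdict = "firewalld-not-running"
            else if (ignored > 0)        verdict = "systemctl-ignored"
            else                         verdict = "no-markers"
            if (verbs == "") verbs = "-"
            printf "ignored=%d verbs=%s firewalld_down=%d verdict=%s\n", ignored, verbs, down, verdict
        }'
}

sample_output | triage_remediation_output
```

A rule whose remediation output yields `likely-noop-in-chroot` is a candidate for re-running the remediation on the booted system before the next scan.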