Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rule postfix_prevent_unrestricted_relay fails on STIG profile #9250

Closed
yuumasato opened this issue Jul 28, 2022 · 3 comments
Closed

Rule postfix_prevent_unrestricted_relay fails on STIG profile #9250

yuumasato opened this issue Jul 28, 2022 · 3 comments
Assignees
@matusmarhefka
Labels
productization-issue Issue found in upstream stabilization process. RHEL8 Red Hat Enterprise Linux 8 product related. RHEL9 Red Hat Enterprise Linux 9 product related.

Comments

@yuumasato
Copy link
Member

yuumasato commented Jul 28, 2022
edited
Loading

Description of problem:

During first remediation of STIG profile, rule postfix_prevent_unrestricted_relay is not applicable because postfix is not installed.
During remediation package postfix is installed and the rule starts to fail.

SCAP Security Guide Version:

5caa381

Operating System Version:

RHEL-8

Steps to Reproduce:

  1. Remediate with STIG profile
  2. Verify that rule postfix_prevent_unrestricted_relay is not applicable
  3. Scan with the STIG profile
  4. Verify that rule postfix_prevent_unrestricted_relay fails

Actual Results:

Rule is notapplicable during remediation but results in fail on subsequent scans

Expected Results:

The rule should evaluate to pass.

Additional Information/Debugging Steps:

This is another case of two remediation runs required.
@yuumasato yuumasato added the productization-issue Issue found in upstream stabilization process. label Jul 28, 2022
@jan-cerny jan-cerny added RHEL8 Red Hat Enterprise Linux 8 product related. RHEL9 Red Hat Enterprise Linux 9 product related. labels Aug 9, 2022
@jan-cerny
Copy link
Collaborator

The same problem also appears on RHEL 9.1 with STIG profile:

python3 /tmp/tmp.MYh8tUzM1Q/rpmbuild/BUILD/scap-security-guide-0.1.64/tests/test_suite.py profile --libvirt qemu:///system test_suite_vm --datastream /tmp/ssg-rhel9-ds.xml --xccdf-id scap_org.open-scap_cref_ssg-rhel9-xccdf-1.2.xml --mode online --remediate-using oscap xccdf_org.ssgproject.content_profile_stig

@mildas
Copy link
Contributor

mildas commented Aug 11, 2022

There is no easy fix - must be fixed on scanner side.

@mildas mildas added the blocked Issue that can't be fixed in content. label Aug 11, 2022
@matusmarhefka matusmarhefka mentioned this issue Aug 16, 2022
Open
@matusmarhefka matusmarhefka removed the blocked Issue that can't be fixed in content. label Aug 16, 2022
@matusmarhefka
Copy link
Member

Closing, reported an issue in openscap - OpenSCAP/openscap#1880

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@matusmarhefka matusmarhefka

Labels
productization-issue Issue found in upstream stabilization process. RHEL8 Red Hat Enterprise Linux 8 product related. RHEL9 Red Hat Enterprise Linux 9 product related.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@matusmarhefka @yuumasato @jan-cerny @mildas