Rule enable_gpgcheck_for_all_repositories fails on RHEL8 (Anaconda installation)

Open ggbecker opened this issue 10 months ago • 2 comments

Description of problem:

Failing tests:

/hardening/anaconda/with-gui/stig_gui/enable_gpgcheck_for_all_repositories
/hardening/anaconda/stig/enable_gpgcheck_for_all_repositories

SCAP Security Guide Version:

5049fed40d7ce809830b4fe9ceea76c7f59a4d35

Operating System Version:

RHEL8

Actual Results:

Rule failing after system installation

Expected Results:

Rule pass after system installation

Additional Information/Debugging Steps:

I believe this is caused by the testing environment (internal one) setting up repositories after the system gets remediated through the Anaconda remediation phase.

If that is really the case then this issue should be simply waived by the testing code.

ggbecker, Mar 13 '25 13:03

This is probably not the test environment.

It happened in a nested VM (it is not host-os), and that's governed currently by https://github.com/RHSecurityCompliance/contest/blob/5f8ddf031e2ac42c0c67e9f2ee3b53fe9c7b7488/lib/virt.py#L317-L321 , which basically copies all DNF repo key=values from the host.

And we always modify a Beaker system (VM host here) to have gpgcheck=1.
(Plus we haven't touched this code in many months.)

So either something broke in Beaker (fairly unlikely), or this is a content regression.

comps, Mar 13 '25 14:03

There is a related new https://github.com/ComplianceAsCode/content/pull/13156 , so it may be test env related if the rule does some more extensive checking than gpgcheck=1 for /etc/yum.repos.d/*.

comps, Mar 13 '25 14:03
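
A triage helper for the question raised in this thread, added here as an example and not part of the issue or of the contest or ComplianceAsCode code: it lists every repo section in a directory of `.repo` files whose gpgcheck is not enabled, which shows whether a repository set up after remediation is what the scan sees. The function names and sample files are constructed, and treating an unset gpgcheck as a finding is an assumption of this example, not the rule's own check logic.

```python
import configparser
import tempfile
from pathlib import Path

# Boolean spellings DNF accepts as "true" (compared case-insensitively).
TRUTHY = {"1", "yes", "true", "on"}

def audit_repo_dir(repo_dir):
    """Return (file, section, reason) tuples for repos without gpgcheck enabled."""
    findings = []
    for path in sorted(Path(repo_dir).glob("*.repo")):
        # interpolation=None: repo values may contain '%'; strict=False: tolerate duplicates.
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        try:
            parser.read_string(path.read_text(), source=str(path))
        except configparser.Error as exc:
            findings.append((path.name, "-", f"unparsable: {type(exc).__name__}"))
            continue
        for section in parser.sections():
            value = parser.get(section, "gpgcheck", fallback=None)
            if value is None:
                # Assumption of this example: only repo files are inspected, so an
                # unset key is reported instead of being resolved against dnf.conf.
                findings.append((path.name, section, "gpgcheck not set"))
            elif value.strip().lower() not in TRUTHY:
                findings.append((path.name, section, f"gpgcheck={value.strip()}"))
    return findings

def demo():
    """Run the audit over constructed sample .repo files."""
    samples = {
        "host-copied.repo": "[baseos]\nname=BaseOS\n"
                            "baseurl=http://example.invalid/$releasever/baseos\ngpgcheck=1\n",
        "late-added.repo": "[extras]\nname=Extras\ngpgcheck = 0\n\n"
                           "[tools]\nname=Tools\nenabled=1\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body)
        return audit_repo_dir(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

Pointing `audit_repo_dir` at `/etc/yum.repos.d` on the installed guest gives the per-repo view to compare against the scan result.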