False Positive finding with `configure_openssl_tls_crypto_policy` on UBI 9 container

[awilmo8]

Description of problem:

• The check xccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy in STIG mode presents a false positive finding if ran on a minimized redhat UBI container that does not have the sudo utility.
• The STIG check runs sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config and expects back the TLS and DTLS protocol versions. If ran on a redhat system without sudo , the command returns bash: sudo: command not found which is returned as a False Positive.
• This can be demonstrated by running the RHEL-9 STIG profile on the Gitlab CNG Base FIPS image

SCAP Security Guide Version:

• Using the packages available in the Ubuntu 24.04 repository

Package: ssg-base
Version: 0.1.71-1
Priority: optional
Section: universe/admin
Source: scap-security-guide
Origin: Ubuntu

Package: ssg-nondebian
Version: 0.1.71-1
Priority: optional
Section: universe/admin
Source: scap-security-guide

Operating System Version:

RHEL 9.5 / UBI 9.5

Steps to Reproduce:

1. Setup OpenSCAP, OpenSCAP-Podman, SSG - relevant bootstrap script
2. Pull the Gitlab CNG Fips container podman pull registry.gitlab.com/gitlab-org/build/cng/gitlab-base:master-fips
3. Run the check - oscap-podman $image xccdf eval --report /tmp/cng-base-stig.html --profile xccdf_org.ssgproject.content_profile_stig /usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml
4. Review the result HTML for "Configure OpenSSL library to use TLS Encryption" and see that it fails
5. run the container, exec into it and run the check manually, both with and without sudo -

• podman run --rm -it $image /bin/bash
• grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config
• sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config

Actual Results:

fail

Expected Results:

pass

Additional Information/Debugging Steps:

[Mab879]

That SSG version is rather old, December 2023. Can you please try using the latest release.