
Rule `ensure_pam_wheel_group_empty` is failing in `anaconda-ostree` and `bootc-image-builder` tests

Open evgenyz opened this issue 7 months ago • 1 comments

Description of problem:

The rule is failing in Image Mode

SCAP Security Guide Version:

95222edc12b4689c6d72115ddc748281427e895e

Operating System Version:

RHEL10, RHEL9

Steps to Reproduce:

  1. Run productization test (e.g. /hardening/container/anaconda-ostree/cis_server_l1/ensure_pam_wheel_group_empty)

Actual Results:

Rule fails

Expected Results:

No failures

Additional Information/Debugging Steps:

results-arf.zip

evgenyz avatar Jun 09 '25 07:06 evgenyz

This issue is similar to https://github.com/ComplianceAsCode/content/issues/13552. The problem is that during the remediation the groupadd command isn't found and isn't executed by the remediation. This issue is caused by a bug in OpenSCAP and has been reported in OpenSCAP in https://github.com/OpenSCAP/openscap/issues/2242.

jan-cerny avatar Jun 16 '25 08:06 jan-cerny

This issue has been fixed or worked around by https://github.com/ComplianceAsCode/content/pull/13645. As of 2025-07-14, the issue doesn't appear in daily productization. Also, I can't reproduce it locally using autocontest. I used current upstream master as of HEAD https://github.com/ComplianceAsCode/content/commit/f78aeca318c7ddfd3f941cec021b0b744b6cf7b3. In the HTML report the rule passes both on RHEL 9 and 10.

jan-cerny avatar Jul 14 '25 14:07 jan-cerny