
Test scenario `missing_blacklist.fail.sh` fails for kernel_module_dccp_disabled

Open yuumasato opened this issue 3 years ago • 1 comments

Description of problem:

On RHEL-7, the test scenario missing_blacklist.fail.sh results in pass where fail was expected. On RHEL-9, the test scenario also fails for rule kernel_module_can_disabled.

SCAP Security Guide Version:

stabilization-v0.1.63

Operating System Version:

RHEL-7 (and RHEL-9)

Steps to Reproduce:

  1. python3 tests/test_suite.py rule --libvirt qemu:///session rhel79 --datastream build/ssg-rhel7-ds.xml --dontclean kernel_module_dccp_disabled
ERROR - Script missing_blacklist.fail.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in pass, instead of expected fail during initial stage 
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled'.
INFO - Script comment.fail.sh using profile (all) OK
  2. python3 tests/test_suite.py rule --libvirt qemu:///session rhel9 --datastream build/ssg-rhel9-ds.xml --dontclean --scenarios missing_blacklist.fail.sh kernel_module_can_disabled
ERROR - Script missing_blacklist.fail.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in pass, instead of expected fail during initial stage 
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled'.

Actual Results:

The test scenario missing_blacklist.fail.sh results in pass where fail was expected.

Expected Results:

Additional Information/Debugging Steps:

On RHEL-8 and RHEL9, the test scenario works for a rule like kernel_module_usb-storage_disabled. The test scenarios fail for both Bash and Ansible.

yuumasato avatar Jul 20 '22 11:07 yuumasato

This also happens in OSPP profile on RHEL 9.1.

jan-cerny avatar Aug 09 '22 11:08 jan-cerny

The fix for RHEL 9 is just to remove the rule.

Mab879 avatar Aug 18 '22 12:08 Mab879

Rule kernel_module_bluetooth_disabled also fails with the missing_blacklist.fail.sh test scenario on RHEL9 with the scap-security-guide-0.1.63-4.el9.noarch package:

INFO - xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
ERROR - Script missing_blacklist.fail.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in pass, instead of expected fail during initial stage 
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled'.

matusmarhefka avatar Aug 26 '22 15:08 matusmarhefka

This problem still persists in a productization run on RHEL 9.1 on current upstream as of 2022-08-29, as of HEAD https://github.com/ComplianceAsCode/content/commit/2bcaad252bfc53f65ee54b51f994338fe6359055.

jan-cerny avatar Aug 31 '22 13:08 jan-cerny

This issue is manifesting in the stabilization branch. @Mab879 I think the fix should be added into the release, since there were changes to remediation and OVAL.

yuumasato avatar Sep 28 '22 11:09 yuumasato