
Rule zipl_bootmap_is_up_to_date fails after OSPP hardening

Open jan-cerny opened this issue 2 years ago • 0 comments

Description of problem:

A test that tests OSPP hardening of a VM fails because rule zipl_bootmap_is_up_to_date fails after a reboot.

SCAP Security Guide Version:

Current upstream as of 2022-08-06, HEAD 61b8f59e05e7a63267e22f3a44ff2b98de822ec0

Operating System Version:

RHEL 9.1, architecture s390x
RHEL 8.7, architecture s390x

Steps to Reproduce:

  1. Harden an s390x system to the OSPP profile: oscap xccdf eval --progress --remediate --profile xccdf_org.ssgproject.content_profile_ospp --report /ospp_remediate_report.html ssg-rhel9-ds.xml (or ssg-rhel8-ds.xml)
  2. Reboot
  3. Scan again: oscap xccdf eval --progress --profile xccdf_org.ssgproject.content_profile_ospp --results ospp-xccdf-results.xml --report ospp.html ssg-rhel9-ds.xml

Actual Results:

Before reboot, the rule zipl_bootmap_is_up_to_date passes but after reboot the rule zipl_bootmap_is_up_to_date fails.

Expected Results:

zipl_bootmap_is_up_to_date passes or surviving a reboot is achieved somehow

Additional Information/Debugging Steps:

no

jan-cerny, Aug 09 '22 08:08
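To spot rules that flip between the two scans in the steps above, the XCCDF results files can be diffed. This is an added example, not part of the original issue or of the SCAP Security Guide project; it assumes the first run was also given a `--results` file, and the embedded XML and the second rule id are constructed samples.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace
PASSING = {"pass", "fixed"}  # "fixed" = remediated during a --remediate run

def rule_results(xml_text):
    """Return {rule id: result} from the last TestResult in an XCCDF results file."""
    root = ET.fromstring(xml_text)
    tests = root.findall(".//x:TestResult", NS)
    if root.tag == "{%s}TestResult" % NS["x"]:
        tests = [root]  # document is a bare TestResult
    if not tests:
        raise ValueError("no XCCDF TestResult element found")
    out = {}
    for rr in tests[-1].findall("x:rule-result", NS):
        result = rr.findtext("x:result", default="unknown", namespaces=NS)
        out[rr.get("idref")] = result.strip()
    return out

def regressions(before, after):
    """Rules that passed in the first scan but no longer pass in the second."""
    return sorted(
        (rule, old, after[rule])
        for rule, old in before.items()
        if old in PASSING and rule in after and after[rule] not in PASSING
    )

def sample(zipl_result):
    """Constructed results document; the second rule id is hypothetical."""
    return f"""<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <TestResult id="xccdf_org.open-scap_testresult_constructed">
    <rule-result idref="xccdf_org.ssgproject.content_rule_zipl_bootmap_is_up_to_date">
      <result>{zipl_result}</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_constructed_unchanged">
      <result>pass</result>
    </rule-result>
  </TestResult>
</Benchmark>"""

BEFORE_REBOOT = sample("pass")  # constructed: state right after remediation
AFTER_REBOOT = sample("fail")   # constructed: state after the reboot

if __name__ == "__main__":
    flipped = regressions(rule_results(BEFORE_REBOOT), rule_results(AFTER_REBOOT))
    for rule, old, new in flipped:
        print(f"{rule}: {old} -> {new}")
```

For real scans, read the two results files from disk and pass their contents to `rule_results`.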

This issue is another manifestation of "remediate twice for rule to pass"; closing.

See https://github.com/OpenSCAP/openscap/issues/1880

yuumasato, Aug 23 '22 12:08