content
Security automation content in SCAP, Bash, Ansible, and other formats
#### Share the context
After installing RHEL 8.10 using kickstart with following configuration:
```
%addon org_fedora_oscap
content-type = datastream
content-url = $MY_URL/ssg-rhel8-ds-1.2_0.1.73.xml
datastream-id = scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf.xml
xccdf-id = scap_org.open-scap_cref_ssg-rhel8-xccdf.xml
profile =...
```
The following STIG item https://stigaview.com/products/rhel9/v1r3/RHEL-09-255065/ does not have the "-oCiphers=" parameter, it uses "Cipher " instead. Our rule implementation https://github.com/ComplianceAsCode/content/blob/34011f7d23235aa128edef33c929097e62201433/controls/stig_rhel9.yml#L1880 targets the RHEL8 STIG implementation only (https://stigaview.com/products/rhel8/v1r13/RHEL-08-010291/), the rule needs...
#### Description of problem:
Discovered when trying to remediate an ospp profile Ansible playbook:
```
TASK [Ensure sysctl kernel.unprivileged_bpf_disabled is set] *******************
fatal: [192.168.121.140]: FAILED! => {"changed": false, "msg": "Failed...
```
#### Description of problem:
The rule `root_permissions_syslibrary_files` uses template `file_groupowner`. During automatus.py rule-based test, the template failed the missing_file_test.pass at initial stage. These are two causes:
- /lib/dbus-1.0/dbus-daemon-launch-helper has GID...

Updates upstream OSCAL content
- usnistgov NIST 800-53 from "https://raw.githubusercontent.com/usnistgov/oscal-content/690f517daaf3a6cbb4056d3cde6eae2756765620/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json"
- GSA FedRAMP OSCAL profiles from "https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline_profile.json"

Auto-generated by the [update-oscal](https://github.com/ComplianceAsCode/content/blob/master/.github/workflows/update-oscal.yml) workflow.
#### Description:
- Move the additional packages into Dockerfile
#### Rationale:
- Align with other distro
#### Description:
* Update `require_singleuser_auth` to use drop in files
* Update `require_emergency_target_auth` to use drop in files
#### Rationale:
Help with RPM verify pass.

This commit adds a new CPE platform `bootc`.

Matches:
- bootc (RHEL Image Mode) containers and container images
- running bootc (RHEL Image Mode) systems

Does not match:
- classic...

Many rules currently marked with the `machine` platform should be applicable also to bootable containers. The reason is that often these rules check configuration that should be applied if the...
During the build of bootable container images we can't use OVAL check in rules from the timer_enabled template because the OVAL tests depend on dbus which isn't available in that...