
Rule 'Enable auditd service' not exhibited in command's output and HTML report

Open Ricky-Tigg opened this issue 4 years ago • 2 comments

Description of Problem:

Rule Enable auditd Service is not exhibited.

OpenSCAP Version: openscap-scanner 1.3.5

Operating System & Version: Fedora; v. 35; Kernel: v.5.14

Preamble

The existence of the involved rule is established by scap-workbench v. 1.2.1. As is noticeable, no status is assigned to the rule, which is an exception and a separate issue, not eligible to this component.

[Image: scap-workbench_v 1 2 1_missing_status]

Steps to Reproduce in scap-workbench:

  1. Customise the analysis so that it has rule Enable auditd Service selected alone;
  2. Perform the analysis as dry run then copy the generated command to clipboard.
  3. Perform the analysis.

Steps to Reproduce in terminal:

Execute the copied command.

$ oscap xccdf eval --datastream-id scap_org.open-scap_datastream_from_xccdf_ssg-fedora-xccdf-1.2.xml \
--xccdf-id scap_org.open-scap_cref_ssg-fedora-xccdf-1.2.xml \
--tailoring-file /tmp/scap-workbench-CIyDdK \
--profile xccdf_org.ssgproject.content_profile_ospp_customized \
--oval-results --results /tmp/xccdf-results.xml \
--results-arf /tmp/arf.xml \
--report /tmp/report.html /tmp/scap-workbench-WuoPbE/ssg-fedora-ds.xml
$

Actual Results:

  1. The output is empty, which indicates that the rule was not detected.
  2. The HTML report with default settings has no mention of such rule.

Expected Results:

That rule to be present both in terminal, in command's output, and HTML report.

Ricky-Tigg avatar Oct 20 '21 12:10 Ricky-Tigg

This rule requires package_audit_installed to be selected as well. The OpenSCAP output is not clear on the interdependence between rules and this is something we have thought about and should be improved in the future.

Try selecting that rule as well and see if there is the correct output.

ggbecker avatar Oct 20 '21 12:10 ggbecker
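The rule interdependence described in the comment above, as an added example that is not part of the original thread or of OpenSCAP: a check that lists selected rules whose dependencies are not selected in a given profile. It assumes the dependency is expressed with the XCCDF 1.2 `<requires>` element; the benchmark, the `xccdf_org.example_*` ids and the function names are constructed for illustration, and group-level selection and tailoring files are not handled.

```python
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF}

# Constructed sample, not the real ssg-fedora content. Assumption: the
# dependency is expressed with an XCCDF <requires> element.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <Profile id="xccdf_org.example_profile_auditd_only">
    <select idref="xccdf_org.example_rule_service_auditd_enabled" selected="true"/>
  </Profile>
  <Profile id="xccdf_org.example_profile_both">
    <select idref="xccdf_org.example_rule_service_auditd_enabled" selected="true"/>
    <select idref="xccdf_org.example_rule_package_audit_installed" selected="true"/>
  </Profile>
  <Rule id="xccdf_org.example_rule_package_audit_installed" selected="false"/>
  <Rule id="xccdf_org.example_rule_service_auditd_enabled" selected="false">
    <requires idref="xccdf_org.example_rule_package_audit_installed"/>
  </Rule>
</Benchmark>"""
ROOT = ET.fromstring(SAMPLE)

def selected_items(root, profile_id):
    """Ids left selected once the profile's <select> elements are applied."""
    state = {r.get("id"): r.get("selected", "true") in ("true", "1")
             for r in root.iter(f"{{{XCCDF}}}Rule")}
    profile = next(p for p in root.iter(f"{{{XCCDF}}}Profile")
                   if p.get("id") == profile_id)
    for sel in profile.findall("x:select", NS):
        state[sel.get("idref")] = sel.get("selected") in ("true", "1")
    return {item for item, on in state.items() if on}

def unmet_requires(root, profile_id):
    """Map each selected rule to its <requires> lists that nothing satisfies."""
    chosen = selected_items(root, profile_id)
    unmet = {}
    for rule in root.iter(f"{{{XCCDF}}}Rule"):
        if rule.get("id") not in chosen:
            continue
        # Several <requires> are ANDed; ids inside one idref are alternatives.
        missing = [req.get("idref", "").split()
                   for req in rule.findall("x:requires", NS)
                   if not chosen & set(req.get("idref", "").split())]
        if missing:
            unmet[rule.get("id")] = missing
    return unmet

if __name__ == "__main__":
    for pid in ("xccdf_org.example_profile_auditd_only", "xccdf_org.example_profile_both"):
        print(pid, unmet_requires(ROOT, pid) or "all requires satisfied")
```

A rule reported here is one a scanner would treat as not selected, which is why a hardening check such as the auditd one can vanish from the results instead of showing as failed.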

I supposed the output was empty due to the missing mention of status. I omitted to mention a relevant observation: that mention is missing, while the combinations of rules are as follows:

  • all rules selected, therefore including package_audit_installed;
  • service_auditd_enabled selected alone.

Strangely, while that new combination of rules applies, the mention of status is exhibited. The inconsistency of this exhibition may be due to the existence of rules in the code governing it that are contradictory.

[Image: scap-workbench_v 1 2 1_status_present]

Indeed, that description lacks relevant information in regard to the rule required.

[Image: scap-workbench_v 1 2 1_description]

Ricky-Tigg avatar Oct 20 '21 15:10 Ricky-Tigg