Matus Marhefka
## Description of Problem:

Scan on Fedora 32 using `oscap-docker` results in the following:

```
Using Atomic API
Traceback (most recent call last):
  File "/usr/bin/oscap-docker", line 101, in rc = OscapAtomicScan.scan(OS,...
```
When remediating containers for configuration compliance, the output of scan vs. remediation is inconsistent:

```
# atomic scan --remediate --scan_type configuration_compliance --scanner_args \
    profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa \
    registry.access.redhat.com/rhel7:latest
.............
Configure Time Service...
```
When scanning for **configuration compliance** using atomic scan, the user has no easy way to find out which **datastreams** and **profiles** are supported (bundled inside the openscap container image). The...
#### Description:

List of updated rules:

- xwindows_runlevel_target
- xwindows_remove_packages
- wireless_disable_interfaces
- use_pam_wheel_for_su
- usbguard_generate_policy
- tftpd_uses_secure_mode

#### Rationale:

- RHEL9 STIG alignment
Rule `tftpd_uses_secure_mode` needs a new RHEL9 specific OVAL, Bash and Ansible remediations, and update of test scenarios. The rule has changed on RHEL9 and it differs compared to older RHELs,...
#### Description of problem:

There is an issue in the OVAL template (`sshd_oval_check`) with the `missing_parameter_pass=true` and `config_is_distributed=true` options combination. In such a case the OVAL check will not detect wrong value...
### Example of a problem

There are 2 rules in a benchmark:

1. Prevent user from disabling the screen lock (tmux should not be listed in `/etc/shells` file, rule `no_tmux_in_shells`)...
Add option to generate HTML report during openscap remediation (`oscap xccdf eval --remediate ...`) when building a hardened image. The option can be disabled by default, but it would help...
#### Description of problem:

The following rules from PCI-DSS in RHEL8 are missing OCIL:

```
audit_rules_session_events
audit_rules_immutable
chronyd_or_ntpd_specify_multiple_servers
disable_prelink
security_patches_up_to_date
```

#### SCAP Security Guide Version:

upstream master
#### Description of problem: The rule `ensure_redhat_gpgkey_installed` evaluates as notchecked (No candidate or applicable check found) on RHEL-10 which when combined with other gpgcheck rules in SCAP profiles (`gpgcheck_globally_activated`, `gpgcheck_never_disabled`,...