content icon indicating copy to clipboard operation
content copied to clipboard
verified publisher icon ComplianceAsCode

Rule postfix_prevent_unrestricted_relay fails on STIG profile

Open yuumasato opened this issue 3 years ago • 1 comments

Description of problem:

During first remediation of STIG profile, rule postfix_prevent_unrestricted_relay is not applicable because postfix is not installed. During remediation package postfix is installed and the rule starts to fail.

SCAP Security Guide Version:

5caa381157e979f65cba48f5561beab8fa84c75d

Operating System Version:

RHEL-8

Steps to Reproduce:

  1. Remediate with STIG profile
  2. Verify that rule postfix_prevent_unrestricted_relay is not applicable
  3. Scan with the STIG profile
  4. Verify that rule postfix_prevent_unrestricted_relay fails

Actual Results:

Rule is notapplicable during remediation but results in fail on subsequent scans

Expected Results:

The rule should evaluate to pass.

Additional Information/Debugging Steps:

This is another case of two remediation runs required.

yuumasato avatar Jul 28 '22 08:07 yuumasato

The same problem also appears on RHEL 9.1 with STIG profile:

python3 /tmp/tmp.MYh8tUzM1Q/rpmbuild/BUILD/scap-security-guide-0.1.64/tests/test_suite.py profile --libvirt qemu:///system test_suite_vm --datastream /tmp/ssg-rhel9-ds.xml --xccdf-id scap_org.open-scap_cref_ssg-rhel9-xccdf-1.2.xml --mode online --remediate-using oscap xccdf_org.ssgproject.content_profile_stig

jan-cerny avatar Aug 10 '22 06:08 jan-cerny

There is no easy fix - must be fixed on scanner side.

mildas avatar Aug 11 '22 15:08 mildas

Closing, reported an issue in openscap - https://github.com/OpenSCAP/openscap/issues/1880

matusmarhefka avatar Aug 16 '22 14:08 matusmarhefka