ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

ocp3 test wrong for xccdf_org.ssgproject.content_rule_api_server_secure_port #5857

Open mirogl opened 4 years ago

mirogl commented 4 years ago

Description of problem:

Hi, currently the test for the rule xccdf_org.ssgproject.content_rule_api_server_secure_port in the profile xccdf_org.ssgproject.content_profile_opencis-master in the file ssg-ocp3-ds.xml is wrong, since the rule checks for the existence of

kubernetesMasterConfig: apiServerArguments: secure-port:

see checks:

    <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="secure-port is configured" id="oval:ssg-test_api_server_secure_port:tst:1" version="1">
      <ind:object object_ref="oval:ssg-object_api_server_secure_port:obj:1"/>
      <ind:state state_ref="oval:ssg-state_api_server_secure_port:ste:1"/>
    </ind:textfilecontent54_test>

    <ind:textfilecontent54_state id="oval:ssg-state_api_server_secure_port:ste:1" version="1">
      <ind:subexpression datatype="int" operation="equal">0</ind:subexpression>
    </ind:textfilecontent54_state>

But the setting is only ok, if the port is set to a different value than 0 (regarding the description) - like

kubernetesMasterConfig: apiServerArguments: secure-port:

or is not set at all.

In my environments this value is not set at all - and this is ok. So the check should only check for the existence of

apiServerArguments: secure-port:

if this is the case - the result must be "false"; all other findings should be true

SCAP Security Guide Version:

latest

Operating System Version:

OpenShift 3.11 / RedHat Linux 7.8

Steps to Reproduce:

  1. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_opencis-master --rule xccdf_org.ssgproject.content_rule_api_server_secure_port --results /var/tmp/$(hostname)-hardening-ocp3-report.xml --report /var/tmp/$(hostname)-hardening-ocp3-report.html ssg-ocp3-ds.xml

Actual Results:

true, if apiServerArguments: secure-port:

Expected Results:

false, if apiServerArguments: secure-port:

Additional Information/Debugging Steps:

rmetrich commented 4 years ago

I'm no SCAP specialist, but it's better to enforce the value to be in the configuration file; this prevents issues if for some reason the default changes in future versions.
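Added example, not code from the issue or from the ComplianceAsCode project: a small Python model of the quoted OVAL test (`check_existence="all_exist"` with a state of `equal 0`) placed next to the semantics the reporter describes (0 fails, any other port passes, an absent key passes), with the stricter reading rmetrich suggests (an absent key also fails, so the value must be pinned in the file) as an option. The OVAL object's own regex is not shown in the issue, so the pattern below is an assumption standing in for it, as is the YAML layout of `apiServerArguments` (key followed by a list of quoted strings); the sample configurations are constructed for this example.

```python
import re

# Assumed layout of kubernetesMasterConfig.apiServerArguments.secure-port in an
# OpenShift 3 master-config.yaml: the key followed by a YAML list holding the
# port as a quoted string, either on the next line ('- "8443"') or inline
# ('["8443"]'). The OVAL object's real regex is not in the issue; this pattern
# is an assumption standing in for it. Group 1/2 play the role of the OVAL
# subexpression that the state compares against 0.
SECURE_PORT_RE = re.compile(
    r'^\s*secure-port:[ \t]*(?:'
    r'\[\s*["\']?(?P<inline>\d+)["\']?\s*\]'   # secure-port: ["8443"]
    r'|\n\s*-\s*["\']?(?P<block>\d+)["\']?'    # secure-port:\n  - "8443"
    r')[ \t]*$',
    re.MULTILINE,
)

# Constructed sample configurations (not taken from a real cluster).
CONFIG_UNSET = """\
kubernetesMasterConfig:
  apiServerArguments:
    audit-log-path:
    - "/var/log/openshift-audit.log"
"""
CONFIG_ZERO = """\
kubernetesMasterConfig:
  apiServerArguments:
    secure-port:
    - "0"
"""
CONFIG_BLOCK = """\
kubernetesMasterConfig:
  apiServerArguments:
    secure-port:
    - "8443"
"""
CONFIG_INLINE = """\
kubernetesMasterConfig:
  apiServerArguments:
    secure-port: ["6443"]
"""


def find_secure_port(config_text):
    """Return the configured secure-port as an int, or None if the key is absent."""
    match = SECURE_PORT_RE.search(config_text)
    if match is None:
        return None
    return int(match.group("inline") or match.group("block"))


def original_check(config_text):
    """Semantics of the OVAL test quoted in the issue: check_existence="all_exist"
    plus a state of "equal 0", so the test is true only when secure-port is
    present AND equal to 0."""
    port = find_secure_port(config_text)
    return port is not None and port == 0


def proposed_check(config_text, require_explicit=False):
    """Semantics the reporter describes: a secure-port of 0 fails, any non-zero
    port passes, and an absent key passes. With require_explicit=True (the
    stricter reading from the comment thread) an absent key also fails, so the
    value has to be pinned in the configuration file."""
    port = find_secure_port(config_text)
    if port is None:
        return not require_explicit
    return port != 0


if __name__ == "__main__":
    samples = [("unset", CONFIG_UNSET), ("zero", CONFIG_ZERO),
               ("block 8443", CONFIG_BLOCK), ("inline 6443", CONFIG_INLINE)]
    for label, cfg in samples:
        print(f"{label:12} original={original_check(cfg)!s:5} "
              f"proposed={proposed_check(cfg)!s:5} "
              f"strict={proposed_check(cfg, require_explicit=True)}")
```

Running the block prints one line per sample; the "original" column shows the quoted test is only true for the `secure-port: 0` case, which is the outcome the reporter wants to be false, while the "proposed" and "strict" columns differ only on the unset configuration.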