OpenSCAP / openscap

NIST Certified SCAP 1.2 toolkit
https://www.open-scap.org/tools/openscap-base
GNU Lesser General Public License v2.1

Rule 'Enable auditd service' not exhibited in command's output and HTML report #1818

Open Ricky-Tigg opened 3 years ago

Ricky-Tigg commented 3 years ago

Description of Problem:

Rule Enable auditd Service is not exhibited.

OpenSCAP Version: openscap-scanner 1.3.5

Operating System & Version: Fedora; v. 35; Kernel: v.5.14

Preamble

The existence of the involved rule is established by scap-workbench v. 1.2.1. As is noticeable, no status is assigned to the rule, which is an exception and a separate issue, not eligible to this component.

scap-workbench_v 1 2 1_missing_status

Steps to Reproduce in scap-workbench:

  1. Customise the analysis so that it has rule Enable auditd Service selected alone;
  2. Perform the analysis as a dry run, then copy the generated command to the clipboard.
  3. Perform the analysis.

Steps to Reproduce in terminal:

Execute the copied command.

$ oscap xccdf eval --datastream-id scap_org.open-scap_datastream_from_xccdf_ssg-fedora-xccdf-1.2.xml \
--xccdf-id scap_org.open-scap_cref_ssg-fedora-xccdf-1.2.xml \
--tailoring-file /tmp/scap-workbench-CIyDdK \
--profile xccdf_org.ssgproject.content_profile_ospp_customized \
--oval-results --results /tmp/xccdf-results.xml \
--results-arf /tmp/arf.xml \
--report /tmp/report.html /tmp/scap-workbench-WuoPbE/ssg-fedora-ds.xml
$

Actual Results:

  1. The output is empty which indicates that the rule was not detected.
  2. The HTML report with default settings has no mention of such a rule.

Expected Results:

That rule to be present both in terminal, in command's output, and HTML report.

ggbecker commented 3 years ago

This rule requires package_audit_installed to be selected as well. The OpenSCAP output is not clear on the interdependence between rules and this is something we have thought about and should be improved in the future.

Try selecting that rule as well and see if there is the correct output.
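
An illustration of the rule interdependence described in the comment above, added here and not part of the thread or of OpenSCAP's own code: a Python check that lists the selected rules whose prerequisite rules are not selected in a given profile. It assumes the dependency is expressed with the XCCDF 1.2 `<requires idref="...">` element; the benchmark, the profile ids and the `service_auditd_enabled` rule id are a constructed sample, and Group-level selection is ignored.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
P = "xccdf_org.ssgproject.content_"

# Constructed sample (minimal, not schema-complete); <requires> usage is an assumption.
SAMPLE = f"""<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Profile id="{P}profile_only_service">
    <select idref="{P}rule_service_auditd_enabled" selected="true"/>
  </Profile>
  <Profile id="{P}profile_both">
    <select idref="{P}rule_service_auditd_enabled" selected="true"/>
    <select idref="{P}rule_package_audit_installed" selected="true"/>
  </Profile>
  <Rule id="{P}rule_package_audit_installed" selected="false"/>
  <Rule id="{P}rule_service_auditd_enabled" selected="false">
    <requires idref="{P}rule_package_audit_installed"/>
  </Rule>
</Benchmark>"""

def selected_rules(root, profile_id):
    """Rule ids that are selected once the profile's <select> elements are applied."""
    state = {r.get("id"): r.get("selected", "true") in ("true", "1")
             for r in root.iterfind(".//x:Rule", NS)}
    profile = root.find(f"x:Profile[@id='{profile_id}']", NS)
    for sel in profile.iterfind("x:select", NS):
        if sel.get("idref") in state:
            state[sel.get("idref")] = sel.get("selected") in ("true", "1")
    return {rid for rid, on in state.items() if on}

def unmet_requires(xml_text, profile_id):
    """Map each selected rule to the <requires> lists that no selected rule satisfies."""
    root = ET.fromstring(xml_text)
    chosen = selected_rules(root, profile_id)
    report = {}
    for rule in root.iterfind(".//x:Rule", NS):
        if rule.get("id") not in chosen:
            continue
        # One <requires> holds alternatives (any one suffices); every <requires> must hold.
        missing = [req.get("idref").split() for req in rule.iterfind("x:requires", NS)
                   if not set(req.get("idref").split()) & chosen]
        if missing:
            report[rule.get("id")] = missing
    return report

if __name__ == "__main__":
    for pid in ("profile_only_service", "profile_both"):
        print(pid, unmet_requires(SAMPLE, P + pid))
```
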

Ricky-Tigg commented 3 years ago

I supposed the output was empty due to the missing mention of status. I omitted to mention a relevant observation: that mention is missing, while the combinations of rules are as follows:

Strangely, while that new combination of rules applies, the mention of status is exhibited. The inconsistency of this exhibition may be due to the existence of rules in the code governing it that are contradictory.

scap-workbench_v 1 2 1_status_present

Indeed, that description lacks relevant information in regard to the rule required.

scap-workbench_v 1 2 1_description