Bug 1216088

Summary: Public Cloud Hardened image fail SCAP test
Product: [openSUSE] PUBLIC SUSE Linux Enterprise Server 15 SP5 Reporter: Ricardo Branco <rbranco>
Component: Security CertificationsAssignee: Certification Bugs <certification-bugs>
Status: REOPENED --- QA Contact:
Severity: Normal    
Priority: P5 - None CC: felice.maccaro, meissner, pdostal, rjschwei
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://openqa.suse.de/tests/12441894/modules/hardened/steps/23
Whiteboard: SCAP
Found By: openQA Services Priority:
Business Priority: Blocker: Yes
Marketing QA Status: --- IT Deployment: ---
Attachments: SCAP report

Description Ricardo Branco 2023-10-10 10:22:10 UTC 
Created attachment 870036 [details]
SCAP report

Version: sle-15-SP5-Azure-BYOS-Hardened-Incidents-x86_64-Build:30957:

Steps to reproduce:
curl -o- https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15.xml.gz | gunzip -c > oscap/suse.linux.enterprise.15.xml
sudo oscap xccdf eval --report report.html --local-files oscap/ --profile pcs-hardening /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml

Attached report.html available at:
https://openqa.suse.de/tests/12441894/file/hardened-report.html

Failures:
- Set Existing Passwords Maximum Age
- Set Existing Passwords Minimum Age
- Disable SSH Root Login
- Disable SSH TCP Forwarding
Comment 1 Marcus Meissner 2023-10-10 11:00:03 UTC 
please use component "Security Certifications" for SCAP related issues.
Comment 2 Marcus Meissner 2023-10-10 15:32:57 UTC 
or perhaps for public cloud team actually. Robert, who takes care of hardened images?
Comment 3 Robert Schweikert 2023-10-10 16:48:22 UTC 
This is testing for rules that we do not apply in the Public Cloud images, failure should be expected.
Comment 4 Ricardo Branco 2023-10-10 18:26:24 UTC 
(In reply to Robert Schweikert from comment #3)
> This is testing for rules that we do not apply in the Public Cloud images,
> failure should be expected.

Who is in charge of the Public Cloud Hardened Images?

Why the same command works in the suse.sles-15-sp5-hardened-byos-gen2-20231010194250 in Azure?

Seems like a regression to me that should be explained.
Comment 5 Ricardo Branco 2024-05-14 17:38:05 UTC 
Not seen in latest 15-SP6 GCE image:
https://openqa.suse.de/tests/14299882/file/img_proof-report.html