1216088 – Public Cloud Hardened image fail SCAP test

Bug 1216088 - Public Cloud Hardened image fail SCAP test

Summary: Public Cloud Hardened image fail SCAP test

Status:	REOPENED

Alias:	None

Product:	PUBLIC SUSE Linux Enterprise Server 15 SP5
Classification:	openSUSE
Component:	Security Certifications (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P5 - None Severity: Normal
Target Milestone:	---
Assignee:	Certification Bugs
QA Contact:

URL:	https://openqa.suse.de/tests/12441894...
Whiteboard:	SCAP
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-10-10 10:22 UTC by Ricardo Branco
Modified:	2024-05-14 17:38 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	openQA
Services Priority:
Business Priority:
Blocker:	Yes
Marketing QA Status:	---
IT Deployment:	---

Attachments
SCAP report (3.22 MB, text/html) 2023-10-10 10:22 UTC, Ricardo Branco	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ricardo Branco 2023-10-10 10:22:10 UTC

Created attachment 870036 [details]
SCAP report

Version: sle-15-SP5-Azure-BYOS-Hardened-Incidents-x86_64-Build:30957:

Steps to reproduce:
curl -o- https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15.xml.gz | gunzip -c > oscap/suse.linux.enterprise.15.xml
sudo oscap xccdf eval --report report.html --local-files oscap/ --profile pcs-hardening /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml

Attached report.html available at:
https://openqa.suse.de/tests/12441894/file/hardened-report.html

Failures:
- Set Existing Passwords Maximum Age
- Set Existing Passwords Minimum Age
- Disable SSH Root Login
- Disable SSH TCP Forwarding

Comment 1 Marcus Meissner 2023-10-10 11:00:03 UTC

please use component "Security Certifications" for SCAP related issues.

Comment 2 Marcus Meissner 2023-10-10 15:32:57 UTC

or perhaps for public cloud team actually. Robert, who takes care of hardened images?

Comment 3 Robert Schweikert 2023-10-10 16:48:22 UTC

This is testing for rules that we do not apply in the Public Cloud images, failure should be expected.

Comment 4 Ricardo Branco 2023-10-10 18:26:24 UTC

(In reply to Robert Schweikert from comment #3)
> This is testing for rules that we do not apply in the Public Cloud images,
> failure should be expected.

Who is in charge of the Public Cloud Hardened Images?

Why the same command works in the suse.sles-15-sp5-hardened-byos-gen2-20231010194250 in Azure?

Seems like a regression to me that should be explained.

Comment 5 Ricardo Branco 2024-05-14 17:38:05 UTC

Not seen in latest 15-SP6 GCE image:
https://openqa.suse.de/tests/14299882/file/img_proof-report.html