auditd_audispd_configure_sufficiently_large_partition reports unknown after #11816 #11891
Comments
A straightforward idea (thanks to @jan-cerny) is to define the version
Here is the changelog I found about OVAL 5.11.2
And this is the relevant issue:
These issues not relevant to
Analyzing the changelog I didn't find any obvious negative impact in our content if we set the version from
The OVAL 5.11.2 is stable and was released on 2016-11-30 and is the current version.
It seems the OVAL condition was introduced by a050df5, in 2021.
Description of problem:
After the removal of a condition based on the OVAL version in auditd_audispd_configure_sufficiently_large_partition it started to report unknown result:
SCAP Security Guide Version:
master branch as of 2024-04-25
Operating System Version:
RHEL 9 and RHEL 8
Steps to Reproduce:
2.1. scp build/ssg-rhel9-ds.xml root@rhel9:
3.1 oscap xccdf eval --profile stig --rule xccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition --results-arf /tmp/arf.xml --report /tmp/report.html --oval-results ssg-rhel9-ds.xml
Actual Results:
Expected Results:
Pass or Fail based on the partition size.
Additional Information/Debugging Steps:
Investigating the OVAL and some ARF files, an issue was noticed with the OVAL objects in this rule.
However, when I tried to fix the issue I identified another problem that blocked me from refactoring the OVAL.
To properly calculate the partition size it is necessary to collect the total_space and block_size properties as specified in OVAL documentation:
However, the partition_probe in OpenSCAP has a condition to collect the block_size properly:
The condition was introduced by OpenSCAP/openscap@683ed8c
I didn't find more context about this condition.
I didn't find an alternative to get the partition size without this block_size property. I am open to ideas.
So, we should first consider if we can update this on the scanner side. Otherwise, we should revert the condition removed by #11816 to avoid this issue.
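A check that could be run over the ARF file written by the reproduction command above, so that a rule silently turning `unknown` fails a CI job instead of going unnoticed. This is an added example, not part of the original issue or of the project's code; it assumes XCCDF 1.2 results, the function names are hypothetical, and the embedded XML is a constructed sample.

```python
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
# Results that mean the scanner could not reach a pass/fail verdict.
INCONCLUSIVE = {"unknown", "error", "missing"}

# Constructed sample: minimal fragment shaped like the TestResult inside an ARF file.
SAMPLE_ARF = """<?xml version="1.0"?>
<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1">
  <arf:reports><arf:report id="xccdf1"><arf:content>
    <TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="constructed_testresult">
      <rule-result idref="xccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition">
        <result>unknown</result>
      </rule-result>
      <rule-result idref="xccdf_org.ssgproject.content_rule_constructed_example">
        <result>pass</result>
      </rule-result>
    </TestResult>
  </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>
"""


def rule_results(arf_xml):
    """Map rule id -> result string for every XCCDF rule-result in the document."""
    root = ET.fromstring(arf_xml)
    results = {}
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        res = rr.find(f"{{{XCCDF_NS}}}result")
        has_text = res is not None and res.text
        # A rule-result without a <result> child is treated as inconclusive too.
        results[rr.get("idref")] = res.text.strip() if has_text else "missing"
    return results


def inconclusive_rules(arf_xml):
    """Return the sorted ids of rules the scanner could not decide."""
    return sorted(r for r, v in rule_results(arf_xml).items() if v in INCONCLUSIVE)


if __name__ == "__main__":
    # Usage: script.py /tmp/arf.xml  (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_ARF
    bad = inconclusive_rules(data)
    for rule in bad:
        print(f"inconclusive: {rule}")
    sys.exit(1 if bad else 0)
```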