Applying remediations after full scan causes dependency problems between related rules #1880

matusmarhefka · 2022-08-16T14:37:32Z

Example of a problem

There are 2 rules in a benchmark:

Prevent user from disabling the screen lock (tmux should not be listed in /etc/shells file, rule no_tmux_in_shells)
Install the tmux package (rule package_tmux_installed)

The tmux package is not installed by default, therefore result of remediation will be:
1: pass
2: fixed

But additional scan of the system will result in:
1: fail
2: pass
This is because the remediation of the rule package_tmux_installed will add tmux into the /etc/shells file which will make the rule no_tmux_in_shells fail.

There are many more such cases (and slowly they are increasing in count), e.g.:
ComplianceAsCode/content#8913
ComplianceAsCode/content#8487
ComplianceAsCode/content#9132
ComplianceAsCode/content#9250

Currently, the only workaround is to run the remediation once more which should fix those dependent rules.
The issue can be solved by applying a remediation after scanning each rule which would solve the issue if rules are properly orderend in a benchmark (e.g. rules about package installation/removal are sorted first in the benchmark).

The text was updated successfully, but these errors were encountered:

yuumasato mentioned this issue Aug 23, 2022

Rule zipl_bootmap_is_up_to_date fails after OSPP hardening ComplianceAsCode/content#9312

Closed

marcusburghardt mentioned this issue Mar 3, 2023

Rule password_set_min|max_life_existing failing ComplianceAsCode/content#8144

Closed

mildas mentioned this issue May 31, 2023

Rule zipl_bootmap_is_up_to_date fails to remediate ComplianceAsCode/content#10654

Closed

marcusburghardt mentioned this issue Jun 12, 2023

Rule accounts_password_pam_retry fails ComplianceAsCode/content#10665

Closed

This was referenced Jul 26, 2023

SLE Service timesyncd configured rule ComplianceAsCode/content#10670

Merged

Rule service_rpcbind_disabled is failing after CIS workstation L2 kickstart installation ComplianceAsCode/content#10901

Closed

marcusburghardt mentioned this issue Aug 22, 2023

fix for rpm_verify_permissions invalidates file_permissions_grub2_cfg ComplianceAsCode/content#2892

Closed

mildas mentioned this issue Aug 28, 2023

configure_tmux_lock_* rules result in notaplicable -> fail ComplianceAsCode/content#11031

Closed

marcusburghardt mentioned this issue Sep 4, 2023

Dependent rules to be selected together for successful remediation ComplianceAsCode/content#2556

Closed

mildas mentioned this issue Feb 12, 2024

Rule configure_bashrc_tmux fails after hardening/installation ComplianceAsCode/content#11569

Closed

comps mentioned this issue Jul 24, 2024

Introduce ability to generate kickstarts #2136

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Applying remediations after full scan causes dependency problems between related rules #1880

Applying remediations after full scan causes dependency problems between related rules #1880

matusmarhefka commented Aug 16, 2022

Applying remediations after full scan causes dependency problems between related rules #1880

Applying remediations after full scan causes dependency problems between related rules #1880

Comments

matusmarhefka commented Aug 16, 2022

Example of a problem