RHEL 8 OpenSCAP STIG scan diverges from RHEL 8 DISA STIG V2R1 #12801

Open
2 tasks
bdou opened this issue Jan 9, 2025 · 1 comment

Comments


bdou commented Jan 9, 2025

Description of problem:

A system hardened according to the RHEL 8 DISA STIG V2R1 doesn't pass the OpenSCAP scan.

Details:

This content is not aligned with content from Red Hat Enterprise Linux 8 STIG - Ver 2, Rel 1

The misalignment affects these profiles:

  • RHEL 8 STIG
  • RHEL 9 STIG

The misalignment affects these rules:

  • RHEL-08-020220, RHEL-08-020221 ("Limit Password Reuse: password-auth" and "Limit Password Reuse: system-auth") - both these STIG items have been removed from the latest STIG release.
  • RHEL-08-010151, RHEL-09-611200 ("Require Authentication for Single User Mode") - There is a bug in the scanner where it is looking in /etc/systemd/system/rescue.service.d instead of the correct file, /usr/lib/systemd/system/rescue.service.

Outcome:

  • This project's content can be improved:
    • Check needs to be improved.

SCAP Security Guide Version:

0.1.75 - which is supposed to audit according to RHEL 8 STIG V2R1

External Content's Version:

DISA RHEL 8 STIG V2R1

Member

Mab879 commented Jan 10, 2025

Thanks for opening this issue.

I have opened a PR to fix the first issue, see #12805.

I'm not going to change the second point you mentioned for now. I will see about getting this changed to use the method used by this project. Users are not expected to modify files under /usr/lib/. This is not supported and causes issues with things like RPM verify.
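
The following is an added illustration and is not part of either comment, nor code from this project or OpenSCAP. It shows why a check that reads only `/usr/lib/systemd/system/rescue.service` and one that reads only `/etc/systemd/system/rescue.service.d` can disagree about the same host, by computing the `ExecStart=` that results from both. Assumptions: the sample unit text is constructed, the expected command is `systemd-sulogin-shell`, only the two paths named in this thread are read, and the function names are hypothetical.

```python
import tempfile
from pathlib import Path

# Constructed sample unit text; the sulogin command line is an assumption.
SULOGIN = "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue\n"
STOCK = "[Unit]\nDescription=Rescue Shell\n[Service]\n" + SULOGIN
WEAK = "[Service]\nExecStart=\nExecStart=-/bin/sh\n"  # drop-in replacing the command
STRICT = "[Service]\nExecStart=\n" + SULOGIN          # drop-in restating it


def effective_execstart(unit_file, dropin_dir):
    """ExecStart= values left after drop-ins are applied over the unit file."""
    sources = [Path(unit_file)]
    if Path(dropin_dir).is_dir():
        sources += sorted(Path(dropin_dir).glob("*.conf"))  # applied in name order
    commands = []
    for src in filter(Path.is_file, sources):
        section = None
        for line in map(str.strip, src.read_text().splitlines()):
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            key, sep, value = line.partition("=")
            if section == "Service" and sep and key.strip() == "ExecStart":
                # An empty assignment clears every command set so far.
                commands = (commands + [value.strip()]) if value.strip() else []
    return commands


def requires_sulogin(unit_file, dropin_dir):
    """True when every effective ExecStart= command runs a sulogin binary."""
    commands = effective_execstart(unit_file, dropin_dir)
    return bool(commands) and all("sulogin" in c.split()[0] for c in commands)


def demo():
    """Evaluate three constructed hosts: no drop-in, weakening drop-in, strict drop-in."""
    results = {}
    for name, dropin in (("stock", None), ("weakened", WEAK), ("explicit", STRICT)):
        with tempfile.TemporaryDirectory() as root:
            unit = Path(root, "usr/lib/systemd/system/rescue.service")
            ddir = Path(root, "etc/systemd/system/rescue.service.d")
            unit.parent.mkdir(parents=True)
            unit.write_text(STOCK)
            if dropin:
                ddir.mkdir(parents=True)
                (ddir / "10-override.conf").write_text(dropin)
            results[name] = requires_sulogin(unit, ddir)
    return results


if __name__ == "__main__":
    print(demo())
```

The "stock" host has no drop-in, so a drop-in-only check fails it even though sulogin is enforced; the "weakened" host passes a check that reads only the file under `/usr/lib/`.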
