Description of problem:
The applicability diff review performed during pre-release stabilization of the 0.1.81 release has shed light on the rule package_rng-tools_installed.
The rule package_rng-tools_installed is part of the RHEL 8 STIG and RHEL 9 STIG profiles; it isn't part of any other profile.
The rule has platform set to system_with_kernel and not runtime_kernel_fips_enabled. That means it should be applicable on systems that aren't in FIPS mode. However, the rule is part of STIG and STIG requires FIPS. Therefore, the rule should be always not applicable if put in STIG, which leads to a question why the rule is part of STIG.
I see 2 possible outcomes:
- either the applicability of the rule is wrong and it shall have different platform
- or it shouldn't be in the profile
Additionally, it's also suspicious that in the stabilization test results the rule package_rng-tools_installed is sometimes evaluated as notapplicable and sometimes is pass. We expect it to be notapplicable always.
- The passes in /hardening/host-os probably can be explained by the fact that we don't get hosts running in FIPS mode.
- passing in /hardening/image-builder/stig seems to be a bug
- passing in /hardening/container/bootc-image-builder/stig also seems to be a bug
SCAP Security Guide Version:
Current stabilization branch as of 2026-05-19 as of HEAD 3af66f7
Operating System Version:
8.10 RHEL-8.10.0-updates-20260517.2
9.2 RHEL-9.2.0-updates-20260517.1
9.4 RHEL-9.4.0-updates-20260517.1
9.6 RHEL-9.6.0-updates-20260517.1
9.8 RHEL-9.8.0-20260409.3
Steps to Reproduce:
- view results for rule package_rng-tools_installed in the stabilization
Actual Results:
mixed pass and not applicable results
Expected Results:
pass and not applicable results clarified (ideally as comment) or rule's platform updated or rule removed
Additional Information/Debugging Steps:
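A triage sketch for the mixed results described above, added here as an example and not part of the original report or the project's code: it pulls the rule's result out of XCCDF results documents and flags runs where the result contradicts the platform expression. The full XCCDF rule id, the per-run FIPS states and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace
# Assumption: full XCCDF id built from the usual ComplianceAsCode prefix.
RULE_ID = "xccdf_org.ssgproject.content_rule_package_rng-tools_installed"

def platform_applies(system_with_kernel, fips_enabled):
    """The rule's platform: system_with_kernel and not runtime_kernel_fips_enabled."""
    return system_with_kernel and not fips_enabled

def rule_result(results_xml, rule_id=RULE_ID):
    """Return the <result> text for rule_id, or None if the rule is absent."""
    root = ET.fromstring(results_xml)
    for rr in root.iterfind(".//x:rule-result", NS):
        if rr.get("idref") == rule_id:
            return rr.findtext("x:result", namespaces=NS)
    return None

def triage(runs):
    """Flag runs whose result contradicts the platform expression."""
    findings = []
    for name, has_kernel, fips, xml_text in runs:
        observed = rule_result(xml_text)
        applicable = platform_applies(has_kernel, fips)
        # An applicable rule must be evaluated; a non-applicable one must not.
        consistent = (observed != "notapplicable") == applicable
        findings.append((name, observed, "ok" if consistent else "MISMATCH"))
    return findings

def _sample(result):
    """Constructed minimal results document, not real scan output."""
    return (f'<Benchmark xmlns="{NS["x"]}"><TestResult id="t">'
            f'<rule-result idref="{RULE_ID}"><result>{result}</result>'
            f'</rule-result></TestResult></Benchmark>')

# Constructed inputs: test name, has kernel, FIPS enabled at scan time, XML.
RUNS = [
    ("/hardening/host-os", True, False, _sample("pass")),
    ("/hardening/image-builder/stig", True, True, _sample("pass")),
    ("/hardening/image-builder/stig", True, True, _sample("notapplicable")),
]

if __name__ == "__main__":
    for name, observed, verdict in triage(RUNS):
        print(f"{name:45} {str(observed):14} {verdict}")
```

The FIPS state passed in for each run has to come from the scanned system itself; the values above are placeholders.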