From 53761d4dba278243222822f1a00a1ec9ba033891 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 29 Feb 2024 16:15:26 -0500
Subject: [PATCH] FIX: EA installers not downloadable from SOC + fix stg
 logging

Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 salt/stig/enabled.sls         | 21 ++++++++++++---------
 salt/stig/files/sos-oscap.xml |  6 +++---
 2 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/salt/stig/enabled.sls b/salt/stig/enabled.sls
index 1f1a064fd..0f347f8bc 100644
--- a/salt/stig/enabled.sls
+++ b/salt/stig/enabled.sls
@@ -48,15 +48,17 @@ update_stig_profile:
 
 {% if not salt['file.file_exists'](OSCAP_OUTPUT_DIR ~ '/pre-oscap-report.html') %}
 run_initial_scan:
-  module.run:
-  - name: openscap.xccdf
-  - params: 'eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/pre-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/pre-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}'
+  cmd.run:
+    - name: 'oscap xccdf eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/pre-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/pre-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}'
+    - success_retcodes:
+      - 2
 {% endif %}
 
 run_remediate:
-  module.run:
-    - name: openscap.xccdf
-    - params: 'eval --remediate --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/post-oscap-results.xml --report {{ OSCAP_PROFILE_LOCATION }}'
+  cmd.run:
+    - name: 'oscap xccdf eval --remediate --profile {{ OSCAP_PROFILE_NAME }} {{ OSCAP_PROFILE_LOCATION }}'
+    - success_retcodes:
+      - 2
 
 {# OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction #}
 disable_ctrl_alt_del_action:
@@ -82,9 +84,10 @@ remove_nullok_from_system_auth_auth:
     - backup: '.bak'
 
 run_post_scan:
-  module.run:
-    - name: openscap.xccdf
-    - params: 'eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/post-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/post-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}'
+  cmd.run:
+    - name: 'oscap xccdf eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/post-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/post-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}'
+    - success_retcodes:
+      - 2
 
 {%   else %}
 {{sls}}_no_license_detected:
diff --git a/salt/stig/files/sos-oscap.xml b/salt/stig/files/sos-oscap.xml
index 3f78af8c0..6c4c93778 100644
--- a/salt/stig/files/sos-oscap.xml
+++ b/salt/stig/files/sos-oscap.xml
@@ -611,7 +611,7 @@ the release. Additionally, the original security profile has been modified by Se
         <ns5:select idref="xccdf_org.ssgproject.content_rule_account_emergency_expire_date" selected="true" />
         <ns5:select idref="xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth" selected="true" />
         <ns5:select idref="xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth" selected="true" />
-        <ns5:select idref="xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir" selected="true" />
+        <ns5:select idref="xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir" selected="false" />
         <ns5:select idref="xccdf_org.ssgproject.content_rule_account_temp_expire_date" selected="true" />
         <ns5:select idref="xccdf_org.ssgproject.content_rule_account_unique_id" selected="true" />
         <ns5:select idref="xccdf_org.ssgproject.content_rule_accounts_authorized_local_users" selected="true" />
@@ -1007,8 +1007,8 @@ the release. Additionally, the original security profile has been modified by Se
         <ns5:select idref="xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring" selected="true" />
         <ns5:select idref="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" selected="true" />
         <ns5:select idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" selected="true" />
-        <ns5:select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="true" />
-        <ns5:select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="true" />
+        <ns5:select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="false" />
+        <ns5:select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="false" />
         <ns5:select idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" selected="true" />
         <ns5:select idref="xccdf_org.ssgproject.content_rule_service_autofs_disabled" selected="true" />
         <ns5:select idref="xccdf_org.ssgproject.content_rule_service_chronyd_enabled" selected="true" />