Description of problem:

This seems like a broken test that should never have worked .. ?

A .pass.sh test is defined in the README as

Success scenario - script is expected to prepare machine in such way that the rule is expected to pass.

But the test does

if ! grep -q ssh_keys /etc/group; then
    groupadd ssh_keys
fi

FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)
chgrp ssh_keys "$FAKE_KEY"

where the rule description says:

SSH server private keys, files that match the /etc/ssh/*_key glob, must be group-owned by root group.

So of course the oscap scan fails, failing the test, when the test intentionally creates a scenario that fails the check (a new ssh_keys group will not have GID 0).

Even when reusing an existing group, the GID is not 0, ie. on RHEL-8 it is 995, on my Fedora it's 999, likely created with groupadd -r / --system.

Attaching ARF in case you'd like to investigate.

SCAP Security Guide Version:

master @ 2edb023

Operating System Version:

RHEL-10

Steps to Reproduce:

1. Run automatus scenarios for file_groupownership_sshd_private_key

Additional Information/Debugging Steps:

• ARF: initial-arf.xml.gz