Bringing in new SCAP benchmarks from DISA - How to modify?

We are in the process of dressing out a Rocky 9.x system for a project and are trying to get the procedure down for how to modify SCAP benchmarks from DISA for use on Rocky 9.x. In CentOS 7, we were able to do a blanket replace of redhat:enterprise_linux with centos:centos and it worked. We have tried the same using rocky:rocky in place of centos:centos, however it just generates "not applicable" for all tests. Would appreciate any pointers as to what needs to be changed to what, as we will have to modify new content every quarter.

So I don't have a concrete answer I can give you on this, but I can comment on the scap-security-guide that we produce and ship in our distribution. Maybe it will lead you down the right path to figuring out what you need to do (or what we need to change) to make your downloaded guide work.

In the built-in scap-security-guide package there is a DISA STIG. It may not be completely up to date, but there is something there. Now, as Rocky Linux is a derivative of RHEL, the guides generated have specific tests to verify that it is indeed a Rocky Linux system, which will allow RHEL benchmarks to work.

I don’t know if your downloaded guide contains these kinds of checks or not, but it may be worth looking at it.

# oscap info /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml | grep -i disa
                        Title: DISA STIG for Red Hat Enterprise Linux 9
                        Title: DISA STIG with GUI for Red Hat Enterprise Linux 9

# grep rocky:rocky /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml
      <cpe-dict:cpe-item name="cpe:/o:rocky:rocky:9">
      <xccdf-1.2:platform idref="cpe:/o:rocky:rocky:9"/>
            <oval-def:reference ref_id="cpe:/o:rocky:rocky:9" source="CPE"/>
            <oval-def:reference ref_id="cpe:/o:rocky:rocky:8" source="CPE"/>
            <oval-def:reference ref_id="cpe:/o:rocky:rocky:9" source="CPE"/>

# grep rl9 /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml
        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml">oval:ssg-installed_OS_is_rl9:def:1</cpe-dict:check>
              <oval-def:extend_definition comment="Rocky Linux 9 installed" definition_ref="oval:ssg-installed_OS_is_rl9:def:1"/>
        <oval-def:definition id="oval:ssg-installed_OS_is_rl9:def:1" version="2" class="inventory">
            <oval-def:reference ref_id="installed_OS_is_rl9" source="ssg"/>
            <oval-def:criterion comment="OS is Rocky Linux" test_ref="oval:ssg-test_rl9_name:tst:1"/>
            <oval-def:criterion comment="OS version is 9" test_ref="oval:ssg-test_rl9_version:tst:1"/>
        <ind:textfilecontent54_test id="oval:ssg-test_rl9_name:tst:1" version="1" check="all" comment="Check os-release ID" state_operator="AND">
          <ind:object object_ref="oval:ssg-obj_name_rl9:obj:1"/>
          <ind:state state_ref="oval:ssg-state_name_rl9:ste:1"/>
        <ind:textfilecontent54_test id="oval:ssg-test_rl9_version:tst:1" version="1" check="all" comment="Check os-release VERSION_ID" state_operator="AND">
          <ind:object object_ref="oval:ssg-obj_version_rl9:obj:1"/>
          <ind:state state_ref="oval:ssg-state_version_rl9:ste:1"/>
        <ind:textfilecontent54_object id="oval:ssg-obj_name_rl9:obj:1" version="1" comment="Check os-release ID">
        <ind:textfilecontent54_object id="oval:ssg-obj_version_rl9:obj:1" version="1" comment="Check os-release VERSION_ID">
        <ind:textfilecontent54_state id="oval:ssg-state_name_rl9:ste:1" version="1" operator="AND">
        <ind:textfilecontent54_state id="oval:ssg-state_version_rl9:ste:1" version="1" operator="AND">
        <oval-def:definition id="oval:ssg-installed_OS_is_rl9:def:1" version="2" class="inventory">
            <oval-def:criterion comment="OS is Rocky Linux" test_ref="oval:ssg-test_rl9_name:tst:1"/>
            <oval-def:criterion comment="OS version is 9" test_ref="oval:ssg-test_rl9_version:tst:1"/>
        <ind:textfilecontent54_test id="oval:ssg-test_rl9_name:tst:1" version="1" check="all" comment="Check os-release ID" state_operator="AND">
          <ind:object object_ref="oval:ssg-obj_name_rl9:obj:1"/>
          <ind:state state_ref="oval:ssg-state_name_rl9:ste:1"/>
        <ind:textfilecontent54_test id="oval:ssg-test_rl9_version:tst:1" version="1" check="all" comment="Check os-release VERSION_ID" state_operator="AND">
          <ind:object object_ref="oval:ssg-obj_version_rl9:obj:1"/>
          <ind:state state_ref="oval:ssg-state_version_rl9:ste:1"/>
        <ind:textfilecontent54_object id="oval:ssg-obj_name_rl9:obj:1" version="1" comment="Check os-release ID">
        <ind:textfilecontent54_object id="oval:ssg-obj_version_rl9:obj:1" version="1" comment="Check os-release VERSION_ID">
        <ind:textfilecontent54_state id="oval:ssg-state_name_rl9:ste:1" version="1" operator="AND">
        <ind:textfilecontent54_state id="oval:ssg-state_version_rl9:ste:1" version="1" operator="AND">

Thanks, this gives me a leg up on investigating this. It is possible that after 7, RH introduced some of those checks. We started using RHEL for new workstations, so we did not have the requirement to modify the benchmark; however, the project community has decided to use Rocky, so I have to come up with a solution in the next month or so, so that we can get our fleet converted mid-year. I will post anything I find here that I am allowed to.

Thanks again for the pointers. Found the issue. The "not applicable" issue appears to have been an issue in early builds of 8 with the benchmark supplied with Rocky. In the associated discussion (OpenSCAP results notapplicable - Rocky Linux General - Rocky Linux Forum), a user had been able to get it to work by deleting a line which ran a platform idref check. This is one of the lines we had always changed in the past, and had on the failing benchmark. What appears to have changed, at least in 9, is that RHEL includes not only the major version number, as does Rocky, but also the minor version number. Rocky appears only to return the major. Making this additional modification allowed tests to continue.
I am assuming that this may be the case for benchmarks for other distros, but that is beyond my scope. If others find that to be the case, please add to this thread.
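A worked example of the two edits this thread arrives at (swapping the RHEL CPE for the Rocky one, and relaxing the VERSION_ID check so that it needs only the major number), added here as illustration. It is not code from the thread, from DISA, or from scap-security-guide. The XML, the /etc/os-release contents and the regexes are constructed miniatures that mirror the structure visible in the grep output above; the ids, patterns and file paths in a real DISA release will differ and have to be read from that file, and MAJOR_ONLY_PATTERN is an assumed replacement, not DISA's or SSG's pattern.

```python
"""Survey and patch the OS inventory checks in a SCAP/OVAL document.

Added example, not code from the forum thread, DISA, or scap-security-guide.
SAMPLE_XML is a constructed miniature of the structure the grep output above
shows (platform idref, inventory definition, textfilecontent54 objects on
/etc/os-release); real DISA ids, paths and patterns differ.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "xccdf-1.2": "http://checklists.nist.gov/xccdf/1.2",
    "oval-def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "ind": "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent",
}
for _prefix, _uri in NS.items():  # keep the prefixes stable when re-serialising
    ET.register_namespace(_prefix, _uri)

# Constructed sample, not real DISA content.  Its VERSION_ID pattern insists
# on "major.minor", which is the failure mode the last post describes.
SAMPLE_XML = r"""<ds xmlns:xccdf-1.2="{xccdf}" xmlns:oval-def="{oval}" xmlns:ind="{ind}">
  <xccdf-1.2:platform idref="cpe:/o:redhat:enterprise_linux:9"/>
  <oval-def:definition id="oval:example:def:1" version="1" class="inventory">
    <oval-def:criteria operator="AND">
      <oval-def:criterion comment="OS name" test_ref="oval:example:tst:1"/>
      <oval-def:criterion comment="OS version" test_ref="oval:example:tst:2"/>
    </oval-def:criteria>
  </oval-def:definition>
  <ind:textfilecontent54_object id="oval:example:obj:1" version="1">
    <ind:filepath>/etc/os-release</ind:filepath>
    <ind:pattern operation="pattern match">^ID="?(\w+)"?$</ind:pattern>
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>
  <ind:textfilecontent54_object id="oval:example:obj:2" version="1">
    <ind:filepath>/etc/os-release</ind:filepath>
    <ind:pattern operation="pattern match">^VERSION_ID="(\d+)\.(\d+)"$</ind:pattern>
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>
</ds>""".format(xccdf=NS["xccdf-1.2"], oval=NS["oval-def"], ind=NS["ind"])

# Constructed /etc/os-release contents for the two cases the thread discusses.
RHEL_LIKE = 'NAME="Red Hat Enterprise Linux"\nID="rhel"\nVERSION_ID="9.2"\n'
MAJOR_ONLY = 'NAME="Rocky Linux"\nID="rocky"\nVERSION_ID="9"\n'

# Assumed replacement pattern: minor version optional and not captured, so the
# state keeps comparing a single subexpression (the major number).
MAJOR_ONLY_PATTERN = r'^VERSION_ID="(\d+)(?:\.\d+)?"$'


def _tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def platform_refs(xml_text):
    """Every XCCDF <platform idref=...>: the CPE gate that turns a whole
    benchmark into 'notapplicable' when it does not match the host."""
    root = ET.fromstring(xml_text)
    return [p.get("idref") for p in root.iter(_tag("xccdf-1.2", "platform"))]


def os_release_patterns(xml_text):
    """Object id -> regex, for textfilecontent54 objects that read /etc/os-release."""
    root = ET.fromstring(xml_text)
    found = {}
    for obj in root.iter(_tag("ind", "textfilecontent54_object")):
        if obj.findtext("ind:filepath", default="", namespaces=NS) == "/etc/os-release":
            found[obj.get("id")] = obj.findtext("ind:pattern", default="", namespaces=NS)
    return found


def evaluate(pattern, os_release_text):
    """Simplified stand-in for the OVAL evaluator: try the pattern on each line
    and return the capture groups of the first match, or None (no match means
    the inventory criterion fails and the profile is not applicable)."""
    rx = re.compile(pattern)
    for line in os_release_text.splitlines():
        m = rx.match(line)
        if m:
            return m.groups()
    return None


def rewrite_for_rocky(xml_text, version_pattern=MAJOR_ONLY_PATTERN):
    """The two edits the thread converged on: swap the RHEL CPE for the Rocky
    one everywhere, and replace any VERSION_ID pattern with version_pattern."""
    text = xml_text.replace("cpe:/o:redhat:enterprise_linux", "cpe:/o:rocky:rocky")
    root = ET.fromstring(text)
    for obj in root.iter(_tag("ind", "textfilecontent54_object")):
        pat = obj.find("ind:pattern", NS)
        if pat is not None and pat.text and "VERSION_ID" in pat.text:
            pat.text = version_pattern
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    before = os_release_patterns(SAMPLE_XML)["oval:example:obj:2"]
    after_xml = rewrite_for_rocky(SAMPLE_XML)
    after = os_release_patterns(after_xml)["oval:example:obj:2"]
    print("platforms:", platform_refs(SAMPLE_XML), "->", platform_refs(after_xml))
    for name, content in (("RHEL-like", RHEL_LIKE), ("major-only", MAJOR_ONLY)):
        print(f"{name}: original {evaluate(before, content)}  patched {evaluate(after, content)}")
```

To use it on a downloaded benchmark, feed the file's text to `os_release_patterns` first and read the real patterns before deciding what `version_pattern` should be; then run the patched datastream through `oscap xccdf eval` and confirm the rule results are no longer "notapplicable". Note that `ET.tostring` drops XML comments and reflows whitespace, so for a production file diff its output against the original, or carry the same two edits over as a text-level substitution once the exact lines are known.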