OpenSCAP results notapplicable

OpenSCAP doesn’t seem to be completely working out of the box.

dnf install openscap scap-security-guide -y

I wanted to use the following profile, xccdf_org.ssgproject.content_profile_cui that was found using this command.

oscap info /usr/share/xml/scap/ssg/content/ssg-rl8-ds-1.2.xml

Ran this command for scan results.

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cui /usr/share/xml/scap/ssg/content/ssg-rl8-ds-1.2.xml

All results came back as notapplicable.
Example:

Title   Disable KDump Kernel Crash Analyzer (kdump)
Rule    xccdf_org.ssgproject.content_rule_service_kdump_disabled
Result  notapplicable

To get around this I removed the following line 75342 from /usr/share/xml/scap/ssg/content/ssg-rl8-ds-1.2.xml
<xccdf-1.2:platform idref="cpe:/o:rocky:rocky:8"/> and the expected pass/fail results were returned.

Example:

Title   Disable KDump Kernel Crash Analyzer (kdump)
Rule    xccdf_org.ssgproject.content_rule_service_kdump_disabled
Result  fail

Tested on the latest Rocky Linux release 8.4 (Green Obsidian) GA

Is this a bug or am I missing something?
Thank you.

Hi,
I’ve got the exact same problem.
I realized it when I ran the command to get a report after applying a profile with anaconda.
This leads to a huge problem of false confidence (IMO), not sure how I can help (at least I’ll post a workaround if I find one).
Matthieu
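An added example, not part of any post in this thread: a small checker that reads `oscap xccdf eval` output in the Title/Rule/Result layout quoted above and refuses to treat a scan as clean when no rule was actually evaluated, which is the false-confidence case described here. The sample text and the second rule id are constructed; the verdict names are this example's own.

```python
import re
import sys
from collections import Counter

# Constructed sample in the Title/Rule/Result layout quoted in the thread.
SAMPLE_ALL_NA = """\
Title   Disable KDump Kernel Crash Analyzer (kdump)
Rule    xccdf_org.ssgproject.content_rule_service_kdump_disabled
Result  notapplicable

Title   Constructed second rule
Rule    xccdf_org.ssgproject.content_rule_constructed_example
Result  notapplicable
"""
# Same sample with the first rule actually evaluated (constructed).
SAMPLE_MIXED = SAMPLE_ALL_NA.replace("Result  notapplicable", "Result  fail", 1)

FIELD = re.compile(r"^(Title|Rule|Result)\s+(.*\S)\s*$")
EVALUATED = {"pass", "fail", "error", "unknown", "fixed"}  # rule was really checked
FINDINGS = {"fail", "error", "unknown"}                    # needs attention

def parse_results(text):
    """Return (rule_id, result) pairs from oscap stdout."""
    pairs, rule = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Rule":
            rule = value
        elif key == "Result" and rule is not None:
            pairs.append((rule, value))
            rule = None
    return pairs

def assess(text):
    """Return (verdict, counts); never report 'clean' if nothing was evaluated."""
    counts = Counter(result for _, result in parse_results(text))
    if not counts:
        return "no-results", counts
    if not any(counts[r] for r in EVALUATED):
        return "nothing-evaluated", counts  # e.g. every rule notapplicable
    if any(counts[r] for r in FINDINGS):
        return "findings", counts
    return "clean", counts

if __name__ == "__main__":
    verdict, counts = assess(sys.stdin.read())
    print(verdict, dict(counts))
    sys.exit(0 if verdict == "clean" else 2)
```

Pipe the scan output into the script; any verdict other than `clean` exits non-zero, so an all-notapplicable run cannot pass silently in automation.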

Hello all
I am really interested in any update regarding oscap for Rocky Linux.
Has anybody been able to run a standard scan for Rocky Linux similar to CentOS?
I would like to migrate and enable that all new VMs are Rocky Linux but I would like that they pass a standard scan.
Thank you
Julian

We ran into the same issue when trying to apply the PCI-DSS profile on the official AWS AMI. Did anyone figure out how to get it to work?

We are pushing a scap-security-guide update package. We anticipate mirrors will receive it sometime next day GMT. I know this doesn’t address the installer itself. We are continuing to refine the security guide and hopefully in the 8.5 release, we’ll make changes in the installer as well. Coming soon, we’ll also have a security extras repo too, which will have things more in line with upstream OpenSCAP.