OpenSCAP results notapplicable

canon · June 22, 2021, 12:42pm

OpenSCAP doesn’t seem to be completely working out of the box.

dnf install openscap scap-security-guide -y

I wanted to use the following profile, xccdf_org.ssgproject.content_profile_cui that was found using this command.

oscap info /usr/share/xml/scap/ssg/content/ssg-rl8-ds-1.2.xml

Ran this command for scan results.

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cui /usr/share/xml/scap/ssg/content/ssg-rl8-ds-1.2.xml

All results came back as notapplicable.
Example:

Title   Disable KDump Kernel Crash Analyzer (kdump)
Rule    xccdf_org.ssgproject.content_rule_service_kdump_disabled
Result  notapplicable

To get around this I removed the following line 75342 from /usr/share/xml/scap/ssg/content/ssg-rl8-ds-1.2.xml
<xccdf-1.2:platform idref="cpe:/o:rocky:rocky:8"/> and the expected pass/fail results were returned.

Example:

Title   Disable KDump Kernel Crash Analyzer (kdump)
Rule    xccdf_org.ssgproject.content_rule_service_kdump_disabled
Result  fail

Tested on the latest Rocky Linux release 8.4 (Green Obsidian) GA

Is this a bug or am I missing something?
Thank you.

err0r500 · August 3, 2021, 10:12am

Hi,
I’ve got the exact same problem.
I realized it when I ran the command to get a report after applying a profile with anaconda.
This leads to a huge problem of false confidence (IMO), not sure how I can help (at least I’ll post a workaround if I find one).
Matthieu

judaly · August 5, 2021, 6:23pm

Hallo all
I am really interested in any update regarding oscap for Rocky Linux.
Has anybody be able to run a standard scan for Rocky Linux similar to Centos ?
I would like to migrate and enable that all new VMs are Rocky Linux but I would like that they pass a standard scan.
Thank you
Julian

gsantos · September 17, 2021, 9:34pm

We ran into the same issue when trying to apply the PCI-DSS profile on the official AWS AMI. Did anyone figure out how to get it to work?

nazunalika · September 20, 2021, 6:45pm

We are pushing a scap-security-guide update package. We anticipate mirrors will receive it sometime next day GMT. I know this doesn’t address the installer itself. We are continuing to refine the security guide and hopefully in the 8.5 release, we’ll make changes in the installer as well. Coming soon, we’ll also have a security extras repo too, which will have things more inline with upstream OpenSCAP.

tjyang · November 21, 2021, 9:17am

Thanks for bring up openscap topic.

I tested same two commands and the output on RL8.5

@canon, can you confirm if it works on RL8.5 ? I am not familiar with openscap tool at all and leaning to use this tool.

oscap info /usr/share/xml/scap/ssg/content/ssg-rl8-ds-1.2.xml
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cui /usr/share/xml/scap/ssg/content/ssg-rl8-ds-1.2.xml
[me@rocky8t01 ]$ cat /etc/redhat-release
Rocky Linux release 8.5 (Green Obsidian)
[me@rocky8t01 ]$

Running the evaluate command, the output looks ok to me.


<snipped>
Title  Disable KDump Kernel Crash Analyzer (kdump)
Rule  xccdf_org.ssgproject.content_rule_service_kdump_disabled
Result        fail

Title   Install firewalld Package
Rule    xccdf_org.ssgproject.content_rule_package_firewalld_installed
Result  pass


Title   Enable Kernel Page-Table Isolation (KPTI)
Rule    xccdf_org.ssgproject.content_rule_grub2_pti_argument
Result  fail

Title   Disable vsyscalls
Rule    xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
Result  informational

Title   Set the UEFI Boot Loader Password
Rule    xccdf_org.ssgproject.content_rule_grub2_uefi_password
Result  notapplicable

Title   Enable Auditing to Start Prior to the Audit Daemon in zIPL
Rule    xccdf_org.ssgproject.content_rule_zipl_audit_argument
Result  notapplicable