OSCAP cpe and notapplicable STIG Help for Rocky/RHEL 8.8

I am fairly new to using OpenSCAP. I want to use it to apply the STIG here against a Kubernetes host that is running RKE2 Kubernetes. I have been off to a bumpy start so far, and was hoping to gain some insight from members here on the things I am not understanding.

I installed openscap with these commands:
dnf update -y && dnf install -y openscap-scanner && dnf install -y scap-workbench

Running this command for scan results:
oscap xccdf eval --profile xccdf_mil.disa.stig_profile_MAC-1_Classified --report report.html U_Kubernetes_V1R3_STIG_SCAP_1-2_Benchmark.xml

And initially, every result comes back as “notapplicable.” Upon closer investigation, I had to change line 60 of the XML document from:
<xccdf:platform idref="cpe:/a:kubernetes:kubernetes:-" />
to
<xccdf:platform idref="cpe:/o:rocky:rocky:8" />

After rerunning the scan command, I now get some tests that yield a pass/fail result, though many still are notapplicable, and I still am confused on a few items:

  • What is the actual purpose of having cpe:/a:kubernetes:kubernetes:- for various cpe fields in the XML? Am I missing something from my installation to have that resolve properly, and am I actually wrong to change that to the supported oscap Rocky CPE?
  • There are other referenced/checked files that I cannot seem to locate… are these simply defined within the initial STIG XML:
Referenced check files:
        U_Kubernetes_V1R3_STIG_SCAP_1-2_Benchmark-oval.xml
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
        Ref-Id: scap_mil.disa.stig_cref_U_Kubernetes_V1R3_STIG_SCAP_1-2_Benchmark-oval.xml
        Ref-Id: scap_mil.disa.stig_cref_U_Kubernetes_V1R3_STIG_SCAP_1-2_Benchmark-cpe-oval.xml
Dictionaries:
        Ref-Id: scap_mil.disa.stig_cref_U_Kubernetes_V1R3_STIG_SCAP_1-2_Benchmark-cpe-dictionary.xml
  • Running this against an RKE2 Kubernetes host with RHEL 8 instead of Rocky 8, I get slightly different evaluation results (still notapplicable, and also does not seem to be functioning correctly), but with an extra step to verify if Kubernetes is installed, which resolves to unknown even though it is installed.

Rocky 8

Title
	The Kubernetes API Server must have an audit log path set.
Rule
	xccdf_mil.disa.stig_rule_SV-242402r927248_rule
Ident
	CCI-001464
I: oscap: Evaluating XCCDF rule 'xccdf_mil.disa.stig_rule_SV-242402r927248_rule'. [oscap(25710):oscap(7fbea1e5e3c0):xccdf_policy.c:1085:_xccdf_policy_rule_evaluate]
I: oscap: Evaluating definition 'oval:org.open-scap.cpelinux:def:8': Rocky Linux 8. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:159:oval_result_definition_eval]
I: oscap: Definition 'oval:org.open-scap.cpelinux:def:8' evaluated as true. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:170:oval_result_definition_eval]
I: oscap: Evaluating definition 'oval:mil.disa.stig.ind:def:100000': The system has a Kubernetes Control Plane initialized.. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:159:oval_result_definition_eval]
I: oscap: Definition 'oval:mil.disa.stig.ind:def:100000' evaluated as false. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:170:oval_result_definition_eval]
I: oscap: Rule 'xccdf_mil.disa.stig_rule_SV-242402r927248_rule' is not applicable. [oscap(25710):oscap(7fbea1e5e3c0):xccdf_policy.c:1092:_xccdf_policy_rule_evaluate]
Result
	notapplicable

RHEL 8

Title
	The Kubernetes API Server must have an audit log path set.
Rule
	xccdf_mil.disa.stig_rule_SV-242402r927248_rule
Ident
	CCI-001464
I: oscap: Evaluating XCCDF rule 'xccdf_mil.disa.stig_rule_SV-242402r927248_rule'. [oscap(25710):oscap(7fbea1e5e3c0):xccdf_policy.c:1085:_xccdf_policy_rule_evaluate]
I: oscap: Evaluating definition 'oval:org.open-scap.cpelinux:def:8': Red Hat Enterprise Linux 8. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:159:oval_result_definition_eval]
I: oscap: Definition 'oval:org.open-scap.cpelinux:def:8' evaluated as true. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:170:oval_result_definition_eval]
I: oscap: Evaluating definition 'oval:mil.disa.stig.kubernetes:def:1': Kubernetes is installed.. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:159:oval_result_definition_eval]
I: oscap: Definition 'oval:mil.disa.stig.kubernetes:def:1' evaluated as unknown. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:170:oval_result_definition_eval]
I: oscap: Evaluating definition 'oval:mil.disa.stig.ind:def:100000': The system has a Kubernetes Control Plane initialized.. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:159:oval_result_definition_eval]
I: oscap: Definition 'oval:mil.disa.stig.ind:def:100000' evaluated as false. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:170:oval_result_definition_eval]
I: oscap: Rule 'xccdf_mil.disa.stig_rule_SV-242402r927248_rule' is not applicable. [oscap(25710):oscap(7fbea1e5e3c0):xccdf_policy.c:1092:_xccdf_policy_rule_evaluate]
Result
	notapplicable

Any guidance, support, workarounds are appreciated! Thank you.
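
Added example, not part of the original post: a small Python parser for oscap's verbose log that reports, for each rule marked not applicable, which platform (CPE) OVAL definitions did not evaluate to true. It assumes the definitions logged between a rule's start and its "is not applicable" line are that rule's platform checks, as in the excerpts above; the function and variable names are made up for this example.

```python
import re

# Log lines copied from the RHEL 8 run in the post above; the trailing
# "[oscap(pid):...]" source-location suffix is trimmed for width.
SAMPLE_LOG = """\
I: oscap: Evaluating XCCDF rule 'xccdf_mil.disa.stig_rule_SV-242402r927248_rule'.
I: oscap: Evaluating definition 'oval:org.open-scap.cpelinux:def:8': Red Hat Enterprise Linux 8.
I: oscap: Definition 'oval:org.open-scap.cpelinux:def:8' evaluated as true.
I: oscap: Evaluating definition 'oval:mil.disa.stig.kubernetes:def:1': Kubernetes is installed..
I: oscap: Definition 'oval:mil.disa.stig.kubernetes:def:1' evaluated as unknown.
I: oscap: Evaluating definition 'oval:mil.disa.stig.ind:def:100000': The system has a Kubernetes Control Plane initialized..
I: oscap: Definition 'oval:mil.disa.stig.ind:def:100000' evaluated as false.
I: oscap: Rule 'xccdf_mil.disa.stig_rule_SV-242402r927248_rule' is not applicable.
"""

RULE_START = re.compile(r"Evaluating XCCDF rule '([^']+)'")
# Title capture drops trailing dots and the optional source-location suffix.
DEF_TITLE = re.compile(r"Evaluating definition '([^']+)': (.*?)\.*\s*(?:\[oscap\(.*)?$")
DEF_RESULT = re.compile(r"Definition '([^']+)' evaluated as (\w+)")
RULE_NA = re.compile(r"Rule '([^']+)' is not applicable")


def explain_not_applicable(log_text):
    """Map each not-applicable rule to the platform definitions that were
    not 'true', as (definition_id, title, result) tuples in log order."""
    titles, results, blockers = {}, [], {}
    for line in log_text.splitlines():
        if RULE_START.search(line):
            results = []  # a new rule begins: forget the previous rule's checks
        elif (m := DEF_TITLE.search(line)):
            titles[m.group(1)] = m.group(2)
        elif (m := DEF_RESULT.search(line)):
            results.append((m.group(1), m.group(2)))
        elif (m := RULE_NA.search(line)):
            # Assumption: everything evaluated so far was an applicability check.
            blockers[m.group(1)] = [
                (d, titles.get(d, "?"), r) for d, r in results if r != "true"
            ]
    return blockers


if __name__ == "__main__":
    for rule, defs in explain_not_applicable(SAMPLE_LOG).items():
        print(rule)
        for def_id, title, result in defs:
            print(f"  {result:8} {def_id}  ({title})")
```

Feeding it the full stderr of a verbose run groups every notapplicable rule by the platform definition that blocked it, which separates an "unknown" result (the check could not be decided) from a "false" one (the check ran and did not match).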
