I am fairly new to using OpenSCAP. I want to use it to apply the STIG here against a Kubernetes host that is running RKE2 Kubernetes. I have been off to a bumpy start so far, and was hoping to gain some insight from members here on the things I am not understanding.
I installed openscap with these commands:
dnf update -y && dnf install -y openscap-scanner && dnf install -y scap-workbench
Running this command for scan results:
oscap xccdf eval --profile xccdf_mil.disa.stig_profile_MAC-1_Classified --report report.html U_Kubernetes_V1R3_STIG_SCAP_1-2_Benchmark.xml
And initially, every result comes back as “notapplicable.” Upon closer investigation, I had to change line 60 of the XML document from:
<xccdf:platform idref="cpe:/a:kubernetes:kubernetes:-" />
to
<xccdf:platform idref="cpe:/o:rocky:rocky:8" />
After rerunning the scan command, I now get some tests that yield a pass/fail result, though many still are notapplicable, and I still am confused on a few items:
- What is the actual purpose of having cpe:/a:kubernetes:kubernetes:- for various cpe fields in the XML? Am I missing something from my installation to have that resolve properly, and am I actually wrong in changing that to the supported oscap Rocky CPE?
- There are other referenced/checked files that I cannot seem to locate… are these simply defined within the initial STIG XML:
Referenced check files:
U_Kubernetes_V1R3_STIG_SCAP_1-2_Benchmark-oval.xml
system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
Ref-Id: scap_mil.disa.stig_cref_U_Kubernetes_V1R3_STIG_SCAP_1-2_Benchmark-oval.xml
Ref-Id: scap_mil.disa.stig_cref_U_Kubernetes_V1R3_STIG_SCAP_1-2_Benchmark-cpe-oval.xml
Dictionaries:
Ref-Id: scap_mil.disa.stig_cref_U_Kubernetes_V1R3_STIG_SCAP_1-2_Benchmark-cpe-dictionary.xml
- Running this against a RKE2 Kubernetes host with RHEL 8 instead of Rocky 8, I get slightly different evaluation results (still notapplicable, and also does not seem to be functioning correctly), but with an extra step to verify if Kubernetes is installed which resolves to unknown even though it is installed.
Rocky 8
Title: The Kubernetes API Server must have an audit log path set.
Rule: xccdf_mil.disa.stig_rule_SV-242402r927248_rule
Ident: CCI-001464
I: oscap: Evaluating XCCDF rule 'xccdf_mil.disa.stig_rule_SV-242402r927248_rule'. [oscap(25710):oscap(7fbea1e5e3c0):xccdf_policy.c:1085:_xccdf_policy_rule_evaluate]
I: oscap: Evaluating definition 'oval:org.open-scap.cpelinux:def:8': Rocky Linux 8. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:159:oval_result_definition_eval]
I: oscap: Definition 'oval:org.open-scap.cpelinux:def:8' evaluated as true. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:170:oval_result_definition_eval]
I: oscap: Evaluating definition 'oval:mil.disa.stig.ind:def:100000': The system has a Kubernetes Control Plane initialized.. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:159:oval_result_definition_eval]
I: oscap: Definition 'oval:mil.disa.stig.ind:def:100000' evaluated as false. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:170:oval_result_definition_eval]
I: oscap: Rule 'xccdf_mil.disa.stig_rule_SV-242402r927248_rule' is not applicable. [oscap(25710):oscap(7fbea1e5e3c0):xccdf_policy.c:1092:_xccdf_policy_rule_evaluate]
Result: notapplicable
RHEL 8
Title: The Kubernetes API Server must have an audit log path set.
Rule: xccdf_mil.disa.stig_rule_SV-242402r927248_rule
Ident: CCI-001464
I: oscap: Evaluating XCCDF rule 'xccdf_mil.disa.stig_rule_SV-242402r927248_rule'. [oscap(25710):oscap(7fbea1e5e3c0):xccdf_policy.c:1085:_xccdf_policy_rule_evaluate]
I: oscap: Evaluating definition 'oval:org.open-scap.cpelinux:def:8': Red Hat Enterprise Linux 8. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:159:oval_result_definition_eval]
I: oscap: Definition 'oval:org.open-scap.cpelinux:def:8' evaluated as true. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:170:oval_result_definition_eval]
I: oscap: Evaluating definition 'oval:mil.disa.stig.kubernetes:def:1': Kubernetes is installed.. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:159:oval_result_definition_eval]
I: oscap: Definition 'oval:mil.disa.stig.kubernetes:def:1' evaluated as unknown. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:170:oval_result_definition_eval]
I: oscap: Evaluating definition 'oval:mil.disa.stig.ind:def:100000': The system has a Kubernetes Control Plane initialized.. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:159:oval_result_definition_eval]
I: oscap: Definition 'oval:mil.disa.stig.ind:def:100000' evaluated as false. [oscap(25710):oscap(7fbea1e5e3c0):oval_resultDefinition.c:170:oval_result_definition_eval]
I: oscap: Rule 'xccdf_mil.disa.stig_rule_SV-242402r927248_rule' is not applicable. [oscap(25710):oscap(7fbea1e5e3c0):xccdf_policy.c:1092:_xccdf_policy_rule_evaluate]
Result: notapplicable
Any guidance, support, workarounds are appreciated! Thank you.