Running Openscap scans

Support for security such as Firewalls and securing linux
Post Reply
droidus
Posts: 26
Joined: 2018/10/14 13:23:12

Running Openscap scans

Post by droidus » 2019/10/26 23:31:57

I am trying to run openscap scans. I tried the following:

Code: Select all

sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
and

Code: Select all

sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
But they all return with a status of "notapplicable".
How can I run these?

teknohippie
Posts: 1
Joined: 2019/05/14 02:24:36

Re: Running Openscap scans

Post by teknohippie » 2019/12/09 18:20:00

I find myself facing this same issue.
Has anyone else encountered this or discovered a solution?

FtEustis
Posts: 1
Joined: 2019/12/12 14:50:18

Re: Running Openscap scans

Post by FtEustis » 2019/12/12 14:55:49

I'm having the same issue, and would love to figure it out. So far I've learned it has something to do with CPE, and how OSCAP is looking for RHEL 7 while running the DISA content. Still searching.

fassl
Posts: 2
Joined: 2020/03/30 06:32:11

Re: Running Openscap scans

Post by fassl » 2020/03/30 06:36:00

The nuclear option is to do the following:

Code: Select all

sudo sed -i \
  -e 's|idref="cpe:/o:redhat:enterprise_linux|idref="cpe:/o:centos:centos|g' \
  -e 's|ref_id="cpe:/o:redhat:enterprise_linux|ref_id="cpe:/o:centos:centos|g' \
  /usr/share/xml/scap/ssg/content/ssg-rhel*.xml
It seems the tests are set explicitly for redhat:enterprise_linux but i cannot be sure.

regards

fassl
Posts: 2
Joined: 2020/03/30 06:32:11

Re: Running Openscap scans

Post by fassl » 2020/03/30 12:57:31

I just found this: https://github.com/ComplianceAsCode/content/releases

The releases contain centos xmls and when you get the source code you can build them yourself with:

Code: Select all

./build_product --derivatives rhel?

popsec
Posts: 1
Joined: 2020/04/14 19:52:50

Re: Running Openscap scans

Post by popsec » 2020/04/14 20:00:12

I'm encountering the exact same issue as droidus. I can execute the scan, but all results in the console and in the report are showing as not applicable. Has anyone found a solution to this? I just downloaded the security content this morning and the CPE dictionary for rhel8 includes CentOS as fassl mentioned, but still every finding is not applicable.

Post Reply

Return to “CentOS 8 - Security Support”