Page 1 of 1

Running Openscap scans

Posted: 2019/10/26 23:31:57
by droidus
I am trying to run openscap scans. I tried the following:

Code: Select all

sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
and

Code: Select all

sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
But they all return with a status of "notapplicable".
How can I run these?

Re: Running Openscap scans

Posted: 2019/12/09 18:20:00
by teknohippie
I find myself facing this same issue.
Has anyone else encountered this or discovered a solution?

Re: Running Openscap scans

Posted: 2019/12/12 14:55:49
by FtEustis
I'm having the same issue, and would love to figure it out. So far I've learned it has something to do with CPE, and how OSCAP is looking for RHEL 7 while running the DISA content. Still searching.

Re: Running Openscap scans

Posted: 2020/03/30 06:36:00
by fassl
The nuclear option is to do the following:

Code: Select all

sudo sed -i \
  -e 's|idref="cpe:/o:redhat:enterprise_linux|idref="cpe:/o:centos:centos|g' \
  -e 's|ref_id="cpe:/o:redhat:enterprise_linux|ref_id="cpe:/o:centos:centos|g' \
  /usr/share/xml/scap/ssg/content/ssg-rhel*.xml
It seems the tests are set explicitly for redhat:enterprise_linux but i cannot be sure.

regards

Re: Running Openscap scans

Posted: 2020/03/30 12:57:31
by fassl
I just found this: https://github.com/ComplianceAsCode/content/releases

The releases contain centos xmls and when you get the source code you can build them yourself with:

Code: Select all

./build_product --derivatives rhel?