Wrong SCAP security policy interface on Centos 8.1.1911

Support for security such as Firewalls and securing linux
Ricky Tigg
Posts: 2
Joined: 2020/04/06 14:42:55

Wrong SCAP security policy interface on Centos 8.1.1911

Post by Ricky Tigg » 2020/04/06 16:12:04

Tested on QEMU-KVM virtual machine with CentOS-8.1.1911-x86_64-dvd1.iso, CentOS-8.1.1911-x86_64-boot.iso files.

The interface illustrated in centos_8_anaconda_installer_SCAP.png is accidentally not the one illustrated in RHEL 8.0_anaconda_installer_SCAP.png. That indicates an issue. In the first illustration, the specified policy has not been applied, as there was no mention of matching arguments in the file /root/initial-setup-ks.cfg.

Relevant information –from a Fedora system– to enable a security policy on Centos 8.1.1911:


$ oscap info `rpm -ql scap-security-guide | grep 'centos8-ds.xml$'`
Document type: Source Data Stream
Imported: 2020-03-23T16:38:27

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml' file which is referenced from datastream
		Status: draft
		Generated: 2020-03-23
		Resolved: true
		Profiles:
			Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
				Id: xccdf_org.ssgproject.content_profile_pci-dss
			Title: Standard System Security Profile for Red Hat Enterprise Linux 8
				Id: xccdf_org.ssgproject.content_profile_standard
		Referenced check files:
			ssg-rhel8-oval.xml
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
			ssg-rhel8-ocil.xml
				system: http://scap.nist.gov/schema/ocil/2
			security-data-oval-com.redhat.rhsa-RHEL8.xml
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-oval.xml
	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-ocil.xml
	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-oval.xml
	Ref-Id: scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml
Dictionaries:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-dictionary.xml
Attachments
centos_8_anaconda_installer_SCAP.png (37.73 KiB)
rhelL 8.0_anaconda_installer_SCAP.png (140.66 KiB)

TrevorH
Forum Moderator
Posts: 28514
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Wrong SCAP security policy interface on Centos 8.1.1911

Post by TrevorH » 2020/04/06 16:42:12

Please raise a bug on bugs.centos.org to report this, though as far as I am aware the security profile is intentionally unsupported on CentOS.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

Ricky Tigg
Posts: 2
Joined: 2020/04/06 14:42:55

Re: Wrong SCAP security policy interface on Centos 8.1.1911

Post by Ricky Tigg » 2020/04/08 15:11:29

The CentOS-8.1.1911-x86_64-dvd1.iso file (size 7,6 GB), which is assumed to contain all available SCAP content definitions, is therefore suitable to apply a model illustrated in Kickstart by the following arguments, as an installation relying on that file does not rely on an established network connection.

%addon org_fedora_oscap
content-type = scap-security-guide
%end


That specified add-on makes use of content provided by the scap-security-guide package, which is also assumed present on the boot media. Here are values reported as unsupported:
  • scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml, though a valid data stream;
  • scap-security-guide
Therefore the interface that would come next once a value was recognized as valid cannot be reached. That is what "wrong interface" aimed to express. Valid values, data stream content or URL archive if not both, require an established network connection to reach content definitions in a remote location, which is confirmed by the presence of the Fetch button.
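As an added example (not code from the thread or from the OSCAP add-on project): before writing a profile id into the %addon org_fedora_oscap stanza, a defender can check that the id actually exists in the datastream's `oscap info` listing, so that a typo does not silently produce an unhardened install. The sample listing embedded below is a constructed excerpt of the output posted above; the `profile =` key is the add-on's documented kickstart option, and on a real host you would feed the live `oscap info` output instead.

```shell
#!/bin/sh
# Constructed excerpt of the `oscap info` output from the thread; on a real
# host replace it with:
#   oscap info "$(rpm -ql scap-security-guide | grep 'centos8-ds.xml$')"
SAMPLE_OSCAP_INFO='Document type: Source Data Stream
Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
		Profiles:
			Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
				Id: xccdf_org.ssgproject.content_profile_pci-dss
			Title: Standard System Security Profile for Red Hat Enterprise Linux 8
				Id: xccdf_org.ssgproject.content_profile_standard
		Referenced check files:
			ssg-rhel8-oval.xml'

# Print the profile ids found in `oscap info` output read from stdin.
# Only "Id:" lines between "Profiles:" and "Referenced check files:" count,
# so check-file ids elsewhere in the listing are not mistaken for profiles.
list_profile_ids() {
    awk '/^[[:space:]]*Profiles:/ { inprof = 1; next }
         /^[[:space:]]*Referenced check files:/ { inprof = 0 }
         inprof && /^[[:space:]]*Id:/ { print $2 }'
}

# profile_exists PROFILE_ID OSCAP_INFO_TEXT -> exit 0 if the id is listed.
profile_exists() {
    printf '%s\n' "$2" | list_profile_ids | grep -qxF -- "$1"
}

# kickstart_stanza PROFILE_ID OSCAP_INFO_TEXT -> print the add-on stanza,
# or fail (exit 1, no output) when the profile is not in the datastream.
kickstart_stanza() {
    profile_exists "$1" "$2" || return 1
    printf '%%addon org_fedora_oscap\ncontent-type = scap-security-guide\nprofile = %s\n%%end\n' "$1"
}
```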
