Running Openscap scans

Support for security such as Firewalls and securing linux
droidus
Posts: 31
Joined: 2018/10/14 13:23:12

Running Openscap scans

Post by droidus » 2019/10/26 23:31:57

I am trying to run openscap scans. I tried the following:

Code:

sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

and

Code:

sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

But they all return with a status of "notapplicable".
How can I run these?

teknohippie
Posts: 1
Joined: 2019/05/14 02:24:36

Re: Running Openscap scans

Post by teknohippie » 2019/12/09 18:20:00

I find myself facing this same issue.
Has anyone else encountered this or discovered a solution?

FtEustis
Posts: 1
Joined: 2019/12/12 14:50:18

Re: Running Openscap scans

Post by FtEustis » 2019/12/12 14:55:49

I'm having the same issue, and would love to figure it out. So far I've learned it has something to do with CPE, and how OSCAP is looking for RHEL 7 while running the DISA content. Still searching.

fassl
Posts: 2
Joined: 2020/03/30 06:32:11

Re: Running Openscap scans

Post by fassl » 2020/03/30 06:36:00

The nuclear option is to do the following:

Code:

sudo sed -i \
  -e 's|idref="cpe:/o:redhat:enterprise_linux|idref="cpe:/o:centos:centos|g' \
  -e 's|ref_id="cpe:/o:redhat:enterprise_linux|ref_id="cpe:/o:centos:centos|g' \
  /usr/share/xml/scap/ssg/content/ssg-rhel*.xml

It seems the tests are set explicitly for redhat:enterprise_linux, but I cannot be sure.

regards
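
A rough way to see the CPE mismatch discussed in this thread, added here as an example that is not part of any post: it lists the platform CPEs a content file declares, compares their vendor:product with the host's CPE_NAME, and applies the substitutions above to a copy instead of in place. The function names and the sample XML and os-release contents are constructed for illustration; oscap decides applicability through the content's own CPE checks, so this comparison is only a heuristic.

```sh
#!/bin/sh
# Added example (not from the thread): compare the platform CPEs a content file
# declares with the host CPE, then apply the CPE rewrite to a copy.

# Unique platform CPEs referenced by idref= attributes in file $1.
ds_platforms() {
    grep -o 'idref="cpe:/o:[^"]*"' "$1" | sed -e 's/^idref="//' -e 's/"$//' | sort -u
}

# CPE_NAME value from an os-release style file (default: /etc/os-release).
host_cpe() {
    sed -n 's/^CPE_NAME="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "${1:-/etc/os-release}"
}

# cpe:/o:centos:centos:7 -> centos:centos
cpe_vendor_product() {
    printf '%s\n' "$1" | cut -d: -f3,4
}

# Exit 0 if file $1 declares a platform with the vendor:product of CPE $2.
platform_matches() {
    want=$(cpe_vendor_product "$2")
    for p in $(ds_platforms "$1"); do
        if [ "$(cpe_vendor_product "$p")" = "$want" ]; then return 0; fi
    done
    return 1
}

# The sed from the post above, written to copy $2 instead of editing $1 in place.
centos_copy() {
    sed -e 's|idref="cpe:/o:redhat:enterprise_linux|idref="cpe:/o:centos:centos|g' \
        -e 's|ref_id="cpe:/o:redhat:enterprise_linux|ref_id="cpe:/o:centos:centos|g' \
        "$1" > "$2"
}

# Constructed sample inputs (not real SSG content) so the example runs offline.
make_sample() {
    printf '%s\n' '<Benchmark><platform idref="cpe:/o:redhat:enterprise_linux:7"/>' \
        '<reference ref_id="cpe:/o:redhat:enterprise_linux:7" source="CPE"/></Benchmark>' > "$1/ds.xml"
    printf '%s\n' 'NAME="CentOS Linux"' 'CPE_NAME="cpe:/o:centos:centos:7"' > "$1/os-release"
}

demo=$(mktemp -d)
make_sample "$demo"
cpe=$(host_cpe "$demo/os-release")
platform_matches "$demo/ds.xml" "$cpe" || echo "before: no platform matches $cpe"
centos_copy "$demo/ds.xml" "$demo/ds-centos.xml"
platform_matches "$demo/ds-centos.xml" "$cpe" && echo "after: $(ds_platforms "$demo/ds-centos.xml")"
rm -rf "$demo"
```

Writing to a copy keeps the package-owned files under /usr/share/xml/scap/ssg/content/ unchanged, so a package update or verification does not conflict with the edit; the copy's path is then passed to oscap in place of the original.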

fassl
Posts: 2
Joined: 2020/03/30 06:32:11

Re: Running Openscap scans

Post by fassl » 2020/03/30 12:57:31

I just found this: https://github.com/ComplianceAsCode/content/releases

The releases contain CentOS XMLs, and when you get the source code you can build them yourself with:

Code:

./build_product --derivatives rhel?

popsec
Posts: 1
Joined: 2020/04/14 19:52:50

Re: Running Openscap scans

Post by popsec » 2020/04/14 20:00:12

I'm encountering the exact same issue as droidus. I can execute the scan, but all results in the console and in the report are showing as not applicable. Has anyone found a solution to this? I just downloaded the security content this morning and the CPE dictionary for rhel8 includes CentOS as fassl mentioned, but still every finding is not applicable.
