Explanation of SCAP, CentOS and tests Not Applicable

This note explains the common issue of "notapplicable" results when running OpenSCAP with SCAP-Security-Guide content on CentOS.

SCAP seems like it should be easy because it is "just XML". Then you dig into looking for a test and it gets confusing fast. So it is good to have some background.

SCAP (Security Content Automation Protocol) is actually a set of multiple standards and specifications that are used together to enable automatically testing hundreds of nerdy settings. Let me emphasize that: SCAP is not a single XML specification -- SCAP is multiple standards and specs. Whenever you give "SCAP content" to a scanner to check a system's configuration, you are giving the scanner multiple XML files representing multiple standards.

  • XCCDF describes the checklist (Extensible Configuration Checklist Description Format). [1]
  • CCE provides unique identifiers and descriptive material for specific configuration settings (Common Configuration Enumeration). [1]
  • OVAL is the XML that describes tests, including multi-part tests, that assess whether a CCE-identified configuration setting is correct on a system (Open Vulnerability and Assessment Language). [1]
  • CPE is a unique string of text that identifies a "platform" of software, hardware, or application (Common Platform Enumeration). The idea is that a CPE string can be used to associate a checklist (XCCDF), a configuration setting (CCE) or a test (OVAL) with a specific platform. (Oy!) [1]

And the list goes on. But to understand how to use SCAP-Security-Guide on CentOS we only need to worry about XCCDF, CCE, OVAL, and CPE. (At least I think...)

Almost all RHEL CCEs (config settings) and OVAL tests (test criteria) work on CentOS. The exceptions are settings/tests such as "RHEL GPG key installed" which only make sense in relation to a RHEL subscription and do not apply to CentOS.

So why does OpenSCAP run SCAP-Security-Guide on CentOS, but the results come back "not applicable"? Two reasons:

  1. Because the RHEL XCCDF refers to a CPE XML file that specifies RHEL and not CentOS.
  2. Because the CPE platform string is verified with an OVAL test that checks the installed RPMs for platform identification.

Thus, to get OpenSCAP to work on CentOS, we need to tell OpenSCAP to use a CPE dictionary XML file that includes a CPE string for CentOS, and we need a corrected OVAL test that validates we are on CentOS.
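To make that chain concrete, here is an added example (not part of this gist, and not OpenSCAP's own code): a small Python model of how a scanner resolves a CPE name through the CPE dictionary to an OVAL inventory definition and then to an RPM name/version check. It assumes a simplified OVAL layout (definition, test, state, with no object element), the XML and package data are constructed, the OVAL ids are made up, and the CentOS name pattern is the one later comments on this page use.

```python
import re
import xml.etree.ElementTree as ET

NS = {"cpe": "http://cpe.mitre.org/dictionary/2.0",
      "oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
      "lin": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"}

# Constructed CPE dictionary (OVAL ids are made up): each CPE name points at one OVAL definition.
CPE_DICT = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
 <cpe-item name="cpe:/o:redhat:enterprise_linux:8"><check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="cpe-oval.xml">oval:x.cpe.rhel:def:8</check></cpe-item>
 <cpe-item name="cpe:/o:centos:centos:8"><check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="cpe-oval.xml">oval:x.cpe.centos:def:8</check></cpe-item>
</cpe-list>"""

# Constructed OVAL, simplified to definition -> test -> state (no object element): the
# state carries the RPM name and version patterns that identify the platform.
CPE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
 xmlns:lin="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"><definitions>
 <definition id="oval:x.cpe.rhel:def:8" class="inventory" version="1"><criteria><criterion test_ref="oval:x.cpe.rhel:tst:8"/></criteria></definition>
 <definition id="oval:x.cpe.centos:def:8" class="inventory" version="1"><criteria><criterion test_ref="oval:x.cpe.centos:tst:8"/></criteria></definition>
</definitions><tests>
 <lin:rpmverifyfile_test id="oval:x.cpe.rhel:tst:8" check="at least one" version="1"><lin:state state_ref="oval:x.cpe.rhel:ste:8"/></lin:rpmverifyfile_test>
 <lin:rpmverifyfile_test id="oval:x.cpe.centos:tst:8" check="at least one" version="1"><lin:state state_ref="oval:x.cpe.centos:ste:8"/></lin:rpmverifyfile_test>
</tests><states>
 <lin:rpmverifyfile_state id="oval:x.cpe.rhel:ste:8" version="1">
  <lin:name operation="pattern match">^redhat-release</lin:name><lin:version operation="pattern match">^8</lin:version></lin:rpmverifyfile_state>
 <lin:rpmverifyfile_state id="oval:x.cpe.centos:ste:8" version="1">
  <lin:name operation="pattern match">^centos-release|^centos-linux-release</lin:name><lin:version operation="pattern match">^8</lin:version></lin:rpmverifyfile_state>
</states></oval_definitions>"""

def applicable_platforms(cpe_dict_xml, oval_xml, installed_rpms):
    """Return the CPE names whose OVAL definition passes for the given (rpm name, version) pairs."""
    by_id = {el.get("id"): el for el in ET.fromstring(oval_xml).iter() if el.get("id")}
    found = set()
    for item in ET.fromstring(cpe_dict_xml).findall("cpe:cpe-item", NS):
        definition = by_id[item.find("cpe:check", NS).text]
        for crit in definition.iter("{%s}criterion" % NS["oval"]):
            state = by_id[by_id[crit.get("test_ref")].find("lin:state", NS).get("state_ref")]
            name_re = state.find("lin:name", NS).text
            ver_re = state.find("lin:version", NS).text
            # check="at least one": a single installed package matching both patterns passes the test
            if any(re.search(name_re, n) and re.search(ver_re, v) for n, v in installed_rpms):
                found.add(item.get("name"))
    return found

if __name__ == "__main__":
    # Constructed package data: CentOS 8.3 after the rename to centos-linux-release
    print(applicable_platforms(CPE_DICT, CPE_OVAL, [("centos-linux-release", "8.3")]))
    # A CentOS 7 box fails the "^8" version pattern, so no platform applies: "notapplicable"
    print(applicable_platforms(CPE_DICT, CPE_OVAL, [("centos-release", "7.9")]))
```

If the dictionary had no CentOS entry at all, or the name pattern did not allow for the renamed release package, the CentOS box would resolve to no platform and every rule would be reported "notapplicable".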

And how do we do this reliably? Part of what I'm trying to do with my software, GovReady [2], is to make things like this easier.

But you don't have to use GovReady. If you read the CentOS quick start in the GovReady README, you will see a link to CentOS ssg-centos6-cpe-dictionary.xml and ssg-centos6-cpe-oval.xml files that make the necessary adjustments. You just need to copy them to your local CentOS server and then specify their path correctly when running OpenSCAP. Like so:

oscap xccdf eval --oval-results --profile server \
    --cpe scap/content/ssg-centos6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

Alternatively, you could manually update the CPE and OVAL XML files (e.g., using a sed statement).

It's still kind of confusing for me. So I hope I have the above correct.

@karthiknannapaneni karthiknannapaneni commented Sep 26, 2018

Does it support Amazon Linux?

@pfandl pfandl commented Mar 28, 2020

EDIT: Please ignore this, see post below.

Hello,

thanks for the information you shared here, it helped me create a script to fix it for me on CentOS 8.

I didn't have to specify the dictionary this way as the script fixed the path and I could use

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml

to create a report for the "Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)" profile.
Well, at least it fixed the "notapplicable" result. I still have to check if it actually worked, but I thought
I'll share this nevertheless.

best regards

https://gist.github.com/pfandl/bcd638a633a44f222e9b4ddd4c079d62

@pfandl pfandl commented Mar 30, 2020

Actually you can just download them from here: https://github.com/ComplianceAsCode/content/releases

The releases contain CentOS XMLs, and you can build the source with ./build_product --derivatives rhel? to get them as well.

@kfiresmith kfiresmith commented May 4, 2020

After the better part of a couple days looking into OpenSCAP for 800-171, it looks like the state of SCAP for anything outside of RHEL, including CentOS and Ubuntu is just a tragedy. And it's been years and years in the making. Just dreadful.

@deajan deajan commented Sep 14, 2020

For whoever wants this to work on CentOS 8, it's way easier to install the ssg profiles from the OpenSCAP COPR repo:

dnf copr enable openscapmaint/openscap-latest
dnf install openscap-scanner scap-security-guide

You'll find the corresponding profiles in /usr/share/xml/scap/ssg/content/ssg-centos*-ds.xml

@galaxy4public galaxy4public commented Nov 9, 2020

@deajan, if only it could be that easy :) OpenSCAP COPR does not define a CentOS 8 CPE:

# dnf info openscap | fgrep 'From repo'
From repo    : copr:copr.fedorainfracloud.org:openscapmaint:openscap-latest
# oscap -V | fgrep Community
Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
#

So, you still need to tweak /usr/share/openscap/cpe/openscap-cpe-*.xml and add CentOS 8 there. :(

@galaxy4public galaxy4public commented Nov 9, 2020

I just submitted a PR to OpenSCAP: OpenSCAP/openscap#1622

@deajan deajan commented Nov 10, 2020

@galaxy4public This does not stop you from using OpenSCAP for CentOS 8, i.e., once the COPR version of OpenSCAP is installed:

oscap info /usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml

oscap xccdf eval --profile=xccdf_org.ssgproject.content_profile_pci-dss --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml

@galaxy4public galaxy4public commented Nov 10, 2020

@deajan, yes it does since there are checks which query CPEs and fail if the system is undefined. I already submitted a PR to OpenSCAP and it got merged today, so CentOS 8 support will be available in all distros soon.

@chhabraamit chhabraamit commented Jan 6, 2021

@deajan and @galaxy4public thanks for the tip.

I am getting lots of 'not_applicable' as verdicts though. Not sure if there is something I am doing wrong.

@deajan deajan commented Jan 13, 2021

not_applicable is new to CentOS 8.3, see https://bugs.centos.org/view.php?id=17996

The centos-release.rpm file has been renamed to centos-linux-release.rpm, hence the OVAL definitions do not match anymore.
The easiest solution is to patch the OVAL CPE file in /usr/share/openscap/cpe/openscap-cpe-oval.xml

Line 1226

            <rpmverifyfile_state id="oval:org.open-scap.cpe.rhel:ste:1008" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <name operation="pattern match">^centos-release|^centos-linux-release</name>
                  <version operation="pattern match">^8</version>

@JaumeGarciaU JaumeGarciaU commented Feb 25, 2021

@deajan with this modification I still have the same "not applicable" result. Are there any other changes possible to fix this? Maybe creating a personalized dictionary for CentOS 8?

@jasavatt jasavatt commented Feb 25, 2021

@JaumeGarciaU, try modifying the following files. I've found this to work for CentOS 7. Change the 7s to 8s for your situation.

/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
add
<xccdf-1.2:platform idref="cpe:/o:centos:centos:7"/>
after line
<xccdf-1.2:platform idref="cpe:/o:redhat:enterprise_linux:7"/>

/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml
add
<xccdf-1.2:platform idref="cpe:/o:centos:centos:7"/>
after line
<xccdf-1.2:platform idref="cpe:/o:redhat:enterprise_linux:7"/>

@JaumeGarciaU JaumeGarciaU commented Feb 25, 2021

@jasavatt doesn't seem to work in my case... same "not applicable" result ):

@deajan deajan commented Feb 25, 2021

@JaumeGarciaU check what centos-release package name you have on your system and adjust the regex in my earlier comment accordingly.

@JaumeGarciaU JaumeGarciaU commented Mar 1, 2021

In the end I found the solution by following these steps; this way I could define the CentOS 8 platform so that oscap can detect it:
https://bugs.centos.org/view.php?id=16717
Thank you all for your help and tips! (:

@galaxy4public galaxy4public commented Mar 2, 2021

@JaumeGarciaU, I actually submitted that change (the one you are referring to) upstream and it got merged. However, with the announcement that CentOS becomes a rolling release, they broke the detection through the centos-release package, and until a fix for that is also submitted upstream, manual changes would still be needed.

@deajan deajan commented Mar 3, 2021

Since my last patch does not work anymore, here's the easy OpenSCAP way to fix CentOS 8.3, based on @galaxy4public's PR:

dnf copr enable openscapmaint/openscap-latest
dnf install openscap-scanner scap-security-guide
cp /usr/share/openscap/cpe/openscap-cpe-dict.xml /usr/share/openscap/cpe/openscap-cpe-dict.xml.dist
cp /usr/share/openscap/cpe/openscap-cpe-oval.xml /usr/share/openscap/cpe/openscap-cpe-oval.xml.dist
curl -L https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.3/cpe/openscap-cpe-dict.xml -o /usr/share/openscap/cpe/openscap-cpe-dict.xml
curl -L https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.3/cpe/openscap-cpe-oval.xml -o /usr/share/openscap/cpe/openscap-cpe-oval.xml