Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Explanation of SCAP, CentOS and tests Not Applicable

This note explains the common issue of "notapplicable" results when running openSCAP and SCAP-Security-Guide on CentOS.

SCAP seems like it should be easy because it is "just XML". Then you dig into looking for a test and it gets confusing fast. So it is good to have some background.

SCAP (Security Content Automation Protocol) is actually a set of multiple standards and specifications that are used together to enable automatically testing hundreds of nerd settings. Let me emphasize that: SCAP is not a single XML specification -- SCAP is multiple standards and specs. Whenever you give "SCAP Content" to a scanner to check a system configurations you are giving the scanner multiple XML files representing multiple standards.

  • XCCDF describes the checklist (Extensible Configuration Checklist Description Format). [1]
  • CCE are unique identifiers and descriptive material for specific configuration settings (Common Configuration Enumeration). [1]
  • OVAL is the XML that describes tests, including multi-part tests, that assess if a CCE identified configuration setting is correct on a system. (Open Vulnerability Assessment Language) [1]
  • CPE is as unique string of text to uniquely identify a "platform" of software, hardware, or application (Common Platform Enumeration). The idea is that CPE string can be used to associate a checklist (XCCDF), a configuration setting (CCE) or test (OVAL) with a specific platform. (Oy!) [1]

And the list goes on. But to understand how to use SCAP-Security-Guide on CentOS we only need to worry about XCCDF, CCE, OVAL, and CPE. (At least I think...)

Almost all RHEL CCE's (config settings) and OVAL (test criterion) work on CentOS. The exception are those settings/tests like the RHEL GPG key installed which only make sense in relation to a RHEL subscription and do not apply to CentOS.

So why does OpenSCAP run SCAP-Security-Guide on CentOS, but the results come back "not applicable?" Two reasons:

  1. Because the XCCDF in RHEL refers to CPE XML file that specifies RHEL and not CentOS.
  2. Because CPE platform string is verified with an OVAL test that checks the RPMs for platform identification.

Thus, to get OpenSCAP to work on CentOS, we need to tell OpenSCAP to use a CPE-dictionary.xml file that includes a CPE string for CentOS and we need to have a corrected OVAL test that validates we are on CentOS.

And how do we do this reliability? Part of what I'm trying to do with my software, GovReady [2], is to make things like this easier.

But you don't have to use GovReady. If you read the CentOS quick start in the GovReady README, you will see link to a CentOS ssg-centos6-cpe-dictionary.xml and ssg-centos6-cpe-oval.xml file that make the necessary adjustments. You just need to copy them to your local CentOS server and then correctly specify their path when running OpenSCAP. Like so:

oscap xccdf eval --oval-results --profile server --cpe
scap/content/ssg-centos6-cpe-dictionary.xml
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

Alternatively, you could manually update the CPE and OVAL XML file using (e.g., using a sed statement).

It's still kind of confusing for me. So I hope I have the above correct.

@karthiknannapaneni

This comment has been minimized.

Copy link

@karthiknannapaneni karthiknannapaneni commented Sep 26, 2018

Does it support Amazon Linux?

@pfandl

This comment has been minimized.

Copy link

@pfandl pfandl commented Mar 28, 2020

EDIT: Please ignore this, see post below.

Hello,

thanks for the information you shared here, it helped me create a script to fix it for me on CentOS 8.

I didn't have to specify the dictionary this way as the script fixed the path and I could use

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml

to create a report for the "Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)" profile.
Well at least it fixed the "notapplicable" result, I still have to check if it actually worked, but I thought
i'll share this nethertheless.

best regards

https://gist.github.com/pfandl/bcd638a633a44f222e9b4ddd4c079d62

@pfandl

This comment has been minimized.

Copy link

@pfandl pfandl commented Mar 30, 2020

Actually you can just download them from here: https://github.com/ComplianceAsCode/content/releases

The releases contain centos xmls and you can build the source with ./build_product --derivatives rhel? to get them as well.

@kfiresmith

This comment has been minimized.

Copy link

@kfiresmith kfiresmith commented May 4, 2020

After the better part of a couple days looking into OpenSCAP for 800-171, it looks like the state of SCAP for anything outside of RHEL, including CentOS and Ubuntu is just a tragedy. And it's been years and years in the making. Just dreadful.

@deajan

This comment has been minimized.

Copy link

@deajan deajan commented Sep 14, 2020

For whoever wants this to work on CentOS 8, it's way easier to install the ssg profiles from the OpenSCAP COPR repo:

dnf copr enable openscapmaint/openscap-latest
dnf install openscap-scanner scap-security-guide

You'll find the corresponding profiles in /usr/share/xml/scap/ssg/content/ssg-centos*-ds.xml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.