Skip to content

Instantly share code, notes, and snippets.

@gregelin
Last active February 22, 2022 21:50
  • Star 16 You must be signed in to star a gist
  • Fork 3 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save gregelin/f94ba31f004ca4acea87 to your computer and use it in GitHub Desktop.
Explanation of SCAP, CentOS and tests Not Applicable

This note explains the common issue of "notapplicable" results when running openSCAP and SCAP-Security-Guide on CentOS.

SCAP seems like it should be easy because it is "just XML". Then you dig into looking for a test and it gets confusing fast. So it is good to have some background.

SCAP (Security Content Automation Protocol) is actually a set of multiple standards and specifications that are used together to enable automatically testing hundreds of nerd settings. Let me emphasize that: SCAP is not a single XML specification -- SCAP is multiple standards and specs. Whenever you give "SCAP Content" to a scanner to check a system configurations you are giving the scanner multiple XML files representing multiple standards.

  • XCCDF describes the checklist (Extensible Configuration Checklist Description Format). [1]
  • CCE are unique identifiers and descriptive material for specific configuration settings (Common Configuration Enumeration). [1]
  • OVAL is the XML that describes tests, including multi-part tests, that assess if a CCE identified configuration setting is correct on a system. (Open Vulnerability Assessment Language) [1]
  • CPE is as unique string of text to uniquely identify a "platform" of software, hardware, or application (Common Platform Enumeration). The idea is that CPE string can be used to associate a checklist (XCCDF), a configuration setting (CCE) or test (OVAL) with a specific platform. (Oy!) [1]

And the list goes on. But to understand how to use SCAP-Security-Guide on CentOS we only need to worry about XCCDF, CCE, OVAL, and CPE. (At least I think...)

Almost all RHEL CCE's (config settings) and OVAL (test criterion) work on CentOS. The exception are those settings/tests like the RHEL GPG key installed which only make sense in relation to a RHEL subscription and do not apply to CentOS.

So why does OpenSCAP run SCAP-Security-Guide on CentOS, but the results come back "not applicable?" Two reasons:

  1. Because the XCCDF in RHEL refers to CPE XML file that specifies RHEL and not CentOS.
  2. Because CPE platform string is verified with an OVAL test that checks the RPMs for platform identification.

Thus, to get OpenSCAP to work on CentOS, we need to tell OpenSCAP to use a CPE-dictionary.xml file that includes a CPE string for CentOS and we need to have a corrected OVAL test that validates we are on CentOS.

And how do we do this reliability? Part of what I'm trying to do with my software, GovReady [2], is to make things like this easier.

But you don't have to use GovReady. If you read the CentOS quick start in the GovReady README, you will see link to a CentOS ssg-centos6-cpe-dictionary.xml and ssg-centos6-cpe-oval.xml file that make the necessary adjustments. You just need to copy them to your local CentOS server and then correctly specify their path when running OpenSCAP. Like so:

oscap xccdf eval --oval-results --profile server --cpe
scap/content/ssg-centos6-cpe-dictionary.xml
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

Alternatively, you could manually update the CPE and OVAL XML file using (e.g., using a sed statement).

It's still kind of confusing for me. So I hope I have the above correct.

@karthiknannapaneni
Copy link

Does it support Amazon Linux?

@pfandl
Copy link

pfandl commented Mar 28, 2020

EDIT: Please ignore this, see post below.

Hello,

thanks for the information you shared here, it helped me create a script to fix it for me on CentOS 8.

I didn't have to specify the dictionary this way as the script fixed the path and I could use

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml

to create a report for the "Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)" profile.
Well at least it fixed the "notapplicable" result, I still have to check if it actually worked, but I thought
i'll share this nethertheless.

best regards

https://gist.github.com/pfandl/bcd638a633a44f222e9b4ddd4c079d62

@pfandl
Copy link

pfandl commented Mar 30, 2020

Actually you can just download them from here: https://github.com/ComplianceAsCode/content/releases

The releases contain centos xmls and you can build the source with ./build_product --derivatives rhel? to get them as well.

@kfiresmith
Copy link

After the better part of a couple days looking into OpenSCAP for 800-171, it looks like the state of SCAP for anything outside of RHEL, including CentOS and Ubuntu is just a tragedy. And it's been years and years in the making. Just dreadful.

@deajan
Copy link

deajan commented Sep 14, 2020

For whoever wants this to work on CentOS 8, it's way easier to install the ssg profiles from the OpenSCAP COPR repo:

dnf copr enable openscapmaint/openscap-latest
dnf install openscap-scanner scap-security-guide

You'll find the corresponding profiles in /usr/share/xml/scap/ssg/content/ssg-centos*-ds.xml

@galaxy4public
Copy link

@deajan, if only it could be that easy :) OpenSCAP CORP does not define CentOS 8 CPE:

# dnf info openscap | fgrep 'From repo'
From repo    : copr:copr.fedorainfracloud.org:openscapmaint:openscap-latest
# oscap -V | fgrep Community
Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
#

So, you still need to tweak /usr/share/openscap/cpe/openscap-cpe-*.xml and add CentOS 8 there. :(

@galaxy4public
Copy link

I just submitted a PR to OpenSCAP: OpenSCAP/openscap#1622

@deajan
Copy link

deajan commented Nov 10, 2020

@galaxy4public This does not stop from using OpenSCAP for CentOS 8, ie, once COPR version of OpenSCAP is installed:

oscap info /usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml

oscap xccdf eval --profile=xccdf_org.ssgproject.content_profile_pci-dss --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml

@galaxy4public
Copy link

@deajan, yes it does since there are checks which query CPEs and fail if the system is undefined. I already submitted a PR to OpenSCAP and it got merged today, so CentOS 8 support will be available in all distros soon.

@chhabraamit
Copy link

@deajan and @galaxy4public thanks for the tip.

I am getting lots of 'not_applicable' as verdicts though. Not sure if there is something I am doing wrong.

@deajan
Copy link

deajan commented Jan 13, 2021

not_applicable is new to CentOS 8.3, see https://bugs.centos.org/view.php?id=17996

The centos-release.rpm file has been renamed to centos-linux-release.rpm, hence the OVAL definitions do not match anymore.
Easiest solution is to patch the OVAL CPE file in /usr/share/openscap/cpe/openscap-cpe-oval.xml

Line 1226

            <rpmverifyfile_state id="oval:org.open-scap.cpe.rhel:ste:1008" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <name operation="pattern match">^centos-release|^centos-linux-release</name>
                  <version operation="pattern match">^8</version>

@JaumeGarciaU
Copy link

@deajan with this modification i still have the same "not applicable" result, is there any other changes possible to fix this? maybe creating a personalized dictionary for centos 8?

@jasavatt
Copy link

@JaumeGarciaU, try modifying the following files. I've found this to work for CentOS 7. Change the 7s to 8s for your situation.

/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
add
<xccdf-1.2:platform idref="cpe:/o:centos:centos:7"/>
after line
<xccdf-1.2:platform idref="cpe:/o:redhat:enterprise_linux:7"/>

/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml
add
<xccdf-1.2:platform idref="cpe:/o:centos:centos:7"/>
after line
<xccdf-1.2:platform idref="cpe:/o:redhat:enterprise_linux:7"/>

@JaumeGarciaU
Copy link

@jasavatt doesn't seem to work in my case.. same "not applicable" result ):

@deajan
Copy link

deajan commented Feb 25, 2021

@JaumeGarciaU check what centos-release package name you have on your system and adjust the regex in my earlier comment accordingly.

@JaumeGarciaU
Copy link

At the end i found the solution following these steps, this way i could define the centOS 8 platform so that the oscap does can detect it
https://bugs.centos.org/view.php?id=16717
Thank you all for your help and tips! (:

@galaxy4public
Copy link

@JaumeGarciaU, I actually submitted that change (you referring to) upstream and it got merged. However, with the announcement that CentOS becomes a rolling release they broke the detection through the centos-release package and until a fix for that is also submitted upstream, manual changes would still be needed.

@deajan
Copy link

deajan commented Mar 3, 2021

Since my last patch does not work anymore, here's the easy openscap way for CentOS 8.3 fix based on @galaxy4public PR:

dnf copr enable openscapmaint/openscap-latest
dnf install openscap-scanner scap-security-guide
cp /usr/share/openscap/cpe/openscap-cpe-dict.xml /usr`
/share/openscap/cpe/openscap-cpe-dict.xml.dist
cp /usr/share/openscap/cpe/openscap-cpe-oval.xml /usr/share/openscap/cpe/openscap-cpe-oval.xml.dist
curl -L https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.3/cpe/openscap-cpe-dict.xml -o /usr/share/openscap/cpe/openscap-cpe-dict.xml
curl -L https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.3/cpe/openscap-cpe-oval.xml -o /usr/share/openscap/cpe/openscap-cpe-oval.xml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment