This note explains the common issue of "notapplicable" results when running openSCAP and SCAP-Security-Guide on CentOS.
SCAP seems like it should be easy because it is "just XML". Then you dig into looking for a test and it gets confusing fast. So it is good to have some background.
SCAP (Security Content Automation Protocol) is actually a set of multiple standards and specifications that are used together to enable automatically testing hundreds of nerd settings. Let me emphasize that: SCAP is not a single XML specification -- SCAP is multiple standards and specs. Whenever you give "SCAP Content" to a scanner to check a system configurations you are giving the scanner multiple XML files representing multiple standards.
- XCCDF describes the checklist (Extensible Configuration Checklist Description Format). [1]
- CCE are unique identifiers and descriptive material for specific configuration settings (Common Configuration Enumeration). [1]
- OVAL is the XML that describes tests, including multi-part tests, that assess if a CCE identified configuration setting is correct on a system. (Open Vulnerability Assessment Language) [1]
- CPE is as unique string of text to uniquely identify a "platform" of software, hardware, or application (Common Platform Enumeration). The idea is that CPE string can be used to associate a checklist (XCCDF), a configuration setting (CCE) or test (OVAL) with a specific platform. (Oy!) [1]
And the list goes on. But to understand how to use SCAP-Security-Guide on CentOS we only need to worry about XCCDF, CCE, OVAL, and CPE. (At least I think...)
Almost all RHEL CCE's (config settings) and OVAL (test criterion) work on CentOS. The exception are those settings/tests like the RHEL GPG key installed which only make sense in relation to a RHEL subscription and do not apply to CentOS.
So why does OpenSCAP run SCAP-Security-Guide on CentOS, but the results come back "not applicable?" Two reasons:
- Because the XCCDF in RHEL refers to CPE XML file that specifies RHEL and not CentOS.
- Because CPE platform string is verified with an OVAL test that checks the RPMs for platform identification.
Thus, to get OpenSCAP to work on CentOS, we need to tell OpenSCAP to use a CPE-dictionary.xml file that includes a CPE string for CentOS and we need to have a corrected OVAL test that validates we are on CentOS.
And how do we do this reliability? Part of what I'm trying to do with my software, GovReady [2], is to make things like this easier.
But you don't have to use GovReady. If you read the CentOS quick start in
the GovReady README, you will see link to a CentOS ssg-centos6-cpe-dictionary.xml
and ssg-centos6-cpe-oval.xml
file that make the necessary adjustments. You
just need to copy them to your local CentOS server and then correctly
specify their path when running OpenSCAP. Like so:
oscap xccdf eval --oval-results --profile server --cpe
scap/content/ssg-centos6-cpe-dictionary.xml
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
Alternatively, you could manually update the CPE and OVAL XML file using (e.g., using a sed statement).
It's still kind of confusing for me. So I hope I have the above correct.
@deajan, if only it could be that easy :) OpenSCAP CORP does not define CentOS 8 CPE:
So, you still need to tweak
/usr/share/openscap/cpe/openscap-cpe-*.xml
and add CentOS 8 there. :(