Skip to content

Instantly share code, notes, and snippets.

@gregelin

gregelin/SCAP-CentOS-NotApplicable.md

Last active February 22, 2022 21:50
Show Gist options
  • Star 16 You must be signed in to star a gist
  • Fork 3 You must be signed in to fork a gist
  • Save gregelin/f94ba31f004ca4acea87 to your computer and use it in GitHub Desktop.
Save gregelin/f94ba31f004ca4acea87 to your computer and use it in GitHub Desktop.
Download ZIP
Explanation of SCAP, CentOS and tests Not Applicable
Raw
SCAP-CentOS-NotApplicable.md

This note explains the common issue of "notapplicable" results when running openSCAP and SCAP-Security-Guide on CentOS.

SCAP seems like it should be easy because it is "just XML". Then you dig into looking for a test and it gets confusing fast. So it is good to have some background.

SCAP (Security Content Automation Protocol) is actually a set of multiple standards and specifications that are used together to enable automatically testing hundreds of nerd settings. Let me emphasize that: SCAP is not a single XML specification -- SCAP is multiple standards and specs. Whenever you give "SCAP Content" to a scanner to check a system configurations you are giving the scanner multiple XML files representing multiple standards.

  • XCCDF describes the checklist (Extensible Configuration Checklist Description Format). [1]
  • CCE are unique identifiers and descriptive material for specific configuration settings (Common Configuration Enumeration). [1]
  • OVAL is the XML that describes tests, including multi-part tests, that assess if a CCE identified configuration setting is correct on a system. (Open Vulnerability Assessment Language) [1]
  • CPE is as unique string of text to uniquely identify a "platform" of software, hardware, or application (Common Platform Enumeration). The idea is that CPE string can be used to associate a checklist (XCCDF), a configuration setting (CCE) or test (OVAL) with a specific platform. (Oy!) [1]

And the list goes on. But to understand how to use SCAP-Security-Guide on CentOS we only need to worry about XCCDF, CCE, OVAL, and CPE. (At least I think...)

Almost all RHEL CCE's (config settings) and OVAL (test criterion) work on CentOS. The exception are those settings/tests like the RHEL GPG key installed which only make sense in relation to a RHEL subscription and do not apply to CentOS.

So why does OpenSCAP run SCAP-Security-Guide on CentOS, but the results come back "not applicable?" Two reasons:

  1. Because the XCCDF in RHEL refers to CPE XML file that specifies RHEL and not CentOS.
  2. Because CPE platform string is verified with an OVAL test that checks the RPMs for platform identification.

Thus, to get OpenSCAP to work on CentOS, we need to tell OpenSCAP to use a CPE-dictionary.xml file that includes a CPE string for CentOS and we need to have a corrected OVAL test that validates we are on CentOS.

And how do we do this reliability? Part of what I'm trying to do with my software, GovReady [2], is to make things like this easier.

But you don't have to use GovReady. If you read the CentOS quick start in the GovReady README, you will see link to a CentOS ssg-centos6-cpe-dictionary.xml and ssg-centos6-cpe-oval.xml file that make the necessary adjustments. You just need to copy them to your local CentOS server and then correctly specify their path when running OpenSCAP. Like so:

oscap xccdf eval --oval-results --profile server --cpe
scap/content/ssg-centos6-cpe-dictionary.xml
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

Alternatively, you could manually update the CPE and OVAL XML file using (e.g., using a sed statement).

It's still kind of confusing for me. So I hope I have the above correct.

@JaumeGarciaU
Copy link

@jasavatt doesn't seem to work in my case.. same "not applicable" result ):

@deajan
Copy link

deajan commented Feb 25, 2021

@JaumeGarciaU check what centos-release package name you have on your system and adjust the regex in my earlier comment accordingly.

@JaumeGarciaU
Copy link

At the end i found the solution following these steps, this way i could define the centOS 8 platform so that the oscap does can detect it
https://bugs.centos.org/view.php?id=16717
Thank you all for your help and tips! (:

@galaxy4public
Copy link

@JaumeGarciaU, I actually submitted that change (you referring to) upstream and it got merged. However, with the announcement that CentOS becomes a rolling release they broke the detection through the centos-release package and until a fix for that is also submitted upstream, manual changes would still be needed.

@deajan
Copy link

deajan commented Mar 3, 2021
edited

Since my last patch does not work anymore, here's the easy openscap way for CentOS 8.3 fix based on @galaxy4public PR:

dnf copr enable openscapmaint/openscap-latest
dnf install openscap-scanner scap-security-guide
cp /usr/share/openscap/cpe/openscap-cpe-dict.xml /usr`
/share/openscap/cpe/openscap-cpe-dict.xml.dist
cp /usr/share/openscap/cpe/openscap-cpe-oval.xml /usr/share/openscap/cpe/openscap-cpe-oval.xml.dist
curl -L https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.3/cpe/openscap-cpe-dict.xml -o /usr/share/openscap/cpe/openscap-cpe-dict.xml
curl -L https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.3/cpe/openscap-cpe-oval.xml -o /usr/share/openscap/cpe/openscap-cpe-oval.xml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment