ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Alinux 3 OpenSCAP scanning not working #12401

Open blackbrownco opened 2 months ago

blackbrownco commented 2 months ago

Description of problem:

All of the scan results using ssg-alinux3-xccdf.xml with profile xccdf_org.ssgproject.content_profile_cis come back as not applicable for all items.

SCAP Security Guide Version:

0.1.74

Operating System Version:

VERSION="3 (OpenAnolis Edition)"
ID="alinux"
ID_LIKE="rhel fedora centos anolis"
VERSION_ID="3"
VARIANT="OpenAnolis Edition"
VARIANT_ID="openanolis"
ALINUX_MINOR_ID="2104"
ALINUX_UPDATE_ID="10"
PLATFORM_ID="platform:al8"
PRETTY_NAME="Alibaba Cloud Linux 3.2104 U10 (OpenAnolis Edition)"
ANSI_COLOR="0;31"
HOME_URL="https://www.aliyun.com/"

Steps to Reproduce:

  1. Install the necessary packages openscap-scanner and scap-security-guide, but the ssg for alinux was not found.
  2. Download the ssg from https://github.com/ComplianceAsCode/content, but the ssg-alinux3-xccdf.xml was also not found.
  3. Import the ssg-alinux3-xccdf.xml from an Ubuntu system that has ssg-applications, ssg-base and ssg-nondebian installed.
  4. Run oscap xccdf eval with profile xccdf_org.ssgproject.content_profile_cis and point it to the stored ssg-alinux3-xccdf.xml.
  5. All of the items were not scanned.

Actual Results:

image

Additional Information

When scanning using ssg-alinux-ds.xml, the scanner works and I managed to get the report.

dodys commented 2 months ago

Hi @blackbrownco,

Regarding your steps to reproduce:

  1. On step 2, you need to build the product to get the ssg-alinux3-xccdf.xml that you are looking for. It is not stored in the repo, but is a result of the product build. Therefore, running something like `./build_product -j4 alinux3` will generate a `./build/ssg-alinux3-xccdf.xml`.
  2. On step number 4 it was not clear: did you run the eval on an alinux machine or on Ubuntu? Because the not-applicable results from the image suggested that you ran against Ubuntu and not against alinux. If you did run against alinux, then I would recommend running the same command but with the following parameters: `--verbose INFO --verbose-log-file alinux3.log --oval-results`. That should make it easier to figure out what's happening.

blackbrownco commented 2 months ago

Hi @dodys thanks for your reply

  1. Where can I get the build_product binary to create the ssg-alinux3-xccdf.xml

dodys commented 2 months ago

> Hi @dodys thanks for your reply
>
> 1. Where can I get the build_product binary to create the ssg-alinux3-xccdf.xml

in the root of the project itself

blackbrownco commented 1 month ago

Hi @dodys, I have already built it with the binary found in the root of this project; this is the info image

the profile xccdf_org.ssgproject.content_profile_cis_l1 and xccdf_org.ssgproject.content_profile_cis weren't found

I also tried to scan using the standard profile, but the results are not applicable image

hostnamectl

image

dodys commented 1 month ago

sorry, I should have confirmed it earlier, but since I'm not involved with that distro I didn't. But yeah, there isn't an implementation of CIS for al3 currently. Someone would need to contribute it.

dodys commented 1 month ago

regarding the not-applicable with the standard profile, have you run with the parameters I mentioned before and took a look at them?

blackbrownco commented 1 month ago

> sorry, I should have confirmed it earlier, but since I'm not involved with that distro I didn't. But yeah, there isn't an implementation of CIS for al3 currently. Someone would need to contribute it.

I thought it was already implemented since there is a guide here https://static.open-scap.org/ssg-guides/ssg-alinux3-guide-cis.html

blackbrownco commented 1 month ago

> regarding the not-applicable with the standard profile, have you run with the parameters I mentioned before and took a look at them?

if you see here at my earlier reply, I've put verbose command as well image

dodys commented 1 month ago

> > sorry, I should have confirmed it earlier, but since I'm not involved with that distro I didn't. But yeah, there isn't an implementation of CIS for al3 currently. Someone would need to contribute it.
>
> I thought it was already implemented since there is a guide here https://static.open-scap.org/ssg-guides/ssg-alinux3-guide-cis.html

It was removed in the beginning of the year when alinux3 became EOL https://github.com/ComplianceAsCode/content/pull/11486

dodys commented 1 month ago

> > regarding the not-applicable with the standard profile, have you run with the parameters I mentioned before and took a look at them?
>
> if you see here at my earlier reply, I've put verbose command as well image

please add all the parameters I've mentioned
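
Added example, not from the thread or from the ComplianceAsCode project: a Python check for the two symptoms discussed above (the requested profile is absent from the content, and every rule returns notapplicable), run over an XCCDF 1.2 results document. The sample XML, its ids and its CPE are constructed placeholders, and `triage` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace

# Constructed sample in the shape of an XCCDF results document; the ids,
# the CPE and the rule names are placeholders, not values from the issue.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_DEMO">
  <platform idref="cpe:/o:example:linux:3"/>
  <Profile id="xccdf_org.ssgproject.content_profile_standard"><title>Standard</title></Profile>
  <TestResult id="xccdf_org.example_testresult_demo">
    <rule-result idref="xccdf_org.example_rule_a"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_b"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>"""


def triage(xml_text, wanted_profile):
    """Summarise why a scan may have produced nothing useful."""
    root = ET.fromstring(xml_text)
    # Profiles actually shipped in this content file.
    profiles = [p.get("id") for p in root.iter(NS + "Profile")]
    # Benchmark-level platforms: the CPEs the content declares itself for.
    platforms = [p.get("idref") for p in root.findall(NS + "platform")]
    # Count each rule outcome (pass, fail, notapplicable, ...).
    tally = Counter(r.findtext(NS + "result", default="unknown")
                    for r in root.iter(NS + "rule-result"))
    findings = []
    if wanted_profile not in profiles:
        findings.append("profile-missing")
    if tally and set(tally) == {"notapplicable"}:
        # Every rule was skipped: compare `platforms` with the scanned host.
        findings.append("all-notapplicable")
    return {"profiles": profiles, "platforms": platforms,
            "results": dict(tally), "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE, "xccdf_org.ssgproject.content_profile_cis")
    print("profiles in content :", report["profiles"])
    print("declared platforms  :", report["platforms"])
    print("rule results        :", report["results"])
    print("findings            :", report["findings"])
```
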