OpenSCAP / openscap

NIST Certified SCAP 1.2 toolkit
https://www.open-scap.org/tools/openscap-base
GNU Lesser General Public License v2.1

Centos8.3 Not detected #1661

Closed ichasco closed 3 years ago

ichasco commented 3 years ago

Description of Problem:

Hi, with the update to CentOS 8.3, the scan doesn't detect the system. With CentOS 8.2 it works.

OpenSCAP Version:

openscap-1.3.4-1.el8.x86_64
openscap-utils-1.3.4-1.el8.x86_64
openscap-scanner-1.3.4-1.el8.x86_64
scap-security-guide-0.1.53-1.el8.noarch
scap-workbench-1.2.0-5.el8.x86_64
openscap-containers-1.3.4-1.el8.noarch

Operating System & Version:

CentOS Linux release 8.3.2011

Steps to Reproduce:

  1. Install OpenSCAP
  2. Run:
    oscap xccdf eval \
          --profile xccdf_org.ssgproject.content_profile_standard \
          --results-arf /var/tmp/oscap-arf.xml \
          --report /var/tmp/oscap-report.html \
          --fetch-remote-resources \
          /usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml

Actual Results:

get notapplicable and ignore all rules

Expected Results:

apply the CPE

Thanks!! :)

evgenyz commented 3 years ago

Most likely it belongs to CaC, but I'll leave it here until we are sure.

jan-cerny commented 3 years ago

Actually, it's a problem in both OpenSCAP and SSG. This particular use case has to be fixed in SSG, but the same problem is also in OpenSCAP's embedded CPE dict.

I have found that the applicability checks depend on the centos-release package. On CentOS 8.3, centos-release has been replaced by centos-linux-release. The change seems to be related to the CentOS Stream initiative. CentOS Stream features centos-stream-release instead.

evgenyz commented 3 years ago

Another argument for switching to /etc/os-release and textfilecontent58.

jan-cerny commented 3 years ago

@evgenyz Why? We always prefer to use rpm if possible

evgenyz commented 3 years ago

For starters, /etc/os-release is more or less standard and centos-release is definitely not. Then, what would you use for Arch Linux? Also, do you remember RHCOS problems with librpm?

ichasco commented 3 years ago

Is there any workaround to fix it for the moment?

Thanks :)

ggbecker commented 3 years ago

> Is there any workaround to fix it for the moment?
>
> Thanks :)

The quickest workaround would be to change in /usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml lines such as:

        <linux:rpminfo_object id="oval:ssg-obj_centos8:obj:1" version="1">
            <linux:name>centos-release</linux:name>

to

        <linux:rpminfo_object id="oval:ssg-obj_centos8:obj:1" version="1">
            <linux:name>centos-linux-release</linux:name>

ichasco commented 3 years ago

> > Is there any workaround to fix it for the moment? Thanks :)
>
> The quickest workaround would be to change in /usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml lines such as:
>
>         <linux:rpminfo_object id="oval:ssg-obj_centos8:obj:1" version="1">
>             <linux:name>centos-release</linux:name>
>
> to
>
>         <linux:rpminfo_object id="oval:ssg-obj_centos8:obj:1" version="1">
>             <linux:name>centos-linux-release</linux:name>

Perfect! It works. Thanks

guillemlc commented 3 years ago

I am finding the same issue with CentOS 8.4. The file is correctly already using /etc/os-release, but it still gives me a not-applicable for all tests

```
          <ind:filepath>/etc/os-release</ind:filepath>
          <ind:pattern operation="pattern match">^ID="(\w+)"$</ind:pattern>
          <ind:instance datatype="int">1</ind:instance>
        </ind:textfilecontent54_object>
        <ind:textfilecontent54_object comment="Check os-release VERSION_ID" id="oval:ssg-obj_version_centos8:obj:1" version="1">
          <ind:filepath>/etc/os-release</ind:filepath>
          <ind:pattern operation="pattern match">^VERSION_ID="(\d)"$</ind:pattern>
          <ind:instance datatype="int">1</ind:instance>
        </ind:textfilecontent54_object>
```

For example:

```
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cui  --fetch-remote-resources --report ssg-centos8-CIS-xccdf.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml ... ok

Title   Install AIDE
Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
Ident   CCE-80844-4
Result  notapplicable
```

Same for all the other checks.

My /etc/os-release:


```
# cat /etc/os-release
NAME="CentOS Linux"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Linux 8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-8"
CENTOS_MANTISBT_PROJECT_VERSION="8"
```

MedDevSecGuru987 commented 2 years ago

guillemlc Did you manage to run the scan on CentOS 8.4? If so, would you please share what you did?
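
The two applicability lookups discussed in this thread (the `rpminfo_object` package name and the `textfilecontent54_object` pattern on `/etc/os-release`), as an added sketch that is not part of the thread or of OpenSCAP's code. It only checks whether each object would find something on a described host; `objects_found`, `rename_release_package`, the `<objects>` wrapper and the sample host data are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"linux": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux",
      "ind": "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"}

# Constructed fragment: the two object kinds quoted in the thread, wrapped in a
# hypothetical <objects> root so that it parses on its own.
SAMPLE_OBJECTS = r"""<objects xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
         xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <linux:rpminfo_object id="oval:ssg-obj_centos8:obj:1" version="1">
    <linux:name>centos-release</linux:name>
  </linux:rpminfo_object>
  <ind:textfilecontent54_object id="oval:ssg-obj_version_centos8:obj:1" version="1">
    <ind:filepath>/etc/os-release</ind:filepath>
    <ind:pattern operation="pattern match">^VERSION_ID="(\d)"$</ind:pattern>
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>
</objects>"""

# Constructed host state, trimmed from the /etc/os-release posted above.
OS_RELEASE = 'NAME="CentOS Linux"\nID="centos"\nVERSION_ID="8"\n'


def objects_found(objects_xml, installed_rpms, files):
    """Map each object id to True if it would collect an item on this host.

    Simplified: only the package name / file pattern is checked; OVAL states,
    tests and the instance entity are ignored, and Python's re stands in for PCRE.
    """
    root = ET.fromstring(objects_xml)
    found = {}
    for obj in root.findall(".//linux:rpminfo_object", NS):
        found[obj.get("id")] = obj.findtext("linux:name", namespaces=NS) in installed_rpms
    for obj in root.findall(".//ind:textfilecontent54_object", NS):
        text = files.get(obj.findtext("ind:filepath", namespaces=NS))
        pattern = obj.findtext("ind:pattern", namespaces=NS)
        found[obj.get("id")] = bool(text and re.search(pattern, text, re.MULTILINE))
    return found


def rename_release_package(objects_xml):
    """The edit suggested in the thread, applied to a string instead of the file."""
    return objects_xml.replace("<linux:name>centos-release</linux:name>",
                               "<linux:name>centos-linux-release</linux:name>")


if __name__ == "__main__":
    host_rpms = {"centos-linux-release"}  # CentOS 8.3 package name, per the thread
    files = {"/etc/os-release": OS_RELEASE}
    print("shipped:", objects_found(SAMPLE_OBJECTS, host_rpms, files))
    print("patched:", objects_found(rename_release_package(SAMPLE_OBJECTS), host_rpms, files))
```

An object that finds nothing is only one possible reason for a `notapplicable` result; the sketch does not evaluate the full platform definition.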