amazonlinux / amazon-linux-2023

Amazon Linux 2023
https://aws.amazon.com/linux/amazon-linux-2023/

[Feature Request] - update scap ssg #631

Open daniejstriata opened 7 months ago

daniejstriata commented 7 months ago

Looking at the contents of ssg-al2023-ds.xml it appears that the version was made from the Fedora 35 package:

  1. Inbuilt CPE names do not list al2023
  2. ssg-al2023-ds.xml contains many findings, for instance gnome3, that will always fail.
  3. Some findings do not make sense in relation to al2023, like:
     3.1 Install the cron service
     3.2 Specify a Remote NTP Server (ntpd is not used by default)
     3.3 Disable Mounting of vFAT filesystems
     3.4 Ensure syslog-ng is Installed / Enable rsyslog Service
     3.5 Verify ufw Enabled
     3.6 Enable the USBGuard Service
     3.7 Disable XDMCP in GDM
     3.8 Disable Kernel iwlwifi Module

Can items like "Disable IEEE 1394 (FireWire) Support", "Disable Bluetooth Kernel Module" and "Disable iwlwifi" not be implemented by default, as they would probably never be used (even if used on-prem, they can then be enabled)?

I've included an HTML report from one of my test hosts for your reference. It would be more beneficial if the results closely align with the majority of our 2023 installations and only highlight items that need addressing to enhance instance security. Reviewing false positives can lead to mistakes and demotivate security teams needing to harden hosts based on the report findings.

```
oscap info /usr/share/xml/scap/ssg/content/ssg-al2023-ds.xml
Document type: Source Data Stream
Imported: 2023-03-09T19:28:59

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-al2023-xccdf.xml
Generated: (null)
Version: 1.3
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-al2023-xccdf.xml
        Status: draft
        Generated: 2023-03-09
```

```
oscap --v

==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux:-
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Red Hat Enterprise Linux 8 - cpe:/o:redhat:enterprise_linux:8
Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
Community Enterprise Operating System 8 - cpe:/o:centos:centos:8
Fedora 32 - cpe:/o:fedoraproject:fedora:32
Fedora 33 - cpe:/o:fedoraproject:fedora:33
Fedora 34 - cpe:/o:fedoraproject:fedora:34
Fedora 35 - cpe:/o:fedoraproject:fedora:35
```

ssg-scan-oval-report.zip
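An added example, not part of the original issue or of the Amazon Linux or SCAP Security Guide projects: one way to separate the failures this report calls out as irrelevant on AL2023 from the ones a security team should review, by reading an XCCDF 1.2 results file. The keyword list is taken from the findings named above; the rule ids and the sample document are constructed placeholders, and the function name `triage` is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Title fragments from the findings the issue lists as not relevant to AL2023.
NOT_RELEVANT = ["cron", "NTP", "vFAT", "syslog-ng", "ufw", "USBGuard",
                "XDMCP", "iwlwifi", "FireWire", "Bluetooth", "gnome"]
PATTERN = re.compile(r"\b(?:" + "|".join(map(re.escape, NOT_RELEVANT)) + ")",
                     re.IGNORECASE)

# Constructed sample: a minimal XCCDF 1.2 results document. The rule ids are
# placeholders, not ids from ssg-al2023-ds.xml.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_a"><title>Enable the USBGuard Service</title></Rule>
  <Rule id="xccdf_example_rule_b"><title>Disable Kernel iwlwifi Module</title></Rule>
  <Rule id="xccdf_example_rule_c"><title>Disable SSH Root Login</title></Rule>
  <Rule id="xccdf_example_rule_d"><title>Verify ufw Enabled</title></Rule>
  <TestResult id="xccdf_example_testresult_demo">
    <rule-result idref="xccdf_example_rule_a"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_b"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_c"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_d"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>"""


def triage(xml_text):
    """Return (review, noise): failed rules split by the keyword list."""
    root = ET.fromstring(xml_text)
    # Map rule id -> title from the benchmark part of the results file.
    titles = {rule.get("id"): rule.findtext("x:title", "", NS).strip()
              for rule in root.iter("{%s}Rule" % NS["x"])}
    review, noise = [], []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        if rr.findtext("x:result", "", NS).strip() != "fail":
            continue  # only failures reach the security team
        rid = rr.get("idref")
        title = titles.get(rid) or rid  # fall back to the id if no title
        (noise if PATTERN.search(title) else review).append((rid, title))
    return review, noise


if __name__ == "__main__":
    review, noise = triage(SAMPLE)
    for label, rows in (("REVIEW", review), ("LIKELY NOT APPLICABLE", noise)):
        for rid, title in rows:
            print(f"{label}: {title} ({rid})")
```

Keyword matching on titles is a coarse filter; each entry in the second list still needs a one-time confirmation that the component is absent from the host before it is ignored.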