Hi Shawn,
In atomic scan it isn't possible to scan RHEL8 containers.
But you can download the content from upstream and use `oscap-docker`, e.g.:
oscap-docker image ubi8/ubi-minimal xccdf eval --fetch-remote-resources
--profile ospp scap-security-guide-0.1.44/ssg-rhel8-ds-1.3.xml
This works for me on RHEL 7. For the 1.3 datastreams, you have to provide
--fetch-remote-resources option, due to
Regards
On Mon, Jun 3, 2019 at 10:40 AM Shawn Wells <shawn(a)redhat.com> wrote:
On Jun 3, 2019, at 10:30 AM, Jan Cerny <jcerny(a)redhat.com> wrote:
Hi Shawn,
It seems to me that `openscap-daemon` doesn't contain RHEL 8 CPE, so it
can't pick the RHEL 8 datastream that you added to the container.
However, in the RHEL 7 container the RHEL 8 datastreams aren't shipped, so it
means customers won't be able to scan RHEL 8-based containers on RHEL 7
hosts anyway.
Regards
Yikes - so there is no possible way to scan RHEL8 systems? How soon will
that bug be fixed?
On Sun, Jun 2, 2019 at 8:34 PM Shawn Wells <shawn(a)redhat.com> wrote:
>
> On 6/2/19 2:24 PM, Shawn Wells wrote:
> > Attempting to use the RHEL 8 data streams, but even 'oscap info' fails
> > using the latest release [0]:
> >
> >> # oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.3.xml
> >> Document type: Source Data Stream
> >> Imported: 2019-06-02T11:16:07
> >>
> >> Stream:
> scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
> >> Generated: (null)
> >> Version: 1.3
> >> Checklists:
> >> Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
> >> WARNING: Datastream component
> >> 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2'
> >> points out to the remote
> >> 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'.
> >> Use '--fetch-remote-resources' option to download it.
> >> WARNING: Skipping
> >> 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'
> >> file which is referenced from datastream
> >> OpenSCAP Error: Could not extract
> >> scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml with all dependencies
> >> from datastream. [ds_sds_session.c:211]
> >
> >
> > Looking at the ssg-rhel8-ds-1.3 file there are lots of mentions to
> > SCAP 1.2 instead of 1.3?
> >
> >
> > [0] https://github.com/ComplianceAsCode/content/releases/download/v0.1.44/sca...
> >
>
>
> p.s. this also happens with upstream:
>
> $ ./build_product rhel8
> $ oscap info build/ssg-rhel8-ds-1.3.xml
> Document type: Source Data Stream
> Imported: 2019-06-02T14:27:51
>
> Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
> Generated: (null)
> Version: 1.3
> Checklists:
> Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
> WARNING: Datastream component
> 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml'
> points out to the remote
> 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'.
> Use '--fetch-remote-resources' option to download it.
> WARNING: Skipping
> 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'
> file which is referenced from datastream
> OpenSCAP Error: Could not extract
> scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml with all dependencies
> from datastream. [ds_sds_session.c:211]
>
>
> The rhel8 1.2 datastream appears fine when using "oscap info," but using
> it also results in an error:
>
> > $ oscap info build/ssg-rhel8-ds.xml
> > Document type: Source Data Stream
> > Imported: 2019-06-02T14:27:50
> >
> > Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
> > Generated: (null)
> > Version: 1.2
> > Checklists:
> > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
> > Status: draft
> > Generated: 2019-06-02
> > Resolved: true
> > Profiles:
> > Title: Criminal Justice Information Services (CJIS)
> > Security Policy
> > Id: xccdf_org.ssgproject.content_profile_cjis
> > Title: Unclassified Information in Non-federal Information
> > Systems and Organizations (NIST 800-171)
> > Id: xccdf_org.ssgproject.content_profile_cui
> > Title: Health Insurance Portability and Accountability Act
> > (HIPAA)
> > Id: xccdf_org.ssgproject.content_profile_hipaa
> > Title: Protection Profile for General Purpose Operating
> > Systems
> > Id: xccdf_org.ssgproject.content_profile_ospp
> > Title: PCI-DSS v3.2.1 Control Baseline for Red Hat
> > Enterprise Linux 8
> > Id: xccdf_org.ssgproject.content_profile_pci-dss
> > Title: Red Hat Corporate Profile for Certified Cloud
> > Providers (RH CCP)
> > Id: xccdf_org.ssgproject.content_profile_rht-ccp
> > Title: Standard System Security Profile for Red Hat
> > Enterprise Linux 8
> > Id: xccdf_org.ssgproject.content_profile_standard
> > Referenced check files:
> > ssg-rhel8-oval.xml
> > system: http://oval.mitre.org/XMLSchema/oval-definitions-5
> > ssg-rhel8-ocil.xml
> > system: http://scap.nist.gov/schema/ocil/2
> > https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml
> > system: http://oval.mitre.org/XMLSchema/oval-definitions-5
> > Checks:
> > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-oval.xml
> > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-ocil.xml
> > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-oval.xml
> > Dictionaries:
> > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-dictionary.xml
> >
> > $ sudo atomic scan --scan_type configuration_compliance --scanner_args
> > xccdf-id=scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml,profile=xccdf_org.ssgproject.content_profile_ospp,report
> > registry.redhat.io/ubi8/ubi-minimal --scanner openscap-ncp
> > docker run -t --rm -v /etc/localtime:/etc/localtime -v
> > /run/atomic/2019-06-02-07-30-02-549130:/scanin -v
> > /var/lib/atomic/openscap-ncp/2019-06-02-07-30-02-549130:/scanout:rw,Z
> > -v /etc/oscapd:/etc/oscapd:ro openscap-ncp:latest oscapd-evaluate scan
> > --targets chroots-in-dir:///scanin --output /scanout --no-cve-scan
> > --fix_type bash -j1 --xccdf-id
> > scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml --profile
> > xccdf_org.ssgproject.content_profile_ospp --report
> >
> > registry.redhat.io/ubi8/ubi-minimal (3bfa511b67f8277)
> >
> > registry.redhat.io/ubi8/ubi-minimal is not supported for this scan.
> >
> > Files associated with this scan are in
> > /var/lib/atomic/openscap-ncp/2019-06-02-07-30-02-549130.
> >
>
> _______________________________________________
> scap-security-guide mailing list --
> scap-security-guide(a)lists.fedorahosted.org
> To unsubscribe send an email to
> scap-security-guide-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://getfedora.org/code-of-conduct.html
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
>
--
Jan Černý
Security Technologies | Red Hat, Inc.
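Added example, not code from this thread or from OpenSCAP: a small Python checker that reads a source data stream and lists the component-refs whose xlink:href points at a remote URL, which is exactly the condition that makes `--fetch-remote-resources` necessary for the oscap / oscap-docker commands above. The namespace URIs are the standard SCAP 1.2 source data stream and XLink ones; the embedded data stream is a constructed, cut-down sample reusing the ref ids from the thread.

```python
"""Added example (not from the thread or OpenSCAP): list the <ds:component-ref>
entries of a SCAP source data stream whose xlink:href is a remote URL rather
than a local "#id", i.e. the components oscap only loads when given
--fetch-remote-resources (the warning shown in the thread)."""
import xml.etree.ElementTree as ET

DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
XLINK_NS = "http://www.w3.org/1999/xlink"
HREF = "{%s}href" % XLINK_NS

# Constructed, cut-down data stream using the ref ids from the thread.
SAMPLE_DS = f"""<ds:data-stream-collection xmlns:ds="{DS_NS}" xmlns:xlink="{XLINK_NS}">
  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml"
                  scap-version="1.3" use-case="OTHER">
    <ds:checklists>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml"
                        xlink:href="#scap_org.open-scap_comp_ssg-rhel8-xccdf-1.2.xml"/>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhel8-oval.xml"
                        xlink:href="#scap_org.open-scap_comp_ssg-rhel8-oval.xml"/>
      <ds:component-ref id="scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2"
                        xlink:href="https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2"/>
    </ds:checks>
  </ds:data-stream>
</ds:data-stream-collection>
"""


def remote_component_refs(xml_text):
    """Map each data-stream id to its [(component-ref id, remote URL), ...]."""
    root = ET.fromstring(xml_text)
    result = {}
    for ds in root.iter(f"{{{DS_NS}}}data-stream"):
        remote = []
        for cref in ds.iter(f"{{{DS_NS}}}component-ref"):
            href = cref.get(HREF, "")
            if href and not href.startswith("#"):  # local refs start with '#'
                remote.append((cref.get("id"), href))
        result[ds.get("id")] = remote
    return result


def needs_fetch_remote_resources(xml_text):
    """True when any data stream references a component oscap must download."""
    return any(remote_component_refs(xml_text).values())
```

Run it against a real file with `remote_component_refs(open("ssg-rhel8-ds-1.3.xml").read())`; an empty list for every data stream means the content can be evaluated fully offline.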