On 6/2/19 2:24 PM, Shawn Wells wrote: > Attempting to use the RHEL 8 data streams, but even 'oscap info' fails > using the latest release [0]: > >> # oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.3.xml >> Document type: Source Data Stream >> Imported: 2019-06-02T11:16:07 >> >> Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml >> Generated: (null) >> Version: 1.3 >> Checklists: >> Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml >> WARNING: Datastream component >> 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' >> points out to the remote >> ' https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2';. >> Use '--fetch-remote-resources' option to download it. >> WARNING: Skipping >> ' https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' >> file which is referenced from datastream >> OpenSCAP Error: Could not extract >> scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml with all dependencies >> from datastream. [ds_sds_session.c:211] > > > Looking at the ssg-rhel8-ds-1.3 file there are lots of mentions to > SCAP 1.2 instead of 1.3? > > > [0] > https://github.com/ComplianceAsCode/content/releases/download/v0.1.44/sca... > p.s. this also happens with upstream: $ ./build_product rhel8 $ oscap info build/ssg-rhel8-ds-1.3.xml Document type: Source Data Stream Imported: 2019-06-02T14:27:51 Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml Generated: (null) Version: 1.3 Checklists: Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'. Use '--fetch-remote-resources' option to download it. WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml' file which is referenced from datastream OpenSCAP Error: Could not extract scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml with all dependencies from datastream. [ds_sds_session.c:211] The rhel8 1.2 datastream appears fine when using "oscap info," but using it also results in an error: > $ oscap info build/ssg-rhel8-ds.xml > Document type: Source Data Stream > Imported: 2019-06-02T14:27:50 > > Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml > Generated: (null) > Version: 1.2 > Checklists: > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml > Status: draft > Generated: 2019-06-02 > Resolved: true > Profiles: > Title: Criminal Justice Information Services (CJIS) > Security Policy > Id: xccdf_org.ssgproject.content_profile_cjis > Title: Unclassified Information in Non-federal Information > Systems and Organizations (NIST 800-171) > Id: xccdf_org.ssgproject.content_profile_cui > Title: Health Insurance Portability and Accountability Act > (HIPAA) > Id: xccdf_org.ssgproject.content_profile_hipaa > Title: Protection Profile for General Purpose Operating > Systems > Id: xccdf_org.ssgproject.content_profile_ospp > Title: PCI-DSS v3.2.1 Control Baseline for Red Hat > Enterprise Linux 8 > Id: xccdf_org.ssgproject.content_profile_pci-dss > Title: Red Hat Corporate Profile for Certified Cloud > Providers (RH CCP) > Id: xccdf_org.ssgproject.content_profile_rht-ccp > Title: Standard System Security Profile for Red Hat > Enterprise Linux 8 > Id: xccdf_org.ssgproject.content_profile_standard > Referenced check files: > ssg-rhel8-oval.xml > system: http://oval.mitre.org/XMLSchema/oval-definitions-5 > ssg-rhel8-ocil.xml > system: http://scap.nist.gov/schema/ocil/2 > https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml > system: http://oval.mitre.org/XMLSchema/oval-definitions-5 > Checks: > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-oval.xml > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-ocil.xml > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-oval.xml > Dictionaries: > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-dictionary.xml > > $ sudo atomic scan --scan_type configuration_compliance --scanner_args > xccdf-id=scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml,profile=xccdf_org.ssgproject.content_profile_ospp,report > registry.redhat.io/ubi8/ubi-minimal --scanner openscap-ncp > docker run -t --rm -v /etc/localtime:/etc/localtime -v > /run/atomic/2019-06-02-07-30-02-549130:/scanin -v > /var/lib/atomic/openscap-ncp/2019-06-02-07-30-02-549130:/scanout:rw,Z > -v /etc/oscapd:/etc/oscapd:ro openscap-ncp:latest oscapd-evaluate scan > --targets chroots-in-dir:///scanin --output /scanout --no-cve-scan > --fix_type bash -j1 --xccdf-id > scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml --profile > xccdf_org.ssgproject.content_profile_ospp --report > > registry.redhat.io/ubi8/ubi-minimal (3bfa511b67f8277) > > registry.redhat.io/ubi8/ubi-minimal is not supported for this scan. > > Files associated with this scan are in > /var/lib/atomic/openscap-ncp/2019-06-02-07-30-02-549130. > _______________________________________________ scap-security-guide mailing list -- scap-security-guide(a)lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...

On Jun 3, 2019, at 10:30 AM, Jan Cerny <jcerny(a)redhat.com&gt; wrote: Hi Shawn, It seems to me that `openscap-daemon` doesn't contain RHEL 8 CPE, so it can't pick the RHEL 8 datastream that you added to the container. However, in RHEL 7 container the RHEL 8 datastreams aren't shipped, so it means customers won't be able to scan RHEL 8 - based containers on RHEL 7 hosts anyway. Regards Yikes - so there is no possible way to scan RHEL8 systems? how soon will that bug be fixed? On Sun, Jun 2, 2019 at 8:34 PM Shawn Wells <shawn(a)redhat.com&gt; wrote: > > On 6/2/19 2:24 PM, Shawn Wells wrote: > > Attempting to use the RHEL 8 data streams, but even 'oscap info' fails > > using the latest release [0]: > > > >> # oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.3.xml > >> Document type: Source Data Stream > >> Imported: 2019-06-02T11:16:07 > >> > >> Stream: > scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml > >> Generated: (null) > >> Version: 1.3 > >> Checklists: > >> Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml > >> WARNING: Datastream component > >> > 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' > >> points out to the remote > >> ' > https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2';. > > >> Use '--fetch-remote-resources' option to download it. > >> WARNING: Skipping > >> ' > https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' > >> file which is referenced from datastream > >> OpenSCAP Error: Could not extract > >> scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml with all dependencies > >> from datastream. [ds_sds_session.c:211] > > > > > > Looking at the ssg-rhel8-ds-1.3 file there are lots of mentions to > > SCAP 1.2 instead of 1.3? > > > > > > [0] > > > https://github.com/ComplianceAsCode/content/releases/download/v0.1.44/sca... > > > > > p.s. this also happens with upstream: > > $ ./build_product rhel8 > $ oscap info build/ssg-rhel8-ds-1.3.xml > Document type: Source Data Stream > Imported: 2019-06-02T14:27:51 > > Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml > Generated: (null) > Version: 1.3 > Checklists: > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml > WARNING: Datastream component > 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml' > points out to the remote > 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'. > Use '--fetch-remote-resources' option to download it. > WARNING: Skipping > 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml' > file which is referenced from datastream > OpenSCAP Error: Could not extract > scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml with all dependencies > from datastream. [ds_sds_session.c:211] > > > The rhel8 1.2 datastream appears fine when using "oscap info," but using > it also results in an error: > > > $ oscap info build/ssg-rhel8-ds.xml > > Document type: Source Data Stream > > Imported: 2019-06-02T14:27:50 > > > > Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml > > Generated: (null) > > Version: 1.2 > > Checklists: > > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml > > Status: draft > > Generated: 2019-06-02 > > Resolved: true > > Profiles: > > Title: Criminal Justice Information Services (CJIS) > > Security Policy > > Id: xccdf_org.ssgproject.content_profile_cjis > > Title: Unclassified Information in Non-federal Information > > Systems and Organizations (NIST 800-171) > > Id: xccdf_org.ssgproject.content_profile_cui > > Title: Health Insurance Portability and Accountability Act > > (HIPAA) > > Id: xccdf_org.ssgproject.content_profile_hipaa > > Title: Protection Profile for General Purpose Operating > > Systems > > Id: xccdf_org.ssgproject.content_profile_ospp > > Title: PCI-DSS v3.2.1 Control Baseline for Red Hat > > Enterprise Linux 8 > > Id: xccdf_org.ssgproject.content_profile_pci-dss > > Title: Red Hat Corporate Profile for Certified Cloud > > Providers (RH CCP) > > Id: xccdf_org.ssgproject.content_profile_rht-ccp > > Title: Standard System Security Profile for Red Hat > > Enterprise Linux 8 > > Id: xccdf_org.ssgproject.content_profile_standard > > Referenced check files: > > ssg-rhel8-oval.xml > > system: > http://oval.mitre.org/XMLSchema/oval-definitions-5 > > ssg-rhel8-ocil.xml > > system: http://scap.nist.gov/schema/ocil/2 > > https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml > > system: > http://oval.mitre.org/XMLSchema/oval-definitions-5 > > Checks: > > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-oval.xml > > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-ocil.xml > > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-oval.xml > > Dictionaries: > > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-dictionary.xml > > > > $ sudo atomic scan --scan_type configuration_compliance --scanner_args > > > xccdf-id=scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml,profile=xccdf_org.ssgproject.content_profile_ospp,report > > > registry.redhat.io/ubi8/ubi-minimal --scanner openscap-ncp > > docker run -t --rm -v /etc/localtime:/etc/localtime -v > > /run/atomic/2019-06-02-07-30-02-549130:/scanin -v > > /var/lib/atomic/openscap-ncp/2019-06-02-07-30-02-549130:/scanout:rw,Z > > -v /etc/oscapd:/etc/oscapd:ro openscap-ncp:latest oscapd-evaluate scan > > --targets chroots-in-dir:///scanin --output /scanout --no-cve-scan > > --fix_type bash -j1 --xccdf-id > > scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml --profile > > xccdf_org.ssgproject.content_profile_ospp --report > > > > registry.redhat.io/ubi8/ubi-minimal (3bfa511b67f8277) > > > > registry.redhat.io/ubi8/ubi-minimal is not supported for this > scan. > > > > Files associated with this scan are in > > /var/lib/atomic/openscap-ncp/2019-06-02-07-30-02-549130. > > > > _______________________________________________ > scap-security-guide mailing list -- > scap-security-guide(a)lists.fedorahosted.org > To unsubscribe send an email to > scap-security-guide-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe... > -- Jan Černý Security Technologies | Red Hat, Inc. _______________________________________________ scap-security-guide mailing list -- scap-security-guide(a)lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe... _______________________________________________ scap-security-guide mailing list -- scap-security-guide(a)lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...