Hi Shawn,

In atomic scan it isn't possible to scan RHEL8 containers.
But you can download the content from upstream and use `oscap-docker`, e.g.:

    oscap-docker image ubi8/ubi-minimal xccdf eval --fetch-remote-resources --profile ospp scap-security-guide-0.1.44/ssg-rhel8-ds-1.3.xml

This works for me on RHEL 7.

For the 1.3 datastreams, you have to provide the --fetch-remote-resources option, due to https://bugzilla.redhat.com/show_bug.cgi?id=1709423

Regards

On Mon, Jun 3, 2019 at 10:40 AM Shawn Wells <sh...@redhat.com> wrote:
>
> On Jun 3, 2019, at 10:30 AM, Jan Cerny <jce...@redhat.com> wrote:
>
> Hi Shawn,
>
> It seems to me that `openscap-daemon` doesn't contain RHEL 8 CPE, so it
> can't pick the RHEL 8 datastream that you added to the container.
> However, in RHEL 7 container the RHEL 8 datastreams aren't shipped, so it
> means customers won't be able to scan RHEL 8-based containers on RHEL 7
> hosts anyway.
>
> Regards
>
>
> Yikes - so there is no possible way to scan RHEL8 systems? How soon will
> that bug be fixed?
>
>
> On Sun, Jun 2, 2019 at 8:34 PM Shawn Wells <sh...@redhat.com> wrote:
>>
>> On 6/2/19 2:24 PM, Shawn Wells wrote:
>> > Attempting to use the RHEL 8 data streams, but even 'oscap info' fails
>> > using the latest release [0]:
>> >
>> >> # oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.3.xml
>> >> Document type: Source Data Stream
>> >> Imported: 2019-06-02T11:16:07
>> >>
>> >> Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
>> >> Generated: (null)
>> >> Version: 1.3
>> >> Checklists:
>> >>     Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
>> >> WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'. Use '--fetch-remote-resources' option to download it.
>> >> WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file which is referenced from datastream
>> >> OpenSCAP Error: Could not extract scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml with all dependencies from datastream. [ds_sds_session.c:211]
>> >
>> >
>> > Looking at the ssg-rhel8-ds-1.3 file there are lots of mentions to
>> > SCAP 1.2 instead of 1.3?
>> >
>> >
>> > [0]
>> > https://github.com/ComplianceAsCode/content/releases/download/v0.1.44/scap-security-guide-0.1.44-redhat-SCAP-1.3.zip
>>
>>
>> p.s. this also happens with upstream:
>>
>> $ ./build_product rhel8
>> $ oscap info build/ssg-rhel8-ds-1.3.xml
>> Document type: Source Data Stream
>> Imported: 2019-06-02T14:27:51
>>
>> Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
>> Generated: (null)
>> Version: 1.3
>> Checklists:
>>     Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
>> WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'. Use '--fetch-remote-resources' option to download it.
>> WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml' file which is referenced from datastream
>> OpenSCAP Error: Could not extract scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml with all dependencies from datastream. [ds_sds_session.c:211]
>>
>>
>> The rhel8 1.2 datastream appears fine when using "oscap info," but using
>> it also results in an error:
>>
>> > $ oscap info build/ssg-rhel8-ds.xml
>> > Document type: Source Data Stream
>> > Imported: 2019-06-02T14:27:50
>> >
>> > Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
>> > Generated: (null)
>> > Version: 1.2
>> > Checklists:
>> >     Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
>> >         Status: draft
>> >         Generated: 2019-06-02
>> >         Resolved: true
>> >         Profiles:
>> >             Title: Criminal Justice Information Services (CJIS) Security Policy
>> >                 Id: xccdf_org.ssgproject.content_profile_cjis
>> >             Title: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
>> >                 Id: xccdf_org.ssgproject.content_profile_cui
>> >             Title: Health Insurance Portability and Accountability Act (HIPAA)
>> >                 Id: xccdf_org.ssgproject.content_profile_hipaa
>> >             Title: Protection Profile for General Purpose Operating Systems
>> >                 Id: xccdf_org.ssgproject.content_profile_ospp
>> >             Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
>> >                 Id: xccdf_org.ssgproject.content_profile_pci-dss
>> >             Title: Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
>> >                 Id: xccdf_org.ssgproject.content_profile_rht-ccp
>> >             Title: Standard System Security Profile for Red Hat Enterprise Linux 8
>> >                 Id: xccdf_org.ssgproject.content_profile_standard
>> >         Referenced check files:
>> >             ssg-rhel8-oval.xml
>> >                 system: http://oval.mitre.org/XMLSchema/oval-definitions-5
>> >             ssg-rhel8-ocil.xml
>> >                 system: http://scap.nist.gov/schema/ocil/2
>> >             https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml
>> >                 system: http://oval.mitre.org/XMLSchema/oval-definitions-5
>> > Checks:
>> >     Ref-Id: scap_org.open-scap_cref_ssg-rhel8-oval.xml
>> >     Ref-Id: scap_org.open-scap_cref_ssg-rhel8-ocil.xml
>> >     Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-oval.xml
>> > Dictionaries:
>> >     Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-dictionary.xml
>> >
>> > $ sudo atomic scan --scan_type configuration_compliance --scanner_args xccdf-id=scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml,profile=xccdf_org.ssgproject.content_profile_ospp,report registry.redhat.io/ubi8/ubi-minimal --scanner openscap-ncp
>> > docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2019-06-02-07-30-02-549130:/scanin -v /var/lib/atomic/openscap-ncp/2019-06-02-07-30-02-549130:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro openscap-ncp:latest oscapd-evaluate scan --targets chroots-in-dir:///scanin --output /scanout --no-cve-scan --fix_type bash -j1 --xccdf-id scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml --profile xccdf_org.ssgproject.content_profile_ospp --report
>> >
>> > registry.redhat.io/ubi8/ubi-minimal (3bfa511b67f8277)
>> >
>> > registry.redhat.io/ubi8/ubi-minimal is not supported for this scan.
>> >
>> > Files associated with this scan are in
>> > /var/lib/atomic/openscap-ncp/2019-06-02-07-30-02-549130.
>> >
>>
>> _______________________________________________
>> scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
>> To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org
>
>
> --
> Jan Černý
> Security Technologies | Red Hat, Inc.
>

--
Jan Černý
Security Technologies | Red Hat, Inc.
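As an added example (not code from this thread or from the SSG project), here is a Python pre-flight check that parses a source data stream and lists the component-refs whose href is a remote URL, which is exactly the condition that makes --fetch-remote-resources mandatory for the RHEL 8 1.3 datastream discussed above. The embedded datastream is a constructed miniature of ssg-rhel8-ds-1.3.xml, and the function names are my own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"ds": "http://scap.nist.gov/schema/scap/source/1.2", "xlink": "http://www.w3.org/1999/xlink"}
HREF = "{http://www.w3.org/1999/xlink}href"  # Clark notation ElementTree uses for xlink:href

# Constructed, minimal stand-in for ssg-rhel8-ds-1.3.xml (not the real file):
# one local OVAL ref and one remote RHSA OVAL ref, as in the oscap info output.
SAMPLE_DS = """<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink">
  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml" scap-version="1.3">
    <ds:checklists>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml"
          xlink:href="#scap_org.open-scap_comp_ssg-rhel8-xccdf-1.2.xml"/>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhel8-oval.xml"
          xlink:href="#scap_org.open-scap_comp_ssg-rhel8-oval.xml"/>
      <ds:component-ref id="scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2"
          xlink:href="https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2"/>
    </ds:checks>
  </ds:data-stream>
</ds:data-stream-collection>
"""

def remote_refs(xml_text):
    """For each ds:data-stream return (id, scap-version, [(cref id, url), ...])
    listing component-refs whose href is an http(s) URL rather than a local '#id'."""
    out = []
    for stream in ET.fromstring(xml_text).findall("ds:data-stream", NS):
        remote = [(c.get("id"), c.get(HREF, ""))
                  for c in stream.iter(f"{{{NS['ds']}}}component-ref")
                  if urlparse(c.get(HREF, "")).scheme in ("http", "https")]
        out.append((stream.get("id"), stream.get("scap-version"), remote))
    return out

def oscap_eval_args(ds_path, profile, xml_text):
    """Build the `oscap xccdf eval` argv, adding --fetch-remote-resources only when
    the datastream really references remote content (an offline host would otherwise
    hit the 'Could not extract ... with all dependencies' error from the thread)."""
    args = ["oscap", "xccdf", "eval", "--profile", profile]
    if any(remote for _, _, remote in remote_refs(xml_text)):
        args.insert(3, "--fetch-remote-resources")
    return args + [ds_path]

if __name__ == "__main__":
    for sid, ver, remote in remote_refs(SAMPLE_DS):
        print(f"{sid} (SCAP {ver}): remote refs {[u for _, u in remote]}")
    print(" ".join(oscap_eval_args("ssg-rhel8-ds-1.3.xml", "ospp", SAMPLE_DS)))
```

Run it against a real datastream by replacing SAMPLE_DS with the file contents; an empty remote list means the eval can run on an air-gapped host without the flag.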