Questions tagged [openscap]
Open source suite of SCAP tools
60 questions
0 votes
0 answers
32 views
What OSCAP XML content files are used for scanning Alpine Linux containers?
I have found some references around that debian is a close example to Alpine Linux, but the xml file is full of debian references/commands, so it's going to fail testing against a different OS flavor. ...
2 votes
0 answers
92 views
How to scan multiple devices using OpenSCAP [closed]
I am new to OpenSCAP and have been testing it on a few devices in our network. My goal is to automate running OpenSCAP scans across multiple devices and generate reports that can be reviewed centrally....
1 vote
0 answers
143 views
OSCAP generate fix for single rule without running eval first
As it is written in the documentation, I can generate fix for the whole profile: oscap xccdf generate fix --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml > fix.sh If I want to ...
0 votes
0 answers
35 views
Issue running `oscap eval ...` using custom datastream with SCE script
I am trying to run oscap eval ... using a custom profile which should use SCE to execute a bash script which performs a custom check. After some initial issues I now believe we have a "correctly ...
0 votes
1 answer
709 views
Why is oscap claiming "notapplicable" for so many tests on Ubuntu 22?
My team is working on STIG hardening tools for Ubuntu 22 and we're using OpenSCAP to audit a system after hardening. We're seeing many tests result in notapplicable and don't understand why. I'm ...
0 votes
1 answer
419 views
Open SCAP (oscap) XPath error on RHEL9
Notes: The below command will run for a while, then error out. I have not had a chance to reboot the server yet. It will create the arf.xml, but it does not create the report.html. Does anyone have ...
0 votes
1 answer
124 views
Where can I find the results file(s) of the openscap anaconda addon (org_fedora_oscap) after RHEL8 installation?
I'm performing a RHEL8 installation using a kickstart file with the following addon defined: %addon org_fedora_oscap content-type = scap-security-guide datastream-id = scap_org.open-...
0 votes
1 answer
268 views
automate remediation of a headless RHEL 8.9 AMI with exclusions
I'm trying to automate remediation of a headless RHEL 8.9 AMI. What is the best way to remediate ALL but a specific subset of the STIG requirements? I.e., there are 4 STIG requirements that we know ...
0 votes
1 answer
130 views
Openscap scanner is incorrectly failing for a multiple DNS rule and I'm not sure why
I am trying to harden UBI 8 base images using the openscap tool. The scanner has a rule: xccdf_org.ssgproject.content_rule_network_configure_name_resolution which checks the /etc/resolv.conf file for ...
0 votes
1 answer
997 views
Looking for updated SSG for Amazon Linux 2 and Amazon Linux 2023
Are there any new data stream and xccdf checklist available for Amazon Linux 2 and Amazon Linux 2023? I am able to install the scap-security-guide on an Amazon Linux 2 server, but the data stream xml ...
0 votes
1 answer
247 views
OpenSCAP SCE script in Source DataStream file
I am new to OpenSCAP, and have a query about SCE scripts and the DataStream format. The SCE documentation for OpenSCAP states: The SCE scripts can be part of a Source DataStream. DataStream is a ...
0 votes
1 answer
715 views
Removing CIS Level 2 RH profile from Rocky Linux 9
I have selected the Red Hat CIS server level security profile during installation and now I am seeing a lot of restrictions. I would like to remove this security profile from my Rocky Linux 9. I have tested the ...
0 votes
1 answer
486 views
oscap-ssh scanning ubuntu22.04 Result notapplicable
Please tell me if there are any options to check a workstation on Ubuntu 22.04 using OpenSCAP. I downloaded SSG for Ubuntu 22.04, but when I try to check, I get a Result notapplicable on all points...
1 vote
1 answer
98 views
Getting a "diff" of two different OSCAP releases?
I am trying to get a "diff" of the commands that are executed as part of applying different releases of the oscap-anaconda-addon, specifically the STIGs applied in RHEL 7.9 and in AlmaLinux ...
0 votes
1 answer
198 views
Can oscap tool be run on a container to scan the host VM?
Can the openscap's oscap tool be run on a container to scan the host VM? NOTE: It runs fine on the RHEL container (after install) Dockerfile FROM registry.access.redhat.com/ubi8/ubi:latest RUN yum -y ...
0 votes
1 answer
108 views
Does OpenSCAP have a feature to add comments on XCCDF scan findings?
I am new to OpenSCAP and I was wondering if OpenSCAP has a feature to add comments one could insert to XCCDF scan findings that could be updated and be viewed in reports? Is it also possible to add ...
0 votes
1 answer
623 views
OpenSCAP Workbench customize Datastream Files
When I try to tailor this datastream file, I get the following error: Opened file '/Applications/scap-workbench.app/Contents/Resources/ssg/ssg-rhel7-ds.xml'. Error while opening file. There was a ...
0 votes
1 answer
2k views
Ubuntu 20.04 CIS xccdf benchmarks
I was hoping that someone knew where to find xccdf files for Ubuntu 20.04 with CIS benchmarks to run with Openscap. It looks like the out-of-the-box Openscap only includes RHEL, firefox, and java. I ...
0 votes
1 answer
334 views
OpenScap scan results are false-positive
I recently ran the OpenScap Audit scan on a SLES 12 machine, and the result seems to be false-positive. Eg for these two checks : 1) Ensure sudo logfile exists - sudo logfile The description for this ...
0 votes
1 answer
191 views
oscap-chroot: offline mode is not supported by uname probe
We are trying to scan offline mounts using oscap-chroot on ubuntu 20 But we are getting following error: W: oscap: Requested offline mode is not supported by uname probe. Can you please help ...
0 votes
1 answer
709 views
How do I use a certain remediation shell script in SCAP Workbench
I am new to SCAP Workbench and I am trying it out for the first time. I was wondering how do I use the remediation shell script for just one issue.
0 votes
1 answer
97 views
Openscap on RHEL access to older policies?
Currently using Openscap on some RHEL8.6 servers. I have a need to use / check older policies. Currently the package comes with CIS Linux 8 Benchmark™, v2.0.0, released 2022-02-23 Is it possible to ...
1 vote
1 answer
205 views
Openscap CIS RHEL6 Profile unavailable?
I'm running Open-SCAP Workbench 1.2.0 on RHEL8.6 installed via dnf, rpm: openscap-1.3.6-3.el8.x86_64. While choosing a profile after loading the 'RHEL 6' content (an ssg-rhel6-xccdf.xml file located ...
0 votes
1 answer
458 views
Can OpenScap generate 1 report compiling multiple results?
Sample command to evaluate: $ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml Sample command ...
1 vote
1 answer
173 views
specificity in root account email requirement (xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias)
The test for xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias is looking specifically for root: [email protected] in /etc/aliases and OpenSCAP remediation ...
2 votes
1 answer
516 views
writing your own openscap scan profile
I am currently checking the remote machine using the command oscap-ssh login@host 22 xccdf eval -- profile xccdf_org.ssgproject.content_profile_standart --report name.html. But the test templates don'...
0 votes
1 answer
966 views
Generating plain-text report in OpenSCAP
I have set up OpenSCAP for compliance testing. Right now I am generating xml and html reports. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_custom --results-arf results.xml --report ...
0 votes
1 answer
306 views
OpenScap Debian 10 Benchmarks
The latest openscap package I downloaded for Debian 10 does not include a datastream or benchmark for Debian 10. The latest release they have is Debian 8 and I get "Not Applicable" when ...
0 votes
1 answer
129 views
Issues using SCAP Workbench on Fedora 35
I have an issue with installing and running Flatpaks because I installed SCAP Workbench which changed my default system settings (Fedora 35).
1 vote
2 answers
1k views
OSCAP doesn't work for remediation on Ubuntu 18.04 install
My oscap for Ubuntu 18.04 doesn't remediate with the commands or through the GUI through the SCAP Workbench: oscap xccdf eval --remediate -profile profilename xmlfilename This checks and shows the ...
1 vote
2 answers
882 views
OpenSCAP ssh with keyfile
I would like to test a CentOS system with OpenSCAP run from my Windows PC. The problem is that I can ssh to the CentOS with keyfile only, as per company policy. I did not find whether SCAP workbench ...
0 votes
2 answers
277 views
STIG validation -> group policy or user setting?
I'm trying to determine if the enforcement of a STIG rule is driven solely by group policy, or user setting, or some combination of both. By this, I mean that when a STIG rule is flagged as failing, ...
1 vote
1 answer
921 views
How do I cross-reference OpenSCAP benchmarks to the CIS documentation?
I'm using the SCAP WorkBench, and have gone in to customize the CIS profile for RHEL 8. The benchmark items are clearly titled with things like "Modify the System Login Banner". The item ...
-1 votes
1 answer
48 views
Why is OpenShift 3 missing from the openscap static page?
I am trying to access https://static.open-scap.org/ssg-guides/ssg-ocp3-guide-index.html to understand some of the issues found in a scan but it seems that this webpage is now missing. Does anybody know ...
0 votes
1 answer
191 views
OpenSCAP for SLES 15 docker container and/or image
I see from this page that it is possible to scan either a running RHEL 7 docker container or the docker image. Is this only possible for RHEL 7 or can it be done for other operating systems? ...
1 vote
1 answer
450 views
Performing an OpenSCAP Remediation via a chroot session -- "Can't perform remediation in offline mode" Error
I am attempting to perform an OpenSCAP remediation through a chroot session. My command is structured as follows: oscap-chroot /mnt/chroot_fs \ xccdf eval \ --remediate \ --...
0 votes
1 answer
249 views
Anaconda openscap addon scan
I added openscap addon in kickstart. After the iso is installed, I run the scan on one vm with addon and one without addon. The scan results don't have much difference. For instance, passed 64 vs 61. ...
1 vote
0 answers
231 views
Build SCAP files from reference system
The current way of dealing with a SCAP configuration file is unwieldy. Let's look at the process as I read it in the documentation: Take a starting config file (CIS, DISA STIG, OpenSCAP reference) ...
0 votes
1 answer
225 views
remediation script for centos 7 throws syntax errors
Thanks in advance. I am running a fresh download of openscap on CentOS 7 (patched). It produces a remediation script, but the script throws an error repeatedly. It's the same syntax issue many times ...
0 votes
1 answer
644 views
SCAP - Workbench on MAC (with Remote Machine option) - Failed to create SSH master socket
I'm running latest workbench: SCAP Workbench 1.2.1, compiled with Qt 5.13.2, using OpenSCAP 1.4.0 I can't run a scan on remote server using RHEL7 (DISA STIG profile - or any profile) because of a ...
1 vote
1 answer
1k views
How to run OpenSCAP with my own PowerShell-script
I want to check whether the screensaver on my Windows 10 Pro is active using my own PowerShell script and OpenSCAP 1.3.2 (Windows version). I wrote this file, test.xml: <?xml version="1.0" encoding="UTF-8"?...
1 vote
0 answers
942 views
OpenSCAP warning: obtrusive data from probe
I'm using OpenSCAP 1.3.1 on Windows 10 Professional (64-bit) with the CISecurity OVAL vulnerability definitions, schema version 5.11.1. My definition files all pass validation. I receive a lot of ...
0 votes
1 answer
1k views
How to rollback after openscap remediation
What is the best practice to roll back after an OpenSCAP remediation that made the system unstable, other than to restore a system backup?
1 vote
0 answers
64 views
Verify on a client workstation that all GPOs are enforced using OpenSCAP
I would like to verify that all my GPOs are enforced on client workstations using OpenSCAP. A manual verification of each policy is not acceptable. I have exported my GPO's to an XML file but I can't ...
1 vote
0 answers
153 views
oscap-vm fails to produce HTML results
I am getting started with oscap-vm, basically using openscap in an offline mode to scan VM images looking for CVEs. When I use oscap-vm installed on RHEL7.6 and scan Ubuntu images, oscap-vm fails ...
4 votes
1 answer
1k views
Evaluating DISA-STIG for Windows 7 returns only "notchecked"
I've downloaded the DISA_STIG for Windows 7 from https://www.stigviewer.com/stig/windows_7/ (XML version) and tried to evaluate my desktop with OSCAP 1.3.0 for windows, with the command: oscap xccdf ...
-1 votes
1 answer
348 views
False positives when scanning CentOS7 with OpenSCAP
I just installed OpenSCAP Benchmark scanner on a CentOS7 box I had stigged by hand. There are a huge number of false positives showing up and I'm not sure if it's a bug or somehow it's not remediated ...
0 votes
1 answer
896 views
OpenSCAP for windows target
I am searching for OpenSCAP support for windows target servers. Currently OpenSCAP does not allow to run scans locally against a Windows machine. Please check this post. But it does not have enough ...
2 votes
2 answers
3k views
openscap and CentOS 7 OVAL definitions
I'm using the Redhat cve reports to run OVAL scans against CentOS 7. I'm trying to understand if the results are accurate, or if I should be doing it differently. If I run an OVAL report like this: ...
1 vote
1 answer
203 views
OpenSCAP with external resources on a device with no external networking
I am attempting to scan a virtual machine generated off of a RHEL7 kickstart with some in-house configuration. Since the machine in question is still in testing, it's not yet authorized to connect out ...