Bug 2027259

Summary: oscap skips the local offline XML
Product: Red Hat Enterprise Linux 8 Reporter: Ales Musil <amusil>
Component: openscapAssignee: Jan Černý <jcerny>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact: Jan Fiala <jafiala>
Priority: unspecified    
Version: 8.6CC: ekolesni, jafiala, jcerny, mhaicman, mperina
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-29 10:24:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2015802    

Description Ales Musil 2021-11-29 09:00:27 UTC 
Description of problem:
There is a KCS for running oscap in "offline" mode [0]. But doing those steps 
from KCS still result in skipping the XML file.

[0] https://access.redhat.com/solutions/5185891

Version-Release number of selected component (if applicable):
openscap-1.3.5-10.el8.x86_64
openscap-scanner-1.3.5-10.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1. curl -L -o security-data-oval-com.redhat.rhsa-RHEL8.xml https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml
2. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --rule xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2>&1 | grep "Skipping"

Actual results:
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml file which is referenced from XCCDF content

Expected results:
Should use the file that is available locally.
Comment 1 Jan Černý 2021-11-29 10:24:06 UTC 
Hi, starting from the version openscap-1.3.5-8.el8 you should use the --local-files option to point to the local file. See the section 12 "Using external or remote resources" of the OpenSCAP User manual. 

For example:
mkdir scap-files
wget -O scap-files/security-data-oval-com.redhat.rhsa-RHEL8.xml https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml
oscap xccdf eval --local-files ~/scap-files --profile xccdf_org.ssgproject.content_profile_stig /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

*** This bug has been marked as a duplicate of bug 1970529 ***
Comment 2 Ales Musil 2021-11-29 10:26:30 UTC 
Hi, 
can the KCS be updated to reflect that? 

Thank you.
Comment 3 Jan Černý 2021-11-29 10:36:25 UTC 
Great idea! I will try to get that article updated. I will keep you posted.
Comment 4 Jan Černý 2021-12-02 15:26:31 UTC 
The KCS https://access.redhat.com/solutions/5185891 now reflects the rhel-8.6 change and the https://bugzilla.redhat.com/show_bug.cgi?id=1970529 contains a documentation text.