Description of problem:
SCAP Security Guide has a bunch of security compliance profiles for RHEL7 - PCI-DSS, STIG, OSPP are the most important ones. These profiles were created with bare-metal and virtual machines in mind. They contain rules such as:
- Ensure /home Located On Separate Partition
- Ensure /tmp Located On Separate Partition
- Kernel Runtime Parameter "kernel.exec-shield" Check
- Kernel Runtime Parameter IPv6 Check
These rules make perfect sense on bare-metal machines or VMs but they make no sense in docker images. These should return "notapplicable" instead of "fail" when scanning container images using oscap-docker.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. yum install openscap-utils atomic scap-security-guide
2. oscap-docker image $IMAGE_ID xccdf eval --profile $PROFILE /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Actual results:
Failures for rules that don't make sense in container images

Expected results:
Pass and fail for "universal" rules. "notapplicable" for rules that only make sense outside containers.
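As an added illustration (not part of the bug report or of SSG itself), the script below parses an XCCDF 1.2 TestResult of the kind oscap-docker writes and shows the difference between what the scan reports today and what the report asks for: partition and sysctl rules re-labelled "notapplicable" for an image scan. The result fragment and the rule ids in it are constructed for the example; the host-only classification by rule-id prefix is an assumption, not SSG's own applicability logic.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed XCCDF 1.2 TestResult fragment shaped like oscap output; rule ids are illustrative.
SAMPLE_RESULT = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_org.open-scap_testresult_example">
  <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_home"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_tmp"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd"><result>fail</result></rule-result>
</TestResult>"""

# Assumed classification: separate-partition and kernel runtime parameter rules only make
# sense on a host or VM, matching the two rule families named in the bug report.
HOST_ONLY_PREFIXES = (
    "xccdf_org.ssgproject.content_rule_partition_for_",
    "xccdf_org.ssgproject.content_rule_sysctl_",
)


def parse_results(xml_text):
    """Map each rule id to its result string (pass, fail, notapplicable, ...)."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        results[rr.get("idref")] = rr.findtext(f"{{{XCCDF_NS}}}result")
    return results


def is_host_only(rule_id):
    return rule_id.startswith(HOST_ONLY_PREFIXES)


def container_view(results):
    """Re-label host-only rules as 'notapplicable', which is what an image scan should report."""
    return {rid: ("notapplicable" if is_host_only(rid) else res) for rid, res in results.items()}


def summarize(results):
    """Count results by status, e.g. {'fail': 4, 'pass': 1}."""
    return dict(Counter(results.values()))


if __name__ == "__main__":
    raw = parse_results(SAMPLE_RESULT)
    print("as scanned:      ", summarize(raw))
    print("expected for image:", summarize(container_view(raw)))
```

Run against a real ARF/XCCDF result from oscap-docker, the remaining "fail" entries are the universal rules that genuinely need fixing in the image.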
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.