Bug 1420038 – Openscap doesn't recognize RHV-H as RHEL

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1420038 - Openscap doesn't recognize RHV-H as RHEL

Summary:	Openscap doesn't recognize RHV-H as RHEL

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	openscap (Show other bugs)
Sub Component:
Version:	7.3
Hardware:	Unspecified Linux

Priority	high Severity high
Target Milestone:	rc
Target Release:	---
Assigned To:	Jan Černý
QA Contact:	Raphael Sanchez Prudencio
Docs Contact:	Jiri Herrmann

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2017-02-07 11:18 EST by Donny Davis
Modified:	2017-08-01 04:45 EDT (History)
CC List:	20 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	OpenSCAP and SSG are now able to scan RHV-H systems correctly Previously, using the OpenSCAP and SCAP Security Guide (SSG) tools to scan a Red Hat Enterprise Linux system working as a Red Hat Virtualization Host (RHV-H) returned `Not Applicable` results. With this update, OpenSCAP and SSG correctly identify RHV-H as Red Hat Enterprise Linux, which enables OpenSCAP and SSG to scan RHV-H systems properly.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-08-01 04:45:48 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
SCAP Scan of RHV-H hypervisor (2.62 MB, text/html) 2017-02-07 11:18 EST, Donny Davis	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2291	normal	SHIPPED_LIVE	openscap bug fix update	2017-08-01 08:38:59 EDT

Groups: None (edit)

Description Donny Davis 2017-02-07 11:18:15 EST

Created attachment 1248453 [details]
SCAP Scan of RHV-H hypervisor

Description of problem:

When performing an Openscap scan of a RHV-H hypervisor, the report comes back as notapplicable. This is due to RHV-H not being recognized as RHEL, which it is. 



Version-Release number of selected component (if applicable):
7.x

How reproducible:
100%

Steps to Reproduce:
1. Install RHV-H
2. Conduct scap scan of system using the STIG for Red Hat Enterprise Linux 7 Server profile
3. View HTML report

Actual results:
No rules are matched due to scap not recognizing RHV-H as RHEL

Expected results:
RHV-H is RHEL, so profiles should apply

Additional info:

Comment 1 Marek Haicman 2017-02-07 11:34:13 EST

Hello Donny,
OpenSCAP and SCAP Security Guide currently checks presence of package redhat-release-{server,workstation,client,computenode} and version of the package. What is the release package on RHV-H?

Comment 2 Donny Davis 2017-02-07 12:10:35 EST

cat /etc/redhat-release 
Red Hat Enterprise Linux release 7.3

Comment 3 Donny Davis 2017-02-07 12:13:34 EST

You were asking for the version of the package installed. 

yum list installed |grep redhat-release-*
redhat-release-virtualization-host.x86_64  4.0-6.1.el7                 installed
redhat-release-virtualization-host-content.x86_64

Comment 4 Ryan Barry 2017-02-07 12:17:35 EST

Correct. We obsolete redhat-release-{server,workstation,client,computenode}.

Checking the content of /etc/redhat-release (or os-release) is the best method on RHV-H.

Comment 5 Shawn Wells 2017-02-07 13:13:11 EST

Related code:

https://github.com/OpenSCAP/openscap/blob/maint-1.2/cpe/openscap-cpe-oval.xml#L706#L708

<rpmverifyfile_state id="oval:org.open-scap.cpe.rhel:ste:2" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <name operation="pattern match">^redhat-release</name>
</rpmverifyfile_state>

The code only evaluates redhat-release* and expects the version to start with 5, 6, or 7. Given that RHV-H uses redhat-release-virtualization-* we need to update this check.

Looks like the BZ is already assigned to the OpenSCAP team to do this.

Comment 6 Jan Černý 2017-02-08 08:55:50 EST

Applicability of RHEL7 SCAP content is determined based on (1) presence of a RPM package that provides "/etc/redhat-release" and (2) version of that RPM package starting with 7.

For redhat-release-server the version is 7.y-z.el7, but in your case it's 4.0-6.1.el7.

How does RHV version map to RHEL version? Can we make an assumption that if "redhat-release-virtualization-host" rpm of certain version is installed on the system then the system is RHEL7?

Comment 8 Jan Černý 2017-03-14 08:56:12 EDT

The fix has been accepted upstream https://github.com/OpenSCAP/openscap/commit/9570830ee33b66258eebd1e2722b14ebdfd6ef46

A related fix in SCAP Security Guide has been also merged upstream https://github.com/OpenSCAP/scap-security-guide/commit/701674b45b9a19468c585c1a4f4aa72a22280ef0

Comment 11 Raphael Sanchez Prudencio 2017-05-18 11:23:19 EDT

Verified.

NEW:
:: [   LOG    ] :: Test default openscap CPE
:: [   PASS   ] :: Command 'rpm -i rpms/RHEL7/redhat-release-virtualization-host-*.x86_64.rpm' (Expected 0, got 0)
:: [   PASS   ] :: Command 'oscap oval eval /usr/share/openscap/cpe/openscap-cpe-oval.xml > output' (Expected 0, got 0)
:: [   INFO   ] :: Current redhat-release is redhat-release-virtualization-host-4.1-1.1.el7.x86_64
:: [   INFO   ] :: Result:
:: [   PASS   ] :: virtualization-host is supported
:: [   LOG    ] :: Test SSG bundled CPE
:: [   PASS   ] :: Command 'rpm -i rpms/RHEL7/redhat-release-virtualization-host-*.x86_64.rpm' (Expected 0, got 0)
:: [   PASS   ] :: Command 'oscap oval eval /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-oval.xml > output' (Expected 0, got 0)
:: [   INFO   ] :: Current redhat-release is redhat-release-virtualization-host-4.1-1.1.el7.x86_64
:: [   INFO   ] :: Result: Definition oval:ssg-installed_OS_is_rhel7:def:1: true
:: [   PASS   ] :: virtualization-host is supported

OLD:
:: [   LOG    ] :: Test default openscap CPE
:: [   PASS   ] :: Command 'rpm -i rpms/RHEL7/redhat-release-virtualization-host-*.x86_64.rpm' (Expected 0, got 0)
:: [   PASS   ] :: Command 'oscap oval eval /usr/share/openscap/cpe/openscap-cpe-oval.xml > output' (Expected 0, got 0)
:: [   INFO   ] :: Current redhat-release is redhat-release-virtualization-host-4.1-1.1.el7.x86_64
:: [   INFO   ] :: Result:
:: [   FAIL   ] :: virtualization-host is not covered by CPE definition
:: [   LOG    ] :: Test SSG bundled CPE
:: [   PASS   ] :: Command 'rpm -i rpms/RHEL7/redhat-release-virtualization-host-*.x86_64.rpm' (Expected 0, got 0)
:: [   PASS   ] :: Command 'oscap oval eval /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-oval.xml > output' (Expected 0, got 0)
:: [   INFO   ] :: Current redhat-release is redhat-release-virtualization-host-4.1-1.1.el7.x86_64
:: [   INFO   ] :: Result: Definition oval:ssg-installed_OS_is_rhel7:def:1: false
:: [   FAIL   ] :: virtualization-host is not covered by CPE definition

Comment 13 errata-xmlrpc 2017-08-01 04:45:48 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2291

Note You need to log in before you can comment on or make changes to this bug.

bmcclain
cshao
dguo
dondavis
huzhao
jherrman
jiawu
mhaicman
mpreisle
openscap-maint
qiyuan
rbarry
rsprudencio
sbonazzo
swells
weiwang
yaniwang
ycui
ykaul
yzhao