Created attachment 1248453: SCAP Scan of RHV-H hypervisor

Description of problem:
When performing an OpenSCAP scan of a RHV-H hypervisor, the report comes back as notapplicable. This is due to RHV-H not being recognized as RHEL, which it is.

Version-Release number of selected component (if applicable):
7.x

How reproducible:
100%

Steps to Reproduce:
1. Install RHV-H
2. Conduct a SCAP scan of the system using the STIG for Red Hat Enterprise Linux 7 Server profile
3. View HTML report

Actual results:
No rules are matched due to SCAP not recognizing RHV-H as RHEL

Expected results:
RHV-H is RHEL, so profiles should apply

Additional info:
Hello Donny, OpenSCAP and SCAP Security Guide currently check for the presence of the package redhat-release-{server,workstation,client,computenode} and the version of the package. What is the release package on RHV-H?
cat /etc/redhat-release
Red Hat Enterprise Linux release 7.3
You were asking for the version of the package installed.

yum list installed | grep redhat-release-*
redhat-release-virtualization-host.x86_64            4.0-6.1.el7    installed
redhat-release-virtualization-host-content.x86_64
Correct. We obsolete redhat-release-{server,workstation,client,computenode}. Checking the content of /etc/redhat-release (or os-release) is the best method on RHV-H.
Related code: https://github.com/OpenSCAP/openscap/blob/maint-1.2/cpe/openscap-cpe-oval.xml#L706#L708

<rpmverifyfile_state id="oval:org.open-scap.cpe.rhel:ste:2" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <name operation="pattern match">^redhat-release</name>
</rpmverifyfile_state>

The code only evaluates redhat-release* and expects the version to start with 5, 6, or 7. Given that RHV-H uses redhat-release-virtualization-* we need to update this check. Looks like the BZ is already assigned to the OpenSCAP team to do this.
Applicability of RHEL7 SCAP content is determined based on (1) the presence of an RPM package that provides "/etc/redhat-release" and (2) the version of that RPM package starting with 7. For redhat-release-server the version is 7.y-z.el7, but in your case it's 4.0-6.1.el7. How does the RHV version map to the RHEL version? Can we make the assumption that if a "redhat-release-virtualization-host" rpm of a certain version is installed on the system then the system is RHEL7?
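A small model of the applicability logic discussed in this thread, added here as an illustration and not OpenSCAP's own code: it splits the NVRA of the package owning /etc/redhat-release, applies the pre-fix rule (name matching ^redhat-release, version starting with 7), then the RHV-H mapping proposed above (assumption: a redhat-release-virtualization-host package with an el7 dist tag means RHEL 7), and finally reads the major version out of /etc/redhat-release as the fallback signal suggested earlier. The sample strings are constructed from the values quoted in this bug.

```python
import re

# Constructed samples: `rpm -qf /etc/redhat-release` output on three hosts and
# the /etc/redhat-release content quoted for RHV-H in this bug.
RPM_RHEL7_SERVER = "redhat-release-server-7.3-7.el7.x86_64"
RPM_RHVH = "redhat-release-virtualization-host-4.1-1.1.el7.x86_64"
RPM_RHEL6_SERVER = "redhat-release-server-6.9-1.el6.x86_64"
RELEASE_FILE_RHVH = "Red Hat Enterprise Linux release 7.3\n"

# NAME-VERSION-RELEASE.ARCH; NAME may itself contain dashes, so the regex
# anchors on the last two dash-separated fields and the trailing arch.
NVRA = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")


def parse_nvra(nvra):
    """Split an rpm NVRA string into its name/version/release/arch fields."""
    m = NVRA.match(nvra)
    if not m:
        raise ValueError("not an NVRA string: %r" % nvra)
    return m.groupdict()


def rhel7_applicable_old(nvra):
    """Rule as it stood before the fix: name ^redhat-release and version ^7."""
    p = parse_nvra(nvra)
    return p["name"].startswith("redhat-release") and p["version"].startswith("7")


def rhel7_applicable_new(nvra):
    """Old rule plus the RHV-H mapping. Assumption (from the comment above):
    redhat-release-virtualization-host built for el7 means the host is RHEL 7."""
    if rhel7_applicable_old(nvra):
        return True
    p = parse_nvra(nvra)
    return (p["name"] == "redhat-release-virtualization-host"
            and p["release"].endswith("el7"))


def rhel_major_from_release_file(text):
    """Fallback signal: the major version printed in /etc/redhat-release."""
    m = re.search(r"Red Hat Enterprise Linux(?: Server)? release (\d+)", text)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for nvra in (RPM_RHEL7_SERVER, RPM_RHVH, RPM_RHEL6_SERVER):
        print(nvra, "old:", rhel7_applicable_old(nvra), "new:", rhel7_applicable_new(nvra))
    print("release file major:", rhel_major_from_release_file(RELEASE_FILE_RHVH))
```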
The fix has been accepted upstream:
https://github.com/OpenSCAP/openscap/commit/9570830ee33b66258eebd1e2722b14ebdfd6ef46

A related fix in SCAP Security Guide has also been merged upstream:
https://github.com/OpenSCAP/scap-security-guide/commit/701674b45b9a19468c585c1a4f4aa72a22280ef0
Verified.

NEW:
:: [ LOG ] :: Test default openscap CPE
:: [ PASS ] :: Command 'rpm -i rpms/RHEL7/redhat-release-virtualization-host-*.x86_64.rpm' (Expected 0, got 0)
:: [ PASS ] :: Command 'oscap oval eval /usr/share/openscap/cpe/openscap-cpe-oval.xml > output' (Expected 0, got 0)
:: [ INFO ] :: Current redhat-release is redhat-release-virtualization-host-4.1-1.1.el7.x86_64
:: [ INFO ] :: Result:
:: [ PASS ] :: virtualization-host is supported
:: [ LOG ] :: Test SSG bundled CPE
:: [ PASS ] :: Command 'rpm -i rpms/RHEL7/redhat-release-virtualization-host-*.x86_64.rpm' (Expected 0, got 0)
:: [ PASS ] :: Command 'oscap oval eval /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-oval.xml > output' (Expected 0, got 0)
:: [ INFO ] :: Current redhat-release is redhat-release-virtualization-host-4.1-1.1.el7.x86_64
:: [ INFO ] :: Result: Definition oval:ssg-installed_OS_is_rhel7:def:1: true
:: [ PASS ] :: virtualization-host is supported

OLD:
:: [ LOG ] :: Test default openscap CPE
:: [ PASS ] :: Command 'rpm -i rpms/RHEL7/redhat-release-virtualization-host-*.x86_64.rpm' (Expected 0, got 0)
:: [ PASS ] :: Command 'oscap oval eval /usr/share/openscap/cpe/openscap-cpe-oval.xml > output' (Expected 0, got 0)
:: [ INFO ] :: Current redhat-release is redhat-release-virtualization-host-4.1-1.1.el7.x86_64
:: [ INFO ] :: Result:
:: [ FAIL ] :: virtualization-host is not covered by CPE definition
:: [ LOG ] :: Test SSG bundled CPE
:: [ PASS ] :: Command 'rpm -i rpms/RHEL7/redhat-release-virtualization-host-*.x86_64.rpm' (Expected 0, got 0)
:: [ PASS ] :: Command 'oscap oval eval /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-oval.xml > output' (Expected 0, got 0)
:: [ INFO ] :: Current redhat-release is redhat-release-virtualization-host-4.1-1.1.el7.x86_64
:: [ INFO ] :: Result: Definition oval:ssg-installed_OS_is_rhel7:def:1: false
:: [ FAIL ] :: virtualization-host is not covered by CPE definition
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2291