Bug 1420038 - Openscap doesn't recognize RHV-H as RHEL
Summary: Openscap doesn't recognize RHV-H as RHEL
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openscap
Version: 7.3
Hardware: Unspecified
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Jan Černý
QA Contact: Raphael Sanchez Prudencio
Jiri Herrmann
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-02-07 16:18 UTC by Donny Davis
Modified: 2020-08-13 08:51 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
OpenSCAP and SSG are now able to scan RHV-H systems correctly Previously, using the OpenSCAP and SCAP Security Guide (SSG) tools to scan a Red Hat Enterprise Linux system working as a Red Hat Virtualization Host (RHV-H) returned `Not Applicable` results. With this update, OpenSCAP and SSG correctly identify RHV-H as Red Hat Enterprise Linux, which enables OpenSCAP and SSG to scan RHV-H systems properly.
Clone Of:
Environment:
Last Closed: 2017-08-01 08:45:48 UTC
Target Upstream Version:


Attachments (Terms of Use)
SCAP Scan of RHV-H hypervisor (2.62 MB, text/html)
2017-02-07 16:18 UTC, Donny Davis
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2291 normal SHIPPED_LIVE openscap bug fix update 2017-08-01 12:38:59 UTC

Description Donny Davis 2017-02-07 16:18:15 UTC
Created attachment 1248453 [details]
SCAP Scan of RHV-H hypervisor

Description of problem:

When performing an Openscap scan of a RHV-H hypervisor, the report comes back as notapplicable. This is due to RHV-H not being recognized as RHEL, which it is. 



Version-Release number of selected component (if applicable):
7.x

How reproducible:
100%

Steps to Reproduce:
1. Install RHV-H
2. Conduct scap scan of system using the STIG for Red Hat Enterprise Linux 7 Server profile
3. View HTML report

Actual results:
No rules are matched due to scap not recognizing RHV-H as RHEL

Expected results:
RHV-H is RHEL, so profiles should apply

Additional info:

Comment 1 Marek Haicman 2017-02-07 16:34:13 UTC
Hello Donny,
OpenSCAP and SCAP Security Guide currently checks presence of package redhat-release-{server,workstation,client,computenode} and version of the package. What is the release package on RHV-H?

Comment 2 Donny Davis 2017-02-07 17:10:35 UTC
cat /etc/redhat-release 
Red Hat Enterprise Linux release 7.3

Comment 3 Donny Davis 2017-02-07 17:13:34 UTC
You were asking for the version of the package installed. 

yum list installed |grep redhat-release-*
redhat-release-virtualization-host.x86_64  4.0-6.1.el7                 installed
redhat-release-virtualization-host-content.x86_64

Comment 4 Ryan Barry 2017-02-07 17:17:35 UTC
Correct. We obsolete redhat-release-{server,workstation,client,computenode}.

Checking the content of /etc/redhat-release (or os-release) is the best method on RHV-H.

Comment 5 Shawn Wells 2017-02-07 18:13:11 UTC
Related code:

https://github.com/OpenSCAP/openscap/blob/maint-1.2/cpe/openscap-cpe-oval.xml#L706#L708

<rpmverifyfile_state id="oval:org.open-scap.cpe.rhel:ste:2" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <name operation="pattern match">^redhat-release</name>
</rpmverifyfile_state>

The code only evaluates redhat-release* and expects the version to start with 5, 6, or 7. Given that RHV-H uses redhat-release-virtualization-* we need to update this check.

Looks like the BZ is already assigned to the OpenSCAP team to do this.

Comment 6 Jan Černý 2017-02-08 13:55:50 UTC
Applicability of RHEL7 SCAP content is determined based on (1) presence of a RPM package that provides "/etc/redhat-release" and (2) version of that RPM package starting with 7.

For redhat-release-server the version is 7.y-z.el7, but in your case it's 4.0-6.1.el7.

How does RHV version map to RHEL version? Can we make an assumption that if "redhat-release-virtualization-host" rpm of certain version is installed on the system then the system is RHEL7?

Comment 8 Jan Černý 2017-03-14 12:56:12 UTC
The fix has been accepted upstream https://github.com/OpenSCAP/openscap/commit/9570830ee33b66258eebd1e2722b14ebdfd6ef46

A related fix in SCAP Security Guide has been also merged upstream https://github.com/OpenSCAP/scap-security-guide/commit/701674b45b9a19468c585c1a4f4aa72a22280ef0

Comment 11 Raphael Sanchez Prudencio 2017-05-18 15:23:19 UTC
Verified.

NEW:
:: [   LOG    ] :: Test default openscap CPE
:: [   PASS   ] :: Command 'rpm -i rpms/RHEL7/redhat-release-virtualization-host-*.x86_64.rpm' (Expected 0, got 0)
:: [   PASS   ] :: Command 'oscap oval eval /usr/share/openscap/cpe/openscap-cpe-oval.xml > output' (Expected 0, got 0)
:: [   INFO   ] :: Current redhat-release is redhat-release-virtualization-host-4.1-1.1.el7.x86_64
:: [   INFO   ] :: Result:
:: [   PASS   ] :: virtualization-host is supported
:: [   LOG    ] :: Test SSG bundled CPE
:: [   PASS   ] :: Command 'rpm -i rpms/RHEL7/redhat-release-virtualization-host-*.x86_64.rpm' (Expected 0, got 0)
:: [   PASS   ] :: Command 'oscap oval eval /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-oval.xml > output' (Expected 0, got 0)
:: [   INFO   ] :: Current redhat-release is redhat-release-virtualization-host-4.1-1.1.el7.x86_64
:: [   INFO   ] :: Result: Definition oval:ssg-installed_OS_is_rhel7:def:1: true
:: [   PASS   ] :: virtualization-host is supported

OLD:
:: [   LOG    ] :: Test default openscap CPE
:: [   PASS   ] :: Command 'rpm -i rpms/RHEL7/redhat-release-virtualization-host-*.x86_64.rpm' (Expected 0, got 0)
:: [   PASS   ] :: Command 'oscap oval eval /usr/share/openscap/cpe/openscap-cpe-oval.xml > output' (Expected 0, got 0)
:: [   INFO   ] :: Current redhat-release is redhat-release-virtualization-host-4.1-1.1.el7.x86_64
:: [   INFO   ] :: Result:
:: [   FAIL   ] :: virtualization-host is not covered by CPE definition
:: [   LOG    ] :: Test SSG bundled CPE
:: [   PASS   ] :: Command 'rpm -i rpms/RHEL7/redhat-release-virtualization-host-*.x86_64.rpm' (Expected 0, got 0)
:: [   PASS   ] :: Command 'oscap oval eval /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-oval.xml > output' (Expected 0, got 0)
:: [   INFO   ] :: Current redhat-release is redhat-release-virtualization-host-4.1-1.1.el7.x86_64
:: [   INFO   ] :: Result: Definition oval:ssg-installed_OS_is_rhel7:def:1: false
:: [   FAIL   ] :: virtualization-host is not covered by CPE definition

Comment 13 errata-xmlrpc 2017-08-01 08:45:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2291


Note You need to log in before you can comment on or make changes to this bug.