Hi, I personally don't know WR Linux. Rules you have mentioned shouldn't be available for offline scan (oscap-docker, oscap-chroot, ...) of any container (but should work when you run oscap from inside of container).
Currently we don't have access to container /proc during offline scan so all checks what needs it should be not available. Shadowing of passwords probably isn't available due to, "non-compatibility" of password probe & offline scan - there are complications with nss switch - some of accounts could be from LDAP, etc. Zbynek ----- Original Message ----- > From: [email protected] > To: [email protected] > Sent: Monday, July 11, 2016 8:15:19 PM > Subject: investigating "notapplicable" > > Hi folks > > I'm trying to figure out how to go about investigating why "notapplicable" > is returned. Mostly, I'm working with a new directory for WR Linux. > > However, I also see that for Fedora, there are four rules that are > commented out with a comment: > > The following rules currently returns 'notapplicable' on Fedora container > Investigate why, fix the issues, and re-enable back once fixed > > The specific rules that are commented out are: > > accounts_password_all_shadowed > root_path_no_dot > mount_option_dev_shm_nodev > mount_option_dev_shm_nosuid > > When I tried to reproduce this, I find that accounts_password_all_shadowed > passes on a vanilla Fedora 23 installation. Maybe it's different on a > container-based install than on an install on a plain old laptop. > > root_path_no_dot appears to be malformed, with various pieces missing. > > The other two don't show up in my output results at all. Not sure why. > They do appear to be present in the DS file, and I haven't yet found any > reason to consider them malformed. > > But my general question is about the procedure to go about this > investigation. Is there a document that gives hints about the > best way to do this ? I've looked for one, but haven't found it. > What I've done so far is largely manual, and it has been somewhat > awkward getting the results. (Mostly, I've tried to investigate > WR Linux, but the Fedora issues seemed like a good thing to use > for more experience.) > > Any help would be appreciated. > > Enjoy! > > -- radzy > -- > SCAP Security Guide mailing list > [email protected] > https://lists.fedorahosted.org/admin/lists/[email protected] > https://github.com/OpenSCAP/scap-security-guide/ > -- SCAP Security Guide mailing list [email protected] https://lists.fedorahosted.org/admin/lists/[email protected] https://github.com/OpenSCAP/scap-security-guide/
