Hi Shawn,

It seems to me that `openscap-daemon` doesn't contain RHEL 8 CPE, so it can't pick the RHEL 8 datastream that you added to the container. However, in the RHEL 7 container the RHEL 8 datastreams aren't shipped, so it means customers won't be able to scan RHEL 8-based containers on RHEL 7 hosts anyway.

Regards

On Sun, Jun 2, 2019 at 8:34 PM Shawn Wells <[email protected]> wrote:
>
> On 6/2/19 2:24 PM, Shawn Wells wrote:
> > Attempting to use the RHEL 8 data streams, but even 'oscap info' fails
> > using the latest release [0]:
> >
> >> # oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.3.xml
> >> Document type: Source Data Stream
> >> Imported: 2019-06-02T11:16:07
> >>
> >> Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
> >> Generated: (null)
> >> Version: 1.3
> >> Checklists:
> >> Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
> >> WARNING: Datastream component
> >> 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2'
> >> points out to the remote
> >> 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'.
> >> Use '--fetch-remote-resources' option to download it.
> >> WARNING: Skipping
> >> 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'
> >> file which is referenced from datastream
> >> OpenSCAP Error: Could not extract
> >> scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml with all dependencies
> >> from datastream. [ds_sds_session.c:211]
> >
> >
> > Looking at the ssg-rhel8-ds-1.3 file there are lots of mentions to
> > SCAP 1.2 instead of 1.3?
> >
> >
> > [0]
> > https://github.com/ComplianceAsCode/content/releases/download/v0.1.44/scap-security-guide-0.1.44-redhat-SCAP-1.3.zip
> >
> >
> p.s. this also happens with upstream:
>
> $ ./build_product rhel8
> $ oscap info build/ssg-rhel8-ds-1.3.xml
> Document type: Source Data Stream
> Imported: 2019-06-02T14:27:51
>
> Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
> Generated: (null)
> Version: 1.3
> Checklists:
> Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
> WARNING: Datastream component
> 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml'
> points out to the remote
> 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'.
> Use '--fetch-remote-resources' option to download it.
> WARNING: Skipping
> 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'
> file which is referenced from datastream
> OpenSCAP Error: Could not extract
> scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml with all dependencies
> from datastream. [ds_sds_session.c:211]
>
>
> The rhel8 1.2 datastream appears fine when using "oscap info," but using
> it also results in an error:
>
> > $ oscap info build/ssg-rhel8-ds.xml
> > Document type: Source Data Stream
> > Imported: 2019-06-02T14:27:50
> >
> > Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
> > Generated: (null)
> > Version: 1.2
> > Checklists:
> > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
> > Status: draft
> > Generated: 2019-06-02
> > Resolved: true
> > Profiles:
> > Title: Criminal Justice Information Services (CJIS)
> > Security Policy
> > Id: xccdf_org.ssgproject.content_profile_cjis
> > Title: Unclassified Information in Non-federal Information
> > Systems and Organizations (NIST 800-171)
> > Id: xccdf_org.ssgproject.content_profile_cui
> > Title: Health Insurance Portability and Accountability Act
> > (HIPAA)
> > Id: xccdf_org.ssgproject.content_profile_hipaa
> > Title: Protection Profile for General Purpose Operating
> > Systems
> > Id: xccdf_org.ssgproject.content_profile_ospp
> > Title: PCI-DSS v3.2.1 Control Baseline for Red Hat
> > Enterprise Linux 8
> > Id: xccdf_org.ssgproject.content_profile_pci-dss
> > Title: Red Hat Corporate Profile for Certified Cloud
> > Providers (RH CCP)
> > Id: xccdf_org.ssgproject.content_profile_rht-ccp
> > Title: Standard System Security Profile for Red Hat
> > Enterprise Linux 8
> > Id: xccdf_org.ssgproject.content_profile_standard
> > Referenced check files:
> > ssg-rhel8-oval.xml
> > system: http://oval.mitre.org/XMLSchema/oval-definitions-5
> > ssg-rhel8-ocil.xml
> > system: http://scap.nist.gov/schema/ocil/2
> > https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml
> > system: http://oval.mitre.org/XMLSchema/oval-definitions-5
> > Checks:
> > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-oval.xml
> > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-ocil.xml
> > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-oval.xml
> > Dictionaries:
> > Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-dictionary.xml
> >
> > $ sudo atomic scan --scan_type configuration_compliance --scanner_args
> > xccdf-id=scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml,profile=xccdf_org.ssgproject.content_profile_ospp,report
> > registry.redhat.io/ubi8/ubi-minimal --scanner openscap-ncp
> > docker run -t --rm -v /etc/localtime:/etc/localtime -v
> > /run/atomic/2019-06-02-07-30-02-549130:/scanin -v
> > /var/lib/atomic/openscap-ncp/2019-06-02-07-30-02-549130:/scanout:rw,Z
> > -v /etc/oscapd:/etc/oscapd:ro openscap-ncp:latest oscapd-evaluate scan
> > --targets chroots-in-dir:///scanin --output /scanout --no-cve-scan
> > --fix_type bash -j1 --xccdf-id
> > scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml --profile
> > xccdf_org.ssgproject.content_profile_ospp --report
> >
> > registry.redhat.io/ubi8/ubi-minimal (3bfa511b67f8277)
> >
> > registry.redhat.io/ubi8/ubi-minimal is not supported for this scan.
> >
> > Files associated with this scan are in
> > /var/lib/atomic/openscap-ncp/2019-06-02-07-30-02-549130.
> >
>
> _______________________________________________
> scap-security-guide mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>

--
Jan Černý
Security Technologies | Red Hat, Inc.
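
Added example, not part of the original thread or of OpenSCAP: a small Python triage of `oscap info` output like that quoted above, flagging remote OVAL components and extraction errors. The sample inputs are constructed abbreviations of the quoted output, and `triage` and its `info_ok` field are hypothetical names.

```python
import re

# Constructed samples, abbreviated from the `oscap info` output quoted in the thread.
FAILING = """\
> Version: 1.3
> Checklists:
> Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
> WARNING: Datastream component
> 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml'
> points out to the remote
> 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'.
> Use '--fetch-remote-resources' option to download it.
> OpenSCAP Error: Could not extract
> scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml with all dependencies
> from datastream. [ds_sds_session.c:211]
"""
WORKING = """\
Version: 1.2
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
        Profiles:
            Title: Protection Profile for General Purpose Operating Systems
                Id: xccdf_org.ssgproject.content_profile_ospp
            Title: Standard System Security Profile for Red Hat Enterprise Linux 8
                Id: xccdf_org.ssgproject.content_profile_standard
"""

def triage(info_text):
    """Summarise `oscap info` output; tolerates mail quoting and line wrapping."""
    # Strip leading '>' quote markers, then collapse wrapped lines into one string.
    lines = (re.sub(r"^[>\s]+", "", ln) for ln in info_text.splitlines())
    flat = " ".join(" ".join(lines).split())
    version = re.search(r"\bVersion: (\S+)", flat)
    result = {
        "version": version.group(1) if version else None,
        # (component ref-id, remote URL) pairs that need --fetch-remote-resources
        "remote": re.findall(
            r"component '([^']+)' points out to the remote '\s*([^']+)'", flat),
        "errors": re.findall(r"OpenSCAP Error: (.+?) \[[^\]]+\]", flat),
        "profiles": re.findall(r"\bId: (\S+_profile_\S+)", flat),
    }
    # True only means `oscap info` could load the checklist; it says nothing about
    # CPE applicability, which the thread shows can still reject the target.
    result["info_ok"] = bool(result["profiles"]) and not result["errors"]
    return result

if __name__ == "__main__":
    for name, text in (("1.3 datastream", FAILING), ("1.2 datastream", WORKING)):
        print(name, triage(text))
```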
