openscap
Difference in XCCDF and OVAL eval results for same packages
Description of Problem:
When I run XCCDF evaluation it finds many issues for xccdf_org.ssgproject.content_rule_security_patches_up_to_date rule referring to OVAL definitions. Even for packages that are not installed.
However when I run OVAL evaluation all these checks return True.
OpenSCAP Version:
```
oscap --v
OpenSCAP command line tool (oscap) 1.3.4
Copyright 2009--2020 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
CVRF Version: 1.1

==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.25)

==== Paths ====
Schema files: /usr/share/openscap/schemas
Default CPE files: /usr/share/openscap/cpe
```
Operating System & Version:
```
cat /etc/redhat-release
CentOS Linux release 8.2.2004 (Core)
```
Steps to Reproduce:
- Run `oscap xccdf eval`:

```
oscap xccdf eval --rule xccdf_org.ssgproject.content_rule_security_patches_up_to_date --profile standard --report sce1-eval.html \
  --oval-results --cpe /usr/share/xml/scap/ssg/content/ssg-rhel8-cpe-dictionary.xml --fetch-remote-resources \
  /usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml
```

```
Title   Ensure Software Patches Installed
Rule    xccdf_org.ssgproject.content_rule_security_patches_up_to_date
OVAL Definition ID      oval:com.redhat.rhsa:def:20205100
OVAL Definition Title   RHSA-2020:5100: firefox security update (Critical)
Result  fail
...
```
Please note that firefox is not installed
- Run `oscap oval eval`:

```
oscap oval eval --id oval:com.redhat.rhsa:def:20205100 --report freetype.html Red_Hat_Enterprise_Linux_8.xml
```

```
Definition oval:com.redhat.rhsa:def:20205100: true
```
Actual Results:
- Rule `xccdf_org.ssgproject.content_rule_security_patches_up_to_date`, OVAL Definition ID `oval:com.redhat.rhsa:def:20205100`, OVAL Definition Title "RHSA-2020:5100: firefox security update (Critical)", Result: **fail**
Expected Results:
- Rule `xccdf_org.ssgproject.content_rule_security_patches_up_to_date`, OVAL Definition ID `oval:com.redhat.rhsa:def:20205100`, OVAL Definition Title "RHSA-2020:5100: firefox security update (Critical)", Result: **pass**
Probably because you are using Red Hat vulnerability feeds for RHEL on a CentOS machine. So this is working as expected.
Maybe I do not understand something, but:

1. The firefox package is not installed on my system.
2. OVAL evaluation of `oval:com.redhat.rhsa:def:20205100` returns True.
3. I've inspected the criteria of `oval:com.redhat.rhsa:def:20205100` and logically it should return True despite being evaluated on CentOS.
4. On CentOS 7 all was good. This issue appeared after the upgrade to CentOS 8.

What does XCCDF evaluation expect when the OVAL test returns True? I've searched the docs and all the XML files to find out how XCCDF decides Fail or Pass, with no success. So I assumed this logic is in the OpenSCAP code; that is why I am writing here.
Please advise where to look.
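Added example, not part of the original thread and not OpenSCAP's own source: the Pass/Fail decision asked about above is made when oscap converts an OVAL definition result into an XCCDF rule result, and the conversion depends on the definition's `class` attribute. For definitions of class `patch` or `vulnerability` (Red Hat's RHSA definitions are `class="patch"`), an OVAL result of `true` means the criteria describing the unpatched state matched, so the XCCDF rule is reported as `fail`; for `compliance` and `inventory` definitions, `true` is reported as `pass`. The script below re-implements that mapping in Python and reads the `class` attribute from a constructed, minimal OVAL document whose definition ids are made up; to check a real definition, look up its `class` attribute in `Red_Hat_Enterprise_Linux_8.xml`.

```python
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# OVAL result -> (XCCDF result for compliance/inventory definitions,
#                 XCCDF result for patch/vulnerability definitions).
# A patch/vulnerability definition whose criteria match ("true") describes a
# system that is missing the patch, so the XCCDF result is reversed to "fail".
RESULT_MAP = {
    "true":           ("pass",          "fail"),
    "false":          ("fail",          "pass"),
    "unknown":        ("unknown",       "unknown"),
    "error":          ("error",         "error"),
    "not evaluated":  ("notchecked",    "notchecked"),
    "not applicable": ("notapplicable", "notapplicable"),
}
REVERSED_CLASSES = {"patch", "vulnerability"}


def oval_to_xccdf(oval_result: str, definition_class: str) -> str:
    """Map one OVAL definition result to the XCCDF rule result for its class."""
    normal, reversed_ = RESULT_MAP[oval_result.strip().lower()]
    return reversed_ if definition_class in REVERSED_CLASSES else normal


def definition_classes(oval_xml: str) -> dict:
    """Return {definition id: class} for every <definition> in an OVAL document."""
    root = ET.fromstring(oval_xml)
    return {d.get("id"): d.get("class")
            for d in root.iter(f"{{{OVAL_NS}}}definition")}


def xccdf_results(oval_xml: str, oval_results: dict) -> dict:
    """Combine per-definition OVAL results with the definitions' classes."""
    classes = definition_classes(oval_xml)
    return {def_id: oval_to_xccdf(res, classes[def_id])
            for def_id, res in oval_results.items()}


# Constructed, minimal OVAL document (not a real Red Hat feed): one patch-class
# definition and one compliance-class definition, both with made-up ids.
SAMPLE_OVAL = f"""<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="{OVAL_NS}">
  <definitions>
    <definition id="oval:com.example.rhsa:def:1" version="1" class="patch">
      <metadata><title>Example security update (patch class)</title></metadata>
    </definition>
    <definition id="oval:com.example.compliance:def:2" version="1" class="compliance">
      <metadata><title>Example configuration check (compliance class)</title></metadata>
    </definition>
  </definitions>
</oval_definitions>
"""

if __name__ == "__main__":
    # Both definitions evaluate to "true"; only the class decides pass vs. fail.
    results = {"oval:com.example.rhsa:def:1": "true",
               "oval:com.example.compliance:def:2": "true"}
    for def_id, xccdf in xccdf_results(SAMPLE_OVAL, results).items():
        print(f"{def_id}: OVAL true -> XCCDF {xccdf}")
```

An `oscap oval eval` run prints the raw definition result, so `true` there and `fail` in the XCCDF report for a `class="patch"` definition are the same finding, not a contradiction.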
First of all, without an XCCDF XML report it is hard to say what went wrong; we don't have your machine to run a test.
Then, from the OVAL and SCAP point of view RHEL8 ≠ CentOS8, no matter what position you might have on the topic. It is as correct as checking Ubuntu 19.04 content against CentOS: something might work, but errors are to be expected.
So the advice is to attach the full XCCDF report (we will search for signs of a bug in the scanner), but expect this bug to be closed as working as expected, and prepare to use the proper CentOS8 DataStream.
Hi Evgeny, thank you for looking into this.
Here is a zip with all files generated by the command:

```
oscap xccdf eval --rule xccdf_org.ssgproject.content_rule_security_patches_up_to_date --profile standard --report sce1-eval.html --oval-results --cpe /usr/share/xml/scap/ssg/content/ssg-rhel8-cpe-dictionary.xml --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml
```

It also includes:
- /usr/share/xml/scap/ssg/content/ssg-rhel8-cpe-dictionary.xml
- /usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml

case_1639.zip