content icon indicating copy to clipboard operation
content copied to clipboard
verified publisher icon ComplianceAsCode

Alinux 3 OpenSCAP scanning not working

Open blackbrownco opened this issue 1 year ago • 10 comments

Description of problem:

All of the scan result using ssg-alinux3-xccdf.xml with profile xccdf_org.ssgproject.content_profile_cis resulting not applicable for all items.

image

SCAP Security Guide Version:

0.1.74

Operating System Version:

VERSION="3 (OpenAnolis Edition)" ID="alinux" ID_LIKE="rhel fedora centos anolis" VERSION_ID="3" VARIANT="OpenAnolis Edition" VARIANT_ID="openanolis" ALINUX_MINOR_ID="2104" ALINUX_UPDATE_ID="10" PLATFORM_ID="platform:al8" PRETTY_NAME="Alibaba Cloud Linux 3.2104 U10 (OpenAnolis Edition)" ANSI_COLOR="0;31" HOME_URL="https://www.aliyun.com/"

Steps to Reproduce:

  1. install necessary package openscap-scanner and scap-security-guide but the ssg for alinux was not found
  2. download the ssg from https://github.com/ComplianceAsCode/content but the ssg-alinux3-xccdf.xml also was not found
  3. import the ssg-alinux3-xccdf.xml from ubuntu system that installed ssg-applications ssg-base ssg-nondebian
  4. run the oscap xccdf eval with profile xccdf_org.ssgproject.content_profile_cis and point to ssg-alinux3-xccdf.xml stored
  5. all of the items were not scanned

Actual Results:

image

Additional Information

When scan using ssg-alinux-ds.xml the scanner is working and I managed to get the report

blackbrownco avatar Sep 19 '24 10:09 blackbrownco

install this https://mega.co.nz/#!B31G2LaZ!uBBOCp9hLC7bq9kP8NC6s4DanQJJZuoFRr5FI_jkeic I put the necessary dlls in the archive

miguellords avatar Sep 19 '24 10:09 miguellords

Hi @blackbrownco,

Regarding your steps to reproduce:

  1. On step 2, you need to build the product to get the ssg-alinux3-xccdf.xml that you are looking for. It is not stored in the repo, but a result of the product build. Therefore running something like: ./build_product -j4 alinux3 will generate a ./build/ssg-alinux3-xccdf.xml
  2. On step number 4 it was not clear, did you run the eval in a alinux machine or on ubuntu? Because the not-applicable results from the image suggested that you ran against ubuntu and not against alinux. If you did run against alinux, then I would recommend running the same command but with the following parameters: --verbose INFO --verbose-log-file alinux3.log --oval-results That should make it easier to figure out what's happening.

dodys avatar Sep 19 '24 13:09 dodys

Hi @dodys thanks for your reply

  1. Where can I get the build_product binary to create the ssg-alinux3-xccdf.xml

blackbrownco avatar Sep 23 '24 07:09 blackbrownco

Hi @dodys thanks for your reply

1. Where can I get the build_product binary to create the ssg-alinux3-xccdf.xml

in the root of the project itself

dodys avatar Sep 23 '24 07:09 dodys

Hi @dodys , I have already built it with the binary found on this root of this project, this is the info image

the profile xccdf_org.ssgproject.content_profile_cis_l1 and xccdf_org.ssgproject.content_profile_cis weren't found

I also try to scan using the standard profile, but the results are not applicable image

##hostnamectl image

blackbrownco avatar Sep 24 '24 10:09 blackbrownco

sorry, I should have confirmed it earlier, but since I'm not involved with that distro I didn't. But yeah, there isn't an implementation of CIS for al3 currently. Someone would need to contribute it.

dodys avatar Sep 24 '24 12:09 dodys

regarding the not-applicable with the standard profile, have you run with the parameters I mentioned before and took a look at them?

dodys avatar Sep 24 '24 12:09 dodys

sorry, I should have confirmed it earlier, but since I'm not involved with that distro I didn't. But yeah, there isn't an implementation of CIS for al3 currently. Someone would need to contribute it.

i thought it was already implemented since there is a guide here https://static.open-scap.org/ssg-guides/ssg-alinux3-guide-cis.html

blackbrownco avatar Sep 25 '24 02:09 blackbrownco

regarding the not-applicable with the standard profile, have you run with the parameters I mentioned before and took a look at them?

if you see here at my earlier reply, I've put verbose command as well image

blackbrownco avatar Sep 25 '24 02:09 blackbrownco

sorry, I should have confirmed it earlier, but since I'm not involved with that distro I didn't. But yeah, there isn't an implementation of CIS for al3 currently. Someone would need to contribute it.

i thought it was already implemented since there is a guide here https://static.open-scap.org/ssg-guides/ssg-alinux3-guide-cis.html

It was removed in the beginning of the year when alinux3 became EOL https://github.com/ComplianceAsCode/content/pull/11486

dodys avatar Sep 25 '24 08:09 dodys

regarding the not-applicable with the standard profile, have you run with the parameters I mentioned before and took a look at them?

if you see here at my earlier reply, I've put verbose command as well image

please add all the parameters I've mentioned

dodys avatar Sep 25 '24 08:09 dodys