openscap icon indicating copy to clipboard operation
openscap copied to clipboard
verified publisher icon OpenSCAP

oscap-podman creates invalid ARFs

Open jan-cerny opened this issue 1 year ago • 3 comments

Description of Problem:

I have a problem that oscap-podman creates invalid ARFs.

This is a problem because openscap-report can't process invalid ARFs.

OpenSCAP Version:

openscap-1.4.0-1.fc40.x86_64 scap-security-guide-0.1.74-1.fc40.noarch

Operating System & Version:

F 40

Steps to Reproduce:

  1. sudo oscap-podman centos:stream9 xccdf eval --profile stig --results-arf /tmp/arf.xml /usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml

Actual Results:

The <ai:hostname> element in the produced ARF file is empty.

Expected Results:

The <ai:hostname> element in the produced ARF file isn't empty.

Additional Information / Debugging Steps:

No

jan-cerny avatar Oct 16 '24 08:10 jan-cerny

Isn't the case that "oscap" command is generating an invalid ARF instead, because oscap-podman is just a wrapper. So we should rather look into oscap behavior when scanning a container.

Maybe OpenSCAP doesn't know what to put into that field when there is not a valid hostname (probably because it's a container), and puts nothing instead.

ggbecker avatar Oct 17 '24 09:10 ggbecker

Maybe the gethostname function is returning an empty string, which then is considered valid by the code (is not NULL):

https://github.com/OpenSCAP/openscap/blob/97d8831fbf65528c3cde98f1c788ca8f7e252e63/src/XCCDF/result.c#L315

ggbecker avatar Oct 17 '24 10:10 ggbecker

What is in urn:xccdf:fact:asset:identifier:host_name system fact?

evgenyz avatar Jan 07 '25 20:01 evgenyz