OpenSCAP reports not applicable for RHEL 7 Docker images/containers in offline mode.
Closed this issue · 6 comments
I run OpenSCAP on RHEL7, trying to do an OVAL scan of the official RHEL7 Docker image.
All the definitions are turning up as not applicable for the RHEL 7 image, whereas the same definitions work for the official RHEL 6.5 image.
I was using this set of definitions: http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml
To debug the issue I cut down on all the definitions and kept only one definition; with this I tried various things, such as removing the CPE attached to this definition and changing the CPE to RHEL 7. All of this still results in "Not Applicable".
I finally removed the OpenSCAP RPM, downloaded the sources, compiled OpenSCAP in debug mode using http://www.open-scap.org/page/Debug, and then set OSCAP_DEBUG_LEVEL=2.
Then I ran OpenSCAP.
In the debug logs I see this:
```
(4338:7fce0ff84840) E:error.c:57:oscap_err_new Probe has been killed with signal 11
(4338:7fce0ff84840) E:error.c:57:oscap_err_new Probe has core dumped.
```
The OpenSCAP version is 1.2.6.
Details of openscap --version are in this gist: https://gist.github.com/user987654/78de180917c52d3f202a
Supporting files as gists:
- Debug log of successful offline run against a rhel6.5 container: https://gist.github.com/user987654/0e3342b0983f211fa228
- Debug log of offline run against a rhel7 container: https://gist.github.com/user987654/a585aa19862dd205355c
- Sample definition file: https://gist.github.com/user987654/96d929b7f3e14cdd6031
Edit #1:
I tried running the same definition without offline mode, and that works. So this seems to be an issue limited to the RHEL7 image and OpenSCAP offline mode.
Hi,
thanks for your report.
- Could you provide the OVAL results?
- Could you try to evaluate just /usr/share/openscap/cpe/openscap-cpe-oval.xml and provide those OVAL results?
- Do you get different results when using OpenSCAP from Simon's COPR: http://copr.fedoraproject.org/coprs/isimluk/OpenSCAP/ ?
This particular use-case should work because it is commonly used in practice.
Perhaps @baude might provide some insight?
Are you using the sample def in https://gist.github.com/user987654/96d929b7f3e14cdd6031 to scan RHEL 7?
@baude Yes, that is the file I am using; it is just a trimmed-down version of what can be found on the RHEL site.
Results with my sample rule - https://gist.github.com/user987654/9fcb4b8cb59688ce8507
Report with my sample rule - https://gist.github.com/user987654/f7c93078c0bf46484097
Results file when evaluating /usr/share/openscap/cpe/openscap-cpe-oval.xml - https://gist.github.com/user987654/08f9a5d358add8f726cc
Report file when evaluating /usr/share/openscap/cpe/openscap-cpe-oval.xml - https://gist.github.com/user987654/4936f21573265e6e08a9
I had pulled the latest code from the repo and built OpenSCAP, and even with that I got the errors.
Will try Simon's version to see if it behaves differently and get back to you.
Was away from the office, and so couldn't get back to you folks earlier.
Tried it with OpenSCAP from Simon's COPR; this still marks the results as not applicable.
@user987654 Hello, do you still face this issue?
Closed for inactivity.