
I added the openscap addon in kickstart. After the iso was installed, I ran the scan on one vm with the addon and one without the addon. The scan results don't have much difference. For instance, passed 64 vs 61. Both vms are selinux enabled. I don't know what I missed. Any suggestions will be helpful.

        content-type = scap-security-guide
        profile = stig
    %end

Thanks,

1 Answer


I would suggest using the supplied kickstart templates as a reference - the upstream ones are e.g. at https://github.com/ComplianceAsCode/content/blob/master/rhel7/kickstart/ssg-rhel7-ospp-ks.cfg. I don't see the STIG kickstart there, but it gives you some hints.

For instance, the issue may be with an incomplete specification of the profile - stig may not be enough, try xccdf_org.ssgproject.content_profile_stig.

In any case, the installed system contains scan reports in the /root/openscap_data folder, so you can check the HTML report out to find out what has happened.

bubla
  • Thanks very much for the suggestion. I tried "xccdf_org.ssgproject.content_profile_stig" and it fails in iso installation for addon configure. "No profile matching xccdf_org.ssgproject.content_profile_stig". – user2525034 Aug 25 '20 at 19:07
  • I have expanded my reply with the report, please share with us what content you are using for the scan. I have assumed you use the scap-security-guide/ComplianceAsCode content, but that may not be the case. – bubla Aug 26 '20 at 10:49
  • Thank you very much for the reply. I am using a customized Oracle Linux iso, which adds the openscap, openscap-scanner and scap-security-guide rpms to the iso. I assume that if the addon is added, the iso installation will automatically stig the vm. But I compared two vms after iso installation, one vm with the addon and the other without. I ran openscap and found that there is no big difference between the two vms. The command for scanning is "oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml". – user2525034 Aug 26 '20 at 12:38
  • In that case, I would suggest contacting your Oracle support contact. What I would do is to check out the report after the hardened installation (that's about contents of the `openscap_data` folder). If a remediation fails, the error message is propagated to the report, which may give you an idea about what's going on. – bubla Aug 27 '20 at 14:17
  • Thank you very much for the help. There is an eval_remediate_result.xml in /root/openscap_data. I tried to run the remedies manually with it. But for some reason, the fixes are not applied. I will try to see if I can get help from Oracle. – user2525034 Aug 27 '20 at 16:14
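
An added example, not part of the original answer or comments: a small Python script that reads an XCCDF results file such as the `eval_remediate_result.xml` mentioned above and reports which profile ids the file defines, which profile was applied, and which rules ended as `fail` or `error` along with any recorded messages. It assumes the file is XCCDF results XML; the embedded sample and its rule ids are constructed for illustration, and `summarize` and `local` are names made up for this example.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample shaped like an XCCDF 1.2 results file; not real scan output.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <Profile id="xccdf_org.ssgproject.content_profile_stig"/>
  <Profile id="xccdf_org.ssgproject.content_profile_ospp"/>
  <TestResult id="constructed_testresult">
    <profile idref="xccdf_org.ssgproject.content_profile_stig"/>
    <rule-result idref="constructed_rule_a"><result>fixed</result></rule-result>
    <rule-result idref="constructed_rule_b"><result>error</result>
      <message severity="info">constructed fix-script error text</message>
    </rule-result>
    <rule-result idref="constructed_rule_c"><result>fail</result></rule-result>
    <rule-result idref="constructed_rule_d"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>"""

def local(tag):
    """Drop the XML namespace so XCCDF 1.1 and 1.2 documents parse alike."""
    return tag.rsplit("}", 1)[-1]

def summarize(xml_data):
    """Return defined profile ids, the applied profile, result counts and problem rules."""
    profiles, applied, counts, problems = [], None, Counter(), []
    for el in ET.fromstring(xml_data).iter():
        name = local(el.tag)
        if name == "Profile":                      # profile definitions in the content
            profiles.append(el.get("id"))
        elif name == "profile" and el.get("idref"):  # profile recorded in the TestResult
            applied = el.get("idref")
        elif name == "rule-result":
            result = next(((c.text or "").strip() for c in el if local(c.tag) == "result"), "unknown")
            counts[result] += 1
            if result in ("fail", "error", "unknown"):
                msgs = [c.text.strip() for c in el if local(c.tag) == "message" and c.text]
                problems.append((el.get("idref"), result, msgs))
    return {"profiles": profiles, "applied": applied, "counts": counts, "problems": problems}

if __name__ == "__main__":
    # Pass a results file path (e.g. one from /root/openscap_data); without one, the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = summarize(data)
    print("profiles defined:", report["profiles"] or "none found in this file")
    print("profile applied: ", report["applied"])
    print("result counts:   ", dict(report["counts"]))
    for rule, result, msgs in report["problems"]:
        print(f"{result:7} {rule}: {' | '.join(msgs) or 'no message recorded'}")
```

A run where nearly every rule is `notselected` indicates the profile was not applied at all, while `error` entries point at remediations that ran and failed.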