Alinux 3 OpenSCAP scanning not working #12401

Open
blackbrownco opened this issue Sep 19, 2024 · 10 comments
Labels
Alibaba Linux Alibaba Linux product related.

Comments


blackbrownco commented Sep 19, 2024

Description of problem:

All of the scan results using ssg-alinux3-xccdf.xml with profile xccdf_org.ssgproject.content_profile_cis come back as not applicable for all items.

image

SCAP Security Guide Version:

0.1.74

Operating System Version:

```
VERSION="3 (OpenAnolis Edition)"
ID="alinux"
ID_LIKE="rhel fedora centos anolis"
VERSION_ID="3"
VARIANT="OpenAnolis Edition"
VARIANT_ID="openanolis"
ALINUX_MINOR_ID="2104"
ALINUX_UPDATE_ID="10"
PLATFORM_ID="platform:al8"
PRETTY_NAME="Alibaba Cloud Linux 3.2104 U10 (OpenAnolis Edition)"
ANSI_COLOR="0;31"
HOME_URL="https://www.aliyun.com/"
```

Steps to Reproduce:

  1. Install the necessary packages openscap-scanner and scap-security-guide, but the ssg for alinux was not found
  2. Download the ssg from https://github.com/ComplianceAsCode/content, but the ssg-alinux3-xccdf.xml also was not found
  3. Import the ssg-alinux3-xccdf.xml from an Ubuntu system that has ssg-applications, ssg-base and ssg-nondebian installed
  4. Run oscap xccdf eval with profile xccdf_org.ssgproject.content_profile_cis and point it to the stored ssg-alinux3-xccdf.xml
  5. All of the items were not scanned

Actual Results:

image

Additional Information

When scanning using ssg-alinux-ds.xml, the scanner works and I managed to get the report

Contributor

dodys commented Sep 19, 2024

Hi @blackbrownco,

Regarding your steps to reproduce:

  1. On step 2, you need to build the product to get the ssg-alinux3-xccdf.xml that you are looking for. It is not stored in the repo, but is a result of the product build. Therefore running something like `./build_product -j4 alinux3` will generate a `./build/ssg-alinux3-xccdf.xml`.
  2. Step number 4 was not clear: did you run the eval on an alinux machine or on Ubuntu? Because the not-applicable results from the image suggested that you ran against Ubuntu and not against alinux. If you did run against alinux, then I would recommend running the same command but with the following parameters: `--verbose INFO --verbose-log-file alinux3.log --oval-results`. That should make it easier to figure out what's happening.

@blackbrownco
Author

Hi @dodys, thanks for your reply

  1. Where can I get the build_product binary to create the ssg-alinux3-xccdf.xml?

Contributor

dodys commented Sep 23, 2024

> Hi @dodys thanks for your reply
>
> 1. Where can I get the build_product binary to create the ssg-alinux3-xccdf.xml

In the root of the project itself

Author

blackbrownco commented Sep 24, 2024

Hi @dodys, I have already built it with the binary found in the root of this project; this is the info:
image

The profiles xccdf_org.ssgproject.content_profile_cis_l1 and xccdf_org.ssgproject.content_profile_cis weren't found

I also tried to scan using the standard profile, but the results are not applicable
image

##hostnamectl
image

Contributor

dodys commented Sep 24, 2024

Sorry, I should have confirmed it earlier, but since I'm not involved with that distro I didn't. But yeah, there isn't an implementation of CIS for al3 currently. Someone would need to contribute it.

Contributor

dodys commented Sep 24, 2024

Regarding the not-applicable with the standard profile, have you run with the parameters I mentioned before and taken a look at them?

@blackbrownco
Author

> sorry, I should have confirmed it earlier, but since I'm not involved with that distro I didn't. But yeah, there isn't an implementation of CIS for al3 currently. Someone would need to contribute it.

I thought it was already implemented since there is a guide here https://static.open-scap.org/ssg-guides/ssg-alinux3-guide-cis.html

@blackbrownco
Author

> regarding the not-applicable with the standard profile, have you run with the parameters I mentioned before and took a look at them?

If you see here at my earlier reply, I've put the verbose command as well
image

Contributor

dodys commented Sep 25, 2024

> > sorry, I should have confirmed it earlier, but since I'm not involved with that distro I didn't. But yeah, there isn't an implementation of CIS for al3 currently. Someone would need to contribute it.
>
> i thought it was already implemented since there is a guide here https://static.open-scap.org/ssg-guides/ssg-alinux3-guide-cis.html

It was removed in the beginning of the year when alinux3 became EOL
#11486

Contributor

dodys commented Sep 25, 2024

> > regarding the not-applicable with the standard profile, have you run with the parameters I mentioned before and took a look at them?
>
> if you see here at my earlier reply, I've put verbose command as well image

Please add all the parameters I've mentioned
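
Added example, not part of the thread or of the ComplianceAsCode project: a small Python check for the two symptoms discussed above (a requested profile that is missing from the built XCCDF file, and a scan where every rule is `notapplicable`). It reads an XCCDF 1.2 file, such as one written by `oscap xccdf eval --results`, lists the profiles and declared platform CPEs, and tallies rule results next to the host's os-release `ID`; it does not reproduce oscap's own applicability evaluation. The sample XCCDF document, its CPE and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "http://checklists.nist.gov/xccdf/1.2"  # XCCDF 1.2 namespace
NS = {"x": XCCDF}

# Constructed sample (not real SSG content): one profile, one declared
# platform, and a TestResult in which every rule came back notapplicable.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <platform idref="cpe:/o:example:constructed_os:3"/>
  <Profile id="xccdf_org.ssgproject.content_profile_standard"><title>Standard</title></Profile>
  <TestResult id="xccdf_example_testresult">
    <rule-result idref="rule_a"><result>notapplicable</result></rule-result>
    <rule-result idref="rule_b"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>"""

# os-release excerpt taken from the issue report above.
SAMPLE_OS_RELEASE = 'ID="alinux"\nVERSION_ID="3"\nPLATFORM_ID="platform:al8"\n'

def parse_os_release(text):
    """Parse os-release KEY=value lines into a dict, dropping quotes."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip().strip('"') for k, _, v in pairs}

def diagnose(xccdf_text, wanted_profile, os_release_text):
    """Summarise what the benchmark offers versus what was asked of it."""
    root = ET.fromstring(xccdf_text)
    # iter() also finds a Benchmark nested inside a data stream collection.
    benchmarks = list(root.iter(f"{{{XCCDF}}}Benchmark"))
    profiles = [p.get("id") for b in benchmarks for p in b.findall("x:Profile", NS)]
    # Only benchmark-level platforms; rules and groups can carry their own.
    platforms = [p.get("idref") for b in benchmarks for p in b.findall("x:platform", NS)]
    tally = Counter(r.findtext("x:result", "", NS)
                    for r in root.iter(f"{{{XCCDF}}}rule-result"))
    host = parse_os_release(os_release_text)
    return {
        "profile_found": wanted_profile in profiles,
        "available_profiles": profiles,
        "declared_platforms": platforms,
        "host_id": host.get("ID"),
        "tally": dict(tally),
        "all_notapplicable": bool(tally) and set(tally) == {"notapplicable"},
    }

if __name__ == "__main__":
    report = diagnose(SAMPLE_XCCDF, "xccdf_org.ssgproject.content_profile_cis",
                      SAMPLE_OS_RELEASE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

When `all_notapplicable` is true, compare `declared_platforms` with `host_id` first, then read the `--verbose-log-file` output for the platform check that failed.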
