• Type: Bug
    • Resolution: Won't Do
    • rhel-9.5
    • openscap
    • rhel-sst-security-compliance
    • ssg_security

      Problem
      ==============
      1] Waivers have been requested by customers. The use case is as follows. Customers want to be compliant with some security policy, so they scan their systems using OpenSCAP. However, some of their machines will be failing a few rules. Customers decide that these 2 rules are low priority, or do not even make sense for these few machines, and want to mark them as such.
       
      2] If a customer makes a custom tailoring file to disable the checks for such a rule, the report does not include the disabled checks, nor are they indicated with a "skipped" status. It would be beneficial to have disabled checks at least marked as "skipped" in the report.
      Additionally, the option to include custom waiver text for checks would be a valuable enhancement.
       
      Expected result
      ==============
      Add waivers for rules in the HTML report.
      The rule overview in the HTML report shows a small label next to waived rules.
       
       
      Bugzilla / Jira references:
       
      Support waivers in all the OpenSCAP related projects and integrations
      https://issues.redhat.com/browse/OPENSCAP-240
       
      RHEL7: https://bugzilla.redhat.com/show_bug.cgi?id=1216939
      RHEL6: https://bugzilla.redhat.com/show_bug.cgi?id=1216937
       
      Upstream OpenSCAP supports waivers using the XCCDF override element.
      Oscap: https://github.com/OpenSCAP/openscap/blob/main/NEWS
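      The description above points at the XCCDF override element as the upstream waiver mechanism. The script below is an added example, not code from this ticket or from the OpenSCAP project: it takes an oscap results document, and for each rule listed in a waiver table appends an override element (time and authority attributes; old-result, new-result and remark children, the shape XCCDF 1.2 defines) after the rule's result, and sets the result to the waived value so that the report generated from the file carries the waiver text. The results document, the WAIVERS table, the authority name and the timestamps are constructed values; the two SSG rule ids are real ids from ssg-rhel9-ds.xml but their results here are made up.

```python
"""Record waivers as XCCDF 1.2 <override> elements in an OpenSCAP results file.

Added example; not code from ticket RHEL-80062 or from the OpenSCAP project.
Assumes the XCCDF 1.2 override element (attributes time and authority,
children old-result, new-result, remark) and a constructed results document.
Authority names, remark texts, timestamps and the WAIVERS table are made up.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf", XCCDF_NS)

# Allowed values of the XCCDF 1.2 result enumeration.
VALID_RESULTS = {"pass", "fail", "error", "unknown", "notapplicable",
                 "notchecked", "notselected", "informational", "fixed"}


def q(tag: str) -> str:
    """Namespace-qualify an XCCDF tag for ElementTree."""
    return f"{{{XCCDF_NS}}}{tag}"


# Constructed stand-in for the TestResult that `oscap xccdf eval --results`
# writes: one failing and one passing rule.
SAMPLE_RESULTS = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_org.example_testresult_demo"
            start-time="2025-01-01T00:00:00" end-time="2025-01-01T00:01:00">
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed"
               time="2025-01-01T00:00:30" severity="medium" weight="1.0">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_tmout"
               time="2025-01-01T00:00:40" severity="medium" weight="1.0">
    <result>pass</result>
  </rule-result>
</TestResult>
"""

# rule id -> (new result, waiver authority, waiver text); constructed values.
WAIVERS = {
    "xccdf_org.ssgproject.content_rule_package_aide_installed": (
        "pass", "example-change-board",
        "File integrity monitoring is provided by the EDR agent on this host class."),
    # Already passing in SAMPLE_RESULTS, so apply_waivers leaves it untouched.
    "xccdf_org.ssgproject.content_rule_accounts_tmout": (
        "pass", "example-change-board", "Kiosk hosts have no interactive shells."),
}


def apply_waivers(results_xml: str, waivers: dict, when: str):
    """Return (new_xml, applied_rule_ids).

    For every waived rule whose current result differs from the waiver's new
    result and which carries no override yet, insert an <override> right after
    <result> (the position XCCDF 1.2 assigns it) and set <result> to the new
    value, so a report regenerated from the file shows the waived result.
    """
    root = ET.fromstring(results_xml)
    applied = []
    for rr in root.iter(q("rule-result")):
        rule_id = rr.get("idref")
        if rule_id not in waivers:
            continue
        new_result, authority, remark = waivers[rule_id]
        if new_result not in VALID_RESULTS:
            raise ValueError(f"{rule_id}: invalid XCCDF result {new_result!r}")
        result_el = rr.find(q("result"))
        if result_el is None or result_el.text == new_result:
            continue                      # nothing to waive
        if rr.find(q("override")) is not None:
            continue                      # already waived; keep reruns idempotent
        override = ET.Element(q("override"), {"time": when, "authority": authority})
        ET.SubElement(override, q("old-result")).text = result_el.text
        ET.SubElement(override, q("new-result")).text = new_result
        ET.SubElement(override, q("remark")).text = remark
        rr.insert(list(rr).index(result_el) + 1, override)
        result_el.text = new_result
        applied.append(rule_id)
    return ET.tostring(root, encoding="unicode"), applied


def waived_rules(results_xml: str):
    """List (rule id, old result, new result, authority, remark) per override."""
    root = ET.fromstring(results_xml)
    found = []
    for rr in root.iter(q("rule-result")):
        for ov in rr.findall(q("override")):
            found.append((rr.get("idref"),
                          ov.findtext(q("old-result")),
                          ov.findtext(q("new-result")),
                          ov.get("authority"),
                          ov.findtext(q("remark"))))
    return found


if __name__ == "__main__":
    waived_xml, ids = apply_waivers(SAMPLE_RESULTS, WAIVERS, "2025-01-02T09:00:00")
    print("waived:", ids)
    for entry in waived_rules(waived_xml):
        print(entry)
```

      Run it against the real results file, write the returned XML out, and regenerate the HTML with `oscap xccdf generate report waived-results.xml > report.html`; whether the report renders the override depends on the OpenSCAP version (see the NEWS link above). Two caveats: the script does not recompute the `<score>` element, and XCCDF overrides carry no expiry, so the waiver table itself is where review dates and approvals have to live.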

            [RHEL-80062] [RFE] Support waivers in OpenSCAP

            Marek Haičman added a comment -

            To expand on what Jan wrote. OpenSCAP scanning is usually just the automatable part of a more complex posture, so it is expected that the report won't have everything there. But if you want to preserve the existence of an automated rule in the report, without executing it, it is possible to adjust it via tailoring.

            Our autotailor script (shipped in openscap-utils) provides a convenient means to adjust the role of the rule so it shows in the profiles as either "notchecked" or "informational".

            "unscored" results in "informational":

            $ autotailor -p stig_2 -r package_aide_installed=unscored /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml stig

            "unchecked" results in "notchecked":

            $ autotailor -p stig_2 -r package_aide_installed=unchecked /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml stig

            What it does on the tailoring level is add a role to the refine-rule entry:

            <ns0:refine-rule idref="xccdf_org.ssgproject.content_rule_package_aide_installed" role="unscored"/>

            You won't be able to get custom waiver text with this, though.

            To sum up: thank you for the request; we do track it internally even after closing this ticket, but OpenSCAP is not a suitable tool, and there is no plan to expand its functionality in this direction.
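            The comment above shows only the refine-rule line that autotailor emits. For reference, here is a complete tailoring file of the same shape, written for this page as an added example rather than taken from the ticket or from autotailor's output: it extends the SSG RHEL 9 stig profile, marks one rule unscored (still evaluated, shown as informational and left out of the score) and one unchecked (not evaluated, shown as notchecked). The tailoring id, the derived profile id and title, the timestamp and the choice of the second rule are assumptions; the benchmark path and the two rule ids are the ones used on this page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed tailoring file; ids and timestamp are example values. -->
<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2"
                     id="xccdf_org.example_tailoring_waivers">
  <xccdf-1.2:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"/>
  <xccdf-1.2:version time="2025-01-02T09:00:00">1</xccdf-1.2:version>
  <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_stig_waived"
                     extends="xccdf_org.ssgproject.content_profile_stig">
    <xccdf-1.2:title>STIG with documented rule roles</xccdf-1.2:title>
    <!-- still evaluated; reported as informational and not counted in the score -->
    <xccdf-1.2:refine-rule idref="xccdf_org.ssgproject.content_rule_package_aide_installed"
                           role="unscored"/>
    <!-- not evaluated at all; reported as notchecked -->
    <xccdf-1.2:refine-rule idref="xccdf_org.ssgproject.content_rule_accounts_tmout"
                           role="unchecked"/>
  </xccdf-1.2:Profile>
</xccdf-1.2:Tailoring>
```

            Scan with it by passing the file and the derived profile id: `oscap xccdf eval --tailoring-file waivers-tailoring.xml --profile xccdf_org.ssgproject.content_profile_stig_waived --results results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml`. As the comment notes, a role changes only how the rule is evaluated and displayed; the tailoring carries no waiver text, so the justification has to be tracked outside the scan.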

            Jan Cerny added a comment -

            This request is definitely not in scope of OpenSCAP. OpenSCAP is a scanner tool, not a compliance management system.


              Jan Cerny (jcerny@redhat.com)
              Vaibhav Bhope (rhn-support-vbhope)
              SSG Security QE
              Votes: 0
              Watchers: 7