Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
Chapter 58. Security
OpenSCAP rpmverifypackage does not work correctly
The
chdir and chroot system calls are called twice by the rpmverifypackage probe. Consequently, an error occurs when the probe is utilized during an OpenSCAP scan with custom Open Vulnerability and Assessment Language (OVAL) content.
To work around this problem, do not use the
rpmverifypackage_test OVAL test in your content or use only the content from the scap-security-guide package where rpmverifypackage_test is not used. (BZ#1603347)
dconf databases are not checked by OVAL
OVAL (Open Vulnerability and Assessment Language) checks used in the
SCAP Security Guide project are not able to read a dconf binary database, only files used to generate the database. The database is not regenerated automatically, the administrator needs to enter the dconf update command. As a consequence, changes to the database that are not made using files in the /etc/dconf/db/ directory cannot be detected by scanning. This may cause false negatives results.
To work around this problem, run
dconf update periodically, for example, using the /etc/crontab configuration file. (BZ#1631378)
SCAP Workbench fails to generate results-based remediations from tailored profiles
The following error occurs when trying to generate results-based remediation roles from a customized profile using the the
SCAP Workbench tool:
Error generating remediation role '.../remediation.sh': Exit code of 'oscap' was 1: [output truncated]
Error generating remediation role '.../remediation.sh': Exit code of 'oscap' was 1: [output truncated]
OpenSCAP scanner results contain a lot of SELinux context error messages
The
OpenSCAP scanner logs inability to get SELinux context on the ERROR level even in situations where it is not a true error. As a result, OpenSCAP scanner results contain a lot of SELinux context error messages. Both the oscap command-line utility and the SCAP Workbench graphical utility outputs can be hard to read for that reason. (BZ#1640522)
oscap scans use an excessive amount of memory
Result data of Open Vulnerability Assessment Language (OVAL) probes are kept in memory for the whole duration of a scan and the generation of reports is also a memory-intensive process. Consequently, when very large file systems are scanned, the
oscap process can take all available memory and be killed by the operating system.
To work around this problem, use tailoring to exclude rules that scan complete file systems and run them separately. Furthermore, do not use the
--oval-results option. As a result, if you lower the amount of processed data, scanning of the system should no longer crash because of the excessive use of memory. (BZ#1548949)
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}