CentOS 7.3.1611 Scap-security-guide Issue
Hello,
I have noticed that the pci-dss profile, ssg-CentOS7-xccdf.xml, will always fail on test and remediation for the disable_prelink rule. That seems to be caused by insufficient CentOS RPM customization of upstream code. Specifically this:
https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/disable_prelink.xml#L24-L35
That condition will always fail on CentOS because it misses:
I was thinking about raising a bug on https://bugs.CentOS.org or committing a fix in https://git.CentOS.org/summary/rpms!scap-security-guide but I am unsure as to what action I should take.
The other issue I'm facing is trying to work around the disable_prelink rule by simply taking it out of tests. I have created a tailor file but it doesn't seem to be taken into consideration. The file:
Linux 7 [CUSTOMIZED]
v3
Then the oscap command I tried:
oscap xccdf eval --remediate --tailoring-file tailor.xml --profile pci-dss \
--fetch-remote-resources \
/usr/share/xml/scap/ssg/content/ssg-CentOS7-xccdf.xml
It is my debut on the list, thank you for your consideration :-)
2 thoughts on - CentOS 7.3.1611 Scap-security-guide Issue
You can clone that git project from git.CentOS.org, then checkout the
'c7' branch and fix the issue on your branch .. then use the git
--format-patch option as explained here:
https://ariejan.net/2009/10/26/how-to-create-and-apply-a-patch-with-git/
Then you can send your patch (attached to an email) to the CentOS-Devel mailing list (https://lists.CentOS.org/mailman/listinfo/CentOS-devel)
and I will import it into the git repo and fix the package.
Thanks, Johnny Hughes
Please have a look at the patch.
CentOS mailing list CentOS@CentOS.org https://lists.CentOS.org/mailman/listinfo/CentOS