CentOS 7.3.1611 Scap-security-guide Issue


Hello,

I have noticed that the pci-dss profile, ssg-CentOS7-xccdf.xml, will always fail on test and remediation for the disable_prelink rule. That seems to be caused by insufficient CentOS RPM customization of upstream code. Specifically this:
https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/disable_prelink.xml#L24-L35

That condition will always fail on CentOS because it misses:

I was thinking about raising a bug on https://bugs.CentOS.org or committing a fix in https://git.CentOS.org/summary/rpms!scap-security-guide but I am unsure as to what action I should take.

The other issue I’m facing is trying to work around the disable_prelink rule by simply taking it out of the tests. I have created a tailor file but it doesn’t seem to be taken into consideration. The file:



1

PCI-DSS v3 Control Baseline for CentOS
Linux 7 [CUSTOMIZED]

This is a *draft* profile for PCI-DSS
v3



Then the oscap command I tried:
oscap xccdf eval --remediate --tailoring-file tailor.xml --profile pci-dss \
    --fetch-remote-resources \
    /usr/share/xml/scap/ssg/content/ssg-CentOS7-xccdf.xml

It is my debut on the list, thank you for your consideration :-)
