Evaluating Alma 8 with OpenSCAP CIS benchmarks shows most of the rules as not applicable.
With the default minimal install, out of a total of 292 CIS rules, 212 show ‘not applicable’, 68 pass and 11 failed.
For example, this should have shown as fail instead of ‘notapplicable’, right?
Title Set SSH Daemon LogLevel to VERBOSE
grep -i loglevel /etc/ssh/sshd_config
Similarly for many other rules.
I hope this will be addressed.
What’s the command you’re running? Are you definitely using the alma8 benchmark and not the rhel8 one, for example?
For example, this works for me; the only N/A’s are 15 things like gnome/wifi/uefi:
sudo oscap xccdf eval --profile cis --results /tmp/cis.xml --report /tmp/cis.html \
--cpe /usr/share/xml/scap/ssg/content/ssg-almalinux8-cpe-dictionary.xml \
LogLevel fails for me as it’s set to info (default), not verbose.
Note a lot of the tests will run sshd -T | grep loglevel, not [just] grep the file:
# sshd -T |grep loglevel
# grep LogLevel /etc/ssh/sshd_config
Thank you so much Simon!
I wasn’t giving the --cpe. Adding that provided more realistic results.
Moving over to test the remediation now.
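
A way to check a results file for the symptom discussed in this thread, as an added example that is not part of the original posts: it tallies the rule results in the XCCDF file written by --results and flags a run where notapplicable dominates. The sample XML, the rule ids, the function names and the 50% threshold are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace

# Constructed sample in the shape of an `oscap xccdf eval --results` file;
# the rule ids are made up for illustration.
SAMPLE = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <TestResult id="constructed_sample">
    <rule-result idref="example_rule_sshd_loglevel"><result>notapplicable</result></rule-result>
    <rule-result idref="example_rule_sshd_root_login"><result>notapplicable</result></rule-result>
    <rule-result idref="example_rule_grub_password"><result>notapplicable</result></rule-result>
    <rule-result idref="example_rule_tmp_partition"><result>fail</result></rule-result>
    <rule-result idref="example_rule_unselected"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>"""


def rule_results(xml_text):
    """Return {rule id: result} for every rule-result in the document."""
    root = ET.fromstring(xml_text)
    return {rr.get("idref"): rr.findtext("x:result", default="unknown", namespaces=NS)
            for rr in root.iterfind(".//x:rule-result", NS)}


def tally(results):
    """Count results, ignoring rules the profile did not select."""
    return Counter(r for r in results.values() if r != "notselected")


def looks_mismatched(counts, threshold=0.5):
    """True when 'notapplicable' dominates, which suggests the platform check
    did not match this host (threshold is an assumption, not an oscap value)."""
    total = sum(counts.values())
    return total > 0 and counts["notapplicable"] / total > threshold


if __name__ == "__main__":
    # Pass the path given to --results, or run with no argument for the sample.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    results = rule_results(text)
    counts = tally(results)
    print(dict(counts))
    if looks_mismatched(counts):
        print("Most rules are notapplicable: check the content file and --cpe dictionary")
        for rule_id in sorted(r for r, v in results.items() if v == "notapplicable"):
            print("  ", rule_id)
```

Run against the counts from the first post (212 notapplicable, 68 pass, 11 fail) the check fires; with only a handful of notapplicable rules it stays quiet.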