Hi guys,
Evaluating Alma 8 with OpenSCAP CIS benchmarks shows most of the rules as not applicable.
With the default minimal install, out of a total of 292 CIS rules, 212 show ‘not applicable’, 68 pass and 11 failed.
For example, this should have shown as fail instead of ‘notapplicable’, right?
Title Set SSH Daemon LogLevel to VERBOSE
Rule sshd_set_loglevel_verbose
Result notapplicable
grep -i loglevel /etc/ssh/sshd_config
#LogLevel INFO
Similarly for many other rules.
I hope this will be addressed.
What’s the command you’re running? Are you definitely using the alma8 benchmark and not the rhel8 one, for example?
For example, this works for me; the only N/As are 15 things like gnome/wifi/uefi:
sudo oscap xccdf eval --profile cis --results /tmp/cis.xml --report /tmp/cis.html \
--cpe /usr/share/xml/scap/ssg/content/ssg-almalinux8-cpe-dictionary.xml \
/usr/share/xml/scap/ssg/content/ssg-almalinux8-xccdf.xml
LogLevel fails for me as it’s set to info (default), not verbose.
Note a lot of the tests will run sshd -T | grep loglevel, not [just] grep the file:
# sshd -T |grep loglevel
loglevel INFO
# grep LogLevel /etc/ssh/sshd_config
#LogLevel INFO
Thank you so much Simon!
I wasn’t giving the --cpe. Adding that provided more realistic results.
Moving over to test the remediation now.
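
An added example, not written by anyone in this thread and not part of OpenSCAP: a Python script that reads the rule-result entries from an oscap --results file (such as /tmp/cis.xml above), flags a scan where notapplicable dominates, and lists the rules that get a real verdict once the scan is rerun with --cpe. It assumes the XCCDF 1.2 results format; the two sample documents, the constructed_rule_* ids and the 50% threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace

def outcomes(xml_text):
    """Map short rule name -> result for every rule the profile selected."""
    found = {}
    for rr in ET.fromstring(xml_text).iter(XCCDF + "rule-result"):
        result = (rr.findtext(XCCDF + "result") or "unknown").strip()
        if result != "notselected":
            found[rr.get("idref", "").split("_rule_", 1)[-1]] = result
    return found

def platform_mismatch_suspected(found, threshold=0.5):
    """True when more than `threshold` of evaluated rules are notapplicable.
    The 0.5 cut-off is an assumption, not an OpenSCAP setting."""
    counts = Counter(found.values())
    return bool(found) and counts["notapplicable"] / len(found) > threshold

def newly_evaluated(before, after):
    """Rules that were notapplicable before and have a real verdict after."""
    return {rule: res for rule, res in after.items()
            if before.get(rule) == "notapplicable" and res != "notapplicable"}

def _sample(results):
    """Build a constructed results document from {rule_name: outcome}."""
    body = "".join(
        f'<rule-result idref="xccdf_org.ssgproject.content_rule_{name}">'
        f"<result>{outcome}</result></rule-result>"
        for name, outcome in results.items())
    return (f'<Benchmark xmlns="{XCCDF[1:-1]}"><TestResult id="constructed">'
            f"{body}</TestResult></Benchmark>")

# Constructed data: one rule set scanned without and with a matching --cpe.
# Only sshd_set_loglevel_verbose is named in the thread; the rest are made up.
WITHOUT_CPE = _sample({"sshd_set_loglevel_verbose": "notapplicable",
                       "constructed_rule_a": "notapplicable",
                       "constructed_rule_b": "notapplicable",
                       "constructed_rule_c": "pass",
                       "constructed_rule_d": "notselected"})
WITH_CPE = _sample({"sshd_set_loglevel_verbose": "fail",
                    "constructed_rule_a": "pass",
                    "constructed_rule_b": "notapplicable",
                    "constructed_rule_c": "pass",
                    "constructed_rule_d": "notselected"})

if __name__ == "__main__":
    before, after = outcomes(WITHOUT_CPE), outcomes(WITH_CPE)
    for label, found in (("without --cpe", before), ("with --cpe", after)):
        print(label, dict(Counter(found.values())),
              "mismatch suspected:", platform_mismatch_suspected(found))
    print("newly evaluated:", newly_evaluated(before, after))
```

To use it on a real scan, pass the contents of the results file to outcomes(), for example outcomes(open("/tmp/cis.xml").read()).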