OpenSCAP fails for Ubuntu 18.04 containers
Background
The IronBank pipeline uses Compliance as Code version 0.1.66: https://repo1.dso.mil/ironbank-tools/ironbank-pipeline/-/blob/c82614a8a14e6d35d5233d0e2c5b5cbfec759a88/stages/scanning/rhel-oscap-version.json#L2

Compliance as Code is downloaded here: https://repo1.dso.mil/ironbank-tools/ironbank-pipeline/-/blob/c82614a8a14e6d35d5233d0e2c5b5cbfec759a88/stages/scanning/openscap/oscap-compliance-run.sh#L31

Direct link to the zip that is downloaded: https://github.com/ComplianceAsCode/content/releases/download/v0.1.66/scap-security-guide-0.1.66.zip

When a `ubuntu1804-container` project is scanned, the pipeline (at https://repo1.dso.mil/ironbank-tools/ironbank-pipeline/-/blob/c82614a8a14e6d35d5233d0e2c5b5cbfec759a88/stages/scanning/openscap/compliance.py#L98) looks for `ssg-ubuntu1804-ds.xml`, which it finds as expected. The pipeline then uses a profile named `xccdf_org.ssgproject.content_profile_stig`. However, the file does not contain a profile by that name:
```
$ oscap info ssg-ubuntu1804-ds.xml
Document type: Source Data Stream
Imported: 2023-02-03T04:33:37

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-ubuntu1804-xccdf.xml
Generated: (null)
Version: 1.3
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-ubuntu1804-xccdf.xml
        Status: draft
        Generated: 2023-02-03
        Resolved: true
        Profiles:
            Title: Profile for ANSSI DAT-NT28 Average (Intermediate) Level
                Id: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average
            Title: Profile for ANSSI DAT-NT28 High (Enforced) Level
                Id: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high
            Title: Profile for ANSSI DAT-NT28 Minimal Level
                Id: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal
            Title: Profile for ANSSI DAT-NT28 Restrictive Level
                Id: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive
            Title: CIS Ubuntu 18.04 LTS Benchmark
                Id: xccdf_org.ssgproject.content_profile_cis
            Title: Standard System Security Profile for Ubuntu 18.04
                Id: xccdf_org.ssgproject.content_profile_standard
        Referenced check files:
            ssg-ubuntu1804-oval.xml
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
            ssg-ubuntu1804-ocil.xml
                system: http://scap.nist.gov/schema/ocil/2
Checks:
    Ref-Id: scap_org.open-scap_cref_ssg-ubuntu1804-oval.xml
    Ref-Id: scap_org.open-scap_cref_ssg-ubuntu1804-ocil.xml
    Ref-Id: scap_org.open-scap_cref_ssg-ubuntu1804-cpe-oval.xml
Dictionaries:
    Ref-Id: scap_org.open-scap_cref_ssg-ubuntu1804-cpe-dictionary.xml
```
Therefore, the pipeline does not handle Ubuntu 18.04 containers as expected.
I have reported this missing STIG to that project at https://github.com/ComplianceAsCode/content/issues/10208.
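A pre-flight check the pipeline could run before invoking `oscap`, so that a profile missing from the data stream fails with a clear message naming the profiles that do exist. This is an added example, not code from the ironbank-pipeline project; the data stream embedded below is a constructed, cut-down sample with the same layout as `ssg-ubuntu1804-ds.xml`, not the real file.

```python
"""Pre-flight check for the failure described above: confirm that a SCAP
source data stream actually carries the XCCDF profile the pipeline is
about to request, and report clearly when it does not."""
from typing import List
import xml.etree.ElementTree as ET

# Namespaces used by SCAP 1.3 source data streams and XCCDF 1.2.
NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}

def list_profiles(datastream_xml: str) -> List[str]:
    """Return the id of every <Profile> in every XCCDF Benchmark component."""
    root = ET.fromstring(datastream_xml)
    path = ".//ds:component/xccdf:Benchmark/xccdf:Profile"
    return [p.get("id") for p in root.iterfind(path, NS)]

def check_profile(datastream_xml: str, profile_id: str) -> str:
    """Return 'ok' if the profile exists, otherwise a message listing what does."""
    available = list_profiles(datastream_xml)
    if profile_id in available:
        return "ok"
    return "profile %s not found; available: %s" % (profile_id, ", ".join(available))

# Constructed, cut-down data stream with the same layout as
# ssg-ubuntu1804-ds.xml, carrying two of the profiles oscap info listed.
SAMPLE_DS = """<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2">
  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-ubuntu1804-xccdf.xml">
    <ds:checklists>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-ubuntu1804-xccdf.xml"/>
    </ds:checklists>
  </ds:data-stream>
  <ds:component id="scap_org.open-scap_comp_ssg-ubuntu1804-xccdf.xml">
    <xccdf:Benchmark id="xccdf_org.ssgproject.content_benchmark_UBUNTU_18-04">
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_cis"/>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_standard"/>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>"""

if __name__ == "__main__":
    # The profile the pipeline asks for is exactly the one that is missing.
    print(check_profile(SAMPLE_DS, "xccdf_org.ssgproject.content_profile_stig"))
```

The same check works on the real file by reading `ssg-ubuntu1804-ds.xml` into `datastream_xml`.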
Acceptance Criteria

- The pipeline behaves as expected when performing an OpenSCAP scan of Ubuntu 18.04 containers
Definition of Done

- Write or update any unit or integration tests
- Project pipeline runs successfully
- Add any applicable checkboxes for testing, e.g. ran pipeline in staging env or pipeline-test-project pipeline run
- Solution is captured as code and/or documentation and merge requests have been submitted
- Code review completed and merge request approved/merged
- All Acceptance Criteria have been completed