Hi - I’m running the OpenSCAP STIG profile on a new CentOS 7.1611 installation, and I get a few failures that look like this (output from openscap scan --verbosity INFO). I suspect this is because the openscap module is not accepting CentOS 7 as RHEL 7 for rules purposes, despite an early check for “Community Enterprise Operating System 7” which succeeds.

1. Am I correct in why it’s failing?
2. Is this a bug, or an accepted behavior given that CentOS isn’t actually RHEL?

I: oscap: Evaluating XCCDF rule 'accounts_password_pam_retry'.
I: oscap: Evaluating definition 'oval:org.open-scap.cpe.rhel:def:7': Red Hat Enterprise Linux 7.
I: oscap: Definition 'oval:org.open-scap.cpe.rhel:def:7' evaluated as false.
I: oscap: Evaluating definition 'oval:org.open-scap.cpe.rhel:def:1007': Community Enterprise Operating System 7.
I: oscap: Definition 'oval:org.open-scap.cpe.rhel:def:1007' evaluated as true.
I: oscap: Adding external variable oval:ssg-var_password_pam_retry:var:1.
I: oscap: Evaluating definition 'oval:ssg-accounts_password_pam_retry:def:1': Set Password retry Requirements.
I: oscap: Criteria are extended by definition 'oval:ssg-installed_OS_is_rhel6:def:1'.
I: oscap: Evaluating definition 'oval:ssg-installed_OS_is_rhel6:def:1': Red Hat Enterprise Linux 6.
I: oscap: Definition 'oval:ssg-installed_OS_is_rhel6:def:1' evaluated as false.
I: oscap: Evaluating textfilecontent54 test 'oval:ssg-test_password_pam_cracklib_retry:tst:1': check the configuration of /etc/pam.d/system-auth.
I: oscap: Querying textfilecontent54 object 'oval:ssg-obj_password_pam_cracklib_retry:obj:1', flags: 0.
I: oscap: Creating new syschar for textfilecontent54_object 'oval:ssg-obj_password_pam_cracklib_retry:obj:1'.
I: probe_textfilecontent54: Opening file '/etc/pam.d/system-auth'.
I: oscap: State 'oval:ssg-state_password_pam_retry:ste:1' references external_variable 'oval:ssg-var_password_pam_retry:var:1'.
I: oscap: Test 'oval:ssg-test_password_pam_cracklib_retry:tst:1' requires that at least one object defined by 'oval:ssg-obj_password_pam_cracklib_retry:obj:1' exists on the system.
I: oscap: 0 objects defined by 'oval:ssg-obj_password_pam_cracklib_retry:obj:1' exist on the system.
I: oscap: No item matching object 'oval:ssg-obj_password_pam_cracklib_retry:obj:1' was found on the system. (flag=does not exist)
I: oscap: Test 'oval:ssg-test_password_pam_cracklib_retry:tst:1' evaluated as false.
I: oscap: Criteria are extended by definition 'oval:ssg-installed_OS_is_rhel7:def:1'.
I: oscap: Evaluating definition 'oval:ssg-installed_OS_is_rhel7:def:1': Red Hat Enterprise Linux 7.
I: oscap: Definition 'oval:ssg-installed_OS_is_rhel7:def:1' evaluated as false.
I: oscap: Evaluating textfilecontent54 test 'oval:ssg-test_password_pam_pwquality_retry:tst:1': check the configuration of /etc/pam.d/system-auth.
I: oscap: Querying textfilecontent54 object 'oval:ssg-obj_password_pam_pwquality_retry:obj:1', flags: 0.
I: oscap: Creating new syschar for textfilecontent54_object 'oval:ssg-obj_password_pam_pwquality_retry:obj:1'.
I: probe_textfilecontent54: Opening file '/etc/pam.d/system-auth'.
I: oscap: State 'oval:ssg-state_password_pam_retry:ste:1' references external_variable 'oval:ssg-var_password_pam_retry:var:1'.
I: oscap: Test 'oval:ssg-test_password_pam_pwquality_retry:tst:1' requires that at least one object defined by 'oval:ssg-obj_password_pam_pwquality_retry:obj:1' exists on the system.
I: oscap: 1 objects defined by 'oval:ssg-obj_password_pam_pwquality_retry:obj:1' exist on the system.
I: oscap: All items matching object 'oval:ssg-obj_password_pam_pwquality_retry:obj:1' were collected. (flag=complete)
I: oscap: In test 'oval:ssg-test_password_pam_pwquality_retry:tst:1' all of the collected items must satisfy these states: 'oval:ssg-state_password_pam_retry:ste:1'.
I: oscap: Entity 'subexpression'='3' of item '106534257' matches corresponding entity in state 'oval:ssg-state_password_pam_retry:ste:1'.
I: oscap: Item '106534257' compared to state 'oval:ssg-state_password_pam_retry:ste:1' with result true.
I: oscap: Test 'oval:ssg-test_password_pam_pwquality_retry:tst:1' evaluated as true.
I: oscap: Criteria are extended by definition 'oval:ssg-installed_OS_is_fedora:def:1'.
I: oscap: Evaluating definition 'oval:ssg-installed_OS_is_fedora:def:1': Installed operating system is Fedora.
I: oscap: Definition 'oval:ssg-installed_OS_is_fedora:def:1' evaluated as false.
I: oscap: Evaluating textfilecontent54 test 'oval:ssg-test_password_pam_pwquality_retry:tst:1': check the configuration of /etc/pam.d/system-auth.
I: oscap: Test 'oval:ssg-test_password_pam_pwquality_retry:tst:1' evaluated as true.
I: oscap: Definition 'oval:ssg-accounts_password_pam_retry:def:1' evaluated as false.
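
A triage helper for output like the log above, added here as an example and not part of the original post or of OpenSCAP: it reduces the INFO lines to a per-definition summary and flags failed definitions in which a content test passed while an extended installed_OS_is_* definition evaluated false. The function names and the installed_OS_is_ heuristic are assumptions; the log does not show how the criteria are combined, so the result points at where to look rather than confirming the cause.

```python
import re
# Excerpt of the post's log (verbatim entries, trimmed to one rule's evaluation).
SAMPLE_LOG = """\
I: oscap: Evaluating definition 'oval:ssg-accounts_password_pam_retry:def:1': Set Password retry Requirements.
I: oscap: Criteria are extended by definition 'oval:ssg-installed_OS_is_rhel7:def:1'.
I: oscap: Evaluating definition 'oval:ssg-installed_OS_is_rhel7:def:1': Red Hat Enterprise Linux 7.
I: oscap: Definition 'oval:ssg-installed_OS_is_rhel7:def:1' evaluated as false.
I: oscap: Test 'oval:ssg-test_password_pam_pwquality_retry:tst:1' evaluated as true.
I: oscap: Definition 'oval:ssg-accounts_password_pam_retry:def:1' evaluated as false.
"""

# Matched over the whole text, so entries may be one per line or run together.
EVENT = re.compile(
    r"Evaluating definition '(?P<start>[^']+)'"
    r"|Criteria are extended by definition '(?P<ext>[^']+)'"
    r"|Definition '(?P<done>[^']+)' evaluated as (?P<dres>\w+)"
    r"|Test '(?P<test>[^']+)' evaluated as (?P<tres>\w+)"
)

def _entry(report, def_id):
    return report.setdefault(def_id, {"result": None, "extends": [], "tests": {}})

def summarize(log_text):
    """Map each OVAL definition id to its result, extended definitions and tests."""
    report, stack = {}, []          # stack tracks nested definition evaluation
    for m in EVENT.finditer(log_text):
        if m["start"]:
            _entry(report, m["start"])
            stack.append(m["start"])
        elif m["ext"] and stack:
            report[stack[-1]]["extends"].append(m["ext"])
        elif m["done"]:
            _entry(report, m["done"])["result"] = m["dres"]
            if stack and stack[-1] == m["done"]:
                stack.pop()
        elif m["test"] and stack:
            report[stack[-1]]["tests"][m["test"]] = m["tres"]
    return report

def platform_hints(report):
    """Heuristic: failed definitions with a passing test and a failed OS check."""
    hints = {}
    for def_id, info in report.items():
        failed_os = [e for e in info["extends"] if "installed_OS_is_" in e
                     and report.get(e, {}).get("result") == "false"]
        passed = [t for t, r in info["tests"].items() if r == "true"]
        if info["result"] == "false" and failed_os and passed:
            hints[def_id] = {"failed_os_checks": failed_os, "passed_tests": passed}
    return hints
```

Calling platform_hints(summarize(text)) on a full scan log lists every definition that fits this pattern, which shows quickly whether the failures share the same platform check.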