Description of problem:
When running oscap to generate results compatible with STIG Viewer, the SSG v0.1.78 seems to create an XCCDF (.xml) file with all the results as "Not Reviewed". The issue does not occur with SSG v0.1.77. Is it possible there were changes in rule IDs, profile structure, and manual check conversions in 0.1.78 that prevent proper mapping of evaluated rules to the expected STIG checklist IDs, breaking STIG Viewer compatibility? This is also not working when scanning a docker container image.
The CLI output shows proper evaluation messages and rule statuses, but the XCCDF .xml might be corrupted?
SCAP Security Guide Version:
0.1.78
Operating System Version:
RHEL9
Steps to Reproduce:
- oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --stig-viewer OSCAP_RHEL9_stig-viewer_0.1.78.xml /usr/share/xml/scap/scap-security-guide-0.1.78/ssg-rhel9-ds.xml
- oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --stig-viewer OSCAP_RHEL9_stig-viewer_0.1.77.xml /usr/share/xml/scap/scap-security-guide-0.1.77/ssg-rhel9-ds.xml
- oscap-docker image [DOCKER IMAGE ID] xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --stig-viewer OSCAP_RHEL9_image_stig-viewer_0.1.78.xml /usr/share/xml/scap/scap-security-guide-0.1.78/ssg-rhel9-ds.xml
- oscap-docker image [DOCKER IMAGE ID] xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --stig-viewer OSCAP_RHEL9_image_stig-viewer_0.1.77.xml /usr/share/xml/scap/scap-security-guide-0.1.77/ssg-rhel9-ds.xml
- Using DISA STIG Viewer 3 or STIG Viewer 2, create a new Checklist from DISA's RHEL9 STIG
- Import the XCCDF results file (.xml) to the Checklist
Actual Results:
Importing results from oscap scans using SSG v0.1.77 works as expected
Importing results from oscap scans using SSG v0.1.78 shows all the rules are "Not Reviewed", with no Finding Details. As if it's not actually importing.
Expected Results:
When importing OpenSCAP --stig-viewer results generated from SSG RHEL9 STIG profile into STIG Viewer, the viewer should display a complete set of evaluated rules corresponding to the selected STIG profile. Each rule should correctly indicate its compliance status (Compliant, Non-Compliant, or Not Reviewed) based on the evaluation. Rules that are applicable to the system should not be incorrectly marked as “Not Applicable,” and there should be no extraneous or missing results. The output should match the rule IDs and structure expected by the DISA STIG checklist.
Additional Information/Debugging Steps:
OpenSCAP v1.4.2
TEST_RHEL9_image_stig_results_0.1.78.xml
TEST_RHEL9_image_stig_results_0.1.77.xml
TEST_RHEL9_image_stig_results_0.1.76.xml
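Added example (not part of the original report, and not OpenSCAP or SSG project code): one way to check the rule-ID question raised above is to diff the `rule-result` `idref` values and results between the 0.1.77 and 0.1.78 output files. The embedded sample documents and their rule IDs are constructed placeholders; pass two real results files on the command line to compare them instead.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

def _local(tag):
    # Strip "{namespace}" so XCCDF 1.1 and 1.2 files are handled alike.
    return tag.rsplit("}", 1)[-1]

def rule_results(xml_text):
    """Return {rule-result idref: result} for an XCCDF results document."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "rule-result":
            res = next((c.text for c in el if _local(c.tag) == "result"), "")
            found[el.get("idref")] = (res or "").strip()
    return found

def compare(old_xml, new_xml):
    """Diff rule IDs and results between two results documents."""
    old, new = rule_results(old_xml), rule_results(new_xml)
    shared = sorted(set(old) & set(new))
    return {
        "only_old": sorted(set(old) - set(new)),
        "only_new": sorted(set(new) - set(old)),
        "changed": {r: (old[r], new[r]) for r in shared if old[r] != new[r]},
        "old_counts": dict(Counter(old.values())),
        "new_counts": dict(Counter(new.values())),
    }

# Constructed sample input: placeholder rule IDs, not taken from any real scan.
def _sample(rows):
    body = "".join(
        f'<rule-result idref="{i}"><result>{r}</result></rule-result>'
        for i, r in rows)
    return f'<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2">{body}</TestResult>'

OLD = _sample([("placeholder_rule_a", "pass"), ("placeholder_rule_b", "fail")])
NEW = _sample([("placeholder_rule_a", "pass"), ("renamed_rule_b", "fail")])

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py OLD_RESULTS.xml NEW_RESULTS.xml
        texts = [open(p, "rb").read() for p in sys.argv[1:]]
    else:
        texts = [OLD, NEW]
    for key, value in compare(*texts).items():
        print(f"{key}: {value}")
```

IDs that appear in only one file indicate that the identifiers written to the results changed between versions; matching IDs with matching result counts indicate the difference lies elsewhere in the file.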