RHEL-8.1 workaround for remediating and scanning with the scap-security-guide PCI-DSS profile


The scap-security-guide-0.1.46-1 package contains a combination of remediation and a check that can result in one of the following scenarios:

  • incorrect remediation of Audit rules
  • scan evaluation containing false positives where passed rules are marked as failed

Consequently, during the RHEL 8.1 installation process, scanning of the installed system reports some Audit rules as either failed or errored.

To work around this problem during the RHEL 8.1 installation, use the data-stream file attached to this article; extract it with the tar -xf ssg-rhel8-ds-1.2.tar.gz command. For more information, see Kickstart commands for addons supplied with the RHEL installation program - %addon org_fedora_oscap.

A system installed or remediated using the attached data stream is PCI-DSS compliant. However, if you evaluate it using the data-stream file from the scap-security-guide-0.1.46-1 package, the scanner evaluates Audit rules as not passing; that is, such a scan contains false positives.

For this reason, Red Hat recommends also using the data-stream file attached to this article for scanning and remediation for PCI-DSS compliance after the installation is complete.