OpenSCAP release notes

Updated -

Table of Contents

With OpenSCAP, you can perform fully automated compliance audits of Red Hat Enterprise Linux installations according to specified security standards. The OpenSCAP library, with the accompanying oscap command-line utility, is designed to perform configuration and vulnerability scans on a local system, to validate configuration compliance content, and to generate reports and guides based on these scans and evaluations.

1.4.0

Available in RHEL versions: 10.0.beta

  • Introduced the ability to generate Kickstarts for unattended RHEL installation using the oscap xccdf generate fix --fix-type kickstart command.
  • Removed the cve, cvss, and cvrf modules.
  • Removed the ds submodules: sds-compose, sds-add, sds-split, rds-create, and rds-split.
  • Removed the --template, --oval-template, and --sce-template options from the xccdf generate submodule.
  • Removed the --skip-valid option (replaced by --skip-validation).
  • Add the ability to process JSON tailoring files containing multiple profiles by the autotailor tool.
  • Removed the openscap-devel, openscap-engine-sce-devel, and openscap-python3 subpackages.

1.3.10

Available in RHEL versions: 8.6.Z EUS, 8.8.Z EUS, 8.9.Z, 9.0.Z EUS, 9.2.Z EUS, 9.3.Z

  • Added the --reference option for selecting rules based on their references (RHEL-1479).
  • The autotailor utility now allows changing the role and severity of rules in XCCDF tailoring files (RHEL-1477) and can convert JSON tailoring into XCCDF tailoring format.
  • Generated blueprint remediations have been improved and become self-contained (RHEL-1476).
  • OpenSCAP now lists all environment variables affecting its execution and their values if you run the scanner with verbosity level INFO or DEVEL.
  • Added two environment variables for working around memory issues in OpenSCAP (RHEL-4141, RHEL-11925).
    • You can configure the maximum amount of items collected by OpenSCAP probes by using the OSCAP_PROBE_MAX_COLLECTED_ITEMS environment variable.
    • You can specify directory paths that should be skipped during the scanning by setting the OSCAP_PROBE_IGNORE_PATHS environment variable.
  • Fixed file names of the CPE OVAL result files (RHEL-7050).
  • References in HTML reports and guides are now presented in a table and are grouped by reference target.

1.3.8

Available in RHEL versions: 8.6.Z EUS, 8.8.Z, 8.9, 9.0.Z EUS, 9.2.Z, 9.3

  • Fixed systemd probes to not ignore some systemd units.
  • Added offline capabilities to the shadow OVAL probe.
  • Added offline capabilities to the sysctl OVAL probe.
  • Added auristorfs to the list of network filesystems.
  • Created a workaround for issues with tailoring files produced by the autotailor utility.

1.3.7

Available in RHEL versions: 8.8 and 9.2

  • Fixed error when processing OVAL filters RHBZ#2126882.
  • OpenSCAP no longer emits invalid empty xmlfilecontent items if XPath does not match RHBZ#2139060.
  • Prevented Failed to check available memory errors RHBZ#2111040.

Comments