OpenSCAP release notes


With OpenSCAP, you can perform fully automated compliance audits of Red Hat Enterprise Linux installations according to specified security standards. The OpenSCAP library, with the accompanying oscap command-line utility, is designed to perform configuration and vulnerability scans on a local system, to validate configuration compliance content, and to generate reports and guides based on these scans and evaluations.

1.4.2

Available in RHEL versions: 10.0.Z

  • Fixed thread synchronization problems.
  • Fixed the textfilecontent54_test element for negative instance numbers.
  • Fixed signature processing in the rpminfo_test element.

1.3.12

Available in RHEL versions: 8.10.Z EUS, 9.0.Z EUS, 9.2.Z EUS, 9.4.Z EUS, 9.6.Z EUS

  • Fixed thread synchronization problems.
  • OpenSCAP now properly handles the OSCAP_PROBE_IGNORE_PATHS environment variable value, excluding all paths in the list (RHEL-67297).
  • Fixed processing of tailored DISA content (RHEL-34104).
  • Fixed the textfilecontent54_test element for negative instance numbers.
  • Fixed signature processing in the rpminfo_test element.

1.4.1

Available in RHEL versions: 10.0 (GA)

  • Introduced a new tool, oscap-im, that can be used in Containerfiles to build hardened bootable container images for Image Mode RHEL systems.
  • The oscap info subcommand no longer prints SCAP source data stream component references.
  • Fixed an error when applying tailoring to DISA SCAP content, caused by incorrect xlink namespace processing.

1.3.11

Available in RHEL versions: 9.6

  • Introduced a new tool, oscap-im, that can be used in Containerfiles to build hardened bootable container images for Image Mode RHEL systems.
  • The oscap info subcommand no longer prints SCAP source data stream component references.
  • Fixed an error when applying tailoring to DISA SCAP content, caused by incorrect xlink namespace processing.
  • Fixed RPM probes in the bootable container image build environment (RHEL-55251, https://issues.redhat.com/browse/RHEL-55251).

1.4.0

Available in RHEL versions: 10.0.beta

  • Introduced the ability to generate Kickstarts for unattended RHEL installation using the oscap xccdf generate fix --fix-type kickstart command.
  • Removed the cve, cvss, and cvrf modules.
  • Removed the ds submodules: sds-compose, sds-add, sds-split, rds-create, and rds-split.
  • Removed the --template, --oval-template, and --sce-template options from the xccdf generate submodule.
  • Removed the --skip-valid option (replaced by --skip-validation).
  • Added the ability for the autotailor tool to process JSON tailoring files containing multiple profiles.
  • Removed the openscap-devel, openscap-engine-sce-devel, and openscap-python3 subpackages.

1.3.10

Available in RHEL versions: 8.6.Z EUS, 8.8.Z EUS, 8.9.Z, 9.0.Z EUS, 9.2.Z EUS, 9.3.Z

  • Added the --reference option for selecting rules based on their references (RHEL-1479).
  • The autotailor utility now allows changing the role and severity of rules in XCCDF tailoring files (RHEL-1477) and can convert JSON tailoring into XCCDF tailoring format.
  • Generated blueprint remediations have been improved and are now self-contained (RHEL-1476).
  • OpenSCAP now lists all environment variables affecting its execution and their values if you run the scanner with verbosity level INFO or DEVEL.
  • Added two environment variables for working around memory issues in OpenSCAP (RHEL-4141, RHEL-11925).
    • You can configure the maximum number of items collected by OpenSCAP probes by using the OSCAP_PROBE_MAX_COLLECTED_ITEMS environment variable.
    • You can specify directory paths that should be skipped during scanning by setting the OSCAP_PROBE_IGNORE_PATHS environment variable.
  • Fixed file names of the CPE OVAL result files (RHEL-7050).
  • References in HTML reports and guides are now presented in a table and are grouped by reference target.

1.3.8

Available in RHEL versions: 8.6.Z EUS, 8.8.Z, 8.9, 9.0.Z EUS, 9.2.Z, 9.3

  • Fixed systemd probes so that they no longer ignore some systemd units.
  • Added offline capabilities to the shadow OVAL probe.
  • Added offline capabilities to the sysctl OVAL probe.
  • Added auristorfs to the list of network filesystems.
  • Created a workaround for issues with tailoring files produced by the autotailor utility.

1.3.7

Available in RHEL versions: 8.8 and 9.2

  • Fixed an error when processing OVAL filters (RHBZ#2126882).
  • OpenSCAP no longer emits invalid empty xmlfilecontent items if XPath does not match (RHBZ#2139060).
  • Prevented "Failed to check available memory" errors (RHBZ#2111040).
