7.145. openscap

Updated openscap packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
OpenSCAP is an open source project, which enables integration of the Security Content Automation Protocol (SCAP) line of standards. SCAP is a line of standards managed by the National Institute of Standards and Technology (NIST). It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

Upgrade to an upstream version

The openscap packages have been upgraded to upstream version 1.0.10, which provides a number of bug fixes and enhancements over the previous version. Updated version is fully API/ABI compatible with 1.0.x version which has been certified by the National Institute of Standards and Technology (NIST). (BZ#1152599)

Bug Fixes

Previously, the has_extended_acl feature was missing in the scripts that build OpenSCAP, which caused the OpenSCAP auditing tool to be unable to assess extended file system properties. This update fixes the build process of OpenSCAP to include has_extended_acl, and OpenSCAP is now again able to assess extended file system properties as intended.
When the Extensible Configuration Checklist Description Format (XCCDF) input content included an instruction to use a certain XCCDF variable with an undefined variable value, the OpenSCAP scanner could crash. With this update, the NULL pointer causing this bug is handled correctly when binding the XCCDF value to the OVAL variable, and the security scan now proceeds smoothly.
The OVAL standard requires that the var_check content XML attribute be included within any XML elements that have the var_ref attribute, which the OpenSCAP scanner did not always observe. As a consequence, the schematron validation of OVAL results returned a warning message to the user. The OVAL module has been fixed to export var_check explicitly whenever exporting var_ref, and the schematron validation now passes as expected.


To keep the installed package set to the minimum, the number of package dependencies of the OpenSCAP auditing tool has been reduced. With this update, the oscap tool is shipped within the newly created openscap-scanner package and the openscap-utils package remains to include miscellaneous tools. Users are advised to remove openscap-utils, if they no longer need other utilities except for the scanner.
Users of openscap are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.