How to exclude directories from an oscap scan
Environment
- Red Hat Enterprise Linux (RHEL) 7 and later
- openscap-scanner
Issue
- oscap has no option to exclude directories when performing a scan
- oscap includes remote file systems (in particular GPFS file systems) even though some rules explicitly exclude these file systems
Resolution
oscap has some limitations, including the ones listed below:
- There is no way to exclude specific directories at scan time; directories are only filtered out from the results, so the scan still walks them
- Some remote file systems such as GPFS are not treated as remote file systems (only NFS and CIFS are recognized as such), so rules meant to apply to local file systems only still traverse them
Recent oscap builds (openscap-scanner-1.3.12-2.el8_10 and openscap-scanner-1.3.12-1.el9_6) can ignore paths by setting the OSCAP_PROBE_IGNORE_PATHS environment variable to a colon-separated list of paths (OSCAP_PROBE_IGNORE_PATHS=/path1:/path2:...).
If you cannot update to a recent oscap, the workaround is to run oscap as a one-shot systemd service whose sandboxing settings hide the directories from oscap.
NOTE: oscap exits with status 2 when the scan completed successfully but the assessed system is not compliant (exit status 1 means the scan itself failed). Unless the unit declares SuccessExitStatus=2, systemd treats exit status 2 as a failure of the service.
Solution: create a persistent service triggered manually
Steps 1 and 2 are to be done only once when creating the service unit. To rescan the system, proceed to Step 3 directly.
1. Create a dedicated one-shot openscap-scan service that hides remote file systems (example /etc/systemd/system/openscap-scan.service unit):
    [Unit]
    Description=OpenScap scanning service working around the limitation regarding remote file systems scanning (BZ #1694962 - https://bugzilla.redhat.com/show_bug.cgi?id=1694962)
    [Service]
    Type=oneshot
    # OpenSCAP command used for scanning
    # To be adjusted depending on the requirements
    ExecStart=/usr/bin/oscap xccdf eval ...
    # List of remote file systems to hide (separated by spaces, see systemd.exec(5) manpage)
    # To be adjusted depending on the requirements
    InaccessibleDirectories=/home /my/remote/filesystem
    # Accept 2 as a successful termination
    SuccessExitStatus=2
In this example, the /home and /my/remote/filesystem mount points have been hidden from the oscap command specified in ExecStart. InaccessibleDirectories= is the directive name of the systemd version shipped in RHEL 7; newer systemd versions call it InaccessiblePaths= and still accept the old name.
2. Reload systemd for the changes to take effect:
    # systemctl daemon-reload
3. Execute the service:
    # systemctl start openscap-scan.service
4. Check the output if needed:
    # systemctl status openscap-scan.service
    # journalctl -u openscap-scan.service
Alternative solution for RHEL 8 and later: execute oscap as a transient service
1. Execute the oscap command as a transient service:
    # systemd-run --unit=openscap-scan.service -p RemainAfterExit=true -p "InaccessiblePaths=/home /my/remote/filesystem" -- /usr/bin/oscap xccdf eval ...
In this example, the /home and /my/remote/filesystem mount points have been hidden from the oscap command given at the end of the command line, after the double hyphen. The service ends up in the failed state with exit code 2 if the scan itself succeeded but the assessed system is not compliant; add -p SuccessExitStatus=2 if you want that outcome recorded as success.
2. Check the output if needed:
    # systemctl status openscap-scan.service
    # journalctl -u openscap-scan.service
3. If the scan failed in error, reset the state if you want to rescan the system later:
    # systemctl reset-failed openscap-scan.service
If the scan succeeded, the unit stays active because of RemainAfterExit=true; stop it (systemctl stop openscap-scan.service) before starting another scan under the same unit name, otherwise systemd-run refuses to create the unit.
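The following wrapper is an added example and is not part of this solution or of the OpenSCAP project. It ties the two mechanisms above together: the OSCAP_PROBE_IGNORE_PATHS variable for scanner builds that support it, and a transient service with InaccessiblePaths= for RHEL 8 and later, and it reads oscap's exit status back from the transient unit and cleans the unit up so the same name can be reused. The data stream, profile and results paths are placeholders; the helper names (ignore_paths_value, oscap_verdict, check_paths, scan_with_env, scan_with_systemd) are this example's own.

```shell
#!/bin/sh
# Added example, not part of this Red Hat solution or of OpenSCAP: run an
# oscap scan with a list of paths hidden from the scanner, using either the
# OSCAP_PROBE_IGNORE_PATHS variable or a transient systemd service with
# InaccessiblePaths= (RHEL 8 and later).
#
# Assumptions (placeholders, adjust to your environment):
#   DATASTREAM / PROFILE - the SCAP content and profile to evaluate
#   RESULTS              - where the XCCDF results file is written
#   Hidden paths must be absolute. An InaccessiblePaths= entry that does not
#   exist makes the service fail to start unless it is prefixed with "-"
#   (see systemd.exec(5)), so only hide mount points that are present.
DATASTREAM=${DATASTREAM:-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml}
PROFILE=${PROFILE:-xccdf_org.ssgproject.content_profile_cis}
RESULTS=${RESULTS:-/var/tmp/oscap-results.xml}
UNIT=openscap-scan.service

# Join the arguments into the colon-separated form OSCAP_PROBE_IGNORE_PATHS expects.
ignore_paths_value() {
    local IFS=:
    printf '%s' "$*"
}

# Map an oscap exit status to a verdict: 0 compliant, 2 scan completed but
# the system is not compliant, anything else (notably 1) a scan error.
oscap_verdict() {
    case "$1" in
        0) echo compliant ;;
        2) echo noncompliant ;;
        *) echo error ;;
    esac
}

# Refuse relative paths: both mechanisms match on absolute path prefixes.
check_paths() {
    local p
    for p in "$@"; do
        case "$p" in
            /*) ;;
            *) echo "not an absolute path: $p" >&2; return 1 ;;
        esac
    done
    return 0
}

# Mechanism 1: environment variable honoured by the openscap-scanner 1.3.12
# builds named in the solution. Returns oscap's own exit status.
scan_with_env() {
    check_paths "$@" || return 1
    OSCAP_PROBE_IGNORE_PATHS="$(ignore_paths_value "$@")" \
        /usr/bin/oscap xccdf eval --profile "$PROFILE" \
            --results "$RESULTS" "$DATASTREAM"
}

# Mechanism 2: transient service. systemd over-mounts the listed paths with
# inaccessible nodes inside the service's mount namespace, so oscap never
# sees them. RemainAfterExit=true keeps the unit around so the exit status can
# be read back; the unit is then stopped and reset so its name can be reused.
scan_with_systemd() {
    check_paths "$@" || return 1
    systemctl reset-failed "$UNIT" 2>/dev/null
    systemd-run --unit="$UNIT" -p RemainAfterExit=true \
        -p "InaccessiblePaths=$*" \
        -- /usr/bin/oscap xccdf eval --profile "$PROFILE" \
            --results "$RESULTS" "$DATASTREAM" || return 1
    # Wait for the oscap process to finish, then read its exit status.
    while [ "$(systemctl show -p SubState --value "$UNIT")" = running ]; do
        sleep 5
    done
    status=$(systemctl show -p ExecMainStatus --value "$UNIT")
    systemctl stop "$UNIT" 2>/dev/null
    systemctl reset-failed "$UNIT" 2>/dev/null
    return "$status"
}

# Usage: oscap-hide.sh env|systemd /path1 /path2 ...
main() {
    method=$1; shift
    case "$method" in
        env)     scan_with_env "$@" ;;
        systemd) scan_with_systemd "$@" ;;
        *)       echo "usage: $0 env|systemd /path..." >&2; return 1 ;;
    esac
    rc=$?
    echo "scan result: $(oscap_verdict "$rc") (exit status $rc)"
    return "$rc"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root, for example `./oscap-hide.sh systemd /home /my/remote/filesystem`; the script's exit status is oscap's, so 2 still means "scan done, host not compliant" to whatever calls it, and the results file named in RESULTS holds the per-rule outcome either way.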
Root Cause
- BZ 1694962 (oscap scans non-local and excluded file systems even though the rule applies to local file systems only) describes the full issue
- there is no way to exclude specific directories at scan time; directories are only filtered out from the results
- some remote file systems such as GPFS are not treated as remote file systems (only NFS and CIFS are recognized as such)
Diagnostic Steps
- oscap is very slow on the system
- stracing the oscap command shows remote paths being accessed
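To turn the strace observation into something reproducible, here is an added example (not part of this solution) that counts, per mount point, how many file syscalls in an strace log touch paths under it. The strace lines embedded in it are constructed for illustration, and /gpfs/data standing for a GPFS mount point is an assumption; count_accesses_under and report_accesses are this example's own helpers.

```shell
#!/bin/sh
# Added example, not part of this Red Hat solution: confirm from an strace log
# which mount points oscap is walking. The trace lines below are constructed,
# and /gpfs/data as a GPFS mount point is an assumption.
#
# On a real system the trace is captured with (not executed here):
#   strace -f -e trace=file -o /tmp/oscap.strace /usr/bin/oscap xccdf eval ...
# and candidate remote mount points can be listed with:
#   findmnt -n -o TARGET -t nfs,nfs4,cifs,gpfs

# Constructed sample of what "strace -f -e trace=file" produces.
sample_trace() {
    cat <<'EOF'
12345 openat(AT_FDCWD, "/etc/ssh/sshd_config", O_RDONLY) = 5
12345 openat(AT_FDCWD, "/gpfs/data/project/a.dat", O_RDONLY|O_NOFOLLOW|O_PATH) = 6
12345 lstat("/gpfs/data/project/b.dat", {st_mode=S_IFREG|0644, st_size=1024, ...}) = 0
12345 stat("/home/alice/.bashrc", {st_mode=S_IFREG|0644, st_size=231, ...}) = 0
12345 openat(AT_FDCWD, "/usr/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
12345 lstat("/gpfs/data/project/c.dat", {st_mode=S_IFREG|0644, st_size=1024, ...}) = 0
EOF
}

# Count trace lines whose first quoted argument (the path) is the given mount
# point or lies beneath it; "/gpfs/datafoo" does not count for "/gpfs/data".
# Usage: count_accesses_under /gpfs/data < trace
count_accesses_under() {
    awk -v mp="$1" -F'"' '
        NF >= 3 && ($2 == mp || index($2, mp "/") == 1) { n++ }
        END { print n + 0 }'
}

# Print one "count mountpoint" line per mount point, most accessed first, so
# a remote file system that oscap should not be touching stands out.
# Usage: report_accesses /tmp/oscap.strace /gpfs/data /home ...
report_accesses() {
    trace=$1; shift
    for mp in "$@"; do
        printf '%s %s\n' "$(count_accesses_under "$mp" < "$trace")" "$mp"
    done | sort -rn
}

# Stand-alone demonstration on the constructed trace.
tmp=$(mktemp)
sample_trace > "$tmp"
report_accesses "$tmp" /gpfs/data /home /usr
rm -f "$tmp"
```

On a real host, feed the output of `findmnt -n -o TARGET -t nfs,nfs4,cifs,gpfs` to report_accesses: any remote mount point with a non-zero count is one to hide with OSCAP_PROBE_IGNORE_PATHS or InaccessiblePaths=.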
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.