How to exclude directories from an oscap scan
Environment
- Red Hat Enterprise Linux (RHEL) 7 and later
- openscap-scanner
Issue
- oscap has no option to exclude directories when performing a scan
- oscap includes remote file systems (in particular GPFS file systems) even though some rules explicitly exclude these file systems
Resolution
oscap has some limitations, including the ones listed below:
- There is no way to exclude specific directories at scan time; directories are only filtered out from the results
- Some remote file systems such as GPFS are not considered as remote file systems (only NFS and CIFS are considered as such)
The workaround consists in executing oscap as a one-shot systemd service: the InaccessibleDirectories= option (the systemd 219 name used on RHEL 7; systemd 231 and later, i.e. RHEL 8, call it InaccessiblePaths= and still accept the old name) makes the listed paths, along with everything below them, inaccessible inside the service's private mount namespace, so oscap never descends into them.
NOTE: oscap exits with 2 when the scan completed successfully but the assessed system is not compliant.
Solution: create a persistent service triggered manually
Steps 1 and 2 need to be done only once, when creating the service unit. To rescan the system, proceed directly to Step 3.
- Create a dedicated one-shot openscap-scan service that hides remote file systems (example /etc/systemd/system/openscap-scan.service unit):

[Unit]
Description=OpenScap scanning service workarounding limitation regarding remote file systems scanning (BZ #1694962 - https://bugzilla.redhat.com/show_bug.cgi?id=1694962)

[Service]
Type=oneshot
# OpenSCAP command used for scanning
# To be adjusted depending on the requirements
ExecStart=/usr/bin/oscap xccdf eval ...
# List of remote file systems to hide (separated by spaces, see systemd.exec(5) manpage)
# To be adjusted depending on the requirements
InaccessibleDirectories=/home /my/remote/filesystem
# Accept 2 as a successful termination
SuccessExitStatus=2

In the example above, the /home and /my/remote/filesystem mount points are hidden from the oscap command specified in ExecStart.
- Reload systemd for the changes to take effect
# systemctl daemon-reload
- Execute the service
# systemctl start openscap-scan.service
- Check the output if needed
# systemctl status openscap-scan.service
# journalctl -u openscap-scan.service
Alternative solution for RHEL 8 and later: execute oscap as a transient service
- Execute the oscap command as a transient service:
# systemd-run --unit=openscap-scan.service -p RemainAfterExit=true -p "InaccessiblePaths=/home /my/remote/filesystem" -- /usr/bin/oscap xccdf eval ...
In the example above, the /home and /my/remote/filesystem mount points are hidden from the oscap command given after the double hyphen. The service ends in the failed state with exit code 2 if the scan itself succeeded but the assessed system is not compliant; add -p SuccessExitStatus=2 to the systemd-run command, as in the persistent unit above, if that result should not be reported as a failure.
- Check the output if needed
# systemctl status openscap-scan.service
# journalctl -u openscap-scan.service
- If the scan failed in error, reset the state if you want to rescan the system later
# systemctl reset-failed openscap-scan.service
A successful run is kept loaded in the active state by RemainAfterExit=true; stop it before reusing the same unit name
# systemctl stop openscap-scan.service
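As an added example that is not part of the Red Hat solution, the following POSIX shell script ties the two procedures above together: it derives the list of mount points to hide from a findmnt-style mount table (constructed sample data here, so it runs offline), generates the persistent unit file from that list, and classifies oscap's exit status the way the SuccessExitStatus=2 setting does. The ExecStart command, the sample mount points and the file system types to hide are placeholders to adjust.

```shell
#!/bin/sh
# Added example, not from the Red Hat article.
# Builds the list of paths to hide from oscap, renders the one-shot unit,
# and interprets oscap's exit status.

# Mount table in "TARGET FSTYPE" form, as printed by
#   findmnt -rn -o TARGET,FSTYPE
# CONSTRUCTED sample data so the script runs without a real mount table.
SAMPLE_MOUNTS='/ xfs
/boot xfs
/home nfs4
/gpfs/projects gpfs
/mnt/share cifs
/proc proc'

# Read a mount table on stdin and print, space-separated, the mount points
# whose file system type is in the comma-separated list given as $1
# (e.g. gpfs, which oscap does not treat as remote).
# Usage: printf '%s\n' "$table" | hidden_paths 'gpfs,nfs,nfs4,cifs'
hidden_paths() {
    types=",$1,"
    out=""
    while read -r target fstype; do
        [ -z "$target" ] && continue
        case "$types" in
            *",$fstype,"*) out="${out:+$out }$target" ;;
        esac
    done
    printf '%s' "$out"
}

# Render the unit file for the given ExecStart command ($1) and the
# space-separated paths to hide ($2). InaccessibleDirectories= is the
# systemd 219 (RHEL 7) spelling; on RHEL 8 and later InaccessiblePaths=
# is the current name and the old one is still accepted.
unit_file() {
    cat <<EOF
[Unit]
Description=OpenSCAP scan with remote file systems hidden (BZ #1694962)

[Service]
Type=oneshot
ExecStart=$1
InaccessibleDirectories=$2
# oscap exits 2 when the scan succeeded but the system is not compliant
SuccessExitStatus=2
EOF
}

# Translate oscap's exit status: 0 compliant, 2 scanned but non-compliant,
# anything else an error in the scan itself (see oscap(8)).
scan_result() {
    case "$1" in
        0) echo compliant ;;
        2) echo non-compliant ;;
        *) echo error ;;
    esac
}

# Stand-alone demonstration on the constructed table. The oscap command
# line is a placeholder: profile and datastream are site-specific.
paths=$(printf '%s\n' "$SAMPLE_MOUNTS" | hidden_paths 'gpfs,nfs,nfs4,cifs')
unit_file "/usr/bin/oscap xccdf eval --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml" "$paths"
```

On a real host, replace the constructed table with the output of `findmnt -rn -o TARGET,FSTYPE`; the same space-separated list is what goes into the InaccessiblePaths= value passed to systemd-run in the transient-service variant.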
Root Cause
- BZ 1694962 - "oscap scans non-local and excluded file systems even though the rule applies to local file systems only" describes the full issue
- There is no way to exclude specific directories at scan time; directories are only filtered out from the results
- Some remote file systems such as GPFS are not considered as remote file systems (only NFS and CIFS are considered as such)
Diagnostic Steps
- oscap is very slow on the system
- stracing the oscap command shows remote paths being accessed
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.