How to exclude directories from an oscap scan


Environment

  • Red Hat Enterprise Linux (RHEL) 7 and later
    • openscap-scanner

Issue

  • oscap has no option to exclude directories when performing a scan
  • oscap descends into remote file systems (in particular GPFS file systems) even though some rules explicitly exclude remote file systems from their checks

Resolution

oscap has the following limitations:

  • There is no way to exclude specific directories at scan time; directories can only be filtered out of the results afterwards, so they are still traversed during the scan
  • Some remote file systems such as GPFS are not recognised as remote file systems (only NFS and CIFS are treated as such)

The workaround is to run oscap as a one-shot systemd service, whose sandboxing options (InaccessibleDirectories= on RHEL 7, InaccessiblePaths= on RHEL 8 and later, see systemd.exec(5)) make the chosen directories invisible to the oscap process.

NOTE: oscap exits with status 2 when the scan completed successfully but the assessed system is not compliant, and with status 1 on error. A plain systemd service would treat status 2 as a failure, which is why the unit below declares SuccessExitStatus=2.


Solution: create a persistent service triggered manually

Steps 1 and 2 are to be done only once when creating the service unit. To rescan the system, proceed to Step 3 directly.

  1. Create a dedicated one-shot openscap-scan service that hides remote file systems (example of /etc/systemd/system/openscap-scan.service unit)

    [Unit]
    Description=OpenSCAP scanning service working around the limitation regarding remote file system scanning (BZ #1694962 - https://bugzilla.redhat.com/show_bug.cgi?id=1694962)
    
    [Service]
    Type=oneshot
    
    # OpenSCAP command used for scanning
    # To be adjusted depending on the requirements
    ExecStart=/usr/bin/oscap xccdf eval ...
    
    # List of remote file systems to hide (absolute paths separated by spaces, see systemd.exec(5) manpage)
    # To be adjusted depending on the requirements
    # On RHEL 8 and later the directive is named InaccessiblePaths= (InaccessibleDirectories= is still accepted as a deprecated alias)
    InaccessibleDirectories=/home /my/remote/filesystem
    
    # Accept 2 as a successful termination (scan completed, system not compliant)
    SuccessExitStatus=2
    

    In the example above, the /home and /my/remote/filesystem mount points are hidden from the oscap command specified in ExecStart: the process sees empty, inaccessible directories in their place, so nothing below them is scanned.

  2. Reload systemd for changes to take effect

    # systemctl daemon-reload
    
  3. Execute the service

    # systemctl start openscap-scan.service
    
  4. Check the output if needed

    # systemctl status openscap-scan.service
    # journalctl -u openscap-scan.service
    

Alternative solution for RHEL 8 and later: execute oscap as a transient service

  1. Execute the oscap command as a transient service:

    # systemd-run --unit=openscap-scan.service -p RemainAfterExit=true -p "InaccessiblePaths=/home /my/remote/filesystem" -- /usr/bin/oscap xccdf eval ...
    

    In the example above, the /home and /my/remote/filesystem mount points are hidden from the oscap command given after the double hyphen.

    Because no SuccessExitStatus= property is set on the transient unit, the service ends in the failed state with exit code 2 when the scan completed but the assessed system is not compliant; check the journal to distinguish this from a real error (exit code 1).

  2. Check the output if needed

    # systemctl status openscap-scan.service
    # journalctl -u openscap-scan.service
    
  3. Before rescanning the system, clear the previous transient unit, otherwise systemd-run refuses to create a new one with the same name: reset the state if the scan ended in the failed state (exit code 1, or 2 on a non-compliant system), or stop the unit if it completed with exit code 0, since RemainAfterExit=true keeps it active

    # systemctl reset-failed openscap-scan.service
    # systemctl stop openscap-scan.service
    

Root Cause

Diagnostic Steps

  • oscap is very slow on the system
  • Running the oscap command under strace shows remote paths being accessed

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

6 Comments

For the experts, there is yet another way: use unshare as shown below:

# unshare -m bash

This opens a new shell. Then unmount unwanted file systems from there (these unmounts won't be propagated to the host):

# umount /home
# umount /my/remote/filesystem

Finally execute oscap from this shell

# oscap xccdf eval ...

Thanks, this is pretty amazing, and might help some colleagues that have been seriously struggling with this very issue! I may even use it too, but have not had the same experience with openscap and our autofs mounts, possibly because of our autofs configuration options.

Using this solution, how would I subsequently run the openscap process at a specific point in time? Previously, I'd execute my openscap process (with all associated options) via a shell script.

I don't understand your question. You may use the expert solution using unshare (previous comment) wrapping your script or put your script directly in the service unit (for RHEL7) and associate a timer with the service unit or trigger manually using systemctl start openscap-scan.

In the Step 1 items above it has the following line:

"In the example below, /home and /my/remote/filesystem mount points have been excluded from the oscap command specified in ExecStart."

I'm reading this to mean that if I have /home mounted on its own partition and run the scan as it is above, that the scan will skip the home directory. I'm not that well-versed in the intricacies of systemd, so I'm looking for confirmation so that I can stop scanning 100GB+ of home directories!

The scan will exclude /home /my/remote/filesystem, whatever they are: dedicated mount points or just directories