Running OpenSCAP scan report shows not applicable in OpenShift 4

Solution In Progress - Updated -

Issue

  • When running oscap-chroot from a chroot on a node, every rule in the report comes back as notapplicable:
    oscap-chroot /host/ xccdf eval --verbose DEVEL --verbose-log-file verbose.txt --profile xccdf_org.ssgproject.content_profile_cis --report report.html --oval-results /usr/share/xml/scap/ssg/content/ssg-ocp4-ds.xml
  • All of the tests come back as not applicable.
Rule    xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens
Result  notapplicable

Title   Ensure Usage of Unique Service Accounts 
Rule    xccdf_org.ssgproject.content_rule_accounts_unique_service_account
Result  notapplicable

Title   Ensure Network Policies are Configured
Rule    xccdf_org.ssgproject.content_rule_configure_network_policies
Result  notapplicable

Title   Ensure Project Namespaces Use Network Policies
Rule    xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
Result  notapplicable

Title   Disable Scheduler Profiling
Rule    xccdf_org.ssgproject.content_rule_scheduler_profiling_argument
Result  notapplicable

Title   Do Not Use Environment Variables with Secrets
Rule    xccdf_org.ssgproject.content_rule_secrets_no_environment_variables
Result  notapplicable

Title   Verify Permissions on the Worker Kubeconfig File
Rule    xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig
Result  notapplicable

Title   Verify Group Who Owns The OpenShift Node Service File
Rule    xccdf_org.ssgproject.content_rule_file_groupowner_worker_service
Result  notapplicable

Environment

  • OpenShift Container Platform (OCP) 4.x
