OpenSCAP release notes

With OpenSCAP, you can perform fully automated compliance audits of Red Hat Enterprise Linux installations according to specified security standards. The OpenSCAP library, with the accompanying oscap command-line utility, is designed to perform configuration and vulnerability scans on a local system, to validate configuration compliance content, and to generate reports and guides based on these scans and evaluations.

1.4.3

Available in RHEL versions: 10.0.Z, 10.1.Z

  • Added the new --show-rule-details option for the oscap xccdf eval command (RHEL-104651).
  • Updated signature validation to explicitly enable reading of KeyValue and RSA key data.
  • Fixed a memory corruption bug causing a double-free of the error pointer in blueprint fix parsing.
  • Increased array sizes to accommodate null terminators in the compat/dev_to_tty.c and xbase64.c files.
  • Bash remediations run with the --remediate option now inherit the full environment.
  • Fixed inverted and incorrect fields in HTML report tables caused by the XSL template processing (RHEL-104073).
  • You can now specify verbose options at any position on the command line.
  • Added support for the new STIG URL parameter in the --stig-viewer option.
  • Fixed the missing PATH in the oscap-im remediations by inheriting the parent environment.

1.3.13

Available in RHEL versions: 8.10.Z, 9.0.Z, 9.2.Z, 9.4.Z, 9.6.Z, 9.7.Z

  • Fixed the missing PATH in the oscap-im remediations by inheriting the parent environment.
  • Fixed inverted and incorrect fields in HTML report tables caused by the XSL template processing (RHEL-104073).
  • Added a warning that the --local-files option only works with SCAP 1.3 source data streams (RHEL-74343).
  • Added support for the new STIG URL parameter in the --stig-viewer option.

1.4.2

Available in RHEL versions: 10.0.Z

  • Fixed thread synchronization problems.
  • Fixed the textfilecontent54_test element for negative instance numbers.
  • Fixed signature processing in the rpminfo_test element.

1.3.12

Available in RHEL versions: 8.10.Z EUS, 9.0.Z EUS, 9.2.Z EUS, 9.4.Z EUS, 9.6.Z EUS

  • Fixed thread synchronization problems.
  • OpenSCAP now properly handles the OSCAP_PROBE_IGNORE_PATHS environment variable value, excluding all paths in the list (RHEL-67297).
  • Fixed processing of tailored DISA content (RHEL-34104).
  • Fixed the textfilecontent54_test element for negative instance numbers.
  • Fixed signature processing in the rpminfo_test element.

1.4.1

Available in RHEL versions: 10.0 (GA)

  • Introduced the new oscap-im tool, which can be used in Containerfiles to build hardened bootable container images for Image Mode RHEL systems.
  • The oscap info subcommand no longer prints SCAP source data stream component references.
  • Fixed an error when applying tailoring to DISA SCAP content, caused by incorrect xlink namespace processing.

1.3.11

Available in RHEL versions: 9.6

  • Introduced the new oscap-im tool, which can be used in Containerfiles to build hardened bootable container images for Image Mode RHEL systems.
  • The oscap info subcommand no longer prints SCAP source data stream component references.
  • Fixed an error when applying tailoring to DISA SCAP content, caused by incorrect xlink namespace processing.
  • Fixed RPM probes in the bootable container image build environment (RHEL-55251: https://issues.redhat.com/browse/RHEL-55251).

1.4.0

Available in RHEL versions: 10.0.beta

  • Introduced the ability to generate Kickstarts for unattended RHEL installation using the oscap xccdf generate fix --fix-type kickstart command.
  • Removed the cve, cvss, and cvrf modules.
  • Removed the ds submodules: sds-compose, sds-add, sds-split, rds-create, and rds-split.
  • Removed the --template, --oval-template, and --sce-template options from the xccdf generate submodule.
  • Removed the --skip-valid option (replaced by --skip-validation).
  • Added the ability for the autotailor tool to process JSON tailoring files containing multiple profiles.
  • Removed the openscap-devel, openscap-engine-sce-devel, and openscap-python3 subpackages.

1.3.10

Available in RHEL versions: 8.6.Z EUS, 8.8.Z EUS, 8.9.Z, 9.0.Z EUS, 9.2.Z EUS, 9.3.Z

  • Added the --reference option for selecting rules based on their references (RHEL-1479).
  • The autotailor utility now allows changing the role and severity of rules in XCCDF tailoring files (RHEL-1477) and can convert JSON tailoring into XCCDF tailoring format.
  • Generated blueprint remediations have been improved and are now self-contained (RHEL-1476).
  • OpenSCAP now lists all environment variables affecting its execution and their values if you run the scanner with verbosity level INFO or DEVEL.
  • Added two environment variables for working around memory issues in OpenSCAP (RHEL-4141, RHEL-11925).
    • You can configure the maximum number of items collected by OpenSCAP probes by using the OSCAP_PROBE_MAX_COLLECTED_ITEMS environment variable.
    • You can specify directory paths that should be skipped during scanning by setting the OSCAP_PROBE_IGNORE_PATHS environment variable.
  • Fixed file names of the CPE OVAL result files (RHEL-7050).
  • References in HTML reports and guides are now presented in a table and are grouped by reference target.

1.3.8

Available in RHEL versions: 8.6.Z EUS, 8.8.Z, 8.9, 9.0.Z EUS, 9.2.Z, 9.3

  • Fixed systemd probes to not ignore some systemd units.
  • Added offline capabilities to the shadow OVAL probe.
  • Added offline capabilities to the sysctl OVAL probe.
  • Added auristorfs to the list of network filesystems.
  • Created a workaround for issues with tailoring files produced by the autotailor utility.

1.3.7

Available in RHEL versions: 8.8 and 9.2
