Opescanp compliance report not shown any specific report details

Support
,
1

Problem:
i have installed openscap with foreman on server and tried to run scan on centos 7 and centos 8 on different machine i found that compliance report dashboard show me passed , failed , other as zero always and no details is shown when i navigate to details of this report i tried to run oscap xccdf eval with same content downloaded from foreman and there is output from this command and it give me on both client and server that report uploaded scuessfully but no details shown on UI
Expected outcome:
to see number of passed failed tests
Foreman and Proxy versions:

  • ansible-collection-theforeman-foreman-2.1.2-1.el7.noarch
  • ansiblerole-foreman_scap_client-0.2.0-1.el7.noarch
  • candlepin-4.1.7-1.el7.noarch
  • candlepin-selinux-4.1.7-1.el7.noarch
  • foreman-3.0.1-1.el7.noarch
  • foreman-cli-3.0.1-1.el7.noarch
  • foreman-client-release-1.24.3-1.el7.noarch
  • foreman-debug-3.0.1-1.el7.noarch
  • foreman-dynflow-sidekiq-3.0.1-1.el7.noarch
  • foreman-installer-3.0.1-1.el7.noarch
  • foreman-installer-katello-3.0.1-1.el7.noarch
  • foreman-postgresql-3.0.1-1.el7.noarch
  • foreman-proxy-3.0.1-1.el7.noarch
  • foreman-release-3.0.1-1.el7.noarch
  • foreman-selinux-3.0.1-1.el7.noarch
  • foreman-service-3.0.1-1.el7.noarch
  • katello-4.2.1-1.el7.noarch
  • katello-certs-tools-2.8.0-1.el7.noarch
  • katello-client-bootstrap-1.7.7-1.el7.noarch
  • katello-common-4.2.1-1.el7.noarch
  • katello-debug-4.2.1-1.el7.noarch
  • katello-default-ca-1.0-1.noarch
  • katello-repos-4.2.1-1.el7.noarch
  • katello-selinux-4.0.2-1.el7.noarch
  • katello-server-ca-1.0-1.noarch
  • prd-lix-devops-foreman-01-ruh.t2.local-apache-1.0-1.noarch
  • prd-lix-devops-foreman-01-ruh.t2.local-foreman-client-1.0-1.noarch
  • prd-lix-devops-foreman-01-ruh.t2.local-foreman-proxy-1.0-1.noarch
  • prd-lix-devops-foreman-01-ruh.t2.local-foreman-proxy-client-1.0-1.noarch
  • prd-lix-devops-foreman-01-ruh.t2.local-puppet-client-1.0-1.noarch
  • pulp-client-1.0-1.noarch
  • pulpcore-selinux-1.2.6-2.el7.x86_64
  • python3-pulp-ansible-0.9.0-2.el7.noarch
  • python3-pulp-certguard-1.4.0-3.el7.noarch
  • python3-pulp-container-2.8.1-0.2.el7.noarch
  • python3-pulp-deb-2.14.1-2.el7.noarch
  • python3-pulp-file-1.8.2-2.el7.noarch
  • python3-pulp-rpm-3.14.6-2.el7.noarch
  • python3-pulpcore-3.14.8-2.el7.noarch
  • qpid-proton-c-0.35.0-1.el7.x86_64
  • rubygem-foreman_maintain-0.8.10-1.el7.noarch
  • tfm-rubygem-actioncable-6.0.3.7-1.el7.noarch
  • tfm-rubygem-actionmailbox-6.0.3.7-1.el7.noarch
  • tfm-rubygem-actionmailer-6.0.3.7-1.el7.noarch
  • tfm-rubygem-actionpack-6.0.3.7-1.el7.noarch
  • tfm-rubygem-actiontext-6.0.3.7-1.el7.noarch
  • tfm-rubygem-actionview-6.0.3.7-1.el7.noarch
  • tfm-rubygem-activejob-6.0.3.7-1.el7.noarch
  • tfm-rubygem-activemodel-6.0.3.7-1.el7.noarch
  • tfm-rubygem-activerecord-6.0.3.7-1.el7.noarch
  • tfm-rubygem-activerecord-import-1.1.0-1.el7.noarch
  • tfm-rubygem-activerecord-session_store-2.0.0-1.el7.noarch
  • tfm-rubygem-activestorage-6.0.3.7-1.el7.noarch
  • tfm-rubygem-activesupport-6.0.3.7-1.el7.noarch
  • tfm-rubygem-acts_as_list-1.0.3-2.el7.noarch
  • tfm-rubygem-addressable-2.8.0-1.el7.noarch
  • tfm-rubygem-algebrick-0.7.3-8.el7.noarch
  • tfm-rubygem-amazing_print-1.1.0-2.el7.noarch
  • tfm-rubygem-ancestry-3.0.7-2.el7.noarch
  • tfm-rubygem-anemone-0.7.2-23.el7.noarch
  • tfm-rubygem-angular-rails-templates-1.1.0-2.el7.noarch
  • tfm-rubygem-ansi-1.5.0-3.el7.noarch
  • tfm-rubygem-apipie-bindings-0.4.0-2.el7.noarch
  • tfm-rubygem-apipie-dsl-2.4.0-1.el7.noarch
  • tfm-rubygem-apipie-params-0.0.5-5.el7.noarch
  • tfm-rubygem-apipie-rails-0.5.17-4.el7.noarch
  • tfm-rubygem-audited-4.9.0-4.el7.noarch
  • tfm-rubygem-bcrypt-3.1.12-4.el7.x86_64
  • tfm-rubygem-builder-3.2.4-2.el7.noarch
  • tfm-rubygem-bundler_ext-0.4.1-6.el7.noarch
  • tfm-rubygem-clamp-1.1.2-7.el7.noarch
  • tfm-rubygem-colorize-0.8.1-2.el7.noarch
  • tfm-rubygem-concurrent-ruby-1.1.6-3.el7.noarch
  • tfm-rubygem-concurrent-ruby-edge-0.6.0-3.fm2_5.el7.noarch
  • tfm-rubygem-connection_pool-2.2.2-3.el7.noarch
  • tfm-rubygem-crass-1.0.6-2.el7.noarch
  • tfm-rubygem-css_parser-1.4.7-5.el7.noarch
  • tfm-rubygem-daemons-1.2.3-7.el7.noarch
  • tfm-rubygem-deacon-1.0.0-5.el7.noarch
  • tfm-rubygem-deep_cloneable-3.0.0-4.el7.noarch
  • tfm-rubygem-deface-1.5.3-3.el7.noarch
  • tfm-rubygem-domain_name-0.5.20160310-5.el7.noarch
  • tfm-rubygem-dynflow-1.5.0-1.fm2_6.el7.noarch
  • tfm-rubygem-erubi-1.9.0-2.el7.noarch
  • tfm-rubygem-excon-0.76.0-2.el7.noarch
  • tfm-rubygem-facter-4.0.51-2.el7.x86_64
  • tfm-rubygem-faraday-0.17.3-2.el7.noarch
  • tfm-rubygem-fast_gettext-1.4.1-5.el7.noarch
  • tfm-rubygem-ffi-1.12.2-2.el7.x86_64
  • tfm-rubygem-fog-core-2.1.0-4.el7.noarch
  • tfm-rubygem-foreman-tasks-5.1.0-1.fm3_0.el7.noarch
  • tfm-rubygem-foreman_ansible-6.4.1-1.fm2_6.el7.noarch
  • tfm-rubygem-foreman_openscap-5.0.0-1.fm3_0.el7.noarch
  • tfm-rubygem-foreman_puppet-1.0.4-1.fm3_0.el7.noarch
  • tfm-rubygem-foreman_remote_execution-4.7.0-1.fm3_0.el7.noarch
  • tfm-rubygem-formatador-0.2.1-13.el7.noarch
  • tfm-rubygem-friendly_id-5.3.0-2.el7.noarch
  • tfm-rubygem-fx-0.5.0-2.el7.noarch
  • tfm-rubygem-get_process_mem-0.2.7-2.el7.noarch
  • tfm-rubygem-gettext_i18n_rails-1.8.0-3.el7.noarch
  • tfm-rubygem-gitlab-sidekiq-fetcher-0.6.0-2.el7.noarch
  • tfm-rubygem-globalid-0.4.2-2.el7.noarch
  • tfm-rubygem-graphql-1.8.14-3.el7.noarch
  • tfm-rubygem-graphql-batch-0.3.10-3.el7.noarch
  • tfm-rubygem-gssapi-1.2.0-8.el7.noarch
  • tfm-rubygem-hammer_cli-3.0.0-1.el7.noarch
  • tfm-rubygem-hammer_cli_foreman-3.0.0-1.el7.noarch
  • tfm-rubygem-hammer_cli_foreman_puppet-0.0.3-1.fm3_0.el7.noarch
  • tfm-rubygem-hammer_cli_foreman_remote_execution-0.2.2-1.fm3_0.el7.noarch
  • tfm-rubygem-hammer_cli_foreman_tasks-0.0.16-1.fm3_0.el7.noarch
  • tfm-rubygem-hammer_cli_katello-1.1.2-1.el7.noarch
  • tfm-rubygem-hashie-3.6.0-3.el7.noarch
  • tfm-rubygem-highline-2.0.3-2.el7.noarch
  • tfm-rubygem-hocon-1.3.1-2.el7.noarch
  • tfm-rubygem-http-cookie-1.0.2-5.el7.noarch
  • tfm-rubygem-i18n-1.8.2-2.el7.noarch
  • tfm-rubygem-ipaddress-0.8.0-13.el7.noarch
  • tfm-rubygem-jwt-2.2.2-2.el7.noarch
  • tfm-rubygem-kafo-6.4.0-1.el7.noarch
  • tfm-rubygem-kafo_parsers-1.2.1-1.el7.noarch
  • tfm-rubygem-kafo_wizards-0.0.2-2.el7.noarch
  • tfm-rubygem-katello-4.2.1-1.el7.noarch
  • tfm-rubygem-ldap_fluff-0.6.0-1.el7.noarch
  • tfm-rubygem-little-plugger-1.1.4-3.el7.noarch
  • tfm-rubygem-locale-2.0.9-15.el7.noarch
  • tfm-rubygem-logging-2.3.0-2.el7.noarch
  • tfm-rubygem-loofah-2.4.0-2.el7.noarch
  • tfm-rubygem-mail-2.7.1-2.el7.noarch
  • tfm-rubygem-marcel-1.0.1-1.el7.noarch
  • tfm-rubygem-method_source-0.9.2-3.el7.noarch
  • tfm-rubygem-mime-types-3.3.1-2.el7.noarch
  • tfm-rubygem-mime-types-data-3.2018.0812-5.el7.noarch
  • tfm-rubygem-mini_mime-1.0.2-2.el7.noarch
  • tfm-rubygem-mini_portile2-2.5.1-1.el7.noarch
  • tfm-rubygem-multi_json-1.14.1-3.el7.noarch
  • tfm-rubygem-multipart-post-2.0.0-3.el7.noarch
  • tfm-rubygem-mustermann-1.1.1-1.el7.noarch
  • tfm-rubygem-net-ldap-0.17.0-2.el7.noarch
  • tfm-rubygem-net-ping-2.0.1-5.el7.noarch
  • tfm-rubygem-net-scp-1.2.1-5.el7.noarch
  • tfm-rubygem-net-ssh-4.2.0-3.el7.noarch
  • tfm-rubygem-net_http_unix-0.2.2-2.el7.noarch
  • tfm-rubygem-netrc-0.11.0-6.el7.noarch
  • tfm-rubygem-nio4r-2.5.4-2.el7.x86_64
  • tfm-rubygem-nokogiri-1.11.3-2.el7.x86_64
  • tfm-rubygem-oauth-0.5.4-5.el7.noarch
  • tfm-rubygem-openscap-0.4.9-5.el7.noarch
  • tfm-rubygem-openscap_parser-1.0.2-2.el7.noarch
  • tfm-rubygem-parallel-1.19.1-2.el7.noarch
  • tfm-rubygem-parse-cron-0.1.4-5.fm2_5.el7.noarch
  • tfm-rubygem-pg-1.1.4-4.el7.x86_64
  • tfm-rubygem-polyglot-0.3.5-3.el7.noarch
  • tfm-rubygem-powerbar-2.0.1-3.el7.noarch
  • tfm-rubygem-promise.rb-0.7.4-3.el7.noarch
  • tfm-rubygem-public_suffix-3.0.3-3.el7.noarch
  • tfm-rubygem-pulp_ansible_client-0.8.0-1.el7.noarch
  • tfm-rubygem-pulp_certguard_client-1.4.0-1.el7.noarch
  • tfm-rubygem-pulp_container_client-2.7.0-1.el7.noarch
  • tfm-rubygem-pulp_deb_client-2.13.0-1.el7.noarch
  • tfm-rubygem-pulp_file_client-1.8.1-1.el7.noarch
  • tfm-rubygem-pulp_python_client-3.4.0-1.el7.noarch
  • tfm-rubygem-pulp_rpm_client-3.13.3-1.el7.noarch
  • tfm-rubygem-pulpcore_client-3.14.1-1.el7.noarch
  • tfm-rubygem-puma-5.3.2-1.el7.x86_64
  • tfm-rubygem-puma-status-1.3-1.el7.noarch
  • tfm-rubygem-qpid_proton-0.35.0-1.el7.x86_64
  • tfm-rubygem-rabl-0.14.3-2.el7.noarch
  • tfm-rubygem-racc-1.5.2-1.el7.x86_64
  • tfm-rubygem-rack-2.2.3-2.el7.noarch
  • tfm-rubygem-rack-cors-1.0.2-3.el7.noarch
  • tfm-rubygem-rack-jsonp-1.3.1-10.el7.noarch
  • tfm-rubygem-rack-protection-2.1.0-2.el7.noarch
  • tfm-rubygem-rack-test-1.1.0-5.el7.noarch
  • tfm-rubygem-rails-6.0.3.7-1.el7.noarch
  • tfm-rubygem-rails-dom-testing-2.0.3-7.el7.noarch
  • tfm-rubygem-rails-html-sanitizer-1.3.0-2.el7.noarch
  • tfm-rubygem-rails-i18n-6.0.0-3.el7.noarch
  • tfm-rubygem-railties-6.0.3.7-1.el7.noarch
  • tfm-rubygem-rainbow-2.2.2-1.el7.noarch
  • tfm-rubygem-rb-inotify-0.9.7-6.el7.noarch
  • tfm-rubygem-record_tag_helper-1.0.1-4.el7.noarch
  • tfm-rubygem-redfish_client-0.5.2-2.el7.noarch
  • tfm-rubygem-redis-4.1.2-3.el7.noarch
  • tfm-rubygem-responders-3.0.0-4.el7.noarch
  • tfm-rubygem-rest-client-2.0.2-4.el7.noarch
  • tfm-rubygem-rkerberos-0.1.5-20.el7.x86_64
  • tfm-rubygem-roadie-3.4.0-4.el7.noarch
  • tfm-rubygem-roadie-rails-2.1.1-3.el7.noarch
  • tfm-rubygem-robotex-1.0.0-22.el7.noarch
  • tfm-rubygem-rsec-0.4.3-5.el7.noarch
  • tfm-rubygem-ruby-libvirt-0.7.1-2.el7.x86_64
  • tfm-rubygem-ruby2_keywords-0.0.4-1.el7.noarch
  • tfm-rubygem-ruby2ruby-2.4.2-4.el7.noarch
  • tfm-rubygem-ruby_parser-3.10.1-4.el7.noarch
  • tfm-rubygem-rubyipmi-0.10.0-7.el7.noarch
  • tfm-rubygem-runcible-2.13.1-2.el7.noarch
  • tfm-rubygem-safemode-1.3.6-2.el7.noarch
  • tfm-rubygem-scoped_search-4.1.9-2.el7.noarch
  • tfm-rubygem-sd_notify-0.1.0-2.el7.noarch
  • tfm-rubygem-secure_headers-6.3.0-3.el7.noarch
  • tfm-rubygem-sequel-5.42.0-2.el7.noarch
  • tfm-rubygem-server_sent_events-0.1.2-2.el7.noarch
  • tfm-rubygem-sexp_processor-4.10.0-7.el7.noarch
  • tfm-rubygem-sidekiq-5.2.7-4.el7.noarch
  • tfm-rubygem-sinatra-2.1.0-2.el7.noarch
  • tfm-rubygem-smart_proxy_ansible-3.2.1-2.fm2_6.el7.noarch
  • tfm-rubygem-smart_proxy_dynflow-0.5.2-2.fm2_6.el7.noarch
  • tfm-rubygem-smart_proxy_dynflow_core-0.4.1-1.fm2_6.el7.noarch
  • tfm-rubygem-smart_proxy_openscap-0.9.1-1.fm2_6.el7.noarch
  • tfm-rubygem-smart_proxy_pulp-3.1.0-1.fm2_6.el7.noarch
  • tfm-rubygem-smart_proxy_remote_execution_ssh-0.4.1-2.fm2_6.el7.noarch
  • tfm-rubygem-sprockets-4.0.2-2.el7.noarch
  • tfm-rubygem-sprockets-rails-3.2.1-7.el7.noarch
  • tfm-rubygem-sqlite3-1.3.13-7.el7.x86_64
  • tfm-rubygem-sshkey-1.9.0-5.el7.noarch
  • tfm-rubygem-statsd-instrument-2.1.4-4.el7.noarch
  • tfm-rubygem-stomp-1.4.9-2.el7.noarch
  • tfm-rubygem-thor-1.0.1-3.el7.noarch
  • tfm-rubygem-thread_safe-0.3.6-6.el7.noarch
  • tfm-rubygem-tilt-2.0.8-5.el7.noarch
  • tfm-rubygem-tzinfo-1.2.6-2.el7.noarch
  • tfm-rubygem-unf-0.1.3-9.el7.noarch
  • tfm-rubygem-unf_ext-0.0.7.2-4.el7.x86_64
  • tfm-rubygem-unicode-0.4.4.4-4.el7.x86_64
  • tfm-rubygem-unicode-display_width-1.7.0-2.el7.noarch
  • tfm-rubygem-validates_lengths_from_database-0.5.0-8.el7.noarch
  • tfm-rubygem-webpack-rails-0.9.8-6.el7.noarch
  • tfm-rubygem-websocket-driver-0.7.1-2.el7.x86_64
  • tfm-rubygem-websocket-extensions-0.1.5-2.el7.noarch
  • tfm-rubygem-will_paginate-3.1.7-4.el7.noarch
  • tfm-rubygem-xmlrpc-0.3.0-3.el7.noarch
  • tfm-rubygem-zeitwerk-2.2.2-2.el7.noarch
  • tfm-runtime-7.0-4.el7.x86_64
    Foreman and Proxy plugin versions:

Distribution and version:
centos 7.9
Other relevant data:

foreman_scap_client 4
DEBUG: running: oscap xccdf eval --results-arf /tmp/d20211109-22233-1vtkvq5/results.xml /var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml
WARNING: Datastream component ‘scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL7.xml’ points out to the remote ‘https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml’. Use ‘–fetch-r
emote-resources’ option to download it.
WARNING: Skipping ‘https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml’ file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL7.xml file which is referenced from XCCDF content
DEBUG: running: /usr/bin/bzip2 /tmp/d20211109-22233-1vtkvq5/results.xml
Uploading results to https://prd-lix-devops-foreman-01-ruh.t2.local:9090/compliance/arf/4

2

Welcome to the community!

What you are describing (zero passed, failed and other) can happen in 2 cases:

  1. The profile used for scanning has no rules

This is the case if you are using default profiles for CentOS:

default-profile
default-profile1464×540 57.6 KB

The fix is to choose a different profile. Offering an empty profile to be selected is not very user-friendly, I know we had plans to detect such cases and display a warning, but no one actually implemented that just yet.

  1. The profile used for scanning is ‘not relevant’ for the scanned system
    Examples of such cases involve using scap content for CentOS 7 on CentOS 8 or using scap content for java on system where java is not installed.
3

thanks alot for your reply but my case didn’t match either of your suggestion
as i am already running centos 7 with rhel 7 content not rhel 8 and i had changed profile now from default to PCI DSS v3.2.1 for rhel 7 and also when i try to login from machine and excute same command that satellite use i got result in xml file as below which i executed before 2 days with default profile
sorry but when try to upload this file give me error that new user will be unable to upload files

4

I think that if you scan CentOS 7 with RHEL 7 content, it is the second case that I mentioned - at least it produced a zeroed report for me. I think you might need to switch to content which is specifically for CentOS.

5

@Ondrej_Prazak thanks alot for your reply do you have link for content for centos 7 / 8 ubuntu devices

6

You can get the contents from scap-security-guide package: rpm -ql scap-security-guide | grep .*ds.xml

7

this is the same content that i have tried please check below output
[root@prd-lix-devops-foreman-01-ruh ~]# rpm -ql scap-security-guide | grep .*ds.xml
/usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml
/usr/share/xml/scap/ssg/content/ssg-jre-ds.xml
/usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

8

even i have downloaded below ssg from github repo
ssg-centos7-ds.xml but it’s still give me the same behavior

9

Seems like contents for CentOS are no longer shipped in scap-security-guide, interesting. Prehaps SCAP workbench still has them?

scap-workbench
scap-workbench939×913 231 KB

ssg-centos7-ds.xml produces empty result when default content is used for me as well:

default-content
default-content1053×492 21.1 KB

Any but non-default profile needs to be used. Which github repo did you get the file from?

10

i don’t have link right now but then what to do in this case

11

Well, without the source, we can’t really test whether it is supposed to work or not. I’ve checked with OpenSCAP guys and there was no change recently. It still holds that for scanning CentOS 7 machine, one should get the centos7 DS file from the ssg rpm from CentOS 7 distribution. It seems you were trying to get the xml from RHEL ssg pacakge. If you have CentOS 7 machine, see /usr/share/xml/scap/ for the right content after you install scap-security-guide package.