System: 8.10 x86_64, uname -r “4.18.0-553.34.1.el8_10.x86_64”
Problem: OVAL report says I have vulnerabilities that need to be patched, yet dnf commands show “Nothing to do.” This happens whether I execute commands with sudo or as root.
Reproducible: Yes.
Steps to Reproduce:
- sudo dnf update
- sudo dnf install openscap-utils scap-security-guide
- curl -v https://security.almalinux.org/oval/org.almalinux.alsa-8.xml.bz2 -o org.almalinux.alsa-8.xml.bz2
- bzip2 -d org.almalinux.alsa-8.xml.bz2
- oscap oval eval --results /tmp/alsa-results-oval.xml --report report/alsa-report-oval.html org.almalinux.alsa-8.xml
What should happen: The Result column in the alsa-report-oval.html file should only have the word false, indicating everything has been patched.
What does happen: There are some entries where the Result column in the alsa-report-oval.html file has the word true, indicating unpatched vulnerabilities.
Other information: When I run sudo dnf update, sudo dnf upgrade-minimal, and sudo dnf upgrade, dnf always shows “Dependencies resolved. Nothing to do. Complete!”
Which is it? Is there truly nothing to do and my installation is up to date and secure? Do I have the vulnerabilities that the oscap oval eval command listed in its report?
Thanks for reading!
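
An added example, not part of the original post: one way to list exactly which definitions evaluated to true in the XML written by the `--results` option above, so each can be compared against the installed package versions. The function name `flagged_definitions` is hypothetical, and the embedded sample is constructed, with placeholder IDs and titles in the standard OVAL 5 results layout.

```python
import sys
import xml.etree.ElementTree as ET

NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}

# Constructed sample in the OVAL results layout; IDs and titles are placeholders.
SAMPLE = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <definitions>
      <definition id="oval:example:def:1" version="1" class="patch">
        <metadata><title>EXAMPLE-0001: pkg-a security update</title></metadata>
      </definition>
      <definition id="oval:example:def:2" version="1" class="patch">
        <metadata><title>EXAMPLE-0002: pkg-b security update</title></metadata>
      </definition>
    </definitions>
  </oval_definitions>
  <results><system><definitions>
    <definition definition_id="oval:example:def:1" version="1" result="false"/>
    <definition definition_id="oval:example:def:2" version="1" result="true"/>
  </definitions></system></results>
</oval_results>"""


def flagged_definitions(root, wanted=("true",)):
    """Return sorted (definition_id, class, title) for results in `wanted`."""
    meta = {}
    # Definition metadata (class, title) is carried in the embedded definitions.
    for d in root.iterfind("def:oval_definitions/def:definitions/def:definition", NS):
        title = d.findtext("def:metadata/def:title", default="", namespaces=NS)
        meta[d.get("id")] = (d.get("class", ""), title.strip())
    hits = set()
    # Per-system evaluation results reference definitions by definition_id.
    for r in root.iterfind("res:results/res:system/res:definitions/res:definition", NS):
        if r.get("result") in wanted:
            def_id = r.get("definition_id")
            hits.add((def_id, *meta.get(def_id, ("", ""))))
    return sorted(hits)


if __name__ == "__main__":
    # With a path argument, read a real results file; otherwise use the sample.
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1 else ET.fromstring(SAMPLE)
    for def_id, cls, title in flagged_definitions(root):
        print(f"{def_id}\t{cls}\t{title}")
```

Passing `wanted=("true", "error", "unknown")` also surfaces definitions that could not be evaluated cleanly.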