I've previously argued, "they're very, very similar, but they're not truly identical". In particular, Red Hat handles CVEs and errata somewhat differently than CentOS does (Red Hat backports many fixes to prior EL releases, CentOS's stance is generally "upgrade it").
Today, I got bit by one place where CentOS hews far too closely to "the same as Red Hat Enterprise Linux". Specifically, I was using the `oscap` security tool to do a security audit of a test system. I should say, "I was struggling to use the `oscap` security tool...". With later versions of EL6, Red Hat, and as a derivative, CentOS, implement the CPE system for Linux.
This is all fine and good, except where the tools you use rely on the correctness of CPE-related definitions. By the standard of CPE, Red Hat and CentOS are very much not "the same". Because the security-auditing tool I was using (`oscap`) leverages CPEs and because the CentOS maintainers simply repackage the Red Hat furnished security profiles without updating the CPE call-outs, first, the security tool fails horribly. Every test comes back as "notapplicable".
To fix this situation, a bit of `sed`-fu is required:
mv /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-oval.xml \ /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-oval.xml-DIST && \ cp /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-oval.xml-DIST \ /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-oval.xml && \ sed -i '{ s#Red Hat Enterprise Linux 6#CentOS 6##g s#cpe:/o:redhat:enterprise_linux:6#cpe:/o:centos:centos:6##g }' /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-oval.xml mv /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml \ /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml-DIST && \ cp /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml-DIST \ /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml && \ sed -i \ 's#cpe:/o:redhat:enterprise_linux#cpe:/o:centos:centos##g' \ /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
Once the above is done, running `oscap` actually produces useful results.
NOTE: Ironically, doing the above edits will cause the various SCAP profiles to flag an error when running the tests that verify that RPMs have been unaltered. I've submitted a bug to the CentOS group so these fixes are included in future versions of the CentOS OpenSCAP RPMs, but, until then, you just need to be aware that the `oscap` tool will flag the above two files.
...And if you found this page because you're trying to figure out how to run `oscap` to get results, here's a sample invocation that should act as a starting-point:
oscap xccdf eval --profile common --report \ /var/tmp/oscap-report_`date "+%Y%m%d%H%M"`.html \ --results /var/tmp/oscap-results_`date "+%Y%m%d%H%M"`.xml\ --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \ /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml