[Open-scap] Open SCAP with RHEL5 USGCB content (UNCLASSIFIED)

Shaw, Ray V CTR (US) ray.v.shaw.ctr at mail.mil
Tue Nov 27 18:17:48 UTC 2012


Classification: UNCLASSIFIED
Caveats: NONE

Not sure if anyone else is still exploring this (I see one thread from June
regarding this content), but I did a comparison of SPAWAR SCC and Open SCAP
0.9.2 scanning a RHEL5 system using the RHEL5 USGCB 1.0.5.0 XCCDF content.

I had to strip the platform information; attempting to specify the
dictionary with --cpe gave me an error with this content.  I had to use
something slightly different, because they have a commented-out platform
line in the content, and the comment spans lines, and well...it gets messy
if I use the previous sed statement.  But this works (and should hopefully
work for other things as well):

perl -p -i -e 's/[^<!--]<platform.*[^-->]$//g' \
  /opt/scc/Resources/Content/USGCB-RHEL5-1.0.5.0/usgcb-rhel5desktop-xccdf.xml

I then scanned it using the following:

oscap xccdf eval --profile "united_states_government_configuration_baseline" \
  --results `hostname`_desktop.xml --report `hostname`_desktop.html \
  /opt/scc/Resources/Content/USGCB-RHEL5-1.0.5.0/usgcb-rhel5desktop-xccdf.xml

YMMV; for me, the results were extremely close.  The primary differences I
noticed were that all of the "Ensure <x> has its own partition" checks were
"not selected" by Open SCAP (SCC marked them as "failed", which is correct
for this particular test system):

CCE-14011-1
CCE-14161-4
CCE-14171-3
CCE-14559-9
CCE-14777-7

Also, "Ensure software is up to date" resulted in "notchecked" on Open SCAP
and "error" on SCC.

--
Ray Shaw
Contractor, STG
Unix support, Army Research Labs

Classification: UNCLASSIFIED
Caveats: NONE
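
Added example (not part of the original message, and not code from the OpenSCAP or SCC projects): a per-rule comparison of two XCCDF result files, the kind of side-by-side check described above. It assumes both scanners write standard XCCDF rule-result elements; the rule ids and placeholder idents in the sample data are constructed.

```python
import xml.etree.ElementTree as ET

NS = "http://checklists.nist.gov/xccdf/1.1"  # XCCDF 1.1 namespace

def local(tag):
    """Drop the '{namespace}' prefix so XCCDF 1.1 and 1.2 results both match."""
    return tag.rsplit("}", 1)[-1]

def rule_results(xml_text):
    """Map each rule-result idref to (result, [idents such as CCE numbers])."""
    out = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "rule-result":
            continue
        kids = [(local(c.tag), (c.text or "").strip()) for c in el]
        result = next((t for n, t in kids if n == "result"), "missing")
        out[el.get("idref")] = (result, [t for n, t in kids if n == "ident"])
    return out

def diff_results(a_xml, b_xml):
    """Return (rule, idents, result_a, result_b) for every rule whose outcome differs."""
    a, b = rule_results(a_xml), rule_results(b_xml)
    rows = []
    for rule in sorted(set(a) | set(b)):
        ra, ia = a.get(rule, ("missing", []))
        rb, ib = b.get(rule, ("missing", []))
        if ra != rb:
            rows.append((rule, ia or ib, ra, rb))
    return rows

def sample(rows):
    """Build a constructed results document from (rule id, ident, result) rows."""
    body = "".join(
        f'<rule-result idref="{rule}"><result>{res}</result>'
        f'<ident system="http://cce.mitre.org">{ident}</ident></rule-result>'
        for rule, ident, res in rows)
    return f'<Benchmark xmlns="{NS}"><TestResult id="constructed">{body}</TestResult></Benchmark>'

# Constructed data: rule ids are hypothetical; only CCE-14011-1 is from the post.
OSCAP = sample([("rule-partition", "CCE-14011-1", "notselected"),
                ("rule-updates", "CCE-PLACEHOLDER", "notchecked"),
                ("rule-same", "CCE-PLACEHOLDER-2", "pass")])
SCC = sample([("rule-partition", "CCE-14011-1", "fail"),
              ("rule-updates", "CCE-PLACEHOLDER", "error"),
              ("rule-same", "CCE-PLACEHOLDER-2", "pass")])

if __name__ == "__main__":
    for rule, idents, r_oscap, r_scc in diff_results(OSCAP, SCC):
        print(f"{rule:16} {','.join(idents):18} oscap={r_oscap:12} scc={r_scc}")
```

For real scans, pass the raw bytes of each results file (for example the one written by --results) to diff_results; a rule present in only one file is reported with the result "missing" on the other side.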

