[Open-scap] Issues with open-scap 0.9.1 and 0.9.2 on RHEL6 (UNCLASSIFIED)

Shaw, Ray V CTR (US) ray.v.shaw.ctr at mail.mil
Tue Nov 20 15:19:48 UTC 2012


Classification: UNCLASSIFIED
Caveats: NONE

I've been building my own openscap and openscap-utils RPMs on RHEL6 using the latest upstream tarball with the RHEL6 source RPMs (with a few modifications due to new files to package).  This has allowed me to scan RHEL6 systems using both the draft RHEL6 content (rhel6-xccdf-scap-security-guide.xml):

oscap xccdf eval --profile "stig-server" --results hostname_scap.xml --report hostname_scap.html /usr/local/scap-security-guide/content/rhel6-xccdf-scap-security-guide.xml

and the DISA RHEL5 STIG content:

oscap xccdf eval --profile "MAC-2_Sensitive" --results hostname_scap.xml --report hostname_scap.html U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml

Unfortunately, this no longer works if I build RPMs with 0.9.1 or 0.9.2; all of the checks are marked as "notapplicable", and the scan successfully does nothing.  This happens with both sets of content.  If I downgrade to 0.9.0, it all works again.

I have also just tried the 0.9.2 RPMs available via the epel-6-openscap repo, and they have the same behavior.

(I guess in theory, the RHEL5 STIG is not "supposed to" be used on RHEL6; SCC tells me it doesn't apply to my platform when I try.  But I need to scan RHEL6 systems with something to prepare for inspections, and that seems like the best fit.  And I would definitely expect the scap-security-guide content to work.)

Is anyone successfully scanning using this content with 0.9.1/0.9.2 on RHEL6?  I'm running RHEL6.3 with the most recent updates, using the 0.1-6 RPM provided on the scap-security-guide download page, and the latest DISA STIG content.

Thanks,

--
Ray Shaw
Contractor, STG
Unix support, Army Research Labs

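Added example (not part of the original post and not OpenSCAP project code): one way to catch the failure described above, where a scan exits cleanly but every rule comes back "notapplicable", is to count the rule-result outcomes in the --results file and flag a run in which no selected rule was evaluated. The sample XML, rule ids and function names are constructed for illustration; the result values are the standard XCCDF ones.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the XCCDF 1.1 namespace; ids are made up.
SAMPLE_ALL_NA = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <TestResult id="xccdf_result_constructed">
    <rule-result idref="rule-a"><result>notapplicable</result></rule-result>
    <rule-result idref="rule-b"><result>notapplicable</result></rule-result>
    <rule-result idref="rule-c"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>"""

# Same constructed document, but with one rule actually evaluated.
SAMPLE_REAL = SAMPLE_ALL_NA.replace(
    '<rule-result idref="rule-a"><result>notapplicable',
    '<rule-result idref="rule-a"><result>fail')

# XCCDF outcomes that mean a check was really run against the system.
EVALUATED = {"pass", "fail", "error", "unknown", "fixed"}

def local(tag):
    """Strip the namespace so XCCDF 1.1 and 1.2 results both parse."""
    return tag.rsplit("}", 1)[-1]

def summarize(xml_text):
    """Count rule-result outcomes in the last TestResult of the document."""
    root = ET.fromstring(xml_text)
    tests = [e for e in root.iter() if local(e.tag) == "TestResult"]
    if not tests:
        raise ValueError("no TestResult element; not a results file")
    counts = Counter()
    for rr in tests[-1]:
        if local(rr.tag) != "rule-result":
            continue
        for child in rr:
            if local(child.tag) == "result":
                counts[(child.text or "").strip()] += 1
    return counts

def is_vacuous(counts):
    """True when rules were selected but none was actually evaluated."""
    selected = sum(n for r, n in counts.items() if r != "notselected")
    evaluated = sum(n for r, n in counts.items() if r in EVALUATED)
    return selected > 0 and evaluated == 0

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALL_NA
    c = summarize(text)
    print(dict(c), "VACUOUS SCAN" if is_vacuous(c) else "ok")
```

Run it against the file written by --results (hostname_scap.xml in the commands above); with no argument it checks the constructed sample.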