[Open-scap] Issues with open-scap 0.9.1 and 0.9.2 on RHEL6 (UNCLASSIFIED)
Shaw, Ray V CTR (US)
ray.v.shaw.ctr at mail.mil
Tue Nov 20 15:19:48 UTC 2012
Classification: UNCLASSIFIED
Caveats: NONE
I've been building my own openscap and openscap-utils RPMs on RHEL6 using the latest upstream tarball with the RHEL6 source RPMs (with a few modifications due to new files to package). This has allowed me to scan RHEL6 systems using both the draft RHEL6 content (rhel6-xccdf-scap-security-guide.xml):
oscap xccdf eval --profile "stig-server" --results hostname_scap.xml --report hostname_scap.html /usr/local/scap-security-guide/content/rhel6-xccdf-scap-security-guide.xml
and the DISA RHEL5 STIG content:
oscap xccdf eval --profile "MAC-2_Sensitive" --results hostname_scap.xml --report hostname_scap.html U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml
Unfortunately, this no longer works if I build RPMs with 0.9.1 or 0.9.2; all of the checks are marked as "notapplicable", and the scan successfully does nothing. This happens with both sets of content. If I downgrade to 0.9.0, it all works again.
I have also just tried the 0.9.2 RPMs available via the epel-6-openscap repo, and they have the same behavior.
(I guess in theory, the RHEL5 STIG is not "supposed to" be used on RHEL6; SCC tells me it doesn't apply to my platform when I try. But I need to scan RHEL6 systems with something to prepare for inspections, and that seems like the best fit. And I would definitely expect the scap-security-guide content to work.)
Is anyone successfully scanning using this content with 0.9.1/0.9.2 on RHEL6? I'm running RHEL6.3 with the most recent updates, using the 0.1-6 RPM provided on the scap-security-guide download page, and the latest DISA STIG content.
Thanks,
--
Ray Shaw
Contractor, STG
Unix support, Army Research Labs
Classification: UNCLASSIFIED
Caveats: NONE
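A guard for the failure mode described in the message above, where oscap exits normally but every check comes back "notapplicable". This is an added example, not part of the original post or of OpenSCAP; it assumes the file written by --results is a standard XCCDF document with rule-result/result elements, and the sample input and rule ids are constructed.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Results that mean a rule was never actually evaluated on the target.
NOT_EVALUATED = {"notapplicable", "notchecked", "notselected"}

# Constructed sample of an XCCDF results file (rule ids are placeholders).
SAMPLE_ALL_NA = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <TestResult id="constructed-example">
    <rule-result idref="example_rule_1"><result>notapplicable</result></rule-result>
    <rule-result idref="example_rule_2"><result>notapplicable</result></rule-result>
    <rule-result idref="example_rule_3"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>"""


def local_name(tag):
    """Strip the namespace so XCCDF 1.1 and 1.2 files are handled alike."""
    return tag.rsplit("}", 1)[-1]


def tally_results(xml_text):
    """Count the <result> value of every <rule-result> in the document."""
    counts = Counter()
    for element in ET.fromstring(xml_text).iter():
        if local_name(element.tag) != "rule-result":
            continue
        for child in element:
            if local_name(child.tag) == "result":
                counts[(child.text or "").strip()] += 1
    return counts


def scan_is_hollow(counts):
    """True when no rule produced a real verdict (pass, fail, error, ...)."""
    return not any(result not in NOT_EVALUATED for result in counts)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:  # e.g. hostname_scap.xml
            text = handle.read()
    else:
        text = SAMPLE_ALL_NA
    counts = tally_results(text)
    print(dict(counts))
    if scan_is_hollow(counts):
        print("no rule was evaluated; treat this scan as failed")
        sys.exit(1)
```

Run after each scan, the non-zero exit status keeps a report with no evaluated rules from being filed as a clean result.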