[Open-scap] Issues with open-scap 0.9.1 and 0.9.2 on RHEL6 (UNCLASSIFIED)

Simon Lukasik slukasik at redhat.com
Tue Nov 20 15:50:37 UTC 2012


On 11/20/2012 04:19 PM, Shaw, Ray V CTR (US) wrote:
> Classification: UNCLASSIFIED
> Caveats: NONE
> 
> I've been building my own openscap and openscap-utils RPMs on RHEL6 using the latest upstream tarball with the RHEL6 source RPMs (with a few modifications due to new files to package).  This has allowed me to scan RHEL6 systems using both the draft RHEL6 content (rhel6-xccdf-scap-security-guide.xml):
> 
> oscap xccdf eval --profile "stig-server" --results hostname_scap.xml --report hostname_scap.html /usr/local/scap-security-guide/content/rhel6-xccdf-scap-security-guide.xml
> 
> and the DISA RHEL5 STIG content:
> 
> oscap xccdf eval --profile "MAC-2_Sensitive" --results hostname_scap.xml --report hostname_scap.html U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml
> 
> Unfortunately, this no longer works if I build RPMs with 0.9.1 or 0.9.2; all of the checks are marked as "notapplicable", and the scan successfully does nothing.

This is because that content defines a CPE platform, while the scanner
does not know how to interpret it. Thus, the rules become notapplicable.
You can use the --cpe command-line argument to define the CPE:

 $ oscap xccdf eval --cpe ssg-rhel6-cpe-dictionary.xml \
	ssg-rhel6-xccdf.xml

As an increasing number of users report this issue, we are thinking about
having some default CPE dictionary shipped within the scanner.

In the meantime, please use the --cpe argument or remove the <platform>
element from the benchmark (as suggested earlier in the thread).

Regards,

-- 
Simon Lukasik
Security Technologies
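
The failure mode discussed in this message (a scan that exits cleanly while every rule is notapplicable) can be caught after the fact. The following is an added example, not part of the original message or of OpenSCAP: it assumes the `--results` file carries XCCDF `rule-result` elements, and the function names and sample document are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample (not real scan output): the benchmark declares a CPE
# platform and every rule came back notapplicable.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <platform idref="cpe:/o:redhat:enterprise_linux:6"/>
  <TestResult id="sample-result">
    <rule-result idref="rule-a"><result>notapplicable</result></rule-result>
    <rule-result idref="rule-b"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>"""

def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files are handled alike."""
    return tag.rsplit("}", 1)[-1]

def summarize(xml_data):
    """Return (declared platform idrefs, Counter of rule-result outcomes)."""
    root = ET.fromstring(xml_data)
    platforms, outcomes = [], Counter()
    for el in root.iter():
        name = local(el.tag)
        if name == "platform" and el.get("idref"):
            platforms.append(el.get("idref"))
        elif name == "rule-result":
            for child in el:
                if local(child.tag) == "result":
                    outcomes[(child.text or "").strip()] += 1
    return platforms, outcomes

def scan_is_empty(xml_data):
    """True when rules were reported but none produced a real verdict."""
    _, outcomes = summarize(xml_data)
    total = sum(outcomes.values())
    return total > 0 and outcomes["notapplicable"] == total

if __name__ == "__main__":
    # Read a results file given on the command line, else the sample above.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    platforms, outcomes = summarize(data)
    print("platforms:", platforms)
    print("outcomes:", dict(outcomes))
    if scan_is_empty(data):
        print("WARNING: every rule is notapplicable; check the --cpe dictionary")
        sys.exit(2)
```

Run against the file written by `--results`, a non-zero exit makes the empty scan visible to whatever job collects the reports.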



