[Open-scap] Issues with open-scap 0.9.1 and 0.9.2 on RHEL6 (UNCLASSIFIED)

Shawn Wells shawn at redhat.com
Tue Nov 20 18:20:11 UTC 2012


On 11/20/12 10:50 AM, Simon Lukasik wrote:
> On 11/20/2012 04:19 PM, Shaw, Ray V CTR (US) wrote:
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>> I've been building my own openscap and openscap-utils RPMs on RHEL6 using the latest upstream tarball with the RHEL6 source RPMs (with a few modifications due to new files to package).  This has allowed me to scan RHEL6 systems using both the draft RHEL6 content (rhel6-xccdf-scap-security-guide.xml):
>>
>> oscap xccdf eval --profile "stig-server" --results hostname_scap.xml --report hostname_scap.html /usr/local/scap-security-guide/content/rhel6-xccdf-scap-security-guide.xml
>>
>> and the DISA RHEL5 STIG content:
>>
>> oscap xccdf eval --profile "MAC-2_Sensitive" --results hostname_scap.xml --report hostname_scap.html U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml
>>
>> Unfortunately, this no longer works if I build RPMs with 0.9.1 or 0.9.2; all of the checks are marked as "notapplicable", and the scan successfully does nothing.
> This is because that content defines a CPE platform, while the scanner
> does not know how to interpret it. Thus, the rules become notapplicable.
> You can use the --cpe command-line argument to define the CPE:
>
>   $ oscap xccdf eval --cpe ssg-rhel6-cpe-dictionary.xml \
> 	ssg-rhel6-xccdf.xml
>
> As an increasing number of users report this issue, we are thinking about
> having some default CPE dictionary shipped within the scanner.
>
> In the meantime, please use the --cpe argument or remove the <platform>
> element from the benchmark (as suggested earlier in the thread).

I'll document the need for --cpe within the SSG README file this
afternoon to reinforce this behavior.

Question: In the 0.9.2 release note [1] it was mentioned that the --cpe
option autodetects what CPE dictionary to use. I haven't been able to
explore the 0.9.2 release yet; however, will that solve this issue?
Specifically, since the SSG content follows a standard ssg-rhel6-{xccdf
cpe oval}.xml naming scheme, will OpenSCAP 0.9.2 pick up the CPE file?


[1] https://www.redhat.com/archives/open-scap-list/2012-November/msg00008.html
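
The symptom described in this thread (every rule reported as notapplicable because the content declares a CPE platform the scanner cannot resolve) can be checked for after a scan. The following Python code is an added example, not part of the original messages or of OpenSCAP; the sample XML, the CPE name in it and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample inputs (not taken from the SSG or DISA content).
SAMPLE_BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="demo">
  <platform idref="cpe:/o:redhat:enterprise_linux:6"/>
  <Rule id="rule_a" selected="true"/>
</Benchmark>"""

SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="demo">
  <TestResult id="demo_result">
    <rule-result idref="rule_a"><result>notapplicable</result></rule-result>
    <rule-result idref="rule_b"><result>notapplicable</result></rule-result>
    <rule-result idref="rule_c"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>"""

def _local(tag):
    """Drop the namespace so XCCDF 1.1 and 1.2 documents are handled alike."""
    return tag.rsplit("}", 1)[-1]

def platform_idrefs(xccdf_xml):
    """CPE names the content declares through <platform idref="...">."""
    root = ET.fromstring(xccdf_xml)
    return [el.get("idref") for el in root.iter()
            if _local(el.tag) == "platform" and el.get("idref")]

def result_counts(results_xml):
    """Tally the <result> value of every <rule-result> in a --results file."""
    counts = Counter()
    for rr in ET.fromstring(results_xml).iter():
        if _local(rr.tag) == "rule-result":
            for child in rr:
                if _local(child.tag) == "result":
                    counts[(child.text or "").strip()] += 1
    return counts

def scan_did_nothing(counts):
    """True when every rule that was selected came back notapplicable."""
    selected = sum(n for value, n in counts.items() if value != "notselected")
    return selected > 0 and counts["notapplicable"] == selected

if __name__ == "__main__":
    print(platform_idrefs(SAMPLE_BENCHMARK))
    print(scan_did_nothing(result_counts(SAMPLE_RESULTS)))
```

When `scan_did_nothing` is true and `platform_idrefs` is non-empty for the benchmark, the scan most likely needs the --cpe argument discussed above.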



