[Open-scap] Discrepancy in STIG compliance results between oval and xccdf scans
Peter Vrabec
pvrabec at redhat.com
Wed Sep 26 08:38:01 UTC 2012
Hi Simon,
sorry, but I don't understand your approach with:
# oscap xccdf eval --profile MAC-3_Sensitive --results xccdf_out.xml U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml com.redhat.rhsa-all.xml
What is the intention of combining U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml
and com.redhat.rhsa-all.xml?
--------
If you want to eval any xccdf.xml, the simplest way to achieve that is:
# oscap xccdf eval --profile MAC-3_Sensitive --results xccdf_out.xml U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml
The oval files referenced from U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml are
searched for in the directory of U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml. If you want
to pass oval files from a different directory, you can do this:
# oscap xccdf eval --profile MAC-3_Sensitive --results xccdf_out.xml U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml custom/U_RedHat_5_V1R0.6_STIG_Benchmark-oval.xml
------
# oscap oval eval --results oval-results.xml U_RedHat_5-V1R1_STIG_Benchmark-oval.xml com.redhat.rhsa-all.xml
This usage of the oscap tool won't evaluate com.redhat.rhsa-all.xml because
the "eval" operation accepts only one oval file as input.
-----
I hope I helped a bit. Please don't hesitate to blame the man page or
documentation. We want to improve this stuff if it's not useful/clear
for users.
Peter.
On 09/25/2012 08:19 PM, Simon Sekidde wrote:
> Hello,
>
> I am running oscap to scan a server for STIG compliance on RHEL 5
>
> Currently testing with the epel openscap packages:
>
> # rpm -qa | grep openscap\*
> openscap-devel-0.8.5-1.el5
> openscap-debuginfo-0.8.5-1.el5
> openscap-python-0.8.5-1.el5
> openscap-utils-0.8.5-1.el5
> openscap-0.8.5-1.el5
> openscap-perl-0.8.5-1.el5
> openscap-extra-probes-0.8.5-1.el5
>
> SCAP Benchmarks are from here: http://iase.disa.mil/stigs/os/unix/red_hat.html
> OVAL patch definitions: http://www.redhat.com/security/data/oval/
>
> However, there is a discrepancy in the results from both these tests:
>
> # oscap oval eval --results oval-results.xml U_RedHat_5-V1R1_STIG_Benchmark-oval.xml com.redhat.rhsa-all.xml com.redhat.rhsa-all.xml
>
> Shows all results (true|false|not applicable).
>
> ...
> |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
> | OVAL ID | Result | Class | Reference ID | Title | |
> |-------------------------------------+---------------------+-----------------+------------------------+--------------------------------------------------| |
> | oval:mil.disa.fso.rhel:def:99 | true | compliance | |The /etc/nsswitch.conf file must be group-owned by| |
> | | | | |root, bin or sys | |
> |-------------------------------------+---------------------+-----------------+------------------------+--------------------------------------------------| |
> | oval:mil.disa.fso.rhel:def:98 | true | compliance | |The /etc/nsswitch.conf file must be owned by | |
> | | | | |root. | |
> |-------------------------------------+---------------------+-----------------+------------------------+--------------------------------------------------| |
> | oval:mil.disa.fso.rhel:def:97 | true | compliance | |The /etc/hosts file must have mode 0644. | |
> |-------------------------------------+---------------------+-----------------+------------------------+--------------------------------------------------|
> ....
>
> # oscap xccdf eval --profile MAC-3_Sensitive --results xccdf_out.xml U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml com.redhat.rhsa-all.xml
>
> Everything returns as notchecked:
>
> Rule ID: SV-37203r1_rule
> Title: The system must disable accounts after three consecutive unsuccessful login attempts.
> Result: notchecked
>
> Rule ID: SV-37374r1_rule
> Title: The system must prevent the root account from directly logging in except from the system console.
> Result: notchecked
>
> Rule ID: SV-27270r1_rule
> Title: Auditing must be implemented.
> Result: notchecked
> ...
>
> Is there a reason all the xccdf results return notchecked?
>
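As an added example (not part of the thread, and not oscap's own code): since oscap looks for the OVAL files an XCCDF benchmark references relative to the benchmark's own directory, a quick way to check for the "everything notchecked" situation is to list the href values in the benchmark's check-content-ref elements and see which are missing from that directory. The sample benchmark below is constructed, not the DISA one.

```shell
# Added diagnostic (not from the thread): list the OVAL files an XCCDF file
# references via <check-content-ref href="..."> and report those that are not
# present next to the XCCDF file. Uses only grep/sed, so it runs anywhere.

xccdf_oval_refs() {
    # $1 = path to an XCCDF file; prints each distinct href, one per line
    grep -o 'check-content-ref[^>]*href="[^"]*"' "$1" \
        | sed 's/.*href="\([^"]*\)"/\1/' | sort -u
}

xccdf_missing_refs() {
    # $1 = XCCDF path. oscap resolves referenced OVAL files against the
    # XCCDF file's directory, so check each href relative to that directory.
    dir=$(dirname "$1")
    xccdf_oval_refs "$1" | while IFS= read -r href; do
        [ -e "$dir/$href" ] || printf '%s\n' "$href"
    done
}

# Constructed sample benchmark: two rules referencing one OVAL file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/benchmark-xccdf.xml" <<'EOF'
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Rule id="SV-1_rule">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="benchmark-oval.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
  <Rule id="SV-2_rule">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="benchmark-oval.xml" name="oval:example:def:2"/>
    </check>
  </Rule>
</Benchmark>
EOF

# Before the OVAL file exists beside the XCCDF it is reported missing;
# after creating it (empty, for the demo) nothing is reported.
missing_before=$(xccdf_missing_refs "$demo_dir/benchmark-xccdf.xml")
: > "$demo_dir/benchmark-oval.xml"
missing_after=$(xccdf_missing_refs "$demo_dir/benchmark-xccdf.xml")
printf 'missing before: %s\nmissing after: %s\n' "$missing_before" "$missing_after"
```

Run it against the real benchmark directory to confirm the referenced OVAL file name matches what is actually on disk before passing extra files on the command line.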