[Open-scap] OSCAP Debug Pointers

Simon Lukasik slukasik at redhat.com
Mon Dec 16 12:23:13 UTC 2013 

On 12/13/2013 07:58 PM, Matthew Mariani wrote:
> Hi Simon, 
> Thanks.  
> 

Hello Matthew,

> First, on this page http://www.open-scap.org/page/Debug, where are commands like 'configure' and 'run' found, as in lines like "./configure --enable-debug && make".  
> My build process was to git the oscap repo, then run a Make in the scap-security-guide directory below.  I'm seeing how to run 'configure' in this build model.    
>   [root at rhel6client scap-security-guide]# ls
>   docs  Fedora  JBossEAP5  JBossFuse6  LICENSE  Makefile  OpenStack  README  RHEL6  RHEVM3  scap-security-guide.spec

The configure shell script should be found in your openscap directory.
Not the directory of scap-security-guide.

Please use autogen.sh to generate configure script for you, if you are
making oscap from git.

   $ ./autogen.sh
   $ ./configure --enable-debug

> 
> Attached are 1.) my XCCDF (package_checks.xml) in ..../RHEL6/input/system/software that calls 2.) my OVAL in .../RHEL6/input/checks (check_for_nonRH_packages.xml).  I then built a simple profile to call just the ccp_check_for_nonRH_packages OVAL rule, along with a couple others.  
> 
> Results in the following error:
> [root at rhel6client ~]# ./run_rht_scap_new 
> Title   Check for Non-RH Signed Pacakages
> Rule    ccp_check_for_nonRH_packages
> Ident   (null)
> Result  unknown
> 
> OpenSCAP Error: No definition with ID: oval:ssg:def:3121 in result model. [oval_agent.c:180]
> [root at rhel6client ~]# 
> [root at rhel6client ~]# grep "oval:ssg:def:3121" projects/scap-security-guide/RHEL6/output/ssg-rhel6-oval.xml 
>     <definition class="compliance" id="oval:ssg:def:3121" version="1">
> [root at rhel6client ~]# 
> 
> Hope this helps.  Again, it's great to debug this, but really I'm hoping to learn >how< to debug.

Debugging messages appear in the working directory in files named
oscap_debug.log.{pid}.

Also, it often helps to reduce reproducer to absolute minimum. -> Start
with whole XCCDF content, than try to carve out any unrelated rules.
Make sure that you still see the problem. Then look at OVAL definition
and carve out anything unrelated.

Hope this helps,

-- 
Simon Lukasik
Security Technologies

More information about the Open-scap-list mailing list