[Open-scap] "No TestResult" error with oscap xccdf generate fix

Simon Lukasik slukasik at redhat.com
Tue Feb 5 12:20:55 UTC 2013 

On 02/02/2013 05:46 AM, Shawn Wells wrote:
> I am playing around with generating fix scripts from XCCDF content and I
> am receiving a "No TestResult" error. Here is the process and commands
> I'm using, could anybody point me in the right direction?
> 
> My versions:
>> $ cat /etc/redhat-release ; rpm -qv openscap openscap-utils
>> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>> openscap-0.9.2-1.el6.x86_64
>> openscap-utils-0.9.2-1.el6.x86_64
> 
> 
> Within my XCCDF I have:
>> <Rule id="install_aide" severity="medium" selected="false">
>> .......
>> <fix system="urn:xccdf:fix:script:bash">yum install aide</fix>
>> .......
>> </Rule>
> 
> I run a scan:
>> oscap xccdf eval --profile stig-rhel6-server \
>> --results /tmp/stig-results.xml \
>> --report /tmp/stig-results.html \
>> --oval-results \
>> --cpe
>> /var/www/html/scap-security-guide/RHEL6/output/ssg-rhel6-cpe-dictionary.xml
>> \
>> /var/www/html/scap-security-guide/RHEL6/output/ssg-rhel6-xccdf.xml
>> ........... 
> 
> And within my results file (/tmp/stig-results.xml):
>> <rule-result idref="install_aide" time="2013-02-01T16:51:03"
>> severity="medium" weight="1.000000">
>>       <result>pass</result>
>>       <ident system="http://cce.mitre.org">CCE-27024-9</ident>
>>       <fix xmlns:xhtml="http://www.w3.org/1999/xhtml"
>> system="urn:xccdf:fix:script:bash">yum install aide</fix>
>>       <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
>>         <check-content-ref name="oval:ssg:def:1331"
>> href="ssg-rhel6-oval.xml"/>
>>       </check>
>>     </rule-result> 
> 
> I then run the following to generate the fix script and receive the "No
> TestResult" error:
>> ## Attempt from results file
>> $ oscap xccdf generate fix --result-id "install_aide"
>> /tmp/stig-results.xml
>> No TestResult 'install_aide'. Aborting.
>>
>> ## Attempt from my XCCDF content
>> $ oscap xccdf generate fix --result-id "install_aide" ssg-rhel6-xccdf.xml
>> No TestResult 'install_aide'. Aborting.
> 
> If I change <result> to "fail" within my results file I still receive
> the error. Any guidance is appreciated!
>

Hello Shawn,

The

	oscap xccdf generate fix

does not take rule-result/@idref, but TestResult/@id. TestResult is
high-level XCCDF element.

        $ oscap xccdf generate fix --help | grep result-id
   --result-id <id>     	 - Fixes will be generated for failed
rule-results of the specified TestResult.

At this time you are unable to generate fix for a single rule-result. We
are aware of some of generate-fix deficiencies and we are currently
improving fix/remediation processing.

Best Regards,

-- 
Simon Lukasik
Security Technologies

More information about the Open-scap-list mailing list